Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices: decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive claiming to be from the following organizations: the FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, or the Better Business Bureau.  None of these organizations sends unsolicited email to consumers regarding your bank or your bank accounts.  If you receive an email purporting to be from any of these organizations, or any other email you are unsure about, do not open it, open its attachments, or follow its links; the email could carry a virus or other malware.  If in doubt, contact the bank directly using the phone number printed on your statement or card rather than any number or link in the email.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.

Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers.  The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.

Attention! Windows XP Users - As of April 8, 2014, Microsoft will no longer offer technical assistance or provide security updates for Windows XP operating systems. PCs running Windows XP after April 8, 2014, should not be considered to be protected. It is important Windows XP users migrate to a current supported operating system in order to receive regular security updates to protect against malicious online attacks. If you currently use Windows XP to access financial sites, it is strongly recommended that you update to a newer operating system version before April 8, 2014.

4/15/2014

RCE, information disclosure and XSS flaws found in PayPal Partner Program. A security researcher identified and reported a cross-site scripting (XSS) issue and an information disclosure issue that could be leveraged for remote code execution in the PayPal Partner Program’s payment processor Web site. The issues were later closed by PayPal.

Expert finds SQL injection, RCE vulnerabilities in Flickr Photo Books. A security researcher identified and reported a SQL injection vulnerability and a remote code execution vulnerability in Flickr’s Photo Books Web site that could allow an attacker to gain access to Flickr’s databases. Yahoo closed the vulnerabilities after a second report by the researcher.

Hardware manufacturer LaCie suffered year-long data breach. Computer storage manufacturer LaCie stated that the FBI informed the company of a data breach where malware was used to gain access to customer transactions carried out on the company’s Web site. LaCie temporarily disabled the e-commerce portion of its Web site and will be resetting users’ passwords in response.

Heartbleed: VMware starts delivering patches. VMware announced that it began issuing patches for its products affected by the Heartbleed OpenSSL vulnerability, with patches for all affected products expected by April 19.

Flash SMS flaw in iOS can be exploited to make the lock screen unresponsive. A security researcher identified a Flash SMS flaw in iOS that can be used to make a device’s lock screen unresponsive, which could be used for ransom attacks. The flaw was fixed with the release of iOS 7.1 but devices running previous versions of the mobile operating system are vulnerable.

4/14/2014

Nine people accused of stealing millions of dollars with Zeus malware. The U.S. Department of Justice unsealed an indictment against nine individuals for allegedly being involved in a criminal organization that used the Zeus banking trojan to steal millions of dollars. The alleged scheme used Zeus to steal account information and then transfer stolen money to accounts belonging to ‘mules’ who withdrew and transferred the money.

Akamai admits issuing faulty OpenSSL patch, reissues keys. Akamai Technologies stated April 13 that a patch issued by the company designed to protect its customers from the Heartbleed vulnerability contained a fault, making it ineffective. The company then began reissuing all Secure Sockets Layer (SSL) certificates and security keys for affected sites.

Jetpack pushes update to close critical security hole. The creators of the Jetpack plugin for WordPress published an update for the popular plugin that closes a vulnerability discovered during a security audit that could allow an attacker to bypass a site’s access controls.

Google rewards experts for XXE vulnerability in Toolbar Button Gallery. Google awarded two Detectify researchers $10,000 after they identified and reported an XML External Entity (XXE) vulnerability in the Google Toolbar Button Gallery that could have allowed an attacker to gain access to data on the company’s production servers. The vulnerability was closed soon after being reported.

4/11/2014

Cyber attacks are targeting Heartbleed flaw, says US CERT. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning April 10 stating that attackers have begun exploiting the Heartbleed vulnerability in OpenSSL and advised affected entities to report any incidents involving the vulnerability.

Expert shows that hackers can abuse Chrome speech recognition API flaw. A security researcher identified a vulnerability in an older version of Chrome’s speech recognition API that could be leveraged to obtain the transcript generated by the browser. The API was introduced in Chrome 11 but may still be used by some Web sites.

BlackBerry, Cisco products vulnerable to OpenSSL bug. BlackBerry reported that several of its software products are vulnerable to the Heartbleed OpenSSL vulnerability, though its phones were unaffected. Cisco also reported that many of its products, including video communications and phone systems, were also vulnerable.

4/10/2014

Deltek suffers data breach, hackers gain access to credit card information. Deltek reported that attackers breached the company’s GovWin IQ Web site, exposing personal and financial details of around 80,000 employees of federal contractors and about 25,000 payment card details belonging to customers of the site’s eCommerce platform. The breach was first discovered March 13 but occurred sometime between July 3, 2013 and November 2, 2013.

Not just websites hit by OpenSSL’s Heartbleed – your PC, phone and more may be in peril. A researcher from the SANS Institute reported in a presentation that the Heartbleed vulnerability in OpenSSL could also affect devices and applications on the client side as well as the server side, potentially allowing attackers to obtain passwords and cryptographic keys from PCs, phones, routers, and other devices.

SQL injection vulnerability fixed in Orbit Open Ad Server. High-Tech Bridge researchers identified and reported a SQL injection vulnerability in the popular open-source ads server Orbit Open Ad Server that could have allowed attackers to compromise Web sites running vulnerable installations. OrbitScripts fixed the vulnerability after being notified by the researchers.

BlackBerry patches remote code execution vulnerability. BlackBerry released an update April 9 which closes a remote code execution vulnerability in BlackBerry 10 that could be exploited in a limited number of scenarios.

Uh oh! Here comes the first bug in the Windows 8.1 Update. Microsoft suspended distribution of the Windows 8.1 Update for April after some enterprise customers using Windows Server Update Services (WSUS) 3.0 Service Pack 2 reported that the update prevented machines from receiving future updates.

4/9/2014

SEC charges CVS with misleading investors and committing accounting violations. CVS Caremark Corp. agreed to pay $20 million in a settlement with the U.S. Securities and Exchange Commission to resolve charges that the company misled investors and used improper accounting that artificially inflated its financial performance.

Companies advise users to change passwords due to possible Heartbleed attacks. Several private companies and government organizations advised users to change their passwords in the wake of the Heartbleed vulnerability in OpenSSL that could expose usernames, passwords, and other secure communications. Security researchers also began posting analyses of the vulnerability as organizations worked to close the vulnerability on their systems.

Four vulnerabilities fixed with the release of Adobe Flash Player 13.0.0.182. Adobe issued an update for its Flash Player, closing four security issues.

WordPress 3.8.2 addresses 2 vulnerabilities, includes 3 security hardening changes. A new version of WordPress was released for download containing fixes for two security vulnerabilities and three changes that enhance security.

Last call for XP, Office 2003 updates: April Patch Tuesday fixes 11 vulnerabilities. Microsoft released its monthly Patch Tuesday round of updates April 8, including the final updates for Windows XP and Office 2003, with 4 bulletins closing 11 vulnerabilities.

Cybercriminals use sophisticated PowerShell-based malware. Researchers at Symantec identified a new malicious PowerShell script that contains several ways to hide itself and can inject malicious code into rundll32.exe. The finding follows the discovery of another malicious PowerShell script by Trend Micro researchers known as CRIGENT or Power Worm during March.

Google patches 31 flaws in Chrome. Google released a new version of its Chrome browser, closing 31 vulnerabilities, 19 of which were rated as high priority.

2013 threat report: 8 mega data breaches, 552 million identities exposed. Symantec published its Internet Security Threat Report for 2013, showing a 62 percent increase in data breaches from organizations during the year, with 552 million identities exposed, among other findings.

Yahoo email anti-spoofing policy breaks mailing lists. Security researchers reported that mailing lists began failing to deliver messages from Yahoo users after Yahoo published a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record with a p=reject policy for yahoo.com. A list that relays a Yahoo user's message keeps the original From: address but sends the message from its own servers, often after altering the subject or body, so neither SPF nor DKIM aligns with yahoo.com and DMARC-enforcing receivers reject the message.
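
The following is an added example, not Yahoo's code or any mailing-list software, that shows why the rejection happens. It parses a DMARC record and evaluates identifier alignment the way a receiver does, given the From: domain and the domains that SPF and DKIM actually authenticated. The record is constructed with the same p=reject policy Yahoo published for yahoo.com; the "organizational domain" is approximated as the last two DNS labels (a real receiver consults the Public Suffix List), and the domain names lists.example.org and mta7.yahoo.com are assumed for illustration.

```python
"""DMARC evaluation from a receiver's point of view (added example)."""
from typing import Dict, Optional

# Constructed record modelled on a p=reject policy; not a copy of any live record.
REJECT_RECORD = "v=DMARC1; p=reject; sp=none; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and apply the DMARC defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment unless the record says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (simplification, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_domain: Optional[str] = None, spf_pass: bool = False,
             dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> str:
    """Return 'pass', or the policy the receiver should apply: none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain in From: falls under sp= when the record defines it.
    if org_domain(from_domain) != from_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    # Direct mail from the provider passes; the same message relayed by a list does not.
    print(evaluate(REJECT_RECORD, "yahoo.com", spf_domain="yahoo.com", spf_pass=True))
    print(evaluate(REJECT_RECORD, "yahoo.com",
                   spf_domain="lists.example.org", spf_pass=True,
                   dkim_domain="lists.example.org", dkim_pass=True))
```

The third case in the test below is the one that matters for list operators: if the list leaves the original DKIM signature intact and valid (no subject tag, no footer), the message still passes. Lists that rewrite the body must instead rewrite From: to their own domain.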

4/08/2014

Microsoft drops Windows XP support. Microsoft ended support April 8 for its Windows XP operating system, leaving the widely-used operating system vulnerable to any vulnerabilities identified in the future. The operating system is still used on a significant portion of systems, including personal computers, ATMs, medical systems, industrial control systems, and other critical infrastructure systems.

OpenSSL 1.0.1g released to prevent hackers from eavesdropping on communications. A new version of OpenSSL was released after security researchers from Codenomicon and Google Security identified and reported a vulnerability, known as Heartbleed, in the library's TLS heartbeat extension. A missing bounds check lets a remote peer read up to 64 KB of the process's memory per request, which can expose private keys, session cookies, usernames, passwords, and other content of recent connections. The vulnerability affects the many applications built on OpenSSL 1.0.1 through 1.0.1f, and users are advised to update as soon as possible, then replace certificates and reset credentials that may have been exposed.
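
The following is an added example, not OpenSSL code, that emulates the bug in pure Python so the mechanism is visible without a vulnerable server. A heartbeat record is a 1-byte type, a 2-byte payload length chosen by the sender, the payload, and at least 16 bytes of padding. The unpatched handler echoed back as many bytes as the sender claimed, reading past the end of the record into whatever sat next in process memory; the 1.0.1g fix compares the claimed length with the record actually received before copying. The "neighbouring memory" contents are constructed, and the 4-byte probe payload is an assumption.

```python
"""Emulation of the OpenSSL heartbeat over-read (Heartbleed), added example."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16

# Constructed stand-in for the bytes that happen to follow the record in the
# server's heap: in a real process this is recently freed data such as cookies,
# credentials and fragments of private keys.
NEIGHBOURING_MEMORY = (
    b"Cookie: session=0f3a9c; Authorization: Basic YWxpY2U6aHVudGVyMg=="
    b"-----BEGIN RSA PRIVATE KEY-----MIIEow..."
)


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets the sender lie about the size."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def process_heartbeat(record: bytes, patched: bool) -> Optional[bytes]:
    """Return the payload the server would echo, or None if it discards the record."""
    hbtype, claimed_len = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if patched:
        # The fix: 1 (type) + 2 (length) + payload + 16 (padding) must fit inside
        # the record that was actually received; otherwise drop it silently.
        if 1 + 2 + claimed_len + PADDING_LEN > len(record):
            return None
    # Both versions copy claimed_len bytes starting right after the 3-byte header.
    # The over-read is modelled by letting the copy run on into neighbouring memory.
    memory = record + NEIGHBOURING_MEMORY
    return memory[3:3 + claimed_len]


def leaked_bytes(claimed_len: int, patched: bool) -> Optional[bytes]:
    """Send a 4-byte probe that claims claimed_len bytes; return what comes back."""
    return process_heartbeat(build_heartbeat(b"ping", claimed_len), patched)


if __name__ == "__main__":
    print(leaked_bytes(4, patched=False))     # honest request: echoes b"ping"
    print(leaked_bytes(200, patched=False))   # over-read: padding plus neighbouring secrets
    print(leaked_bytes(200, patched=True))    # patched server: None (record discarded)
```

A real scanner performs the same exchange over a TLS connection and checks whether the response is longer than the payload it sent; this emulation shows why a length field supplied by the peer can never be trusted without comparing it to the data actually received.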

Information disclosure flaw in Flickr fixed after two months. Yahoo fixed an information disclosure vulnerability in its Flickr photo sharing service which could have been exploited to reveal users’ names and email addresses.

Expert finds 8 files vulnerable to SQL injection in Yahoo HK promotions page. Yahoo removed vulnerable files from its Hong Kong promotions subdomain after a security researcher identified and reported several SQL injection vulnerabilities.

Google kills fake anti-virus app that hit No. 1 on Play charts. Google removed the Virus Shield app from its Google Play store after the app, which briefly was a top download, was found to be a fake app with no functionality. Appbrain estimated that the fake app generated around $40,000 from sales for its developer.

4/07/2014

DDoS attack enabled by persistent XSS vulnerability on top video content provider’s site. Incapsula reported that they mitigated an application layer distributed denial of service (DDoS) attack against a client which utilized a cross-site scripting (XSS) vulnerability in a popular video content provider’s Web site. Malicious JavaScript code was injected into a tag associated with users’ profiles, which executed whenever a legitimate user accessed the page.

Upatre downloader distributed via banking-themed spam campaign. Researchers at Trend Micro detected a spam campaign using banking-themed emails to distribute the Upatre downloader, which in a sample downloaded the Zeus trojan and the Necurs security-disabling malware.

85% of links spotted in cyberattacks in 2013 led to compromised legitimate sites. Websense Security Labs released their 2014 Threat Report, detailing threats and trends during the past year. The report found that 85 percent of malicious links in email and Web attacks were directed at legitimate sites that were compromised by attackers, among other findings.

4/4/2014

Millions of consumers at risk from mobile POS flaws. Security researchers from MWR InfoSecurity presenting April 4 at the SyScan security conference demonstrated how mobile point-of-sale (MPOS) systems can be compromised through several attack techniques, allowing criminals to capture payment card data, cause the devices to accept fraudulent cards, and perform other actions. The vulnerabilities were reported to affect popular MPOS devices but the researchers did not disclose which models are affected.

Zeus malware found with valid digital certificate. Comodo researchers April 3 reported finding a variant of the Zeus banking malware that is signed with a valid digital certificate and poses as an Internet Explorer document, making it appear trustworthy to users and to security software that relies on code signing.

Android trojan Waller sends premium SMSs, steals money from QIWI wallets. Researchers at Kaspersky analyzed a piece of Android malware known as SMS.AndroidOS.Waller.a which can use infected devices to send SMSs to premium-rate numbers to earn criminals money and can also steal funds from Visa QIWI Wallet accounts. The malware can also perform other tasks such as update itself and install other malware.

4/3/2014

Yahoo encrypts data center links, boosts other services. Yahoo announced April 2 that it has begun encrypting all traffic moving between its data centers, turned on encryption between its email servers and those of other providers that support SMTP over TLS, and turned on encryption on its home page, searches, and other properties to enhance user privacy and security.

Cybercriminals add new component to Sality to hijack the DNS addresses of routers. Researchers at ESET analyzed a new component of the Sality malware that was recently added and allows the malware to hijack the primary DNS address of routers. The analysis showed that the malware targets specific router models and attempts to use a brute force attack to gain administrator access, and then changes the router’s DNS server address in order to direct users to fake installation sites.

ISPs exposed to DNS DDoS attacks due to millions of vulnerable home routers. Researchers at Nominum reported finding over 5.3 million home routers with open DNS proxies, which can put Internet service providers at risk of DNS amplification distributed denial of service (DDoS) attacks. An open proxy answers queries from anyone, so an attacker can send small queries with a spoofed source address and have much larger responses delivered to the victim through the ISP's resolvers.

4/2/2014

Passwords, messages of 158k+ Boxee.tv users leaked. Attackers compromised the forum database for Web TV service Boxee.tv and posted the private information for over 158,000 users. The breach and subsequent leak contain email addresses, encrypted passwords, dates of birth, message histories, IP addresses, and other information.

Cybercriminals abuse security camera recorders and routers to mine for Bitcoins. A researcher at the SANS Technology Institute identified malware designed to infect security camera recorders and routers and use the devices to attempt to mine Bitcoin virtual currency. The malware is built for ARM processors and was spotted on Hikvision DVRs, which ship with a simple default root password that users often do not change.

Apple releases Safari 7.0.3, fixes security. Apple released version 7.0.3 of its Safari browser, fixing several security issues and adding compatibility and stability improvements.

SellHack deactivates plugin after cease and desist letter from LinkedIn. The makers of the SellHack browser plugin, which uses publicly visible data to help users obtain hidden email addresses of LinkedIn users, deactivated the plugin April 1 following a cease-and-desist letter from LinkedIn.

Oculus VR finds SQL injection flaw, asks Developer Center users to change passwords. Oculus VR advised users of its Oculus Developer Center to change their passwords as a precaution after the company identified a SQL injection vulnerability. The company reported that there was no indication that the vulnerability had been exploited.

Password bug lets me see shoppers’ credit cards in eBay ProStores, claims infosec bod. A security researcher from Securatary disclosed March 20 that he identified a vulnerability in eBay’s ProStores shops that could have allowed attackers to credit themselves with gift cards for ProStores and obtain customer payment card information. The vulnerability was reported in February and later fixed by eBay.

Hotmail-gate: Windows 8 code leaker pleads guilty to theft of trade secrets. A former Microsoft employee pleaded guilty March 31 to stealing company trade secrets by sending unreleased updates for the Windows RT operating system, as well as a copy of the Microsoft Activation Server Software Development Kit, to a blogger.

4/1/2014

Experts unhappy with Oracle’s Java Cloud patching process, vulnerability details published. Researchers at Security Explorations published details of 30 vulnerabilities in Oracle Java Cloud Service, about half of which can be used to break the Java security sandbox. The vulnerabilities were previously reported to Oracle in January.

CryptoDefense ransomware leaves decryption key accessible. Symantec researchers analyzed the CryptoDefense encryption ransomware and found that the decryption key needed to undo the malware’s file encryption is also left on the victim’s computer, potentially allowing victims to decrypt the files held for ransom themselves.

Middle Eastern hackers use remote access trojan to infect 24,000 machines worldwide. Researchers at Symantec reported finding 487 groups actively using the njRAT remote access trojan (RAT) for malicious uses, with around 24,000 machines infected worldwide. Symantec reported that most attacks using njRAT originate in the Middle East and that the majority of the RAT’s command and control servers are located in the Middle East and North Africa. 

Email marketing service Mad Mimi hit by DDoS attacks, blackmailed. Email marketing service Mad Mimi reported that it was the target of a distributed denial of service (DDoS) attack March 30, which caused intermittent issues. An attacker claiming to be behind the DDoS attack demanded a ransom to stop it, which the company refused.

Smartphones at risk of malicious code injection through HTML5-based apps. Researchers at Syracuse University published a paper detailing how HTML5-based smartphone apps could allow for devices to be targeted with a new Cross-Device Scripting (XDS) attack that could inject malicious code via WiFi scanning, SMS messaging, or other means.

3/31/2014

Sally Beauty’s security breach grows in scope. Beauty products retailer Sally Beauty reported March 28 that a data breach exposed a larger number of payment card records than the less than 25,000 previously estimated by the company.

SEC halts pyramid scheme targeting Asian and Latino communities. The U.S. Securities and Exchange Commission announced charges and asset freezes March 28 against the operators of an alleged pyramid scheme that raised more than $65 million from Asian and Latino communities in the U.S. and abroad. The alleged scheme operates under names such as WCM and WCM777 and is based in California and Hong Kong, under the control of a Temple City, California man.

FTC settles with Fandango, Credit Karma over SSL issues in mobile apps. Fandango and Credit Karma agreed to a settlement with the Federal Trade Commission (FTC) after the FTC charged that both companies misrepresented the security of their mobile apps and shipped apps that failed to validate SSL certificates. An app that skips certificate validation accepts any certificate presented to it, so an attacker on the same network can intercept and read the traffic, including login credentials and financial data. The companies are required by the settlement to submit to independent security audits for the next 20 years and to create comprehensive security programs.
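
The following is an added example, not Fandango's or Credit Karma's code, showing the mistake described above beside the correct client configuration, in Python's standard ssl module. The first context reproduces the failure mode (chain and hostname checks switched off, so any certificate is accepted); the second is what a client should use; audit() reports which checks a context lacks, which is the kind of assertion worth pinning in a code base's test suite so the weak setting cannot return. The open_tls() helper and its host argument are illustrative and need network access.

```python
"""Client TLS configuration: the weak setting beside the corrected one (added example)."""
import socket
import ssl
from typing import Any, Dict, List


def insecure_context() -> ssl.SSLContext:
    """What 'ignore certificate errors' looks like in Python: no validation at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an attacker's, is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store and the hostname; TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context; an empty list means acceptable."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def open_tls(host: str, ctx: ssl.SSLContext, port: int = 443) -> Dict[str, Any]:
    """Handshake with host using ctx and return the validated peer certificate (needs network)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", audit(insecure_context()))
    print("hardened:", audit(hardened_context()))
```

With the insecure context, open_tls() would complete the handshake against any server that presents a certificate, which is exactly the behaviour the FTC complaint describes; with the hardened context the handshake raises ssl.SSLCertVerificationError unless the chain and hostname check out.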

Philips smart TVs open to remote attacks via default wireless connection, researchers say. Researchers at ReVuln published a demonstration video showing that the newest firmware for some Philips smart TVs opens an insecure Miracast wireless network that could allow attackers within signal range to control the TV. The Miracast feature is vulnerable to attackers due to a hard-coded password.

3/28/2014

Critical vulnerability patched in Schneider Electric serial Modbus driver. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a notice March 27 advising users of 11 Schneider Electric industrial control system products that a patch is available for a stack-based buffer overflow vulnerability in Schneider's serial Modbus driver. The vulnerable driver is used in a variety of industries, including energy, nuclear power, government facilities, transportation systems, and dams.

Uncommon new worm targets Word and Excel files. Researchers at Trend Micro discovered a new malware worm known as Crigent that infects systems via an infected Microsoft Word or Excel file, communicates with a command and control (C&C) server via Tor and Polipo to obscure traffic, and then gathers information on the compromised system. The worm then converts other Word and Excel files on the infected system to older, macro-capable file formats and uses them to attempt to spread itself to other systems.

Cybercriminals hijack WordPress websites with free premium plugins. Sucuri researchers found that several premium WordPress plugins available for free on some Web sites contain code that allows the plugins’ creator to create a new administrator account and gain control of WordPress sites that use the free premium plugins.

WinRAR spoofing vulnerability being exploited in malware campaign. A vulnerability in the WinRAR archiver identified by a security researcher was seen in a malware campaign targeting government, international, and business organizations. IntelCrawler researchers spotted the campaign, which uses the vulnerability to disguise the contents of .zip files (the file name WinRAR displays can differ from the file that is actually extracted), and found that a Zeus-like trojan is being used to establish remote administration channels and collect information.

Lenovo recalls battery packs for ThinkPad notebook computers due to fire hazard. Lenovo announced a recall March 27 of about 37,400 battery packs for ThinkPad notebooks in the U.S. and Canada due to an issue that can cause them to overheat, posing a fire hazard.

3/27/2014

Hidden crypto currency-mining code spotted in apps on Google Play. Researchers at Lookout warned that Android apps which include hidden code used to mine for several forms of cryptocurrency have been spotted being offered on Spanish underweb forums. Trend Micro researchers also spotted two apps available in the Google Play store which contain cryptocurrency mining code, similar to compromised apps originally discovered by G Data researchers.

Cerberus app users warned about data breach. Cerberus Security Team advised users of their Android security app to reset their passwords as a precaution after suspicious traffic was detected and blocked on the company’s servers. Attackers were able to gain access to some users’ usernames and encrypted passwords during the breach.

When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal. Incapsula released a report on distributed denial of service (DDoS) attack mitigation which found that DDoS attack volumes are increasing, with 20Gbps or above attacks occurring in around one-in-three attacks, among other findings.

Windows trojan packs punch, downloads ransomware “Cribit.” Trend Micro researchers found that the Fareit trojan is being used to spread a ransomware known as Cribit that encrypts victims’ files and demands a ransom in Bitcoins. The trojan has previously been used to download other malware such as Zeus.

3/26/2014

ATM malware, controlled by a text message, spews cash. Researchers at Symantec identified a new version of the Ploutus ATM malware that targets an undisclosed model of standalone ATM and can be controlled by text message to make the ATM dispense cash.

10,000 GitHub users inadvertently reveal their AWS secret access keys. Researchers at Threat Intelligence reported that around 10,000 Amazon Web Services secret access keys can be found on GitHub via a search, as some users have accidentally committed them to their project repositories. Keys published this way should be treated as compromised and rotated, since removing the file from the current revision does not remove it from the repository history.
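
The following is an added example, not code from GitHub, Amazon or the researchers cited above, of the kind of pre-commit check that keeps such keys out of a repository. It matches the access key ID format (AKIA or ASIA followed by 16 uppercase alphanumerics) and a 40-character secret that sits next to a variable name mentioning an AWS secret key, then discards low-entropy placeholders so templates are not reported. The sample file is constructed and uses Amazon's published documentation example credentials, which are not live; the entropy threshold is an assumption.

```python
"""Scan text for AWS credentials before it reaches a public repository (added example)."""
import math
import re
from collections import Counter
from typing import Dict, List

ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}['\"]?"
    r"(?P<secret>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_SECRET_ENTROPY = 3.0   # bits per character (assumed); real secrets score well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string made of one repeated character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with its line number and kind."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(0)})
        for m in SECRET_KEY.finditer(line):
            secret = m.group("secret")
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY:   # skip AAAA... placeholders
                findings.append({"line": lineno, "kind": "secret_access_key", "value": secret})
    return findings


# Constructed sample: a credentials file committed by mistake. The key pair is
# Amazon's documentation example and is not a working credential.
SAMPLE_FILE = """\
# constructed ~/.aws/credentials file committed by mistake
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder left by a template; low entropy, must not be reported
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(f"line {finding['line']}: {finding['kind']} {finding['value']}")
```

Run it over the staged diff in a pre-commit hook and refuse the commit on any finding; the entropy test is what stops the hook from nagging about documentation placeholders while still catching real secrets.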

Gameover ZeuS now targets users of employment websites. Researchers at F-Secure warned users and recruiters to be cautious after a variant of the popular Gameover Zeus Trojan has been seen targeting users of popular employment Web sites, including CareerBuilder.com and Monster.com. The Trojan has been spotted using Web injections and Man-in-the-Browser (MitB) attacks to serve fake login pages in an attempt to gather login information and personal information.

3/24/2014

Weakness in Android update service puts all devices at risk for privilege escalation. Researchers at Indiana University and Microsoft published a paper that found that the Package Management Service (PMS) for Android can create vulnerabilities dubbed Pileup flaws by improperly vetting requests for operating system or app privileges after an update, automatically granting privileges that did not exist in older versions of Android. The researchers stated that vulnerabilities exist on all Android Open Source Project versions and on many customized versions, impacting over one billion Android devices.

3/21/2014

Fake IRS agent scam bilks taxpayers of $1 million. The inspector general of the Internal Revenue Service (IRS) stated March 20 that over 200,000 individuals have been targeted by the largest phone scam the agency has seen, with over $1 million stolen by callers claiming to be IRS agents. The criminals behind the scam obscure caller ID indicators to make it appear as if they are calling from a legitimate number, and in some cases know the last four digits of targets’ Social Security numbers.

GitHub falls victim of another DDoS attack. GitHub reported March 21 that it was the target of an ongoing distributed denial of service (DDoS) attack and was taking measures to mitigate the attack.

BlackOS: New malicious software used by cybercriminals to redirect traffic. Researchers at Trend Micro analyzed a piece of malware called BlackOS which automates the redirection of traffic from malicious or compromised Web sites. BlackOS started being advertised on underweb forums in February and is based on the “Tale of the North” software.

3/20/2014

Tor Browser in Apple’s App Store contains adware and spyware. Representatives of the Tor Project stated that a fake Tor Browser app in the Apple App Store contains adware and spyware and that it has been present since December 2013.

3/19/2014

Hacked EA server used to host Apple phishing page. Researchers at Netcraft reported that attackers compromised a server that hosts two Electronic Arts (EA) Web sites and used it to host a phishing page that mimics an Apple login page.

$30 RAT, WinSpy, involved in two phishing campaigns. FireEye researchers identified two phishing campaigns utilizing the WinSpy remote access Trojan (RAT) and the GimmeRAT Android malware that comes packaged with the first RAT. One campaign used spear phishing emails targeting U.S. financial institutions while a second was an indiscriminate spam campaign.

3/18/2014

Sally Beauty confirms card data breach. Cosmetics and beauty retailer Sally Beauty confirmed March 17 that attackers breached the company’s networks and stole credit card data for less than 25,000 records as estimated by the company. The breach is still under investigation.

3/17/2014

US announces transition of oversight over Internet’s domain name system. The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) announced its intention to transition oversight of Internet domain name functions to global stakeholders. The NTIA requested that the Internet Corporation for Assigned Names and Numbers (ICANN) convene stakeholders and develop a transition proposal as a first step.

3/14/2014

Hackers can steal private WhatsApp chats with other Android apps. A security researcher identified a security flaw in WhatsApp that could allow any Android app installed on the device with access to the SD card to retrieve the WhatsApp database containing private chat logs. The database is encrypted, but a legitimate app that can decrypt the file is available.

Target says it declined to act on early alert of cyber breach. Target Corp. stated March 13 that security software detected potentially malicious activity that led to the breach of 40 million payment card records and 70 million customer records but that its staff decided not to take immediate action. The company stated that it is investigating past practices to improve security.

Phishing campaign targets Google Docs, Drive users. Symantec researchers identified a phishing campaign targeting users of Google Drive that uses a fake login page hosted on Google servers and served over Secure Sockets Layer (SSL), making the campaign potentially more convincing than most phishing attempts.

3/11/2014

Hackers steal details of thousands of individuals from Archdiocese of Seattle. The Archdiocese of Seattle warned volunteers and employees that their personally identifiable information, including Social Security numbers, may have been compromised when attackers breached the archdiocese’s systems. The archdiocese advised those affected to check and see if fraudulent tax returns have been filed in their names.

162,000 WordPress sites abused to amplify DDoS attack. Researchers at Sucuri found that attackers used around 162,000 WordPress sites to indirectly launch a distributed denial of service (DDoS) attack on a client's WordPress site by abusing the sites' XML-RPC pingback feature, which is enabled by default on WordPress sites. Each abused site was told that the victim had linked to one of its posts and dutifully fetched the victim's page to verify the link, so the victim saw a flood of requests from legitimate, uncompromised blogs rather than from the attacker.
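
The following is an added example, not Sucuri's or WordPress's code, covering both ends of the reflection. The reflecting site receives an XML-RPC pingback.ping call whose first parameter is the victim's URL; the victim then receives one GET per abused site, each carrying a User-Agent of the form "WordPress/<version>; <site URL>" and a random query string that defeats caching. The log lines and the XML-RPC body are constructed samples; the exact User-Agent shape and the cache-busting query pattern are assumptions about what WordPress sends when verifying a pingback.

```python
"""WordPress pingback reflection: victim-side detection and reflector-side filtering (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterable, Optional

# Combined log format as written by Apache or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PINGBACK_UA = re.compile(r"^WordPress/\d[\w.]*; (?P<site>https?://\S+)$")   # assumed shape
CACHE_BUSTER = re.compile(r"^/\?\d+=\d+$")                                   # assumed shape

# Constructed victim-side access log: four reflecting blogs plus one real visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.11 - - [09/Mar/2014:11:05:27 -0400] "GET /?9924021=1120393 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-b.example"
203.0.113.12 - - [09/Mar/2014:11:05:28 -0400] "GET /?2213310=7732980 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-c.example"
203.0.113.10 - - [09/Mar/2014:11:05:28 -0400] "GET /?5518201=3310042 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"
198.51.100.7 - - [09/Mar/2014:11:05:29 -0400] "GET /about/ HTTP/1.1" 200 8200 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
203.0.113.13 - - [09/Mar/2014:11:05:29 -0400] "GET /?8812093=4420011 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-d.example"
"""

# Constructed pingback.ping call as the reflector would receive it at /xmlrpc.php.
PINGBACK_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/?123=456</string></value></param>
    <param><value><string>http://blog-a.example/2014/03/some-post/</string></value></param>
  </params>
</methodCall>"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_flood(lines: Iterable[str], min_sites: int = 3) -> Dict[str, object]:
    """Victim side: count GETs per reflecting WordPress site and flag a flood."""
    per_site: Counter = Counter()
    cache_busting = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = PINGBACK_UA.match(rec["ua"])
        if not m:
            continue
        per_site[m.group("site")] += 1
        if CACHE_BUSTER.match(rec["path"]):
            cache_busting += 1
    return {"sites": dict(per_site), "flood": len(per_site) >= min_sites, "cache_busting": cache_busting}


def xmlrpc_method(body: bytes) -> str:
    """Reflector side: the method name inside an XML-RPC call (ElementTree ignores external entities)."""
    return ET.fromstring(body).findtext("methodName", default="").strip()


def should_block(body: bytes, blocked=("pingback.ping",)) -> bool:
    """Drop pingback calls at the edge when the site does not need them."""
    return xmlrpc_method(body) in blocked


if __name__ == "__main__":
    print(pingback_flood(SAMPLE_LOG.splitlines()))
    print("block pingback:", should_block(PINGBACK_BODY))
```

On the victim side the distinguishing signal is the number of distinct WordPress site URLs in the User-Agent, not the request rate of any single source, since each reflector sends only a handful of requests. On the reflector side, rejecting pingback.ping (or disabling XML-RPC entirely) stops the site from being used against others.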

3/10/2014

Statistics company Statista hacked, email addresses and passwords possibly stolen. Statistics and studies company Statista reported that attackers may have compromised its systems and accessed a user database containing email addresses and encrypted passwords.

3/7/2014

Siesta cyber espionage campaign targets many industries. Researchers at Trend Micro discovered a cyberespionage campaign dubbed Siesta that is targeting several industries, including energy, financial services, healthcare, and defense. The campaign uses malware that enters dormancy at regular intervals and when active, sends out spoofed emails to various companies containing a malicious link that drops both a legitimate .pdf file and a malicious executable file.

3/6/2014

Sally Beauty responds to rumors about credit card data being stolen by hackers. Beauty products retailer and distributor Sally Beauty stated March 5 that it had detected an attempted intrusion into its systems and was continuing to investigate but did not believe that customers’ payment card information was compromised. The statement followed a story by a security researcher that over 280,000 payment card records were found for sale in an underweb marketplace and appeared to be connected to the company.

Bitstamp warns of phishing emails after being hit by hackers. Bitcoin exchange Bitstamp reported having its systems compromised by attackers who stole customers’ email addresses. Bitstamp stated that no virtual currency was stolen but the email addresses were being used in phishing attacks.

SEC halts international pyramid scheme being promoted through Facebook and Twitter. The U.S. Securities and Exchange Commission obtained a court order to freeze accounts belonging to MWF Financial and Fleet Mutual Wealth Limited due to the companies allegedly operating a pyramid scheme being promoted through social media networks. The companies operate internationally, and around 150 U.S. investors have invested around $300,000 in the alleged scheme.

Cisco patches flaws in routers, wireless LAN controllers. Cisco Systems released firmware updates for several models of small business routers and wireless LAN controllers, addressing vulnerabilities that could allow attackers to compromise devices or perform denial of service (DoS) attacks.

ChewBacca and Zeus malware found on Tor. A researcher at Kaspersky Lab reported that an average of 900 hidden criminal services are operating through The Onion Router (Tor) anonymity network, including malicious infrastructure, money laundering, and the sale of malware toolkits and stolen information.

3/5/2014

Smucker’s shuts down online store after hackers access payment card data. Ohio-based Smucker’s fruit spread company shut down its online store after it discovered that attackers breached the company’s systems and may have obtained customers’ payment card and personal information. A security researcher also reported that the group behind the attack also targeted payment processor SecurePay.

New Android devices sold with pre-installed malware. The founder of Marble Security reported finding data-stealing malware disguised as Netflix apps pre-installed on several customers’ new Android devices. Several Samsung, Asus, LG, and Motorola phones and tablets were found with the pre-installed malware.

3/4/2014

Flaw in Yahoo! Suggestions allowed hackers to delete 1.5 million posts and comments. A security researcher identified and reported an insecure direct object reference (IDOR) vulnerability in Yahoo’s Suggestions Web site that could have allowed attackers to escalate their privileges and delete large numbers of posts and comments. Yahoo addressed the issue within 2 days.

Researchers create legal botnet abusing free cloud service offers. Researchers presenting at the RSA Conference the week of February 24 demonstrated how they were able to create a botnet by abusing trial accounts for several platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) offers. The botnet was created by automating PaaS and IaaS trial sign-up processes and could be used to perform massive port scans, Bitcoin mining, and to manipulate sweepstakes, among other tasks.

3/3/2014

Casino operator Las Vegas Sands admits hackers have stolen customer data. Las Vegas Sands announced that cyberattacks which defaced some of its Web sites also compromised employee and customer data from its Sands Bethlehem casino in Bethlehem, Pennsylvania, potentially exposing credit card and bank account information, Social Security numbers, and other personal information. The company is continuing its investigation of the breach.

Gameover malware tougher to kill with new rootkit component. Sophos researchers reported that a new variant of the Gameover banking malware that steals online banking credentials includes a kernel-level rootkit called Necurs that can make the malware more difficult to remove from infected systems.

Meetup down for days due to DDoS attack allegedly ordered by a competitor. Social networking portal Meetup was hit by a distributed denial of service (DDoS) attack beginning February 27 that took the portal's Web site offline for several days. An attacker contacted the company, claimed responsibility, and demanded a payment to end the attack.

2/28/2014

Experts find vulnerabilities in RSA Conference 2014 Android application. Six flaws were discovered in the RSA Conference 2014 app, with the most severe potentially allowing an attacker to carry out a man-in-the-middle (MitM) attack. Another vulnerability exposed the app’s SQLite database file, which contained information on every user who signed up for the conference through the app.

Gameover borrows kernel-mode rootkit from Necurs malware. Security researchers warned that a new version of Gameover, the peer-to-peer (P2P) version of the Zeus Trojan, has introduced a kernel-mode rootkit from Necurs in order to target users. The new variant is delivered via spam runs and is more difficult to remove.

2/27/2014

Fake “payment certificate” notifications used to deliver cross-platform RAT. Symantec researchers reported a spam campaign designed to distribute the Java remote access trojan (RAT) dubbed JRAT that is cross-platform, potentially infecting machines running Windows, OS X, and Linux operating systems.

Flaws in Amazon’s mobile apps could have been exploited to crack passwords. Amazon patched its server after FireEye researchers reported that a weak password policy and the absence of any limit or CAPTCHA on password attempts could have been exploited by attackers to crack account passwords.
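The two weaknesses named in this item, a lax password policy and unlimited guessing, are independent controls, and the item shows why both matter: a limit on attempts buys little if the policy admits passwords guessable in a handful of tries, and a strong policy does not help if an attacker can make millions of attempts. The code below is an added example written for this page and is not Amazon’s or FireEye’s code; the user name, password, client address, window length, attempt limit and the tiny common-password list are all constructed for illustration. It enforces a minimum length and a deny-list, stores passwords with PBKDF2, and applies a sliding-window lockout keyed on both the account and the source address, so that neither guessing many passwords for one account nor spraying one password across many accounts from one address gets unlimited tries.

```python
import hashlib
import hmac
import os
import time
from collections import deque

MAX_FAILURES = 5          # failed attempts allowed per key inside the window (assumed value)
WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted (assumed value)
MIN_PASSWORD_LENGTH = 12  # policy minimum (assumed value)
PBKDF2_ITERATIONS = 100_000

# Constructed, deliberately tiny deny-list; a real deployment checks against a
# large list of breached and common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest) for storage; a fresh random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Record used when the user name is unknown, so the work done does not reveal valid names.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


class LoginGuard:
    """Sliding-window failure counter: a key is locked once it has max_failures
    failures within the last `window` seconds. The clock is injectable for testing."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = {}  # key -> deque of failure timestamps

    def _recent(self, key):
        now = self.clock()
        dq = self._failures.setdefault(key, deque())
        while dq and now - dq[0] > self.window:
            dq.popleft()  # drop failures that have aged out of the window
        return dq

    def is_locked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)


def authenticate(users, guard, username, password, client_ip):
    """Return 'locked', 'ok' or 'bad'. Throttling is checked before any password work."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(guard.is_locked(k) for k in keys):
        return "locked"
    record = users.get(username, DUMMY_RECORD)
    if username in users and verify_password(password, *record):
        for k in keys:
            guard.record_success(k)
        return "ok"
    if username not in users:
        verify_password(password, *record)  # same cost as a real check
    for k in keys:
        guard.record_failure(k)
    return "bad"


def run_demo():
    """Five wrong guesses, then the correct password inside the window (locked),
    then the correct password after the window has passed (ok)."""
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    users = {"alice": hash_password("correct horse battery staple")}  # constructed account
    outcomes = []
    for i in range(MAX_FAILURES):
        outcomes.append(authenticate(users, guard, "alice", f"guess{i}", "198.51.100.9"))
    outcomes.append(authenticate(users, guard, "alice", "correct horse battery staple", "198.51.100.9"))
    now[0] += WINDOW_SECONDS + 1
    outcomes.append(authenticate(users, guard, "alice", "correct horse battery staple", "198.51.100.9"))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The lockout is checked before the password is verified, so a locked key costs the server no PBKDF2 work, and the unknown-user path performs a dummy verification so that response time does not disclose which user names exist. A CAPTCHA, as mentioned in the item, would slot in where `"locked"` is returned, as an alternative to refusing outright.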

2/26/2014

Bitcoin-stealing Mac malware disguised as Angry Birds game. ESET researchers warned that cybercriminals are distributing OSX/CoinThief, malware designed to steal Bitcoins from Mac users, through torrent files, disguised as cracked versions of various popular Mac OS X applications.

Viruses can spread via Wi-Fi access points like the common cold, researchers show. University of Liverpool researchers found that a computer virus can spread through Wi-Fi access points between businesses and homes because many access points are not protected by encryption and passwords.

2/25/2014

Cybercriminals use Pony botnet to steal 700,000 account credentials, virtual currencies. Experts found that cybercriminals managed to steal more than 700,000 credentials for Web sites, email accounts, File Transfer Protocol (FTP) servers, Secure Shell (SSH), and Virtual Desktops utilizing the Pony botnet. The botnet was also used to steal $220,000 worth of virtual currencies targeting Bitcoin and other virtual currency wallets.

Researchers bypass protections in Microsoft’s EMET security tool. Bromium Labs researchers found a flaw in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) 4.1 that could potentially allow attackers to sneak malware past it by bypassing several key defenses, taking advantage of the tool’s reliance on detecting known return-oriented programming (ROP) attack vectors.

2/24/2014

Neiman Marcus says 350,000 cards are impacted by breach, not 1.1 million. Neiman Marcus published a letter on its Web site the week of February 17 stating that around 350,000 payment cards may have been affected by a 2013 data breach, not 1.1 million as originally reported, after learning the malware used in the breach was not operating at all stores, and was not operating every day.

Banking malware distributed via YouTube ads. Bromium researchers found that cybercriminals compromised an ad network used to serve advertisements on YouTube and used it to host the Styx exploit kit. The exploit kit leverages Java vulnerabilities to push Caphaw malware onto victims’ devices in order to obtain banking information.

2/21/2014

Leak of iBanking bot source code opens up new opportunities for cybercriminals. RSA researchers found that the source code for the server-side software of the iBanking mobile bot was leaked on a cybercrime forum, as well as a builder that can be used to unpack the existing APK file and repack it with different configurations.

Massive DDoS attack launched against Namecheap’s DNS platform. Namecheap announced that it suffered a massive distributed denial-of-service (DDoS) attack targeting around 300 domains on its DNS platform. The company mitigated the attack and restored services about 11 hours later.

2/20/2014

Cisco fixes flaws in several products. Cisco Systems released security updates addressing serious vulnerabilities in a range of products including its Unified Computing System (UCS) Director, Intrusion Prevention System, Unified SIP Phone 3905, and Firewall Services module products.

2/19/2014

Bank of the West job applicants told that hackers might have stolen their details. Bank of the West began notifying employment applicants in February that its Web site was breached and any personal information submitted may have been stolen by hackers.

New variant of Zeus banking Trojan concealed in JPG images. Researchers identified a new variant of the Zeus banking Trojan, ZeusVM, that is concealed in a JPG image file to avoid detection by security software. The JPG image files contain the malware configuration files that are needed to launch man-in-the-middle and man-in-the-browser attacks, which allow attackers to collect personal information and perform online transactions.

Zeus malware-botnet variant spotted ‘crawling’ Salesforce.com. Adallom researchers found that the Zeus trojan, malware known to steal banking credentials, was targeting Windows-based computers in order to swipe business data from the Salesforce Web site through a kind of Web-crawling action.

DoS, XSS, and data injection flaws fixed in Rails 4.0.3, 3.2.17 and 4.1.0.beta2. Ruby on Rails released fixes to address three vulnerabilities, including a data injection flaw impacting Active Record, a cross-site scripting (XSS) vulnerability, and a denial-of-service (DoS) issue in Action View.

US businesses suffered 660,000 internal security breaches. Researchers at IS Decisions found that in the last 12 months, over 660,000 internal security breaches took place in U.S. businesses, and only about 17 percent of information technology managers consider insider threats to be a top priority for their organization.

2/18/2014

Linksys announces firmware fix to neutralize “The Moon” worm. Linksys announced that it was aware of the “TheMoon” malware targeting its older routers and was working on a firmware fix, but advised administrators and users to disable remote administration on their devices in order to protect themselves from the attack.

Kickstarter suffers data breach. Kickstarter notified users that their user information was accessed following a data breach. The company closed the security vulnerability and began strengthening security measures on their systems, but recommended users change their passwords.

SEA hacks Forbes, steals and leaks 1M user records. The Syrian Electronic Army hacking group is believed to be behind a digital attack of the Forbes Web site and its registered users after more than 1 million user and staff records were obtained. The information was made available for public download and Sophos researchers discovered that passwords could potentially be cracked after learning they were salted and hashed, not encrypted.

2/14/2014

Cybercriminals abuse Twilio and Ow.ly for SMS phishing attack. Cloudmark researchers reported that cybercriminals are using Twilio and URL shortening service Ow.ly in an SMS message phishing campaign attempting to steal mobile service provider account login credentials.

Thousands of FTP sites compromised to serve malware and scams. Researchers at Hold Security reported that around 7,000 FTP sites and servers have been compromised and are being used by cybercriminals to host malware or to compromise connected Web services.

Fake SSL certificates used to impersonate Facebook, Google, banks. Netcraft researchers discovered a large number of fake SSL certificates in the wild purporting to be from banks, social networks, payment providers, and other services which could be used by attackers to conduct man-in-the-middle attacks. The researchers warned that mobile banking apps are especially vulnerable because they may not adequately check the validity of SSL certificates.

2/13/2014

Gameover Zeus most active banking Trojan in 2013, researchers report. Dell SecureWorks Counter Threat Unit released a report covering banking Trojans in 2013 and found that the Gameover ZeuS Trojan was the most actively observed Trojan during the year, with 38 percent of activity, followed by the Citadel Trojan at 33 percent of activity.

Android apps with Trojan SMS malware infect 300,000 devices, net crooks $6m. Researchers at Panda Labs identified a new Android Trojan app campaign that uses fake permission notifications to get users' devices to send SMS messages to a premium-rate number owned by the attackers behind the Trojan apps. The campaign has infected at least 300,000 devices and netted the attackers at least $6 million.

Linksys home routers targeted and compromised in active campaign. A security researcher reported that an unknown vulnerability is allowing Linksys E1000 routers to be targeted and infected with a worm dubbed TheMoon. The vulnerability is currently being heavily exploited in attacks.

US government delivers cybersecurity framework for critical infrastructure. The National Institute of Standards and Technology (NIST) announced February 12 that it has released the Framework for Improving Critical Infrastructure Security, a document which outlines cybersecurity practices and standards for industry and government to consider when developing security programs for critical infrastructure.

Denial-of-service vulnerability puts Apache Tomcat servers at risk. Researchers published a proof-of-concept exploit for a recently-disclosed vulnerability affecting Apache Tomcat servers that could allow attackers to execute denial-of-service (DoS) attacks against Web sites hosted on the servers.

2/12/2014

Corkow Trojan targets bank customers, Bitcoin owners and Android developers. Researchers at ESET have monitored the use of a modular banking Trojan known as Corkow that can be fitted with additional capabilities and is able to capture keystrokes and screenshots and inject phishing pages. The malware also appears to be targeting Android developers and the login credentials for Bitcoin Web sites.

HVAC company makes statement on Target data breach. Fazio Mechanical Services confirmed that attackers used a data connection with Target used for billing, project management, and contract submission to breach Target’s systems and steal large amounts of customer payment information.

2/6/2014

Insecure file sharing puts corporate data at risk. Globalscape released the results of a survey of over 500 corporate professionals and found that in the past 12 months, 63 percent of employees used personal email to send sensitive documents, and that employees frequently used potentially insecure consumer cloud services and sites to store sensitive information, among other findings.

2/5/2014

Suspicious activity in Washoe inmate’s account leads to credit card fraud lab. The Washoe County Sheriff’s Office reported that four individuals were arrested for allegedly running a fraudulent payment card operation after a suspicious amount of money in a county jail inmate’s account was noticed by a booking employee. Authorities seized thousands of credit card numbers and other information during the arrests and expected more arrests to follow.

Adobe Flash flaw exploited in the wild, update now. Adobe issued an emergency patch for a critical vulnerability in its Flash Player for Windows, Linux, and OS X systems that could allow an attacker to gain remote control of targeted systems. The vulnerability is being actively exploited in the wild and users were advised to install the patch immediately.

iFrame attack injects code via PNGs. Researchers at Sucuri identified an iFrame injection attack in the wild that embeds malicious code in .PNG files.

13 security holes fixed with the release of Firefox 27. Mozilla released the newest version of its Firefox browser, closing a total of 13 security vulnerabilities, including 4 rated as high-impact.

2/4/2014

Gameover ZeuS adds nasty trick. A researcher at Malcovery found that a new version of the Gameover ZeuS variant encrypts its .exe file and distributes it as a .enc file to avoid detection by security software. A phishing email with an attachment containing a new version of UPATRE is then used to decrypt and execute the file.

NameChanger Fake AV has over 200 names, uses social engineering kit to spread. A researcher at Fox-IT found that the group behind the Tritax fake antivirus malware is using three variants of NameChanger, which uses over 200 names to disguise the malware. The fake antivirus malware has been distributed using compromised, high-profile Web sites such as DailyMotion and Business Insider, and through ads on Skype.

2/3/2014

Hotel company investigates data breach, card fraud. Hospitality company White Lodging Services announced that it is investigating reports of a data breach between March 2013 and late December 2013 that may have exposed customers’ payment card information. The company manages 168 hotels in 21 states under franchises including Hilton, Sheraton, Marriott, and Westin.

DailyMotion still infected, serving fake AV malware. Researchers at Invincea reported that the DailyMotion video-sharing Web site continued to be compromised more than 3 weeks after malicious ads were first found on the site and reported.