Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The internet offers the potential for safe, convenient new ways shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau.  None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts.  If you receive an email purporting to be from any of the above organizations or other emails you are unsure about, do not open it.  The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit:

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.

Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers.  The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.


Los Angeles-area executive arrested in $9 million bank fraud scheme. An executive of Ontario, California based Eastern Tools and Equipment was arrested February 24 following an October 2014 indictment for his role in a scheme to defraud United Commercial Bank and East West Bank of more than $9 million. The executive and his co-conspirators allegedly overstated Eastern Tools’ accounts receivable to increase the company’s line of credit with the banks then shifted money from the company’s bank accounts into about 20 shell companies before siphoning the money into their personal accounts. 

Mozilla fixes 17 vulnerabilities in Firefox 36. Mozilla released version 36 of its Firefox browser closing 17 vulnerabilities and flaws, including 4 rated as critical. 

New DDoS attack and tools use Google Maps plugin as proxy. PLXsert security researchers discovered that attackers are exploiting a known vulnerability in Joomla’s Google Maps plugin by spoofing the sources of requests, causing results to be sent from proxies to their denial of service (DDoS) targets. Researchers identified more than 150,000 potential Joomla reflectors on the internet, many of which remain vulnerable to be used for this type of attack. 

Ramnit botnet shut down. Europol Cybercrime Centre (EC3) investigators, Microsoft, AnubisNetworks, and Symantec carried out an operation to shut down the Ramnit botnet’s 7 command and control (C&C) servers and redirected traffic from 300 domains used by the botnet. EC3 estimated that more than 3.2 million Windows computers have been infected with the botnet via spam campaigns, phishing scams, and drive-by downloads that installed malicious code to grant attackers access to banking credentials and other log-in information. 

McAfee: Popular mobile apps remain vulnerable to MitM flaws found last year. Intel Security’s McAfee Labs reported that almost 75 percent of the most popular mobile apps found vulnerable to man-in-the-middle (MitM) attacks remain exposed to attacks since they were first identified in a September 2014 analysis by the Computer Emergency Response Team (CERT) at Carnegie Mellon University.


Connecticut credit union manager found wearing suspected bomb vest. Police found February 23 an Achieve Financial Credit Union executive in a car outside of the New Britain, Connecticut branch with a bomb-like device strapped to his body in an apparent scheme to rob the financial institution that was aborted after the man was allegedly abducted from his home. The suspected explosive device was removed and destroyed without incident, and officials are seeking 3 suspects in connection with the incident while working to determine if the executive was a willing participant in the alleged plot. 

Older vulnerabilities a top enabler of breaches, according to report. Hewlett Packard security researchers reported that 44 percent of known breaches happened as a result of server misconfigurations and vulnerabilities discovered years ago. The report cites 33 percent of identified exploit samples from Microsoft Windows, 11 percent from Adobe Reader and Acrobat, 6 bugs in Oracle Java, and 2 flaws in Microsoft Office flaws. 

Norton update caused Internet Explorer to crash. Symantec released a new version of the Intrusion Prevention System (IPS) definition package after a corrupt file in the previous release caused the 32-bit version of Microsoft’s Internet Explorer Web browser to crash on computers running Norton Security, Norton Security with Backup, Norton 360, and Norton Internet Security. 

Comodo’s PrivDog breaks HTTPS security possibly worse than Superfish. A security researcher discovered that Comodo’s PrivDog browsing privacy protection tool compromised browsing security by acting as a man-in-the-middle (MitM), intercepting and replacing all certificates with its own, causing browsers to accept every HTTPS certificate regardless of authority. The issue could affect nearly 64,000 users worldwide, and PrivDog released an update with a fix for the issue. 

CSIS security group warns of fake emails using its name. CSIS security experts discovered an email campaign that spoofed the company’s email address and used an employee’s name to distribute a malicious attachment and deploy malware on the recipients’ machines. The Danish-based company provides security services for some of the largest global banks and acts as a consultant to governments, media, and businesses.


Ex-Oppenheimer executive pleads guilty in loan fraud scheme: A former Oppenheimer & Co executive pleaded guilty in Manhattan federal court February 20 for his role in a fraud scheme that deceived Oklahoma regulators and the company by collaborating with three individuals to process a $30 million loan through the investment bank for the fraudulent purchase of Providence P&C while illegally using the insurance company’s assets as collateral. The case originated with a related investigation into Park Avenue Bank, which went under in March 2010. 

Cisco IPv6 processing bug can cause DoS attacks: Cisco announced that its NCS 6000 and Carrier Routing System (CRS-X) contain an IPv6 software bug that attackers could repeatedly exploit by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card to cause an extended denial of service (DoS) condition. 

Superfish SSL interception library found in several applications: Researchers: Security researchers discovered that the Komodia Redirector and SSL Digestor, originally used by the Superfish software preinstalled on Lenovo laptops can be found in several products and at least 12 Facebook applications using the SSL interception library. The researchers stated that Komodia’s proxy software does not properly implement SSL or validate certificates, enabling attackers to potentially hijack affected users’ connections.


Tax related spear-phishing aims at CTOs in tech companies. Security researchers at Talos discovered a new phishing campaign targeting chief technology officers (CTOs) with malicious attachments disguised as Microsoft Word documents laced with macros that funnel in the Vawtrak banking trojan, which can capture user credentials for more than 100 online services. The emails purport to be related to large sum payment details and federal taxes, with some appearing to originate from fake government addresses. 

Commercial spyware found in enterprise environment. Security researchers at Lacoon Mobile Security and Check Point discovered 18 different commercial remote access trojan (mRAT) spying tools that connect to the company’s Wi Fi and communicate with the command and control (C&C) server on 1,000 of 900,000 corporate mobile devices tested. The spyware, generally marketed for monitoring children, allows employers to track the location of users, log activity on the device, access emails, texts, and contacts, and possibly activate the device’s microphone for recording. 

Hackers now popping Cisco VPN portals. An Australian hacker reported a flaw that allows attackers to crack customized Cisco virtual private networks (VPNs) to steal credentials, inject malware, modify Clientless Secure Sockets Layer (SSL) and VPN portal content, and launch cross-site scripting (XSS). Cisco stated that the flaw was due to improper implementation of authentication checks in the customization framework of Clientless SSL VPN portal versions earlier than October 8, 2014 and recommended customers follow their incident response process. 

Android malware takes over device’s shutdown process. AVG security researchers discovered a new mobile malware strain affecting Android devices that hijacks the shutdown process and obtains root permission to run nefarious activities such as initiating calls or taking pictures while the phone appears to be off.


Over 250,000 home routers found with duplicate SSH keys. A Shodan researcher discovered that mis-configuration of devices likely led over 250,000 home routers from Spain, 200,000 routers from mostly China and Taiwan, and 150,000 routers from the U.S. and Japan to share the same Secure Shell (SSH) keys, which could allow an attacker to gain access to any device with a single key. Researchers recommended disabling SSH connectivity in the router. 

Lenovo to stop pre-installing controversial software. Errata Security researchers determined that Superfish adware pre-installed on Lenovo computers hijacks and throws open encrypted connections, allowing hackers to seize connections and listen in through man-in-the-middle (MitM) attacks. Lenovo disabled all Superfish software from its consumer computers and stopped pre-installing the software on its devices, but experts warned that systems could still be vulnerable even after uninstalling the software. 

DoubleFantasy is Equation group’s first attack wave. Kaspersky analysts discovered that hackers from the cyber-espionage group Equation developed the DoubleFantasy trojan, a tool used to verify the infected system as a target and a vehicle for installing more sophisticated attack tools that could steal usernames and passwords for Microsoft’s Internet Explorer and Mozilla’s Firefox Web browsers, Windows protected storage on versions up to Windows XP, and operating system authentication subsystems on Windows Vista and above. Multiple versions of the tool were discovered, and some were deployed to targets via a post-meeting compact disk from a 2009 scientific conference in Houston


Accused Russian hacker to face charges in US court. A Russian national was extradited to the U.S. and charged February 17 in New Jersey for his alleged involvement in an international scheme that stole more than 160 million credit card numbers resulting in hundreds of millions of dollars in losses to consumers and financial institutions including Dow Jones, 7-Eleven, Nasdaq, Visa, and JetBlue. The suspect, arrested in the Netherlands in 2012, allegedly hacked victims’ networks to gain access to usernames and passwords, credit card and personal identifiable information, and sold them to resellers around the world. 

Fire badly damages Key Bank branch in Phoenicia; vault contents, customer records OK. The Key Bank branch in Phoenicia, New York, issued a statement that all client information and vault contents were secure February 17 after a February 16 fire caused extensive damage to the structure. The cause of the fire remains under investigation, and the bank is closed indefinitely until officials can repair the damage. 

Vawtrak trojan downloaded via malicious macro for Microsoft Word. Trend Micro security researchers discovered a new cyber criminal campaign targeting banks including Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan with emails containing malicious macro-enabling Microsoft Word documents that install the Vawtrak banking trojan by downloading a batch file, a visual basic scripting edition (VBS script), and Powershell file. The malware serves clients modified pages to trick them into providing log in data for Microsoft Outlook, Google Chrome, Mozilla Firefox, and file transfer protocol (FTP) clients. 

Banking trojan Dyreza sends 30,000 malicious emails in one day. Bitdefender security researchers discovered that 30,000 malicious emails containing the banking trojan Dyreza were sent in one day to customers of banks including HSBC, NatWest, Barclays, RBS, Lloyds Bank, and Santander from servers in the U.K., France, Turkey, Russia, and the U.S. The trojan allows hackers to covertly steal credentials and manipulate accounts. 

Author of Android Xbot malware includes curse at AV companies. Avast security researchers discovered that the Xbot Android malware infected over 2,570 installations in 350 unique files through third-party marketplaces since the beginning of February. The malware persistently runs on infected devices, has the capability to download content to command and control (C&C) servers, and primarily focuses on capturing, reading, and writing short text messages. 

Credit card info stolen in BigFish Games site compromise. BigFish Games reported that the personal and financial information of some of its customers that made purchases between December 24, 2014 and January 8 may have been compromised after the company discovered malware installed on the billing and payment pages of their Web site January 12. Affected customers were notified of the breach February 11, and the company removed the malware and has taken steps to prevent the malware from being reinstalled. 

Siemens fixes security flaws in Simatic Step 7 (TIA Portal). Siemens patched two minor and two more severe vulnerabilities due to glitches in Simatic Step 7 that allowed hackers to possibly learn user passwords, escalate privileges, or hijack and intercept industrial communication on TCP port 102. 

Flaw in Netgear Wi-Fi routers exposes admin password, WLAN details. A network engineer discovered and notified Netgear support that certain versions of the brand’s WNDR3700v4, WNR2200, and WNR2500 home wireless routers contain a vulnerability in the embedded simple object access protocol (SOAP) service that could allow unauthenticated remote and locally-connected attackers to obtain the administrator password, device serial number, WLAN details, and various information related to clients connected to the device. 

Arabic threat group attacking thousands of victims globally. Kaspersky Lab security researchers reported that “Desert Falcons,” the first known full-scale Arabic cyber-espionage group, has used spear-phishing and social engineering techniques to deliver two backdoors though 100 malware samples to infect Windows PCs and Android devices of targets based in Egypt, Palestine, Israel, Jordan, the U.S., and other countries for at least 2 years. The malware has full-backdoor capability as well as the capability to steal call and SMS logs in Android versions, and attackers have targeted victims from political, military, government individuals and organizations, media outlets, energy and utility providers, physical security companies, and others holding geopolitical information.


Ongoing cyber attack on banks worldwide creates billion dollar loss. Kaspersky security researchers discovered that cyber criminals robbed over 100 financial institutions worldwide of up to $1 billion by using spear-phishing attacks exploiting 2 vulnerabilities in Microsoft Office and 1 vulnerability in Microsoft Word to install malware and infiltrate institutions’ networks. The attackers cashed in by instructing ATMs to dispense money at specific times without payment cards, opening accounts with fake balances, and artificially inflating account balances of bank customers and then transferring the surplus to their accounts in China and the U.S. 

Feds: Up to 900 potential victims of insurance scam preying on trucking companies. Federal investigators seized approximately $732,000 from Appeal Insurance Agency bank accounts February 12 alleging that the owner scammed up to 900 victims, primarily in commercial trucking, by collecting insurance premiums without securing legitimate policies and using the money to fund his lifestyle and pay off insurance claims filed with his office. Authorities found that $3.7 million was deposited into one of the owner’s accounts between January 2013 and July 2014. 

Firmware of over a dozen hard drive brands altered to lodge malware. Kaspersky researchers discovered that a cyber-espionage group calling itself Equation modified hard drive firmware in over 12 brands to potentially infect tens of thousands of computers worldwide, including those in sectors such as government and military institutions, nuclear research, oil and gas, telecommunications, transportation, and the financial sector, among others. Reprogramming the firmware allowed attackers to create persistent hidden storage spaces accessible only through specific methods known to them.


In the wake of TurboTax fraud, email scams emerge. Intuit reported an increase in phishing scam attempts to harvest personal and financial information from TurboTax users using a variety of themes including notifications of bogus security checks, fake tax return status updates, or notices of locked accounts. Users are led to click on an URL that links to a fake log-in page used by hackers to steal names, addresses, and Social Security numbers. 

Brinks guard shot at Capital One Bank near Galleria dies. Authorities are searching for three suspects after their getaway vehicle was found near the robbery scene following an attempted robbery of a Brinks truck that left a security guard dead near the Galleria area of Houston February 12. The suspects shot at the vehicle and the security guard during the incident. 

16 million mobile devices infected by malware. Alcatel-Lucent’s Motive Security Labs released a report and found that approximately 16 million mobile devices worldwide were infected by malware, with a 25 percent increase in infections in mobile devices in 2014. Researchers also found that command and control (C&C) protocols were more sophisticated and mobile spyware increased, among other findings. 

RIG exploit kit source code leaked online. Trustwave researchers analyzed an alleged leak of a source code for an RIG exploit kit and determined that the code is legitimate after the individual published the code after attempting to sell it online. The leaker also purported that the exploit kit included exploits for two Internet Explorer, two Adobe Flash Player, one Microsoft Silverlight, and two Java vulnerabilities.


Several PayPal-mimicking phishing sites taken offline. OpenDNS researchers found a number of phishing Web sites that appear as legitimate PayPal sites being used to steal user’s login credentials. PayPal is working to shut down the fraudulent sites. 

Ex-GOP candidate for governor facing fraud charges. A former candidate for governor and his girlfriend were arrested and charged during the week of February 2 for allegedly stealing more than $11 million from investors in New York and North Carolina and attempting to defraud banks of $8 million by submitting fake tax returns and inflated pay stubs in 3 schemes between February 2009 and July 2013. The pair allegedly promised investors that their money was being used to buy and consolidate other investments firms while the funds were being used for pair’s personal use and other business ventures. 

Google Play, browser flaws expose Android devices to remote code execution. Researchers at Rapid7 reported that vulnerabilities in Google Play due to a lack of appropriate X-Frame-Options (XFO) headers combined with a universal cross-site scripting (UXSS) vulnerability in browsers shipped with Android versions prior to 4.4 (KitKat), or a cross-site scripting (XSS) bug in Google Play, could be leveraged by attackers to remotely install arbitrary Android application packages (APKs) on smartphones. Attacks can be prevented by logging out of the Google account prior to using the affected browsers, or by using Mozilla FireFox or Chrome instead. 

Simplocker ransomware for Android returns with new version. Avast researchers reported that over 5,000 unique users were infected by a newly discovered Simplocker ransomware variant for Android that poses as an Adobe Flash Player update, employs unique encryption keys to make unlocking difficult, and displays a fake notification from the FBI about suspicious files and copyright infringement to fool victims into paying the $200 ransom.


Feds seize over $7 million (plus a little Bitcoin) during software piracy investigation. Federal agents seized $25,000 in cryptocurrency from a Seattle resident and more than $7 million and other assets from related suspects in December 2014 as part of an ongoing software piracy case. The January 30 court filing alleges that suspects traded and distributed fraudulent product activation key codes for Microsoft and other software through e-commerce sites to make at least $30 million in profits since 2009. 

Cyber Caliphate hackers take over Twitter account of Newsweek. The FBI is investigating a February 10 hijack of Newsweek’s Twitter feed in which attackers claiming to be Islamic State (ISIS)-affiliated hacker group Cyber Caliphate posted threats to the U.S. President’s family before the company regained control of the feed within 14 minutes. Newsweek confirmed that the Twitter accounts of International Business Times and Latin Times were also hijacked by the group. 

Researchers bypass all Windows protections by modifying a single bit. Microsoft released a patch for two vulnerabilities, including one that affected all versions of the Windows Operating System via Windows kernel-mode driver and allowed attackers to install software, view and change data, and create new accounts with full administrative rights. A patch addressing a critical remote code execution flaw was also released. 

Microsoft patches critical Windows, Internet Explorer vulnerabilities in Patch Tuesday update. Microsoft issued 9 security bulletins that fixed a total of 41 vulnerabilities as part of its Patch Tuesday updates that addresses issues for Windows, Office, and Server Software. 

Microsoft corporate clients targeted with volume license phishing email. A Cisco Threat Defense researcher reported that cyber-criminals were targeting Microsoft’s corporate users with phishing emails purporting to be from Microsoft’s Volume Licensing Service Center which contains a link that leads to a compromised WordPress server and downloads the Chanitor malware.


Waldwick police seize 125 credit cards from Walgreens customers. Three individuals were arrested by police at a Waldwick Walgreens February 7 when they were caught with more than 125 stolen credit cards allegedly taken from all over the U.S. The suspects were caught while they were purchasing a gift card and police found additional gift cards on them while they were arrested. 

New York plans cybersecurity reviews of insurers after breach. New York’s Financial Services Department announced plans February 9 to increase State insurers preparedness through regular cyber-security reviews and enhanced regulations in the wake of February’s Anthem Inc., breach that affected up to 80 million customers. 

About 40,000 MongoDB databases found open online. Three Saarland University cyber-security students reported security vulnerabilities in MongoDB’s database configuration, including servers with no access control mechanisms that could potentially allow access outside the backend and expose the information of millions of customer to unauthorized parties. An initial scan found nearly 40,000 databases that were open, prompting the researchers to submit their findings to MongoDB maintainers for integration into revised security instructions for users. 

Researcher publishes 10 million usernames and passwords. A researcher released 10 million username/password combinations that he collected over the years in an attempt to advance research and make authentication more secure. The researcher asserted that most combinations were dated and had been scrubbed of all identifying and compromising information. 

Box Sync for Mac exposed sensitive information: Researcher. Box Sync for Mac released version 4.0.6035 to fix a security issue discovered in January that exposed Python files containing sensitive data such as application program interface (API) keys, internal user IDs, passwords, and URLs. Box Sync representatives asserted that customer data was never at risk. 

LG fixes authentication bypass vulnerability in on-screen phone app. LG released On-Screen Phone application update 4.3.010 to fix a vulnerability discovered by Search-Lab researchers in September 2014 that allowed attackers to possibly bypass authentication and take control of users’ smartphones without their knowledge through a connection between the mobile device and the computer conducted via USB cable, Wi-Fi, or Bluetooth.


Tax fraud prompts Intuit to temporarily suspend state e-filing. Financial software developer Intuit paused State income tax e-filings made through the company’s TurboTax services February 5 and restored services February 6 after suspected fraudulent filings using stolen identities appeared in returns from 19 States. 

Area real estate investor guilty in multimillion dollar wire fraud, monetary transactions case. A real estate investor pleaded guilty February 6 to defrauding investors out of $7 million to $20 million using the Quantico Corporate Center in Stafford, Virginia, as an investment opportunity. Instead of investing the millions into land development deals, the real estate investor spent the money on poor day trading investments and other transactions. 

Surfside investment advisor in Ponzi scheme charged with fraud. A Surfside investment advisor was charged with wire-fraud conspiracy February 5 for allegedly receiving commissions in return for advising investors to sink millions into a $1.2 billion Ponzi scheme. The investment advisor collaborated with a Fort Lauderdale lawyer who was convicted and sentenced in 2010 for his role in the investment scam. 

DDoS malware for Linux distributed via SSH brute force attacks. FireEye researchers reported February 9 that a campaign utilizing Secure Shell (SSH) brute force attacks to install a distributed denial of service (DDoS) XOR.DDoS malware, first discovered by Malware Must Die in September 2014, has executed nearly 1 million login attempts between November 2014 and the end of January.


Impostors bilk Omaha’s Scoular Co. out of $17.2 million. Officials reported that Scoular Co., of Omaha was defrauded out of $17.2 million in June 2014 when perpetrators impersonated the company’s chief executive and outside auditing firm via email and ordered the Scoular controller to wire 3 separate payments to the Shanghai Pudong Development Bank in China, to be held for Dadi Co. Ltd. The FBI is seeking to recover the lost funds and continues to investigate the incident. 

Suspected bank robber shot and killed by police after chase in Chino. A man who robbed the Corona branch of the Pacific Premier Bank February 4 was killed in a shootout with police after allegedly carjacking a vehicle and leading a pursuit that ended in Chino, after crashing the car. 

Zero-day flaw in WordPress plugin used to inject malware into sites. WordPress patched a zero-day flaw in its FancyBox plugin after Sucuri researchers noted the vulnerability could allow attackers to inject malware or scripts into Web sites, after numerous users complained of malicious “iframe” injections on their sites. 

Adobe Flash Player security update fixes 18 vulnerabilities. Adobe released updates that patch a total of 18 Flash Player vulnerabilities, including fixes for use-after-free flaws and two types of confusion vulnerabilities.


Former Inland Empire insurance agent pleads guilty to federal bank fraud and tax charges in scheme that netted nearly $6 million. A former licensed insurance agent and owner of Hamilton Brewart Insurance Agency in Upland, California, pleaded guilty February 2 to charges of bank fraud and filing false tax returns after he secured over $5.9 million in loans to pay for his insurance company’s expenses from Universal Bank in his clients’ names without their knowledge or authorization from at least 2008 through 2012. 

Flash Player patches zero-day vulnerability. Adobe released an update for its Flash Player affecting version and earlier versions for Windows and Macintosh that fixes a zero-day vulnerability reported by Trend Micro researchers. The vulnerability was leveraged by attackers through the Hanjuan exploit kit in malvertising campaigns on popular Web sites targeting Internet Explorer and Mozilla Firefox users. 

Kovter trojan distributed via malvertising on Huffington Post. AOL removed malicious content from its network after Cyphort researchers discovered the spread of a previously observed malvertising campaign which delivers the Kovter trojan for ad-fraud to popular Web sites through three advertising networks. The researchers also found that this campaign utilizes different command and control (C&C) servers. 

Accused Silk Road operator convicted on U.S. drug charges. A federal jury convicted the suspected founder of the underground Silk Road Web site February 4 on several charges, including conspiracies to commit money laundering, computer hacking, and drug trafficking for his role in an approximately $200 million anonymous online drug sale scheme involving Bitcoins. Source: http://www.


S&P reaches $1.5 billion deal with U.S., states over crisis-era ratings. Credit rating firm Standard & Poor’s parent company McGraw Hill Financial Inc., will pay $687.5 million to the U.S. Department of Justice and $687.5 million to 19 U.S. States and the District of Columbia and will pay the California Public Employees’ Retirement System $125 million in a settlement reached February 2 to resolve a collection of lawsuits over the company’s ratings on mortgage securities that soured leading up to the 2008 financial crisis. 

Apple iOS now targeted in massive cyber espionage campaign. Trend Micro researchers discovered two malicious applications which utilize Apple’s iOS operating system connected to Operation Pawn Storm, a cyber espionage campaign targeting personal information, text messages, contact lists, voice recordings, pictures, lists of installed apps and processes, and geolocation data from personnel in Western military, government, defense industry firms, and the media. 

Dangerous Internet Explorer vulnerability opens door to powerful phishing attacks. Microsoft reported that it is working on a security update to address an Internet Explorer universal cross-site scripting (XSS) vulnerability discovered by a Deusen researcher that could allow attackers to bypass the Same-Origin Policy to launch phishing attacks or hijack users’ accounts on any Web site.


Former nonprofit CEO arrested, charged in $14 million health care fraud case: A former CEO of a Birmingham nonprofit was arrested and charged February 2 for his involvement in a scheme that included bank fraud, money laundering, and conspiracy in connection to his employment or involvement with Birmingham Health Care, Central Alabama Comprehensive Health, Birmingham Financial Credit Union, and several for-profit businesses known as Synergy Entities based on allegations that he diverted $14 million in funds to his private businesses over 6 years. 

Financial adviser pleads guilty in California to investment scheme: A New Jersey financial adviser to professional athletes and entertainers pleaded guilty February 2 to charges of wire fraud in connection to presenting a scheme to an undercover FBI agent to exaggerate the costs of Burger King franchises to investors in San Diego by planning on telling investors that the franchises would be purchased for $37 million, more than double their actual cost. The financial advisor planned to fraudulently take a 50 percent ownership stake, and hoped to take millions of dollars “off the top” of the deal. 

Dyre banking trojan uses worm to spread via Microsoft Outlook: Researchers at Trend Micro discovered a new variant of the Dyre (Dyreza) malware in the form of a spam email containing the Upatre downloader that propagates itself via a worm that uses Microsoft Outlook to send emails to targets, including 355 sites belonging primarily to banks and Bitcoin wallets. 

Security flaws in SerVision HVG video gateway grant access to the web interface: Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) reported that two high-severity vulnerabilities in SerVision’s HVG video gateway product series which could allow unauthorized access to the unit’s web interface and enable users to log into the web interface with administrative rights were resolved in the latest revision of the firmware. The privilege elevation danger has yet to be mitigated.


Beware of phishing scam pretending to be Better Business Bureau questionnaire: The Better Business Bureau (BBB) warned February 2 that scammers sent bogus emails to possibly tens of thousands of businesses across the country, prompting the recipients to open a ZIP file attachment which leads to a Web site that delivers malware onto the user’s computer. The BBB is working with security vendors to mitigate the threat and disable the Web site. 

Raptr hacked, user info and passwords compromised: A representative from Raptr, a gaming social network site, announced January 28 that its network may have been breached and an unidentified number of users’ data, including names, email addresses, and password hashes, may have been accessed. Officials advised users to update log-in credentials associated with their Raptr account and change any related passwords. 

Another Flash zero day emerges: Adobe released February 2 that it is working on a patch for a zero day vulnerability in Flash Player that could cause a crash and allow an attacker to take control of the affected system. The vulnerability is reportedly being exploited via drive-by-download attacks against Windows, OS X, and Linux systems running Internet Explorer and Firefox. 

Hackers compromise business IM service HipChat: HipChat posted a security notice January 31 warning that hackers breached the firm’s defenses and accessed names, usernames, email addresses, and encrypted passwords for less than 2 percent of its customers. HipChat triggered a password reset for all affected users as a precaution. 

Facebook malware poses as Flash update, infects 110K users: A trojan posing as a Flash update infected approximately 110,000 Facebook users in 2 days by posting malicious video links that lead to a malware downloader on the profiles of previously infected users. Facebook is aware of the malware that can manipulate keystrokes and mouse movement on an infected computer and is working to block links to the scam.


Romanian national admits role as ringleader of $5 million ATM skimming scheme: A Romanian national extradited from Sweden in 2014 pleaded guilty in federal court in Newark, New Jersey, January 29 to leading an ATM skimming scheme that targeted thousands of bank customers across multiple States and defrauded several financial institutions of at least $5 million. Eleven of the 15 alleged co-conspirators have pleaded guilty to charges in connection to the scheme. 

New “F0xy” malware uses clever techniques to stay hidden: Websense researchers discovered a new piece of malware that uses legitimate Web sites and services to minimize its detection so it can download a crypto-currency miner onto an infected machine. Earlier versions of the malware worked solely on Windows Vista and later versions of Microsoft’s operating system, while the most recent variants will also run on Windows XP. 

Multiple security weaknesses in Microsoft Outlook for iOS revealed by developer: A developer at GmbH discovered that Microsoft Outlook for iOS functions violate best security practices and present business risks by storing business email credentials in the cloud and allowing use of a single ID across devices, creating challenges for administrators to maintain security levels for company data. 

Skeleton Key malware linked to backdoor trojan: Symantec: Symantec researchers reported that the Trojan.Skelky (Skeleton Key) malware appears to have been used in conjunction with the Backdoor. Winnti malware family and is capable of bypassing authentication on Active Directory (AD) systems. Skeleton Key malware was identified by Dell SecureWorks in January and was detected on computers in five unidentified organizations with offices in the U.S. and Vietnam since 2013.


Oppenheimer hit with $20M in fines: Investment advisory firm and broker dealer Oppenheimer & Co. will pay $20 million in regulatory fines for improperly selling billions of shares of penny stocks in unregistered offerings on behalf of customers, failing to file Suspicious Activity Reports, and withholding and remitting more $3 million in backup withholding taxes from sale proceeds. 

ZeroAccess click-fraud botnet back in action again: Researchers at Dell SecureWorks reported that the ZeroAccess botnet that was disrupted by authorities in 2013, resurfaced and is targeting major search engines and browsers to perpetrate click fraud templates to compromised systems. 

Apple fixes tens of vulnerabilities in OSX, iOS, Safari, Apple TV: Apple released updates for OSC, iOS, Safari and Apple TV addressing a total of 54 security issues and the disabling of all Flash Player plugins prior to versions and following recent reports of Adobe Flash Player zero-days. 

GHOST glibc remote code execution vulnerability affects all Linux systems: Researchers with Qualys discovered a critical vulnerability in the Linux GNU C Library (glibc) known as GHOST that can be triggered by the library’s gethostbyname functions that could allow attackers to execute code and remotely gain control of Linux machines.


Watertown insurance agent Loren Holzhueter ran $10 million Ponzi scheme, feds allege: A Watertown insurance agent and one of his companies were charged with five counts of securities fraud in federal court in Madison by the U.S. Securities and Exchange Commission for running a $10 million Ponzi scheme and failing to provide correct information to at least 122 investors on how their money was being used. 

D-Link routers vulnerable to unauthorized DNS changing: A recently published proof-of-concept exploit from a security researcher at Ethical Hacker, illustrated a vulnerability found in DSL router model D-Link DSL-2740R, which allows remoter hackers to change the device’s domain name system (DNS) settings and redirect users to malicious online locations hosting malware or phishing pages. 

Flash Player update patches two critical vulnerabilities: Adobe released an update in Flash Player to version to address a zero-day vulnerability, CVE-2015-0311, the second of two previously unreported critical flaws that have been patched in the last week, that allows attackers to install malware by visiting compromised websites or malicious ads in their browsers. 

Serious vulnerability in Blackphone exposed messages, location: A security flaw in Silent Text, an instant messaging app available on the privacy-focused Blackphone, could be exploited by a remote attacker to execute arbitrary code and enable the complete control of a targeted device. The vulnerability has been closed by Blackphone and its developer Silent Circle. 

Apple to Patch Thunderstrike, vulnerabilities disclosed by Google: Apple released updates for its OS X operating system that includes patches for several vulnerabilities including a flaw in the software that enabled the Thunderstrike boot kit attack.


Secret Service investigating ATM thefts along I-10 corridor: Whitney Bank Louisiana warned its customers and anyone who may have used their ATMs about a fraud scheme after it detected unauthorized activity at several ATM locations along the Interstate 10 corridor January 24 that may have also affected cities in Texas, Mississippi, Alabama, and Florida. The bank deactivated and will reissue approximately 7,100 debit cards as authorities are continue to investigate. 

Bucks County family accused of using massive insurance fraud scheme to finance life of luxury: A Buckingham Township woman, four members of her family, and two others were arrested and charged January 22 for allegedly conspiring to defraud insurance companies in excess of $20 million for personal use. Approximately $7 million in assets were seized as a result of an investigation that was initiated following an October 2013 fire at the family’s home, the third fire at the residence in 5 years. 

Nifty Fifty’s accountant pleads guilty to tax fraud scheme: The accountant for the restaurant chain Nifty Fifty’s, pleaded guilty in federal court January 26 for his role in a conspiracy to commit tax evasion to avoid paying millions of dollars in personal and employment taxes by failing to properly account for more than $15 million gross receipts. Five individuals previously pleaded guilty to charges for their roles in the fraud scheme. 

Super Bowl fans warned about vulnerable NFL mobile app: Researchers at Wandera, a mobile gateway company, reported a vulnerability in the official National Football League (NFL) mobile apps for iOS and Android that exposes users’ personal information immediately after the user signs into the mobile app in a secondary unencrypted API call, and can be intercepted through man-in-the-middle (MitM) attacks. 

Regin cyber-espionage platform manned by the NSA: Researchers at Kaspersky Lab discovered a link in the keylogger dubbed QWERTY, a plugin for the WARRIORPRIDE malware framework, to be identical in functionality to Regin malware plugin 50251, responsible for kernel-mode hooking. The Regin platform targets telecommunication companies, government organizations and political entities, financial institutions, academia and specific individuals. 

Supposedly clean Office documents download malware: Bitdefender is warning Microsoft Office users of a new spam campaign that resembles a tax return, a remittance, or form of bill from a bank and carries a Microsoft Word or Excel attachment that will automatically execute a piece of malware with a macro code disguised to bypass traditional antivirus if downloaded. 

Android Wi-Fi Direct DoS vulnerability discovered: A researcher from the CoreLabs Team discovered a Denial of Service (DoS) vulnerability in some Android devices that could allow an attacker to send a specially crafted 802.11 Probe Response frame causing the Dalvik subsystem to reboot because of an Unhandle Exception on WiFiMonitor class. The Android security team was informed of the flaw in September 2014.


More than 150 fraudulent credit cards found during traffic stop. A Louisville driver and passenger were arrested and charged with one count of fraud January 22 after approximately 170 fraudulent credit cards were discovered in the suspect’s car during an unrelated traffic stop in Seymour by Indiana State Police. 

Wells Fargo, JPMorgan settle mortgage kickbacks probe. Wells Fargo and JPMorgan Chase agreed January 22 to pay a collective $35.7 million in penalties and consumer compensation to resolve allegations that loan officers with the 2 banks participated in a mortgage kickback scheme with a now-defunct company, Genuine Title, in exchange for cash and marketing services. More than 100 former Well Fargo loan officers in at least 18 branches located primarily in Maryland and Virginia, and at least 6 former JPMorgan Chase loan officers in 3 separate branches in Maryland, Virginia, and New York, were involved with the scheme. 

PHP 5.6.5 fixes flaw leading to remote code execution. The latest version of hypertext preprocessor (PHP) version 5.6.5 closes several security vulnerabilities including a flaw identified as CVE-2014-9427 that could be exploited by an attacker to execute code remotely on an affected machine if certain conditions are met. 

Google Apps admin panel falls for XSS, issue researcher gets $5,000. Google awarded a Blizzard Entertainment researcher for discovering a cross-site scripting (XSS) vulnerability that relied on a JavaScript code to be executed in the Google Apps administration console, which would grant an attacker full control of the Google account. 

Mobile banking apps are risky business for Android users. A RiskIQ report found that more than 40,000 of about 350,000 mobile apps used for financial transactions should be considered suspicious with many of them containing malware and adware.


SEC charges former executive at Tampa-based engineering firm with FCPA violations. Tampa-based PBSJ Corp., also known as The Atkins North America Holdings Corp., agreed to pay a $3.4 million fine, among additional agreements, January 22 in a settlement with the U.S. Securities and Exchange Commission to settle allegations of offering bribes and employment to foreign officials to obtain Qatari government contracts, violating the Foreign Corrupt Practices Act. 

Remote code execution flaw found in iPass Open Mobile Windows Client. A security researcher at Code White GmbH reported vulnerability in the iPass Open Mobile Windows Client that could allow an attacker to execute arbitrary code by sending a specially-crafted unicode string to a subprocess with SYSTEM privileges. The developers released a patch to address the flaw in the iPass network that includes free and open access hotspots, certain hotel and convention venues, and provides Internet access to trains with WiFi support as well as in-flight WiFi in airplanes. 

Three OS X vulnerabilities disclosed by Google. Google released a report containing details and proof-of-concept code for three vulnerabilities, including a code execution vulnerability, memory corruption bug, and a sandbox escapes, affecting Apple’s OS X operating system reported on October 20, October 21, and October 23. 

“Friendlier” Critroni ransomware variants spotted in the wild. Security researchers at Trend Micro discovered new strains of Critroni ransomware (CTB-Locker) in January that allows a grace period of 96 hours, the opportunity to decrypt five files, and an increase in the ransom amount.


FX options scam charged by US Court - $2.16 million penalty and trading ban. Two individuals and a company were charged by a federal court in New York January 22 for fraudulently soliciting retail clients to trade FX options with misappropriating client funds between 2001 and 2008, targeting individuals from around the world including North America and Europe and sustaining severe losses of $1.7 million trading in financial derivatives. 

SEC announces charges against Standard & Poor’s for fraudulent ratings misconduct. Standard & Poor’s Rating Services (S&P) reached a settlement January 21 with the U.S. Securities and Exchange Commission (SEC) to resolve a series of federal securities law violations for fraudulent misconduct in its ratings of commercial mortgage-backed securities. The agreement requires S&P to pay more than $58 million to the SEC and plus an additional $21 million in penalties to settle parallel cases in New York Massachusetts. 

FBI hunts gun-toting ‘Poncho Bandit’ in bank holdup spree. Authorities are searching for a suspect known as the “Poncho Bandit” responsible for four bank robberies and one attempted bank robbery throughout South Florida from May - December 2014. 

SEC charges investment adviser and manager in south Florida-based fraud. The U.S. Securities and Exchange Commission (SEC) announced January 21 fraud charges and an assets freeze against Elm Tree Investment Advisors LLC, a Florida-based investment advisory firm, its manager, and three related funds in a scheme that raised more than $17 million from investors since November 2013 and mislead them by using most of the money raised to make Ponzi-like payments. 

Angler exploit kit goes after new Adobe Flash 0-day flaw. A malware researcher discovered an unconfirmed zero-day vulnerability in Adobe Flash Player versions and that was found in the popular Angler exploit kit and exposes users of Windows XP, 7, 8 and Internet Explorer 6, 7, 8, and 10 to the Bedep trojan that makes the victims’ computer perform ad fraud calls. 

Google fixes 62 security bugs with release of Chrome 40. Google announced a release of Chrome 40 for Windows, Mac OS, and Linux, closing 62 vulnerabilities, including the disabling of SSL 3.0, a protocol found to be vulnerable to POODLE attacks. 

Remote code execution vulns hit Atlassian kit. Atlassian has released updates to patch a serious vulnerability, an Object-Graph Navigation Language (OGNL) double evaluation vulnerability found in all versions of its Confluence, Bamboo, FishEye, and Crucible products that could allow an attacker to execute Java code of their choice on systems that use the affected frameworks as long as they can access their Web interfaces 

Click-fraud malware brings thousands of dollars to YouTube scammers. Researchers at Symantec reported a two-component click-fraud malware dubbed Tubrosa, which could allow an attacker to compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views and take advantage of the YouTube Partner Program validation process


Former McAllen-based CEO admits to $26M wire fraud. A former chief executive of USA Dry Van Logistics, a McAllen-based trucking company, pleaded guilty January 20 to his role in a wire fraud scheme that defrauded GE Capital Corporation out of more than $26 million between March 2008 and January 2010. The former executive admitted to falsifying documentation to hide his company’s true financial condition in order to borrow hundreds of thousands of dollars every week and allow the company to appear profitable 

‘Loan Ranger Bandit’ pleads guilty to 13 bank robberies. A suspect known as the “Loan Ranger Bandit” pleaded guilty to 13 counts of bank robbery in federal court in Waco, Texas, January 16. The suspect admitted to 11 bank robberies in Texas and 2 bank robberies in Arkansas, and is suspected of additional bank robberies in Kentucky, Mississippi, and Texas. 

Michigan police bust card fraud ring. Three suspects in connection to a payment card fraud ring were arraigned in Jackson County District Court January 12 on 1 count of criminal enterprise, racketeering proceeds and 5 counts of illegal use of sale of a financial device that caused more than 300 fraud complaints and $100,000 in bogus charges on member credit and debit cards from American 1 Credit Union. 

Siemens fixes vulnerabilities in SCALANCE, SIMATIC solutions. Siemens released firmware updates for the SCALANCE X-300 switch family and SCALANCE X408 running firmware versions prior to 4.0 to address denial of service (DoS) vulnerabilities that can be exploited by an unauthenticated attacker to cause a device to reboot by sending malformed HTTP requests or sending specifically crafted network packets to the device’s FTP server. 

Ransomware incidents on an upward trend, FBI warns. The FBI issued an alert January 20 and warned computer users of a newer variant of the CrytoWall data encryption malware that infects computers and restricts users’ access to files until a fee is paid and the files are unlocked. The malware has been spotted in the wild, featuring localized ransom messages and trying to connect to decryption services hidden in the Invisible Internet Project (I2P) network. 

Java patch plugs 19 security holes. Oracle released its quarterly patch update for Java, closing at least 19 security vulnerabilities including 13 flaws that are remotely exploitable. 

Hard-coded FTP credentials found in Schneider Electric SCADA Gateway. Schneider Electric released an update to address 2 flaws for their ETG3000 FactoryCast HMI Gateway, which is used in manufacturing, energy, water, and other industries as a Web-based SCADA system that could allow unauthenticated remote access to the device’s FTP server and configuration files. 

Potential code execution flaw haunts PolarSSL library. Researchers at Certified Secure discovered a vulnerability in PolarSSL, an open-source SSL library, which could enable an attacker to execute remote code execution and a denial of service (DoS) attack.


VideoLan says flaws exist in codecs library, not VLC. A security researcher discovered two vulnerabilities in libavcodec, a free open-source audio/video codecs library used by VLC, Xine and MPlayer media players that could allow the attacker the ability to corrupt memory and exploit arbitrary code. 

CSRF flaw allowed attackers to hijack GoDaddy domains. A security researcher discovered that Internet domain registrar GoDaddy failed to implement any cross-site request forgery (CSRF) protections for many DNS management actions which an attacker could have exploited to edit nameservers, edit DNS records, and modify automatic renewal settings. GoDaddy took measures to fix the vulnerability and introduced CSRF protections for sensitive account actions January 19. 

Oracle addresses 167 bugs in critical patch update. Oracle released its quarterly Critical Patch Update January 20, closing 167 vulnerabilities found in 48 of the company’s products. The developer’s Oracle Fusion Middleware product received 35 security patches, more than any other product, including 28 patches for vulnerabilities exploited remotely without authentication of the potential attacker. 

Verizon races out fix for email security flaw. Verizon patched a serious vulnerability in its My FiOS mobile app after a security researcher discovered a flaw that could allow a user to access any Verizon email account, scan the inbox, read individual emails, and send messages.


Ohio man accused of defrauding 19 investors out of millions. A Uniontown, Ohio man was indicted January 14 for allegedly running a Ponzi scheme between October 2009 and September 2013 that defrauded 19 investors and resulted in investor losses of about $5.5 million. 

Law firm insider faces charges in $5.6M trading scheme. The former managing clerk for New York-based law firm Simpson Thacher & Bartlett was indicted January 15 for allegedly using his position to obtain nonpublic information and pass it on to 2 other men from New Jersey and New York City who traded on the information to obtain $5.6 million in illicit profits. One of the men pleaded guilty in April 2014 and charges are pending against the other alleged participant. 

'Lunch Buddy Bandit' may be responsible for 11 Dallas bank robberies. Authorities in Dallas are searching for a suspect known as the "Lunch Buddy Bandit" believed to be responsible for 11 bank robberies in the area since December. 

Google reveals security flaw in Windows 7, 8.1, patch to be shipped in February. Researchers with Google released details and a proof of concept (PoC) for a vulnerability in Windows 7 and Windows 8.1 that could allow an attacker to encrypt or decrypt data. Microsoft stated that a fix for the vulnerability will be released in February. 

One-click mobile fraud variant throws browser for a loop. Symantec researchers observed a variant of a mobile one-click fraud scam currently being used against users in Japan that creates a continuous barrage of pop-up ads when a user tries to close the ad which directs them to sign up for a paid service. The attack incapacitates the browser but other apps can be used and the attack can be stopped by clearing the contents of the browser cache. 

Teen arrested for last year's DDoS attack on PSN and Xbox networks. Authorities in the U.K. in cooperation with the FBI arrested a man January 16 for allegedly participating in distributed denial of service (DDoS) attacks against the Sony Playstation and Microsoft Xbox gaming networks during 2014 

Typosquatting abuse of 500 most popular websites analyzed. Researchers with the University of Leuven in Belguim and Stony Brook University in the U.S. released a report on their research into typosquatting domains where attackers register domains for misspelled popular domains to attempt to capture traffic. The researchers found that half of all typosquatting domains can be traced back to four page hosters, and that 95 percent of the most popular domains are targeted by typosquatters, among other findings.


Man pleads guilty to installing credit card skimmers in Idaho Falls. A California man pleaded guilty January 14 to placing skimming devices on gas pumps at two stations in Caldwell and Idaho Falls during January and February 2014 which collected the information of about 160 payment cards. 

‘Texas Longhorn Bandit’ bank robber on the run. The FBI is searching for a suspect known as the “Texas Longhorn Bandit” believed to be responsible for 4 bank robberies in the Houston area, including the robbery of 2 Chase Bank branches January 14. 

Google AdSense used for malvertising campaign. Researchers with Sucuri identified at least two AdWords campaigns using Google’s AdSense program to modify legitimate ads in order to redirect users to fraudulent Web sites. 

LinkedIn phishing uses HTML file to steal credentials. A researcher with Symantec reported that a recent phishing campaign designed to harvest login credentials for professional networking service LinkedIn uses a modified HTML file that contains the legitimate code from LinkedIn’s login page but instead redirects the information to the attackers running the campaign. The use of an HTML file prevents users from being protected by blacklists and also allows the attacker to use several techniques to avoid automatic phishing detection methods. 

Bogus Oracle patches flung by malicious websites. Oracle posted a warning to users the week of January 12 stating that it had received information on several fraudulent Web sites claiming to provide patches for Oracle products that are in fact malware. Oracle advised users to only download patches from its official sites and asked users encountering the fraudulent sites to report them. 

Mobile malware up 77 percent in 2014. Lookout Inc., released a report on mobile malware and found that the mobile malware encounter rate for 2014 increased from 4 percent in 2013 to 7 percent, a 75 percent increase. The researchers also noted that mobile malware attacks increased in both sophistication and frequency during the past year, among other findings. 

CryptoWall makes a comeback, version 3.0 spotted in the wild. Microsoft researchers and an independent researcher identified a new version of the CryptoWall (also known as Crowti) ransomware dubbed CryptoWall 3.0 that contains localized ransom messages and directs victims to several addresses located on the I2P anonymity network, or the Tor network as a fallback. The malware encrypts victims’ files and demands a $500 ransom be paid in Bitcoin virtual currency in order to decrypt the files.


Remote overlay attack toolkit targets Brazilian bank customers. Researchers with Trusteer analyzed a piece of remote desktop connection banking malware dubbed KL-Remote being offered for sale on Brazilian underweb markets which includes the ability for attackers to manually intervene and collect online banking information and conduct transactions when users with infected systems visit banking Web sites. 

Minnesota woman charged in $2M fake death insurance scam. A Plymouth, Minnesota woman and her son were charged January 13 for allegedly conspiring with the woman’s ex-husband to fake the ex-husband’s death in the country of Moldova, fraudulently collecting $2 million in life insurance, and transferring over $1.5 million of the money to accounts in Moldova and Switzerland. 

Adobe updates Flash Player to fix 9 vulnerabilities. Adobe released updates for its Flash Player product January 13, closing nine critical vulnerabilities, including vulnerabilities that could be exploited to perform arbitrary code execution. 

Apache patches Qpid message broker against DoS condition. The developers of the Apache message broker software Qpid released a patch January 13 that closes a denial of service (DoS) condition that could be caused by unexpected protocol sequences leading to sudden termination of Qpid processes 

Mozilla fixes 9 vulnerabilities in Firefox 35. Mozilla released version 35 of its Firefox browser January 13, which includes new features and functions as well as fixes for 9 security vulnerabilities, 3 of which were rated as critical. 

Notepad++ releases “Je suis Charlie” edition, website gets defaced. Attackers identifying as the Fallaga Team claimed responsibility for defacing the Web site of open source text editor Notepad++. 

Microsoft patches critical Windows security vulnerability. Microsoft released its monthly round of Patch Tuesday updates January 13, closing a critical security vulnerability in Windows’ Telnet Service that could allow an attacker to remotely execute code on affected Windows servers, among seven other patches. 

Siemens patches SIMATIC WinCC apps for iOS against password-related flaws. Siemens released an update for the iOS version of its SIMATIC WinCC Sm@rt Client product for industrial control systems (ICS) which closes a vulnerability that could allow attackers to gain access to sensitive information from the app.


‘Bombshell Bandit’ pleads guilty to bank robberies. A Union City, California woman known as the “Bombshell Bandit” pleaded guilty January 12 to robbing four banks in Utah, Arizona, and California during 2014.

Google discloses new unpatched Windows 8.1 privilege escalation flaw. Researchers with Google disclosed a privilege escalation flaw in Windows 8.1 January 11 and released a proof of concept (PoC) for the vulnerability. Researchers confirmed that the vulnerability also affects Windows 7. 

Unpatched security flaws impact Corel software products. Core Security researchers released information on DLL hijacking vulnerabilities that could allow attackers to execute arbitrary commands in Corel DRAW, Photo Paint X7, PaintShop Pro X7, CAD 2014, Painter 2015, PDF Fusion, VideoStudio Pro X7, and Fast Flick products. The researchers initially identified and reported the vulnerabilities in December. 

Wall charger steals keystrokes from Microsoft wireless keyboards. A security researcher developed a device dubbed KeySweeper that is a wall charger modified to intercept and transmit keystrokes from a nearby Microsoft keyboard using an RF chip, the keyboard’s communications frequency, and a 2G SIM card with SMS support. 

Crayola red-faced after yellow-belly Facebook hijackers post blue jokes. Crayola stated that it regained control of its Facebook account January 11 after unknown attackers took control of it and posted inappropriate content. 

Insert ‘Skeleton Key’, unlocks Microsoft Active Directory. Simples - hackers. Dell SecureWorks researchers identified a piece of malware known as Skeleton Key that can bypass authentication on Microsoft Active Directory (AD) systems, allowing attackers to authenticate as any corporate user. The malware must be redeployed when a domain controller is restarted and requires domain administrator credentials for initial deployment 

Number of IE vulnerabilities fixed by Microsoft doubled in 2014: Report. ESET released a report on vulnerabilities closed by Microsoft in 2014 and found that the majority of the vulnerabilities affected the Internet Explorer browser. The report stated that 7 out of 240 security vulnerabilities were zero-days exploited by attackers before they were patched, and that the total number of Internet Explorer vulnerabilities doubled compared to 2013, among other findings. 

Malware coders adopt DevOps to target smut sites. A researcher with ESET reported that the attackers behind the Windigo malware campaign which infected around 25,000 Unix and Linux servers since 2013 began making several changes to the malware and their targets in response to security researcher efforts to combat the malware, including switching exploit kits and restricting targets to smaller adult content Web sites in order to avoid attention.


New variant of Vawtrak banking trojan delivered by Chanitor downloader. Researchers with Zscaler identified a new fraud campaign that delivers the Vawtrak (also known as Neverquest or Snifula) financial malware using an updated version of the Chanitor downloader. The downloader is delivered via phishing emails and the campaign uses encrypted traffic passing through the Tor anonymity network to connect with its command and control servers. 

‘Skinny Jeans Bandit’ sought in Cary bank robbery. The FBI is searching for a suspect known as the “Skinny Jeans Bandit” thought responsible for five bank robberies in Illinois and Indiana, with the most recent taking place January 7 at a BMO Harris bank branch in Crown Point, Indiana. 

SEC charges Massachusetts-based investment advisers with misappropriation of money from investment fund. The U.S. Securities and Exchange Commission filed charges January 9 against a Framingham man, three Massachusetts financial advisory firms he owns or controls, a Texas financial firm he is believed to control, and others for allegedly misappropriating at least $16 million from a fund known as the GL Beyond Income Fund. 

Buffer overflow glitch in Wonderware Server gets fix from Schneider Electric. Schneider Electric released an update for its Wonderware InTouch Access Anywhere Server human machine interface (HMI) product for industrial control systems (ICS) that closes a remotely exploitable stack-based buffer overflow vulnerability. Users were advised to apply the patch immediately due to the ease of exploiting the vulnerability. 

Pro-ISIS group hijacks Twitter accounts of regional US media. Attackers identifying themselves as the CyberCaliphate group temporarily compromised the Twitter accounts of several news media organizations in Delaware, Maryland, New Mexico, and Tennessee. The attackers also linked to a dump of Stewart County, Tennessee government documents and alleged personal data of New Mexico residents. 

Lizard Stresser runs on hacked home routers. A security researcher reported that the Lizard Stresser for-hire distributed denial of service (DDoS) attack tool associated with the Lizard Squad group was found to draw bandwidth from infected home, commercial, and educational institution routers. The malware used looks for routers which allow access through factory default login and password combinations. 

Library flaw could crash HART-based ICS field devices. Emerson Process Management released a patch for a vulnerability in the CodeWrights HART Device Type Manager (DTM) used in Emerson’s Fisher Control, Micro Motion, and Rosemount industrial control system (ICS) products that was discovered by Digital Security researchers. The vulnerability could be exploited by an attacker with physical access to a targeted system. 

Microsoft Dynamics CRM affected by self-XSS vulnerability: Researchers. Researchers with High-Tech Bridge identified an issue in the Microsoft Dynamics Customer Relationship Management (CRM) product that could allow an authenticated user to perform a self cross-site scripting (XSS) attack if manipulated into entering malicious code via social engineering.


Former Sunwest CEO pleads guilty to mail fraud. The former head of Oregon-based Sunwest Management retirement centers pleaded guilty January 8 to running an investment fraud scheme that defrauded investors out of $130 million. The former CEO misled investors in the chain of over 300 assisted-living centers by portraying the company as prosperous while it was rapidly losing money in 2006. 

Andromeda botkit used for Bitcoin mining purpose. Fortinet researchers observed attackers using an older, cracked version of the Andromeda botnet malware to deliver Bitcoin mining software to compromised computers. The malware is version 2.06 of Andromeda and can also download additional modules and updates from the attackers’ command and control servers. 

Schneider patches buffer overflow in Wonderware server. Schneider Electric issued a patch for its Wonderware InTouch Access Anywhere Server v10.6 and v11 that closes a remotely exploitable buffer overflow vulnerability. The software is used in industries including the chemical, energy, manufacturing, and water utility sectors. 

Unauthorized root command execution possible in ASUS routers. A researcher reported a vulnerability in ASUS routers where a firmware service could be used by attackers with access to the network to reconfigure the router. 

OpenSSL release patches 8 vulnerabilities. The OpenSSL Project released updates for its open-source library, closing eight vulnerabilities including two that could be used for denial of service (DoS) attacks. 

vBulletin warns of vBSEO vulnerability. The developers of vBulletin informed users of the now-defunct vBSEO search engine optimization product that a security vulnerability exists in vBSEO and offered a solution for the issue.


Attackers spread Dridex banking trojan via malicious macros. Researchers with Trustwave identified an attack campaign that uses phishing emails to attempt to spread the Dridex banking malware through Microsoft Office documents containing malicious macros. The campaign prompts users to enable macros and is currently targeting users in the U.K. 

Hackers use Pastebin to deliver backdoor code. Researchers with Sucuri Security identified several attacks targeting WordPress Web sites running outdated versions of the RevSlider plugin that downloads malicious code hosted on the Pastebin service to the targeted sites, where it is then executed. A vulnerability in the plugin is then used to install a backdoor on the targeted sites. 

Thunderstrike shocks OS X with firmware bootkit. A researcher presented at the Chaos Communications Congress security conference an outlined attack dubbed Thunderstrike that can use legacy option ROMs to replace the RSA keys in Mac OS X machines’ extensible firmware interface (EFI) and allow the installation of malicious firmware. The attack works against Macbooks released since the introduction of Thunderbolt in 2011 and requires brief physical access, though the researcher stated that it may be able to be exploited remotely. 

8chan attacked with Lizard Stresser and knocked offline. The 8chan image board service experienced a distributed denial of service (DDoS) attack January 8, preventing users from accessing the site. The Twitter account of the Lizard Squad hacktivist group stated that the group’s Lizard Stresser DDoS tool was being used in the attack. 

Stealthy ‘XOR.DDoS’ trojan infects Linux systems, installs rootkit. Researchers with Avast reported that the recently discovered XOR.DDoS malware has been targeting Linux systems and is using a rootkit to avoid detection. The malware is possibly being used by a small group to build up infrastructure for use in distributed denial of service (DDoS) attacks.


Forged gift card arrest made in Grantville. Police in Grantville arrested a man after a search during a traffic stop yielded 210 fraudulent gift cards and other items January 4. Police believe that there may be a connection between the man and three others arrested the week of December 28 due to the same types of forged cards and cartons of cigarettes in their possession. 

New Emotet variant targets banking credentials of German speakers. Researchers with Microsoft identified a new variant of the Emotet banking malware dubbed Trojan:Win32/Emotet.C which was first seen in November and currently targets German-speaking individuals in several European countries. The malware is capable of stealing online banking login information as well as login information for email and messaging services. 

Thieves jackpot ATMs with ‘Black Box’ attack. Researchers with NCR analyzed an attack on an ATM utilizing USB devices and physical access to disconnect an ATM from its computer and issue remote commands to the cash dispenser. The attack used a smartphone to issue commands from a remote attacker through a dynamic IP service, and a second USB device designed to trick the ATM into thinking it was still connected to its original computer. 

HuffPo visitors targeted with malvertising, infected with ransomware. Cyphort Lab researchers identified a malvertising campaign that placed malicious ads on the Web sites of the Huffington Post and by abusing the ad network. The campaign began December 31 and used the Neutrino or Sweet Orange exploit kits to attempt to serve the Kovter ransomware. 

CryptoWall 2.0 ransomware capable of executing 64-bit code: Cisco. Researchers with Cisco’s Talos Group published an analysis of the CryptoWall 2.0 ransomware and found that it contains several anti-sandbox and anti-security features, as well as the ability to run 64-bit code from a 32-bit dropper, among other findings. 

Wi-Fi password phishing attacks automated with new tool. A researcher released a tool dubbed Wifiphisher that can automate WiFi network password phishing by deauthenticating users, setting up a matching rogue access point using the target’s settings, and the performing a man-in-the-middle (MitM) attack using a fake firmware update notification. 

Microsoft warns of malicious macros targeting users in the UK and the US. Microsoft stated that it has observed two pieces of malware being spread via malicious emails that attempts to get users to enable macros in Microsoft Office programs in order to infect computers. The campaigns attempt to distribute the Adnel and Tarbir malware and have primarily targeted users in the U.S. and U.K.


Over $5 million stolen from Bitstamp’s Bitcoin wallets. Bitstamp stated January 6 that some of its wallet accounts for the Bitcoin virtual currency were compromised January 4, resulting in a loss of around $5 million in Bitcoins. The company suspended its services January 5 to investigate the compromise and stated that law enforcement agencies are involved in the inquiry. 

Researchers find several UEFI vulnerabilities. The Computer Emergency Response Team Coordination Center (CERT/CC) released three advisories for vulnerabilities in the Unified Extensible Firmware Interface (UEFI) identified by researchers at Bromium and MITRE Corporation. Two vulnerabilities could be exploited by a local, authenticated attacker to bypass security functions and the third is a buffer overflow vulnerability 

HTTPS can be set as your super-cookie. A researcher demonstrated that the HTTP Strict Transport Security (HSTS) mechanism in HTTPS can be used by a malicious Web site to track which Web sites a user has visited due to HSTS creating a unique identifier to remember preferences for HTTPS sites. HSTS identifiers can be cleared in the Chrome, Firefox, and Opera browsers, are not used in Internet Explorer, but cannot be cleared in the Safari browser and syncs with the iCloud service as well. 

Custom greeting card seller Moonpig fixes security blunder 17 months after responsible disclosure. Greeting card seller Moonpig closed a vulnerability in its Android app that was first reported to the company in August 2013 and could have allowed an attacker to change the customer ID and access customer names, email addresses, dates of birth, addresses, order histories, and the last four digits of payment card numbers.


Morgan Stanley fires employee, cites data theft. Morgan Stanley officials reported January 5 that the investment banking firm began notifying about 900 clients of its wealth management division that a former employee stole partial account information of up to 10 percent of the division’s client portfolio and briefly posted the information on the Internet. The information was promptly removed and the firm instituted enhanced security procedures on the affected accounts as a precaution. 

Columbia man admits to string of bank robberies. Police arrested a man for allegedly robbing at least of six banks in Columbia, Missouri, since November including the latest robbery at a Boone County National Bank branch January 3. 

Google discloses unpatched Windows 8.1 vulnerability. A security hole that was reported to Microsoft in September 2014 by Google’s Project Zero initiative was disclosed through a proof-of-concept (PoC) for a local privilege escalation vulnerability affecting Windows 8.1 which does not check the impersonation token of the caller to determine if a user is an administrator after allowing application compatibility data to be cached for quick reuse when new processes are created. Microsoft reported that it is working on an update to address the vulnerability. 

The hidden dangers of third party code in free apps. MWR InfoSecurity researchers found several ways hackers can abuse ad networks by exploiting vulnerabilities in free mobile apps due to a privileged code injected into the apps that advertisers and third parties use for tracking which could allow access to address books, SMS contents, email, or any other action on the device that the app developer is allowed to access. 

New Steam stealer malware sample gets analyzed, points to Australian national. A researcher discovered 14 active malware samples in 2014 which were used to steal game items from the accounts of Steam users and spread to the list of friends available via chat messages, prompting security researchers to urge users to refrain from running executable files delivered through comments or communication in chat. 

PayPal complete account hijacking bug gets fix, no award given. PayPal fixed a bug that was discovered by a researcher which potentially allowed an attacker to steal sensitive information from an account after a discovery that PayPal did not verify the actual contents of a file uploaded through a page, trusting the extension of the item implicitly, despite the fact that the data is served back with false (media type of the message content) MIME type. The bug would have allowed an attacker to upload any file to any PayPal subdomain in order to compromise an account.


New York man charged with credit card fraud. A New York man was arrested and charged December 25 after authorities discovered 126 fraudulent credit cards inside his vehicle during a traffic stop on Route 95 in West Greenwich. 

Want to have your server pwned? Easy: Run PHP. A researcher with Google discovered that more than 78 percent of all PHP installations were running with at least one known vulnerability after correlating statistics from a Web survey site that lists known vulnerabilities in various versions of PHP. The latest releases of PHP 5.4, 5.5, and 5.6 were all believed to be secure. 

WordPress Symposium plug-in plagued by file upload vulnerability. Researchers with Trustwave SpiderLabs and Sucuri discovered and have been monitoring a number of exploit attempts in their honeypot and scans for a vulnerability in WordPress Symposium and the public availability of proof-of-concept exploit code that allows an attacker to upload files without authentication to sites running Symposium. Researchers found the latest versions of WordPress Symposium from both the WordPress Web site and the WPSymposium site were still vulnerable and the company announced the plug-in was downloaded more than 150,000 times.


Seven face federal indictment in telemarketing scheme. Six individuals from Las Vegas and 1 from Illinois were charged by a federal grand jury in Las Vegas December 30 for their involvement in a scheme where they allegedly organized and operated 4 telemarketing companies and offered to help small business owners obtain grants from public and private entities in exchange for fees from about 2007 to 2010. 

Number of botnet control servers increased in 2014 – report. Spamhaus released a report December 31 claiming that the number of IP addresses that have served at some point during 2014 as command and control (C&C) servers increased 7.88 percent to 7,182 addresses compared to 525 in 2013. The report also found that the Zeus banking trojan was the most common type of malware followed by Citadel. 

Android malware increasingly packaged with HTML5 apps: Trend Micro. Trend Micro reported that hackers repackaged legitimate HTML5 applications into Android malware at an increase of 200 percent in 2014 compared to 2013, while the number of potentially unwanted applications (PUAs) and pieces of malware also increased, with nearly half of such Android threats being disguised as games. 

Fake Apple store purchase notification lures to phishing page. A researcher with Hoax-Slayer found a malicious email campaign that delivers messages claiming to be from Apple and informs the user that TomTom navigation has been purchased from their store, and provides a link to cancel the purchase which leads to a phishing page in an attempt to steal banking information. 

XXE bug patched in Facebook careers third-party service. Facebook rewarded a researcher who discovered a blind XXE (XML External Entity) Out of Band bug in its third-party service that handles resumes on Facebook’s careers page. The vulnerability was patched after the researcher found that he was able to upload a .docx file with some additional code that was not vetted by the third-party service, which could allow an attacker to carry out a number of malicious activities. 

Majority of 4G USB modems, SIM cards exploitable. Positive Technologies’ researchers found that 4G USB modems contain exploitable vulnerabilities which could allow attackers to gain full control of the machines to which the devices are connected to, including SIM cards via SMS over 4G networks. The vulnerabilities could also allow access to subscriber accounts on relevant carrier portals, and the impact of attack methods include smartphones, industrial control systems (ICS), and supervisory control and data acquisition (SCADA) machines.


U.S. Attorney charges Hoover man for role in Ponzi scheme that bilked millions from investors. A Hoover, Alabama man agreed to plead guilty to charges and was ordered to pay restitution December 29 for his role in a Ponzi scheme that caused about 12 investors to lose approximately $3.1 million when his investment scheme collapsed in May. The registered financial broker led some investors to believe his company, 360 Properties, was affiliated with MetLife and used the funds for personal use. 

Researchers find 64-bit version of Havex RAT. Researchers with Trend Micro found a 64-bit version of the remote access Trojan (RAT), Havex, which has been used in campaigns targeting industrial control systems (ICS). Two Windows 7 infections were discovered utilizing the 64-bit version of the threat. 

CSC pays 190M to settle 4-year-old accounting fraud case with SEC. CSC, an IT services company, agreed to pay $190 million to settle a case by the U.S. Securities and Exchange Commission that claims the company violated U.S. antifraud, reporting, and books-and-records laws related to the company’s accounting irregularities in Australia, Denmark, and its contractual relationship with the U.K. National Health Service over the failed National Program for IT.


Pershing LLC fined $3 million for reserve level, supervisory failures. The Financial Industry Regulatory Authority fined Pershing LLC, a unit of the Bank of New York Mellon Corp., $3 million December 29 for failing to maintain certain reserve levels and for supervisory failures after regulators discovered the company violated U.S. Securities and Exchange Commission’s customer protection rule. The company had reserve deficiencies ranging from $4 million to $220 million from November 2010 to August 2011 and put securities to risk by failing to maintain physical possession of some fully paid and margin securities.

Credit Suisse must face $10 billion N.Y. mortgage-fraud lawsuit. Zurich-based Credit Suisse Group was ordered by a New York State Supreme Court justice to face a $10 billion lawsuit initiated by the State’s attorney general December 24 accusing the bank of fraud in the sales of mortgage-backed securities before the 2008 financial crisis.

Twitter trouble kicks Android users out of the action. Twitter resolved a software issue which prevented Android users from posting on the site for 3 hours December 28.

Sony: PlayStation Network is back online now, really. Sony reported that its PlayStation Network was fully restored December 28 following a December 25 distributed denial of service (DDoS) attack that knocked the network offline. The Lizard Squad hacker group allegedly claimed responsibility for the DDoS attack which also took down Microsoft’s Xbox Live through December 26, and the group claimed that the Tor network was its next target for a zero-day attack.

Exploit for Android same origin policy flaw is leveraged against Facebook users. Researchers with Trend Micro, Facebook, and BlackBerry are working to detect and resolve an attack targeting Facebook users using a campaign relying on a Blackberry app to steal access tokens which uses the same origin policy (SOP) exploit flaw in the Web browser of the Android OS lower than 4.4. The attackers rely on the vulnerability to serve a malicious JavaScript file to victims which is stored in a cloud storage account.

Internet Systems Consortium website has been compromised to serve malware. The Web site of Internet Systems Consortium, which maintains BIND and relies on WordPress, was taken offline after the site was hacked with a malicious code. Administrators urged users to check their computers while they investigated the apparent issue with the content management system (CMS) after visitors were redirected to a malicious location hosting Angler Exploit Kit (EK).


Kentucky businessman pleads guilty to $53 mln tax fraud. A Kentucky man who controlled Florida payroll management company O2HR pleaded guilty December 23 to engaging in $53 million in tax fraud, defrauding and misleading regulators, and conspiring to bribe bank executives, charges that originated in the investigation of the failed New York-based Park Avenue Bank. The bank’s former president and senior vice president were previously found guilty on fraud charges and an alleged co-defendant is also scheduled to go on trial in March 2015.

Malware families distributed through malicious campaign targeting WordPress sites. Researchers with Zscaler identified a malware distribution campaign utilizing more than 50 WordPress Web sites used by exploit kits as malware drop sites. The researchers observed the Upatre and Hencitor malware droppers, Vawtrack (also known as NeverQuest) banking malware, and Extrat Xtreme remote access trojan (RAT) among the malware being distributed in the campaign.

Rackspace restored after DDOS takes out DNS. Rackspace stated that it has recovered from a distributed denial of service (DDoS) attack that began December 22 and lasted for about 11 hours, resulting in some legitimate traffic to the company’s DNS infrastructure being blocked.


Vawtrak’ banking malware continues to evolve. Researchers with Sophos identified a new variant of the Vawtrak banking malware (also known as NeverQuest or Snifula) that is capable of injecting a DLL into browser processes to infect users and compromise banking credentials. The malware variant is capable of disguising its communications and bypassing two-factor authentication, among other capabilities.

SEC charges two traders in Chile with insider trading. The U.S. Securities and Exchange Commission filed charges December 22 against 2 business associates in Chile for allegedly using insider information that 1 of the individuals gained while serving as a member of the board of CFR Pharmaceuticals S.A. to make around $10.6 million in illicit profits.

The first polymorphic ransomware emerges, spreads on its own. Researchers with ESET and Sophos identified a new piece of ransomware known as VirLock or VirRansom that acts as a virus to infect several file types and scramble the files, then de-scrambles the files when a victim attempts to open them and installs the malware. The malware then locks the screen and demands a ransom be paid to unlock it.

Apple patches NTP vulnerabilities in first automated patch. Apple released an automatic update for its Mac OS X operating system, closing several remotely exploitable vulnerabilities in Network Time Protocol (NTP) that could have allowed attackers to exploit buffer overflow vulnerabilities.

Security breach at NVIDIA triggers employee credentials reset. NVIDIA reset the credentials of an undisclosed number of employees’ accounts after an unauthorized intrusion into the company’s network occurred October 8 and was detected in early December. Security improvements were implemented to prevent future intrusions.

Tor exit node cluster shut down. The operator of a large Tor exit node cluster stated that his exit node cluster was tampered with and activity terminated December 21, and warned users not to use the affected exit nodes if they reappear online until an investigation is completed.


SEC charges investment manager F-Squared and former CEO with making false performance claims. Investment management firm F-Squared Investments agreed December 22 to pay $35 million to settle charges filed by the U.S. Securities and Exchange Commission that the company engaged in false performance claims for its AlphaSector portfolio in order to mislead investors.

FBI: ‘Play-Along Bandit’ hits 6th bank. A suspect known as the “Play-Along Bandit” was believed to be responsible for a December 20 robbery at an ABC Bank branch in the Austin neighborhood of Chicago, the sixth bank robbery linked to the suspect.

Jackson loan officer indicted in large-scale mortgage fraud. A Jackson, New Jersey loan officer for an undisclosed mortgage company was indicted December 18 for allegedly participating with others in a mortgage fraud scheme that cost financial institutions $10 million. The man was also charged with submitting falsified paperwork in order to obtain a loan modification for his home. 

Feds: Uganda-based man counterfeited $2 million. A man was charged December 18 with allegedly manufacturing over $2 million in counterfeit U.S. currency and shipping around $270,000 to the U.S. from Uganda after he was arrested by Ugandan and U.S. authorities December 11. The alleged scheme was detected by bank employees in Pittsburgh who identified a counterfeit bill and an investigation found that counterfeits were shipped to individuals in Florida, Minnesota, Texas, and Washington. 

Easily exploitable NTP vulnerabilities put ICS operators at risk. Researchers with Google’s Security Team identified and reported several vulnerabilities in the Network Time Protocol (NTP) which could allow low-skilled attackers to crash the NTP daemon or execute arbitrary code using publicly available exploits. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an advisory regarding the vulnerabilities due to the wide use of NTP within industrial control systems (ICS) deployments. 

Hackers used sophisticated SMB Worm Tool to attack Sony. The United States Computer Emergency Readiness Team (US-CERT) issued an advisory and indicators of compromise after attackers were found to use a Server Message Block (SMB) Worm Tool in a recent destructive attack against a major entertainment company. The SMB Worm Tool contained five components, allowing it to compromise systems, enable backdoor access, and destroy hard drive contents.


New Zeus variant targets users of 150 banks. Researchers with Kaspersky Lab identified a new variant of the Zeus banking and information-stealing malware known as Chthonic that is targeting customers of 150 banks and 20 payment systems in the U.S. and 14 other countries. Chthonic shares several components with other forms of malware and is delivered by spam emails or though downloader malware already present on victims’ computers. Source: 4. December 18, U.S. Securities and Exchange Commission – (International)

SEC charges additional participant in penny stock manipulation ring. The U.S. Securities and Exchange Commission announced settled charges December 18 against a man in Nevada for setting up fake Panamanian companies and opening brokerage accounts that were used in an $11 million penny stock manipulation scheme involving the stock of now-defunct Rudy Nutrition. Thirteen other individuals were previously charged in the fraud scheme.

SEC charges Staten Island-based firm with operating boiler room scheme targeting seniors. The U.S. Securities and Exchange Commission filed charges December 18 against New York-based Premier Links Inc., its former president, and two sales representatives for allegedly operating the firm as a boiler room scheme that defrauded over 300 investors from across the country of at least $9 million. The company and its members allegedly cold-called individuals and used pressure tactics and fraudulent claims and then redirected most investments to entities the defendants controlled.

Bethlehem Township restaurant used in $160,000 credit card fraud, court records say. One person was arrested and arrest warrants were issued December 18 for three others, including the former owner of the Valley Family Restaurant, for allegedly using the business to run fraudulent transactions totaling $160,005. One of the defendants also allegedly provided a skimming device to be set up at the restaurant, though it had not yet been used.

Whittier raid nets guns, drugs hundreds of fraudulent credit cards. Police in Whittier, California, arrested four individuals in a raid December 18 that uncovered hundreds of fraudulent payment cards, card manufacturing equipment, and stolen checks and IDs.

Critical flaw on over 12M routers allows device hijacking, network compromise. Check Point researchers identified a vulnerability in over 12 million routers dubbed “Fortune Cookie” caused by an error within the HTTP cookie management component that could be remotely exploited to cause the current session to be given administrative privileges by sending a packet to a user’s public IP address. The vulnerability was found in routers manufactured by TP-Link, Huawei, Zyxel, Netcomm, SmartAX, Edimax, and others.

Privilege escalation vulnerability found in Linux kernel. A researcher at AMA Capital Management identified a vulnerability in the Linux kernel that could be used to perform a denial of service (DoS)


SEC charges Avon Products, Inc. with Fcpa violations. Avon Products Inc. agreed to pay $67 million in disgorgement and interest to settle charges filed December 17 by the U.S. Securities and Exchange Commission accusing the beauty products company of violating the Foreign Corrupt Practices Act (FCPA) by failing to put in place controls that could have detected and prevented $8 million in payments to Chinese government officials by employees and consultants at the company’s Chinese subsidiary between 2004 and 2008. 

Data compromised at Union First Market Bank. Richmond-based Union First Market Bank stated that they shut off all ATM capabilities for their customers’ debit cards after discovering skimming activities that affected over 3,000 customers’ cards. Affected customers were being contacted by the bank and issued new debit cards. 

Serious vulnerabilities found in Schneider Electric’s ProClima solution. An advisory from the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) December 16 warned that five vulnerabilities in the Schneider Electrica ProClima thermal management software were identified and reported by researchers and could be remotely exploited. The software is used in industries such as manufacturing, energy, and commercial facilities and affects ProClima versions 6.0.1 and earlier. 

“USBdriveby” emulates mouse and keyboard to hijack computers. A researcher demonstrated an attack method known as USBdriveby that can use a USB-based microcontroller to emulate a mouse and keyboard to run several tasks including disabling security measures, opening backdoors, and changing DNS settings due to many systems trusting USB devices by default. The researcher tested the method on an OS X device but believes that it can be used on Windows and Unix operating systems, and the source code and operations for the attack were made public. 

ICANN systems breached via spear-phishing emails. The Internet Corporation for Assigned Names and Numbers (ICANN) stated December 16 that it was compromised via spearphishing emails during November and attackers were potentially able to access Centralized Zone Data System (CZDS) files and salted and hashed user information and credentials. ICANN deactivated all CZDS passwords as a precaution and notified all potentially affected users. 

Syrian Electronic Army hacks website of International Business Times. Hacktivists claiming affiliation with the Syrian Electronic Army group claimed responsibility for defacing the Web site of the International Business Times December 17. 

Researcher publishes JavaScript DoS tool. A researcher with WhiteHat Security published a prototype denial of service (DoS) attack script named FlashFlood written in JavaScript December 16. The code could be used by attackers in DoS attacks or to trick victims into executing the code. 

Ars Technica readers urged to change passwords in wake of hack. Ars Technica advised its registered readers to change their passwords as a precaution after an attacker briefly gained access to one of the site’s Web servers December 14. The site stated that the attacker may have been able to access hashed email addresses and passwords.

Backdoor found in Android phones manufactured by Coolpad: Research. Researchers with Palo Alto Networks reported that at least 24 models of Android devices manufactured by Coolpad contained a backdoor that could active applications, install unwanted applications, and upload device information and location data. 

Xsser malware targeting iOS, Android devices. Researchers with Akamai identified a new mobile remote access trojan (mRAT) known as Xsser that is spread through phishing and man-in-the-middle (MitM) attacks and can steal credentials, execute code, and hijack browser sessions on Android and iOS devices. The researchers found that the mRAT is being used by an organized group currently targeting specific devices and software vendors, software-as-a-service (SaaS) providers, and Internet service providers mainly in Asia.


Credit card fraud ring used over 3,800 stolen cards. Ten men from several States were indicted December 16 for allegedly running a payment card fraud ring that operated in at least 11 States, used over 3,800 stolen credit card numbers, and made fraudulent transactions totaling more than $1.7 million. The alleged ring would use the stolen payment card information primarily to purchase tickets to sporting and other entertainment events and then resell them. 

Former Miami-area mayor found guilty in mortgage fraud scheme. The former mayor of North Miami was found guilty December 16 of participating in an $11 million mortgage fraud scheme and affinity scheme that targeted the local Caribbean community in order to recruit straw buyers. The former mayor was suspended from office in May 2014 after being indicted. 

10-year-old “mailx” vulnerability fixed in Debian, Red Hat Enterprise Linux. The developers of Red Hat Linux and Debian released updates that addressed two vulnerabilities in the operating systems’ mailx utility for Unix systems that could have been exploited by local attackers to execute arbitrary commands by using maliciously-formed email addresses. 

phpBB asking users to change passwords following hack. The developers of open source forum software phpBB shut down their network following a cyberattack December 14 after attackers potentially gained access to hashed and salted passwords. The developers asked users who had registered accounts on and to reset their passwords as a precaution. 

Researchers confirm multiple Google App Engine security sandbox bypasses. Researchers with Security Explorations were permitted by Google to continue their investigation of security issues in the Google App Engine (GAE) Java security sandbox and subsequently reported 16 proof-of-concepts (PoC) codes to Google for evaluation. The researchers stated that details of the issues would be reported after Google reviews them.


Researcher identifies XSS vulnerability affecting Citibank website. A security researcher identified and reported a cross-site scripting (XSS) vulnerability in a Web site belonging to Citibank that could allow the personal information, login credentials, and cookies of users and administrators to be stolen. 

Banking trojan abuses Pinterest in C&C routines. Researchers with Trend Micro identified a variant of the BANKER malware known as TSPY_BANKER.YYSI that is currently targeting users of South Korean banking Web sites via redirection to a phishing site and accesses comments on the Pinterest social network instead of a command and control (C&C) server. The comments are decoded into IP addresses for the server hosting the phishing page. 

CA Technologies fixes vulnerable CA Release Automation. CA Technologies released a patch for its CA Release Automation continuous delivery system that closes a cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection vulnerability in previous versions of the product. 

Shellshock worm exploiting unpatched QNAP NAS devices. Researchers with the SANS Institute stated that network attached storage (NAS) devices manufactured by QNAP may still be vulnerable to attackers exploiting the Bash flaw that was patched previously due to the complexity and lack of automation in the patching process. The researchers published two hashes that have been used in recent attacks to perform click fraud against the JuiceADV advertising network.


Bail bondsman charged with writing fraudulent bonds. A Berks County bail bondsman and three other employees of Ace Bail Bonds were charged December 12 for allegedly writing $2 million in fraudulent bail bonds between August and September. 

‘Play-Along Bandit’ sought by the FBI. The FBI asked for the public’s help in finding a suspect known as the “Play-Along Bandit” suspected in at least five Chicago bank robberies since October 18. The most recent robbery tied to the suspect took place at a Harris Bank branch December 7. 

Court orders former managing director of the NASDAQ Stock Market to disgorge more than $898,000 in insider trading profits. A former managing director of the NASDAQ Stock Market was ordered to disgorge $898,107.92 in illicit profits plus interest for engaging in insider trading using nonpublic information entrusted to him by NASDAQ and listed companies ahead of nine announcements between August 2006 and July 2009. 

SEC charges Manhattan-based attorney with conducting Ponzi scheme. The U.S. Securities and Exchange Commission filed charges December 12 against a New York City-based attorney for allegedly conducting a $5 million Ponzi scheme that purported to invest clients’ investments in an investment fund that the attorney was not in fact affiliated with. Parallel criminal charges were also filed by the U.S. Attorney’s Office for the Southern District of New York. 

CloudFlare SSL certificate used for phishing scam. A researcher with Malwarebytes identified a new phishing email campaign that utilized a free CloudFlare certificate in order to make a malicious link appear more trustworthy. CloudFlare has since revoked the certificate. 

SoakSoak malware campaign affects over 100,000 websites. A Sucuri researcher reported that malware delivered from the Russian Web site has affected over 100,000 WordPress Web sites adding a code that adds a malicious JavaScript on every page viewed on the affected sites. Google then blacklisted more than 11,000 domains connected to the malware. 

Ursnif malware steals data, infects files in US, UK. Trend Micro researchers detected an increase in the number of Ursnif malware infections caused by a variant known as PE_URSNIF.A-O that is capable of infecting files as well as stealing passwords and other information. The largest number of the new infections were found in the U.S. and U.K. 

Batten down the patches: New vuln found in Docker container tech. A security researcher identified an arbitrary code execution vulnerability in Docker that was introduced in a November patch and could be exploited by including malicious .xz binaries in image files. The developers of Docker released a new patch that closes the vulnerability, and all users were advised to apply the patch as soon as possible.


Upatre downloader spreading Dyreza banking trojan. Microsoft warned December 11 that the Upatre downloader is being used in a wire-transfer spam campaign to spread the Dyreza banking malware, mainly targeting victims in the U.S. and Canada. The malware is able to bypass encryption in order to steal online banking credentials and other data. 

Hackable intercom lets you SPY on fellow apartment-dwellers. A researcher presenting at the Kiwicon security conference detailed how he was able to use several vulnerabilities in the GrandStream GXV3175 video intercom, including directory traversal and command injection flaws, to potentially spy on any resident in an apartment building equipped with the devices. The issues were patched by the manufacturer after the researcher reported them. 

Microsoft pulls a patch and offers PHANTOM FIX for the mess. Microsoft took down an update included in its monthly Patch Tuesday release due to the patch causing issues on systems running Windows 7 Service Pack (SP1) and Windows Server 2008 R2 SP1. A second patch was then published to address the issue. 

Malwarebytes anti-exploit upgrade mechanism vulnerable to MitM attacks. A Fox-IT researcher identified and reported vulnerabilities in consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier that could have left the security products vulnerable to man-in-the-middle (MitM) attacks and allowed the download of malicious content. The vulnerabilities were reported in July and August and patched in September and October.


Former TierOne Bank CEO indicted on fraud charges. The former CEO of Lincoln, Nebraska-based TierOne Bank was indicted on federal charges December 10 for allegedly concealing the failed bank’s financial condition to regulators by maintaining two sets of books and other documentation to conceal tens of millions of dollars in delinquent loans. 

SEC announces fraud charges against Buffalo-based firm and co-owners accused of misleading investors in hedge fund. The U.S. Securities and Exchange Commission announced charges December 10 against Buffalo-based Reliance Financial Advisors and its two co-owners for allegedly directing investors to invest in a hedge fund run by a manager whose experience was greatly exaggerated, causing their clients to lose most of their $12 million in investments. 

OphionLocker, the new ransomware on the block. Researchers with Trojan7Malware identified a new piece of ransomware known as OphionLocker that uses elliptic curve cryptography (ECC) to encrypt the data on victims’ systems and demand a ransom to decrypt the files. The ransomware was observed in the wild being spread by the RIG exploit kit in drive-by download attacks. 

Elderly zombie Asprox botnet STILL mauling biz bods, says survey. A report by Palo Alto Networks found that the Asprox botnet (also known as Kuluoz) was responsible for around 80 percent of recorded attacks during October across almost 2,000 organizations in sectors including the healthcare, financial services, and retail industries. The botnet malware plants malicious code in vulnerable Web sites via SQL injection attacks and has been used in phishing, malware distribution, and other attacks. 

Patch against critical flaw in HD FLV Player still leaves the plug-in vulnerable. A researcher with Sucuri reported that a recent patch closing a vulnerability that could have allowed unauthenticated arbitrary file downloads in the HD FLV Player component for Joomla, WordPress, and custom Web sites did not close a similar vulnerability that could allow an unauthenticated attacker to send out emails from an affected site. 

FreeBSD developers VANQUISH Demon bug. Researchers with Norse identified and reported a vulnerability in FreeBSD that could have allowed an attacker to inject malicious code into systems running the software. The developers of FreeBSD released a patch after receiving the report, closing the vulnerability. 

Black Energy malware may be exploiting patched WinCC flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an update to a previous alert concerning the Black Energy malware seen targeting human-machine interface (HMI) products, which stated that the malware may be exploiting vulnerabilities in the Siemens SIMATIC WinCC software that was patched by Siemens November 11. 

Taxi app Uber plugs ‘privacy threatening’ web security flaw. Ride-sharing service Uber closed a cross-site scripting (XSS) vulnerability in its Web site after a security researcher identified and reported the issue. The vulnerability could have exposed users’ cookies, personal information, browser history, and authentication credentials. 

Critical’ security bugs dating back to 1987 found in X Window. The developers of the X Window System for Linux and other Unix operating systems issued patches closing several vulnerabilities that could be exploited to crash the system or run malicious code as the root user after they were identified and reported by a researcher at IOActive.


Hackers breached payment solutions provider CHARGE Anywhere: Undetected since 2009. Electronic payment solutions provider CHARGE Anywhere stated December 9 that attackers had gained access to its network as early as November 2009 using a previously unknown and undetected piece of malware and were able to capture payment card data from some communications that did not have encryption. The company discovered the compromise September 22 and an investigation found that network traffic capture occurred between August 17 and September 24. 

Red October cyber spy op goes mobile via spear-phishing. Researchers with Blue Coat and Kaspersky Lab identified and analyzed a cyber-espionage campaign that appears similar to the RedOctober campaign dubbed Cloud Atlas or Inception Framework that has been targeting the Android, iOS, and BlackBerry devices of specific users in the government, finance, energy, military, and engineering sectors in several countries via spearphishing. The malware appears to primarily be designed to record phone conversations and can also track locations, monitor text messages, and read contact lists. 

Trihedral fixes vulnerability in SCADA monitoring and control software. Trihedral Engineering Ltd., released software updates for its VTScada (VTS) supervisory control and data acquisition (SCADA) software to close a vulnerability that could be used by an unauthenticated attacker to crash VTS servers. The software is used in industries including the energy, chemical, manufacturing, agriculture, transportation, and communications sectors. 

Flash Player fixes remote code execution bug exploited in the wild. Adobe released patches for six vulnerabilities in its Flash Player software, including a vulnerability reported by a researcher that could allow arbitrary code to be executed on affected systems. The arbitrary code execution vulnerability has been observed being exploited in the wild and all users were advised to update their versions of Flash Player as soon as possible. 

SQL injection, other vulnerabilities found in InfiniteWP admin panel. A researcher with Slik identified and reported several vulnerabilities in the InfiniteWP administration application for WordPress Web sites, including SQL injection vulnerabilities that could be used by an unauthenticated attacker to gain control of WordPress sites. 

Flaw in AirWatch by VMware leaks info in multi-tenant environments. VMware released an update for its AirWatch enterprise mobile management and security platform December 10 that closes vulnerabilities that could allow a user that manages a deployment in a multi-tenant environment to view the statistics and organizational information of another tenant. 

Recursive DNS resolvers affected by serious vulnerability. The Computer Emergency Response Team Coordination Center (CERT/CC) reported December 9 that recursive Domain Name System (DNS) resolvers are vulnerable to an issue where a malicious authoritative server can cause them to follow an infinite chain of referrals, leading to a denial of service (DoS) state. 

Third-party bundling made IBM products most vulnerable: Study. Secunia released a report on security vulnerabilities disclosed between August and October and found that vulnerabilities increased by 40 percent compared to the previous year to a total of 1,841 vulnerabilities in the 20 most vulnerable products, among other findings. The report also found that Google Chrome had the largest number of disclosed security issues, and that IBM was the most vulnerable vendor due to products being bundled with third-party software. 

Microsoft releases critical IE security update on Patch Tuesday. Microsoft released its monthly Patch Tuesday round of updates for its products December 9, which included 7 security bulletins addressing 24 vulnerabilities. Three vulnerabilities were considered critical and affected Internet Explorer, Microsoft Word and Office Web Apps, and the VBScript scripting engine. 

New version of Destover malware signed by stolen Sony certificate. Researchers at Kaspersky Lab identified a new variant of the Destover malware used in an attack on Sony Pictures Entertainment that uses a stolen, legitimate certificate from Sony. The malware is basically identical to previous versions except for the use of a certificate. 

SEO poisoning campaign ensnares several thousand websites, security expert finds. A webmaster identified and researchers from Websense and High-Tech Bridge confirmed that several thousand legitimate Web sites hosted on GoDaddy and other services had been compromised to improve the search engine optimization (SEO) ranking of other sites by inserting links into the legitimate sites. GoDaddy stated that the company was investigating the issue.


Deutsche Bank sued by U.S. over alleged tax scheme. Federal charges were filed against Deutsche Bank December 8 seeking $190 million in taxes, interest, and penalties for the bank’s alleged use of three underfunded shell companies to evade U.S. taxes. 

TD Bank settles Massachusetts data breach probe, to pay $625,000. TD Bank agreed December 8 to a settlement with the State of Massachusetts to pay $625,000 and improve security practices to resolve a probe of a 2012 data breach that exposed the personal information of more than 260,000 customers. The incident was caused by the loss of unencrypted back-up tapes in March 2012 and Massachusetts officials stated that the bank was too slow in reporting the breach to authorities in October. 

Federal fraud charges filed against Copley man for $17 million Ponzi scheme with 70 victims. A Copley Township man who was a co-owner and operator of KGTA Petroleum Ltd., was charged December 8 for allegedly operating the company as a Ponzi scheme, defrauding 70 investors of around $17 million between 2010 and 2014. The man and others, including three PrimeSolutions Securities Inc. representatives, also allegedly failed to file appropriate documentation with the U.S. Securities and Exchange Commission for the company. 

Former Arrow CEO indicted on 23 counts of bank, tax fraud. The former CEO of nationwide trucking company Arrow Trucking Co., pleaded guilty December 5 in federal court in Texas for allegedly conspiring with others to defraud the Internal Revenue Service and a Utah bank of $24 million in a fraud and tax evasion scheme that operated in 2009. The former CFO of the company previously pleaded guilty December 4 to tax fraud and bank fraud charges. 

Newly discovered ‘Turla’ malware targets Linux systems. Kaspersky Lab researchers identified a piece of malware targeting Linux systems associated with the Turla advanced persistent threat (APT) group (also known as Uroburos or Snake) that is based on the cd00r proof-of-concept backdoor and is capable of hidden network communications, remote management, and arbitrary remote command execution. Previous versions of Turla malware have targeted Windows systems in government agencies, military groups, educational institutions, pharmaceutical companies, and other targets in more than 45 countries. 

Fraud from bots represents a loss of $6 bln in digital advertising. The Association of National Advertisers and researchers with White Ops released a report December 9 which found that around 25 percent of video ads and 11 percent of display ads online are viewed by automated bots set up by cyber criminals to inflate Web site audiences. The researchers stated that such fraud could cost advertisers an estimated $6.3 billion in the next year. 

POODLE attack also affects some TLS implementations. A researcher with Google reported that certain implementations of Transport Layer Security (TLS) with an SSL 3.0 decoding function can be exploited through POODLE attacks to decrypt sensitive information. The researcher identified the vulnerability in older versions of Network Security Services (NSS) as well as in Web sites administered by Bank of America with load balancing devices from A10 Networks and F5 Networks. 

Info on millions of AliExpress customers could have been harvested due to site flaw. A security researcher identified and reported a flaw in the AliExpress online marketplace that could have allowed a logged-in user to exploit an insecure direct object reference vulnerability to view other users’ names, addresses, and phone numbers. Alibaba, parent company of AliExpress, closed the vulnerability after the researcher’s report. 

Yik Yak flaw de-anonymizes user, allows control over account. SilverSky researchers identified and reported a vulnerability in the Yik Yak anonymous social media platform for iOS that could allow an attacker to discover the identity of a user and take over their account due to the Flurry advertising tool sending the app’s secure ID used by the app in the place of a password without encryption. The researchers reported the issue to Yik Yak and a patch was released in December.


New variant of Neverquest banking trojan targets North America. Researchers with IBM Trusteer reported December 5 that they have observed a new variant of the Neverquest banking trojan being used predominantly against financial institutions in North America, with some additional targets in the media, gaming, and social networking industries. The malware has been distributed by drive-by downloads using exploit kits as well as by the Chaintor and Zemot trojan downloaders.

Pizza orders reveal credit card scheme, and a secondhand market. Police in New York City conducted a sweep that led to 14 arrests November 13-14 after it was found that criminals using stolen payment card information were placing orders through a Domino’s mobile app in order to test which stolen card numbers were able to be charged to. Card numbers that were able to be successfully charged to were then used for larger fraudulent purchases. Source:

Hamilton County man arrested for investment scheme. A Hamilton County, Indiana man was arrested on criminal charges December 4 for allegedly operating his firm, Guaranty Reserves Trust LLC, as a fraud scheme that defrauded 16 investors of around $6 million from 2010 to 2013. The man was previously indicted on civil charges for the same alleged fraud.

Google App Engine plagued by tens of vulnerabilities: Researchers. Security Explorations researchers reported identifying several vulnerabilities in the Google App Engine platform-as-a-service (PaaS) product, including issues that could be used to achieve a complete sandbox escape. Google confirmed that it received the researchers’ report and was analyzing the reported issues.

Attackers knock PlayStation Network offline for hours. Sony Computer Entertainment America acknowledged that some users of its Sony Playstation Network (PSN) were unable to access the service for several hours December 7 due to an apparent attack. Attackers identifying themselves as the Lizard Squad group claimed credit for the disruption.


4 Miami residents accused of bank fraud arrested. Four individuals from Miami, Florida, were arrested December 4 on charges that they allegedly operated a bank fraud and payment card fraud operation that defrauded financial institutions of more than $100,000.

2 O.C. residents charged in $11M Ponzi scheme. The Orange County-based owner and operator of MBP Insurance Services Inc., and an agent at the company were charged December 3 for allegedly operating the company as a Ponzi scheme that defrauded victims of more than $11.3 million.

Striped hoodie bandit arrested in Huntsville, Ala., on Tuesday. A suspect known as the “Striped Hoodie Bandit” wanted for three bank robberies in North Carolina was arrested in Huntsville, Alabama, December 2. The suspect was wanted in connection to bank robberies in High Point, Asheboro, and Huntersville in North Carolina as well as for a convenience store robbery in the State.

‘Sign in with LinkedIn’ spoof allows baddies to penetrate Slashdot, and more. Researchers with IBM identified and reported a vulnerability that could have allowed attackers to gain access to Web sites that use MyDigiPass to enable logins using social media accounts due to LinkedIn and Amazon allowing the use of accounts without confirmed email addresses. The issue was closed before the findings were disclosed and affected Web sites including, Slashdot, Crowdfunder, and among many others 

VMware warns of vCenter cross-site-scripting bug. VMware released six patches for vulnerabilities in its vCenter Server Appliance, one of which could allow cross-site scripting (XSS) attacks if a user is logged-in to vCenter and is tricked into clicking a malicious link or visiting a malicious Web page. 

‘DeathRing’ malware found pre-installed on smartphones. Researchers with Lookout published a report that found that low-cost and counterfeit smartphones manufactured in Asia and Africa that come with a piece of pre-loaded malware known as DeathRing originates from China. The command and control server for the malware appears to be offline, and the malware could be used for SMS or browser phishing.

Details emerge on Sony wiper malware Destover. Kaspersky Lab researchers released a report analyzing the Destover wiper malware used in the recent attack on Sony Pictures Entertainment and stated that the malware appeared to use similar driver files and to have been developed on a similar timeline to the malware used in the Shamoon attack on Saudi Aramco and the DarkSeoul attack against South Korea in 2013.

Critical remote code execution flaw found in WordPress plugin. Researchers with Sucuri identified and reported a vulnerability in the WP Download Manager plugin for WordPress that could have allowed attackers to implant a backdoor or gain access to administrative accounts on vulnerable Web sites. The developers of WP Download Manager released an update to close the vulnerability the week of December 1.


Critical PayPal bug left all accounts vulnerable to hijacking. A security researcher identified and reported a cross-site request forgery (CSRF) vulnerability that could have been used with other flaws to allow an attacker to link their email address to a victim’s account by capturing a reusable authentication token that was valid for all PayPal accounts. The vulnerability was fixed by PayPal before the researcher publicly disclosed his findings, and the researcher was awarded $10,000 from PayPal’s Bug Bounty program. 

Investigation reveals how Florida man ripped off DEA. A report from the U.S. Department of Justice’s Office of the Inspector General found that a now-deceased Jacksonville man who ran the FEBG Bond Fund operated the fund as a Ponzi scheme that defrauded around 130 individuals of over $30 million, more than half of whom were current or former Drug Enforcement Agency (DEA) employees or connected to DEA employees. The report found that some DEA personnel exercised poor judgment in giving the man access to DEA personnel and facilities and receiving gifts from the man. 

Charlotte man pleads guilty to role in Wax House scheme. A Charlotte, North Carolina man pleaded guilty December 3 for his role in the $75 million Operation Wax House mortgage and investment fraud scheme in North Carolina and South Carolina. The man was charged with laundering over $200,000 in loan proceeds through his Perry Masonry Construction company and for working as a promoter to recruit straw buyers. 

Big Blue patches big blooper in Endpoint Manager for mobes. IBM released a patch for its Endpoint Manager for Mobile Devices product that allowed attackers to gain remote access and compromise mobile devices connected to the network. 

Asprox operators have started recruiting for a larger botnet. Researchers with Malcovery found that the operators of the Asprox botnet began a campaign using spam emails purporting to be order confirmation from major retailers such as HomeDepot, WalMart, CostCo, and Target in order to infect more users and expand the Asprox botnet. 

Vulnerability in WhatsApp leads to losing conversations. Two security researchers reported and released a proof-of-concept (PoC) for a flaw in WhatsApp where an attacker could send a 2KB text containing special characters that would cause the app to crash unless the conversation thread is deleted. The researchers stated that the app affects WhatsApp versions 2.11.431 and 2.11.432 on Android devices. 

DNSimple suffers downtime due to 25 Gbps DDoS attack. Florida-based DNS provider DNSimple reported that it experienced a distributed denial of service (DDoS) attack December 1 that peaked at 25 Gbps and lasted around 12 hours, causing outages for the company and its customers. The company stated that DNSimple was not targeted but was affected by the DDoS attack after domains already under attack were delegated to the company. 

LastPass master password can be decrypted. Researchers presenting at the DefCamp 2014 conference during the November 29-30 weekend demonstrated how an attacker could use a man-in-the-middle (MitM) attack to trick users into running a malicious payload that could expose LastPass password manager passwords under certain conditions.


Former TigerDirect executives plead guilty to fraud. Two former senior executives at Miami-based electronics retailer TigerDirect pleaded guilty December 2 to securities and tax fraud charges in a $9.5 million bribery scheme that involved kickbacks from suppliers and concealing taxable income. 

Two men plead guilty in check fraud ring. Connecticut authorities reported that a New Haven man and a man from North Carolina pleaded guilty December 1 and December 2 to running a stolen check cashing ring that successfully cashed 37 altered checks totaling $104,070.

Unauthorized intruders gain access to ART Payroll database. Payroll service American Residuals and Talent (ART Payroll) notified current and former customers that unauthorized intruders were able to gain access to its Web application October 18 and determined November 10 that customers’ personal and financial information may have been accessed. The information included names, addresses, dates of birth, Social Security numbers, bank account information, and other information.

Iranian CLEAVER hacks through airport security, Cisco boxes. Researchers with Cylance published a report on a suspected Iranian hacking group that has compromised a variety of targets including government and military systems, telecommunications companies, research facilities, airports, defense contractors, and utilities in a campaign dubbed Operation Cleaver. The researchers stated that the group compromised critical infrastructure assets and Cisco networking equipment but did not engage in manipulation of those systems. 

Firmware update kills Lenovo Home Media Network HDDs. Here’s how to resurrect them. Lenovo stated that it was responding to customer reports of a firmware update causing its Home Media Network Hard Drive to fail to restart after installation of the update. 

Lizard Squad announces DDoS attacks for Christmas time. Attackers claiming to be the Lizard Squad hacking group claimed responsibility for conducting a distributed denial of service (DDoS) attack against the Xbox Live network after users complained December 1 that they experienced issues connecting to the network.


Florida men plead guilty in St. Louis to fraud scheme. Two Miami, Florida men pleaded guilty December 1 in U.S. District Court in St. Louis to stealing personal information from over 400 people in 2011 and 2012 and using the information to file fraudulent tax returns seeking more than $2.25 million in refunds, leading to around $500,000 in losses.

FBI investigating Sony Pictures hack possibly linked to leaked footage of ‘Annie,’ Mr. Turner’ movies. Sony Pictures Entertainment issued a statement December 1 confirming that the company is continuing to respond to issues created by a cyberattack that occurred during the week of November 24. The FBI confirmed that the agency is investigating the incident.

OpenVPN versions released since 2005 affected by critical flaw. The developers of the open-source virtual private network software OpenVPN released a new version of the software to address a critical denial of service (DoS) vulnerability which could allow authenticated attackers to cause servers to crash. The vulnerability affects all OpenVPN 2.x versions released since 2005 as well as OpenVPN Access Server versions prior to version 2.0.11.

Mozilla fixes vulnerabilities, disables SSL 3.0 in Firefox 34. Mozilla released the latest version of its Firefox browser, Firefox 34, closing three critical vulnerabilities and five others, as well as disabling Secure Sockets Layer (SSL) 3.0 support to protect users against POODLE attacks.


FIN4 attack group targets firms for stock market profit. FireEye researchers published a report on a group of attackers known as FIN4 that have targeted high-level figures at various financial services companies, advisory firms, and regulators in order to obtain inside information on business decisions for possible use in stock trading. The group has been active since mid-2013 and uses visual basic applications (VBA) macros in Microsoft Word documents and links to fake Outlook Web App login pages in order to obtain user names and passwords.

Officials seize 292 domain names to protect consumers during holiday season. U.S. authorities, Europol, and law enforcement agencies in 19 countries seized 292 domain names as part of a coordinated operation to shut down Web sites selling counterfeit goods in order to protect consumers, Europol reported December 1.


Syrian Electronic Army Thanksgiving hack of Microsoft, NBC, Dell, Forbes used Gigya comment platform. The creators of the Gigya comment platform announced that they closed a vulnerability in the product that allowed attackers claiming affiliation with the Syrian Electronic Army hacktivist group to place pop-up messages on the Web sites of several major technology, news, and other entities November 27. The attackers took advantage of GoDaddy to alter Gigya’s Domain Name System (DNS) in order to place the messages. fixes web application vulnerabilities. The Weather Channel fixed a Web application security issue on its Web site after a student researcher identified and reported the issue which made most links from the Web site vulnerable to cross-site scripting (XSS) attacks.

Man pleads guilty to selling StealthGenie spyware. A Danish citizen pleaded guilty in federal court November 25 and was ordered to pay a $500,000 fine for advertising and selling the StealthGenie mobile device spyware.

Advisory of “Shellshock” Vulnerability

On September 24, 2014, multiple security experts began reporting on a security vulnerability, Shellshock, which affects an application called Bash.

The vulnerability:

1. Bash, which stands for the GNU Bourne Again Shell exists in the GNU Operating System (free software) that is distributed with most versions of Linux and Unix free software;

2. Could enable attackers, without authentication, to obtain information, modify authentication parameters, and disrupt service; and

3. Is currently given the highest possible ratings (“10”) for Severity, Impact, and Exploitability based on the Common Vulnerability Scoring System (CVSS).

In response, it is recommended that business clients work with their IT professionals to:

1. Identify, filter and block internet protocol (IP) addresses that may be maliciously scanning systems.

2. Review all systems and services to identify any systems that may be vulnerable to this exploit.

3. Actively work to identify effective patching for this vulnerability, and patch any systems and services that are vulnerable.

Shellshock known vulnerabilities and vendor statues: