Cybercrime Week in Review 19 September 2015
Fraud Alert: Criminals Test Stolen Credit-Card Numbers on Charity Websites (#Philanthropy)
Criminals are using poorly protected charity websites to test the validity of stolen credit-card numbers, cybersecurity experts said this week, costing some groups thousands of dollars. Simplified online donation pages make it easy for people to give — but also serve as prime testing ground for credit-card thieves.
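The pattern described above leaves a recognisable trace in a payment gateway's logs: one source submitting many small charges against many different card numbers in a short time, with a high share of declines because stolen dumps contain dead cards. The following velocity check is an added example written for this page; it is not code from the article, from Sucuri, or from any charity or payment processor mentioned here. The log format, field names and thresholds are assumptions chosen for the demonstration, and the log lines are constructed.

```python
"""Card-testing detector for a donation endpoint (added example, not from the article).

Card testers push many small charges against many distinct stolen numbers
from one source in a short time, and a large share of them decline because
stolen dumps contain dead cards. This sliding-window velocity check flags
that pattern. The log format, field names and thresholds are assumptions
for the demo; the log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how far back to correlate attempts from one source
MIN_DISTINCT_CARDS = 5           # distinct card numbers from one source inside WINDOW
MAX_TEST_AMOUNT = 5.00           # testers keep amounts tiny so live cards are not burned
MIN_DECLINE_RATIO = 0.5          # at least half of the small attempts declined

# Constructed gateway log: <utc timestamp> <client ip> <masked pan> <amount> <result>
SAMPLE_LOG = [
    # one source cycling through six cards at $1-2 in forty seconds: card testing
    "2015-09-15T10:00:01Z 203.0.113.7 411111******1111 1.00 declined",
    "2015-09-15T10:00:09Z 203.0.113.7 520000******0004 1.00 declined",
    "2015-09-15T10:00:17Z 203.0.113.7 378282******0005 1.00 approved",
    "2015-09-15T10:00:26Z 203.0.113.7 601111******1117 2.00 declined",
    "2015-09-15T10:00:34Z 203.0.113.7 400000******0002 1.00 declined",
    "2015-09-15T10:00:41Z 203.0.113.7 555555******4444 1.00 approved",
    # an ordinary donor
    "2015-09-15T10:01:00Z 198.51.100.20 424242******4242 50.00 approved",
    # a donor whose first attempt declined and who retried the same card
    "2015-09-15T10:02:10Z 192.0.2.9 400000******0069 25.00 declined",
    "2015-09-15T10:03:05Z 192.0.2.9 400000******0069 25.00 approved",
]


def parse_line(line):
    """Split one gateway log line into a typed event."""
    ts, ip, pan, amount, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "pan": pan,
        "amount": float(amount),
        "result": result,
    }


def find_card_testers(lines):
    """Return {ip: stats} for sources whose small-amount attempts look like card testing."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window so it spans at most WINDOW, ending at attempts[end]
            while attempts[end]["ts"] - attempts[start]["ts"] > WINDOW:
                start += 1
            small = [a for a in attempts[start:end + 1] if a["amount"] <= MAX_TEST_AMOUNT]
            cards = {a["pan"] for a in small}
            if len(cards) < MIN_DISTINCT_CARDS:
                continue
            declines = sum(1 for a in small if a["result"] == "declined")
            if declines / len(small) >= MIN_DECLINE_RATIO:
                # keep the most recent window that tripped the rule
                flagged[ip] = {
                    "distinct_cards": len(cards),
                    "small_attempts": len(small),
                    "declines": declines,
                    "last_seen": attempts[end]["ts"].isoformat(),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_card_testers(SAMPLE_LOG).items():
        print(f"card testing suspected from {ip}: {stats}")
```

The retrying donor is not flagged because the rule counts distinct card numbers rather than raw attempts, and the large single donation never enters the small-amount set. Keying on client IP alone is the weakest part of the check, since testers rotate through proxies; in a real deployment the same window logic would be run per session cookie, per device fingerprint and per BIN range as well, and the thresholds tuned against the site's own traffic.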
Small hospitals are big targets for hackers worldwide (#WFAA)
Hospitals are a treasure trove of valuable data. Patient information — including Social Security numbers, addresses, email addresses, and credit card numbers — is gold on the international black market. All a hacker has to do is pierce the hospital’s firewall and scoop up the goodies.
Attackers go on malware-free diet (#CSO)
To avoid detection, some hackers are ditching malware and living “off the land” — using whatever tools are already available in the compromised systems, according to a new report from Dell SecureWorks.
Tracking a Bluetooth Skimmer Gang in Mexico (#Krebs on Security)
In June 2015, I heard from a source at an ATM firm who wanted advice and help in reaching out to the right people about what he described as an ongoing ATM fraud campaign of unprecedented sophistication, organization and breadth. Given my focus on ATM skimming technology and innovations, I was immediately interested.
UK Consumers Call for Harsher Breach Penalties (#Info Security)
British consumers are fast losing patience with the businesses they patronize, with a majority calling for fines and compensation for those that fail to adequately protect customer information, according to new research.
SYNful Knock: Cisco router malware in the wild (#Fortune)
Security researchers say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected.
Vodafone’s hack deemed ‘an attack on freedom’ (#Business Review)
The hacking of a journalist’s phone by Vodafone was an “attack on democracy” and the response by the telco this week to the revelations was “offensively inadequate”, the NSW Regulation Minister, Victor Dominello, says.
In other Security News…
Newly Active Malware Campaign, Apple AirDrop Bug, Russian Cyberespionage
A new, active malware campaign has compromised thousands of WordPress sites, redirecting visitors to a Nuclear Exploit Kit landing page. According to SucuriLabs, the landing pages try a variety of available browser exploits to infect the computers of unsuspecting visitors. “We detected thousands of sites compromised just today and 95% of them are using WordPress,” said Sucuri CTO Daniel Cid. The campaign appears to have started only 15 days ago, but has quickly gained traction. SucuriLabs shared a snapshot of the daily infection rates so far.
Apple’s iOS 9 was released this week, fixing a serious vulnerability in AirDrop – the over-the-air file sharing service for both iPhones and Macs. Australian researcher Mark Dowd at Azimuth Security found that the flaw could allow anyone within range of an AirDrop user to install malware on the device and manipulate operating system settings to force the exploit to work, even if the victim did not accept the incoming AirDrop file. Dowd has published a video demonstrating the exploit. iOS 9 resolves the issue for iPhones, and OS X El Capitan – launching September 30 – will resolve it for Mac computers.
Telecommunications giant Vodafone Australia is under fire following the revelation that a journalist’s call and text records were accessed in an attempt to uncover the source for a story on a serious security issue in the Siebel data system used by Vodafone. Journalist Natalie O’Brien reported that the data system was available online and easily accessible through generic passwords, which were being shared around the company. Vodafone had previously denied the allegations, but has since released a statement apologizing for the “unacceptable and potentially criminal behavior.”
Researchers at F-Secure released a report detailing evidence of the Russian government’s alleged involvement with the seven-year malware campaign targeting government institutions, political think tanks and other high-level organizations. The report includes research dating back to 2008, outlining numerous incidents executed by a “well-resourced, highly dedicated and organized cyberespionage group” believed to be working for the Russian Federation.
A new survey by Kaspersky Lab says that about a third (32 percent) of serious distributed denial of service (DDoS) attacks are accompanied by a network intrusion. According to survey respondents, small businesses were most likely to lose data as a result of a DDoS attack – 31 percent of SMBs reported data loss, compared to 22 percent of enterprises. Furthermore, the average DDoS attack was found to cost SMBs more than $50,000 in recovery expenses, while enterprises typically dish out more than $417,000 to recover.
Schneider Electric pushed out a critical patch for a building-management system that transmitted user login credentials between client and server machines in plaintext. CVE-2015-3962 – with a CVSS base score of 10.0 – affects StruxureWare Building Expert prior to version 2.15. The vulnerable system controls air conditioning, lighting and metering, and is estimated to be in use worldwide.
A U.S. judge ruled that banks can proceed with a class action suit filed against Target for the massive data breach that occurred in 2013. The St. Paul, Minnesota, U.S. District Court judge affirmed Target’s negligence in the breach, which compromised upwards of 40 million payment cards. The decision enables the $5 million class action to be maintained under the representation of the five primary plaintiffs: Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain.
Notable news stories and security related happenings:
Smartwatch Sensors can be Used to Eavesdrop on the Keys You’re Typing. “Researchers have shown that a smartwatch’s motion sensors can be used to detect what keys you’re pressing with your left hand (or whatever hand the watch is on) and thus guess at the words you’re typing. Their findings suggest that it’s possible for cybercrooks to come up with an app that camouflages itself – for example, as a pedometer – and use it to track what someone types.” (Source: #Sophos’s Naked Security Blog)
Most DDoS Attacks Hiding Something More Sinister, Neustar Warns. “Most distributed denial of service (DDoS) attacks now appear to be aimed at distracting IT and security teams, a survey by communications and analysis firm Neustar has revealed.” (Source: #Computer Weekly)
Heartbleed is Far from Dead. 200,000+ Vulnerable Devices on the Internet. “After all the hullabaloo about Heartbleed, and the action taken by many IT professionals in the wake of the Heartbleed announcement, you would like to think that almost 18 months later the problem has gone away.” (Source: #Graham Cluley’s Blog)
Online Extortionists Reset Android PINs, Take Data on Virtual Drives Hostage. “The attack has been spread in typical fashion – disguised as an Android app called “Porn Droid” that claims to be an X-rated video streaming utility. With Porn Droid installed, the malware then attempts to seize admin privileges by displaying a bogus “Update Patch Installation” dialog.” (Source: #Lumension Blog)
Windows XP Still Running on a Third of Business, Public Sector PCs in Some Eastern European Countries. “Ukraine leads the nostalgic group. Windows XP runs on 41.2 percent of business and public computers that use Bitdefender’s antivirus software. Hungary follows with 37.5 percent, while Romania ranks third with 34 percent.” (Source: #ZDNet)
Cisco Routers Vulnerable to New Attack, Cyber Firm FireEye Says. “Security researchers say they have uncovered previously unknown attacks on the core devices used to route traffic around the Internet, allowing hackers to harvest vast amounts of data while going undetected by existing cybersecurity defences.” (Source: #Reuters)
Cyberinsurance: Protective or Perilous? “While it’s not a replacement for IT security, cyber-insurance creates a second line of defense to mitigate cyber incidents. But it can also pose new problems.” (Source: #Legal Tech News)
New Android Lockscreen Hack Gives Attackers Full Access to Locked Devices. “The hack involves dumping an extremely long string into the password field after swiping open the camera from a locked phone. Unless updated in the past few days, devices running 5.0 to 5.1.1 will choke on the unwieldy number of characters and unlock, even though the password is incorrect. From there, the attacker can do anything with the phone the rightful owner can do.” (Source: #Ars Technica)
230,000 New Malware Samples Detected Each Day. “PandaLabs has confirmed a record increase in the creation of new malware samples. In the second quarter of 2015 alone there were an average of 230,000 new malware samples detected each day, which means a total of 21 million new types in these three months.” (Source: #Help Net Security)
Users Want Data Leakers Hit by Fines and Compensation Claims. “The channel should be at the forefront of leading efforts to encourage users to get on top of data breaches as users express frustration with current situation.” (Source: #MicroScope)
Bug in iOS and OS X Allows Writing of Arbitrary Files Via AirDrop. “There is a major vulnerability in a library in iOS that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog.” (Source: #Kaspersky’s ThreatPost)
Hackers Target Google Webmaster Tools to Prolong Website Infections. “Hackers who compromise websites are using additional measures to prevent legitimate owners from detecting the presence of malicious or spam content that is inserted into their sites, according to a report by security vendor Sucuri.” (Source: #Fierce IT Security)
Backdoored Business Routers An Emerging Threat. “The implant is basically a clandestine modification of the router’s IOS image and allows attackers to maintain persistence on a compromised system even through reboots, FireEye said. The vendor described the implant as fully modular and customizable in design and capable of being remotely updated after installation.” (Source: #Dark Reading)
Significant Threats to Data Security Lurk Within, Professionals Say. “According to a recent investigative report on data breaches, an estimated $400 million has been lost from a predicted 700 million compromised records in 2015. So which security controls are the most important in thwarting cyber crime against businesses? Anti-malware? Physical security? Believe it or not, according to a recent survey, PEOPLE are a main concern.” (Source: #Business Wire)
What Happens When the Hackers Get Hacked: Inside the Hackers-for-Hire Business. “Evaluating data from the Hacking Team breach does, however, provide a fascinating glimpse into the world of professional hackers. From the nuts and bolts of attack vectors to the technical infrastructure of the RCS spying tool itself, there are some key learning points enterprise security professionals should take away from the Hacking Team incident.” (Source: #Information Age)
China will Work with U.S. on Hacking, Defend Its Interests: Official. “Obama told executives on Wednesday the United States had emphasized to China that industrial espionage in cyberspace would be considered an “act of aggression”, and called for an international framework to prevent the Internet from being “weaponized”.” (Source: #Reuters)
Error Exposes 1.5 Million People’s Private Medical Records on Amazon Web Services. “Police injury reports, drug tests, detailed doctor visit notes, social security numbers—all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horror show. Instead of hackers, it’s old-fashioned neglect from companies managing data that exposed your most sensitive information.” (Source: #Gizmodo)
Active Malware Campaign Uses Thousands of WordPress Sites to Infect Visitors. “The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post. The hijacked sites are being used to redirect visitors to a server hosting attack code made available through the Nuclear exploit kit, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor.” (Source: #Ars Technica)
Australia a Top-10 Attacker as Cybercriminals Target Mobile-Commerce Growth. “The latest ThreatMetrix Cybercrime Report, which reflects the flow of more than 1 billion global transactions transiting the company’s ThreatMetrix Digital Identity Network per month, painted a sobering picture of the changing threat facing CSOs as they try to ensure that increasingly flexible methods of data and systems access don’t compromise underlying security controls.” (Source: #CSO – Australia)
The New Art of War: How Trolls, Hackers and Spies are Rewriting the Rules of Conflict. “Cyberwar isn’t going to be about hacking power stations. It’s going to be far more subtle, and more dangerous.” (Source: #TechRepublic)