Cybercrime Week in Review 3 October 2015
Indian Hackers Deface Over 40 Pakistani Websites Hours After Two Indian Government Portals Were Hacked (Inquisitr)
Hours after an Indian website was hacked by a Pakistani hacker, a wave of cyber attacks targeted at Pakistan have left dozens of Pakistani websites defaced or hacked. According to a report by the Hindu, the latest chapter in the long drawn feud between Indian and Pakistani hackers was added when a Pakistani hacker decided to hack the official website of the Government of Kerala, a southern Indian state.
New DDoS attack uses smartphone browsers to flood site with 4.5bn requests (ZDNet)
Researchers suspect a mobile advertising network has been used to point hundreds of thousands of smartphone browsers at a website with the aim of knocking it offline.
Banks: Card Breach at Hilton Hotel Properties (Krebs on Security)
Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.
Developers find themselves in hackers’ crosshairs (CSO)
Attackers have long targeted application vulnerabilities in order to breach systems and steal data, but recently they’ve been skipping a step and going directly after the tools developers use to actually build those applications.
Trump hotels hacked, credit card data at risk (Money CNN)
Apparently, hackers managed to hide inside the company’s computers for a long time. The hotel chain warned that anyone who visited a Trump hotel between May 19, 2014 and June 2, 2015 “may have been affected.”
Stagefright Bug 2.0 – One Billion Android Smartphones Vulnerable to Hacking (Hacker News)
More than 1 Billion Android devices are vulnerable to hackers once again – Thanks to newly disclosed two new Android Stagefright vulnerabilities.
Gigabytes of user data from hack of Patreon donations site dumped online (Ars Technica)
The data has been circulating in various online locations and was reposted here by someone who said it wasn’t immediately possible to confirm the authenticity of the data. Security researcher Troy Hunt has since downloaded the archive file, inspected its contents, and concluded that they almost certainly came from Patreon servers. He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.
Hack Brief: Hackers Steal 15M T-Mobile Customers’ Data From Experian (Wired)
For hackers looking for fraud victims, few targets are as tempting as the data brokers that make a business out of assembling millions of people’s private information. That’s a lesson T-Mobile is learning now that its partnership with one such data collector, Experian, has resulted in the theft of 15 million T-Mobile customers’ private details.
In other Security News…
Experian and T-Mobile Breach, Linux Botnet, Android Stagefright 2.0
A massive data breach at Experian – one of largest credit reporting bureaus in the US – has led to the exposure of the personal information of more than 15 million T-Mobile consumers. In a letter addressed to customers, the mobile carrier stated that the records accessed included names, addresses, birthdates, as well as encrypted fields with Social Security numbers and driver’s licenses or passport numbers. T-Mobile CEO John Legere responded in a statement:
“Obviously I am incredibly angry about this data breach and this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.”
Retail brokerage firm Scottrade Inc. also disclosed a breach this week involving contact information and possibly Social Security numbers of approximately 4.6 million customers, according to security journalist Brian Krebs. The company said it was alerted by federal law enforcement about crimes involving the theft of information from Scottrade in addition to other financial services firms. “Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised,” said the company.
A 22-year-old Russian man responsible for distributing and installing the notorious Citadel banking Trojan has been sentenced to four and half years in prison. According to the Federal Bureau of Investigation, Dimitry Belorossov, also known as Rainerfox, pleaded guilty last year to conspiracy to commit computer fraud. In addition to time in prison, Belorossov was ordered to pay more than $322,000 in restitution, and was placed on supervised release for three years.
A security researcher disclosed a critical flaw in WinRAR – a popular Windows unzipping tool used for decompressing .ZIP, .RAR and .7Z files. The vulnerability is said to affect the latest version of the software, causing it to execute arbitrary code as a user unzips an SFX archive. The security risk of the flaw gave it a 9.2 score on the CVSS scale.
A group of security researchers discovered a Linux-based botnet that is reportedly capable of launching distributed denial-of-service (DDoS) attacks of over 150 gigabits per second, taking many of its victims completely offline. Akamai’s Security Intelligence Response Team reported the network – known as XOR DDoS Botnet – targets more than 20 websites per day, with the gaming sector being the primary target, followed by educational institutions. The researchers said the malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords.
More than one billion Android phones and devices are vulnerable to a new set of Stagefright bugs, warned researchers at mobile security firm Zimperium. Dubbed Stagefright 2.0, the two vulnerabilities manifest when processing specially crafted MP3 audio or MP4 video files, allowing attackers to execute malicious code. The first vulnerability impacts devices running outdated versions (as far as 1.0), while the second vulnerability affects devices running more recent versions (up to 5.0).
According to IBM, the UK’s financial services sector is seeing a spike in banking Trojan attacks from two families connected with the Zeus Trojan: Sphinx and Kronos. Researchers claim the Sphinx malware is actively attacking financial institutions in the wild, including several major UK banks and one Polish bank. Meanwhile, Kronos appears to have recently reemerged, showing “no technical advancements but a change in turf that [also] focuses on UK banks,” said IBM.
There were some big Internet-related announcements at the UN General Assembly this week. Facebook CEO Mark Zuckerberg called for universal Internet access as a “force for peace.” He’s partnering with Bono to hold world leaders accountable to the new Sustainable Development Goal of universal Internet access by 2020. Zuckerberg also revealed a plan to partner with the UN High Commissioner for Refugees to provide Internet access in refugee camps through Facebook’s Internet.org program, recently renamed Free Basics by Facebook in response to concerns raised by net neutrality proponents that Facebook is only providing a curated version of the Internet, not the whole thing. Still at the UN, the U.S. Department of State launched the “Global Connect” initiative in partnership with the World Bank to provide Internet access to 1.5 billion people by 2020. If the plan is to have everyone online by 2020 and the ITU calculates that roughly four billion still lack access, are there any takers to help connect the remaining 2.5 billion in five years?
The working group in charge of recommending changes to make the Internet Corporation for Assigned Names and Numbers (ICANN) accountable in a post-IANA transition environment met last week, and by some accounts, it did not go well. The U.S. government, which contracts the IANA functions to ICANN, has said that it will not approve a transition plan unless it has broad support of the Internet community. The community can’t seem to agree to a governance model that would replace the U.S. government’s role oversight role. According to Kieren McCarthy at the Register, there are two main camps. One wants to amend ICANN’s corporate structure to allow its members to have more say in decision making, have the power to remove ICANN board members, and change the organization’s by-laws. The other camp, mainly current and former ICANN board members and staffers, views the proposed changes as a threat to its power and are opposed, though the board seems to recognize that some changes are required. Despite prodding from U.S. government officials at the meeting, the deadlock remains. While the entire IANA transition process isn’t in jeopardy (yet), it could put the exercise at risk if both sides don’t resolve their differences.
Google is back under the FTC’s antitrust lens for noncompetitive practices with regard to the Android mobile OS, Bloomberg reported last week. While Android is open source and offered to developers for free, Microsoft, Nokia, and Expedia say that Google’s requirement that Android come bundled with Google apps makes it impossible for their alternative products to compete on a level playing field. While that argument has recently held water with EU regulators, the FTC decided not to pursue a similar case against Google three years ago; it’s unclear if they’ll take up the case this time around. The FTC also launched a lawsuit this week against a Florida company that included a “gag clause” against unfavorable online reviews in its terms of service; the regulator says companies can’t offer consumers contracts with such a clause.
A week has passed since the United States and China negotiated a cybersecurity agreement on economic espionage, and the Net Politics team has weighed in. While lauding the inclusion of an “escalation option” and explicit CERT-CERT enforcement mechanism, Rob proposes “a third party, independent mechanism to process and track requests for mutual legal assistance.” David highlights the new “global potential” of the United States’ norm against IP theft and suggests that the deal may open the door for international legal restrictions on espionage. And in my post, I raise questions about implementation, attribution, and the use of proxies in cybertheft.
As the ten-year review of the World Summit on the Information Society approaches, the Internet Society has posted a matrix outlining states’ positions on Internet governance, the digital divide, and cybersecurity, among other issues. The tool is pretty hand if you’re a government looking to get a sense of your colleagues’ negotiating positions. It’s also handy if you’re a casual observer trying to make sense of it all.
Notable news stories and security related happenings:
Mobile Advertising DDoS JavaScript Drip Serves Site with 4.5bn Hits. “CloudFlare has turned up an unusual form of denial-of-service attack: mobile advertisements that are pumping out around 275,000 HTTP requests per second. The cloud outfit didn’t name the victim, but said the Layer 7 HTTP floods hitting the target is the latest example of a once-theoretical attack turning up in the real world.” (Source: The Register)
More Law Firms Embrace Cloud-Based IT. “In addition to intrusion detection systems and spam filters, ‘we are able to build one environment and then house all of these firms in one environment where they are all separate from each other, almost like hardware,’ he added. ‘Most solo practitioners law firms… we see them storing a lot of data on their laptops. I am always harping on them to make sure they keep that data encrypted.’” (Source: Legal Tech News)
Two New PoS Malware Affecting US SMBs. “Following the seemingly quiet state of point-of-sale (PoS) malware these past few months, we are now faced with two new PoS malware named Katrina and CenterPoS now available to cybercriminals.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
Rise of Bitcoin Extortionist Group Threatens HK Banks Says Akamai. “Some regional banks in Hong Kong have been preyed upon by bitcoin extortionist group known as DD4BC, according to Akamai Technologies. […] As DD4BC is starting to flex its muscles in markets outside North America and Europe, Akamai is warning companies in Hong Kong to brace themselves against more aggressive tactics from the extortionist group.” (Source: Enterprise Innovation)
With Stolen Cards, Fraudsters Shop to Drop. “A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.” (Source: Krebs on Security)
Apple Watch Security Risks (and Benefits). “A recent HP Fortify study of 10 popular smartwatches (HP didn’t identify which brands were tested) found that every one contained significant vulnerabilities, including insufficient user authentication, lack of transport encryption, insecure interfaces, insecure firmware and privacy concerns. In 90 percent of cases, the study found, communications to and from the watch were easily intercepted.” (Source: eSecurity Planet)
Celebrity Search Results Loaded with Malware, Study Shows. “The results of searches relating to breaking news events and celebrities continue to be loaded with malware, a study has revealed. Model and TV personality Kelly Brook is the most dangerous celebrity to search online, according to Intel Security’s ninth annual survey of risky search topics.” (Source: Computer Weekly)
Microsoft Reaffirms Privacy Commitment, but Windows will Keep Collecting Data. “The privacy implications of Windows 10 and its data collection have been a talking point since the operating system was released. And today, Microsoft published a response of sorts. For the most part, the new blog post reiterates the company’s (lengthy) privacy policy.” (Source: Ars Technica)
Majority of Cybersecurity Experts Say Mobile Payments Data Breaches will Grow. “A survey by ISACA of more than 900 cybersecurity experts shows that an overwhelming majority (87 per cent) expect to see an increase in mobile payment data breaches over the next 12 months. Yet 42 per cent of respondents have used this payment method in 2015.” (Source: CIO)
Scammers Use Google AdWords, Fake Windows BSOD to Steal Money from Users. “Faced with the infamous Windows Blue Screen of Death (BSOD), many inexperienced computer users’ first reaction is panic. If that screen contains a toll free number ostensibly manned by Microsoft technicians who are there to help users overcome this problem, many are probably tempted to pick up the phone.” (Source: Help Net Security)
Drop-dead Simple Exploit Completely Bypasses Mac’s Malware Gatekeeper. “Patrick Wardle, director of research of security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates. Gatekeeper’s sole function is to check the digital certificate of a downloaded app before it’s installed to see if it’s signed by an Apple-recognized developer or originated from the official Apple App Store.” (Source: Ars Technica)
Fresh Ransomware Campaign has a 0% Detection Rate. “So how to protect oneself? Users should exercise extreme caution when it comes to opening emails from unknown senders—but should also make sure everything on their systems is up to date.” (Source: Info Security Magazine)
Opinion: Fight Phishing Without Blaming Victims. “Yes, anti-phishing training is effective. But only to a certain point. Training can reduce the number of malicious links that get clicked on within an organization but it will never eliminate the threat. Criminal hackers are crafty, and there will always be that perfectly designed e-mail that’ll fool even the savviest recipient. So, if your security policy is to rely 100 percent on anti-phishing training, you’re about to have a very bad day.” (Source: Christian Science Monitor)
Experian Data Breach Hits More than 15M T-Mobile Customers, Applicants. “The data includes personal information for a combination of about 15 million customers and applicants in the U.S. who at one point may have applied for T-Mobile service. The company said that the incident did not impact its own consumer credit database.” (Source: CNBC)
Stagefright Bug 2.0 — One Billion Android SmartPhones Vulnerable to Hacking. “Yes, Android Stagefright bug is Back… …and this time, the flaw allows an attacker to hack Android smartphones just by tricking users into visiting a website that contains a malicious multimedia file, either MP3 or MP4.” (Source: The Hackers News)
Tens of Thousands of Routers, IP Cams Infected by Vigilante Malware. “Symantec researchers have avoided calling Wifatch a piece of malware because it doesn’t actually do anything malicious. Instead, it appears to be the work of what experts call an “Internet of Things (IoT) vigilante” who wants to protect routers and other IoT devices from malicious actors.” (Source: Security Week)
AT&T sues inside attackers for unlocking thousands of phones – Ars Technica
Hackers hack each other and sell the data – Motherboard
MI5 director also wants access to snooping on encrypted data – BBC
Article on catching ransomware criminals – IT Pro
Malware helps authors cheat at online poker – Ars Technica
Vulnerabilities found in DHS websites – Reuters
Many systems still vulnerable to Heartbleed – The Register
Are we finally really our of IPv4 addresses (again) – Ars Technica
Obama’s administration nixes backdooring encryption – The Register
Forbes’ website servers malicious ads this month – Forbes
Twitter makes its shortened links HTTPS – Techdirt
Korean government approved parental spyware leaks data – Techdirt
Symantec (rightly) fires employees for issuing rogue HTTPS cert – Ars Technica
Gray hat vulnerability market company offers $1M bounty on iOS 9 hack – Wired
Malicious brain test app made it onto Google Play market – IBTimes
GhostPush virus infected over 600K android devices – CMCM blog
Russia allegedly the victim of nation state cyber espionage – Tech News World
Others can easily hijack Chinese Android botnet – The Register
Malicious images uploaded to Imgur – The Register
Bad cookies can hose HTTPS – PC World
President Obama and President Xi discuss cyber espionage – SC Magazine
Video of Obama and Xi’s meeting – Bloomberg
Hilton hotels may have suffered a breach – Krebs on Security
Resources for report – ThreatConnect
Cisco makes a tool to identify SYNful Knock – The Register
Porn sites hit with malware again – BBC
Why your identity is only worth a buck on the underground – NBC
New report highlights new APT actors – ThreatConnect
0day flaws in Kaspersky software – Project Zero
Attackers increasingly relying on memory resident attacks – Computer World
Pandalabs discovered 21M new malware variants Q2 2015 – BetaNews
Taking war driving to the next level – Forbes
New VXWork vulnerability could affect the Mars rover – The Register
FBI tells consumers to watch out for IoT – IC3.gov
Neustar claims that most DDoS attacks are a distraction – Computer Weekly
Latest on the old CVS and Costco Photo Center breach – SC Magazine
Firefox addon warns you if a site has been breached recently – Ghacks
New malvertising campaign keep on popping up – Malwarebytes
Some analysis on the 11M cracked Ashley Madison pwds – Ars Technica
US DoE had over a hundred cyber attacks in 4 years – Computer World
Memories of a teenager (reformed) virus author – The Register
IT pros spend most their time patching flaws – CIO
The latest on Android Stagefright flaw, including PoC – Zimperium
Best engineering school (MIT) has the worst security!? – Ars Technica
Apparently many US citizen’s support government backdoors – Forbes
New Android malware changes your PIN – Ars Technica
Another way for attackers to learn about Mozilla’s flaws – Wired
A good article on the real vs perceived threats – Tech Republic