Cybercrime Week in Review 5 September 2015
Account Takeovers: Did FFIEC Guidance Make a Difference? (Bank Info Security)
It’s been four years since the Federal Financial Institutions Examination Council issued its updated authentication guidance, which focuses on helping banks and credit unions defend against account takeover schemes. Since then, institutions have made significant investments to shore up their defenses and boost their ability to detect and prevent account takeovers.
Amazon dumps Flash, and the Web is better off (CSO)
Amazon will stop accepting Flash ads on its advertising network on Tuesday, a move that security experts say will help make the entire Web more secure.
Teenagers Collared for Using Lizard Squad DDoS Tool (Info Security)
Police from around the UK, working with the country’s National Crime Agency (NCA), have arrested six teenagers in connection with the ‘malicious deployment’ of Lizard Squad DDoS tool LizardStresser.
Jailbreaking pirates popped in world’s largest iCloud raid – 225,000 accounts hit (The Register)
The largest Apple iCloud raid in history has seen nearly a quarter of a million accounts compromised by malware targeting app pirates.
Big hacks, big data add up to blackmailer’s dream (ZDNet)
While breach reports often fixate on the number of records stolen, accounts compromised and people affected, the real question is what will hackers eventually do with the data they’ve collected.
9 baby monitors wide open to hacks that expose users’ most private moments (ARS Technica)
The security of Internet-connected baby monitors got a failing grade from researchers who found critical vulnerabilities in all nine of the models they reviewed.
Match.com UK Daters Spread Nasty Infection — From Malware (IB Times)
Security researchers discovered that, by paying just 36 cents, the operators of the malware campaign were able to place malicious ads on the company’s website. A visitor who clicked one of these ads was redirected through a series of links to a page that checked whether the visitor’s browser had any of a number of known flaws. If it found one, malware or ransomware was silently downloaded onto the victim’s PC without their knowledge.
Like Kaspersky, Russian Antivirus Firm Dr.Web Tested Rivals (Krebs on Security)
A recent Reuters story accusing Russian security firm Kaspersky Lab of faking malware to harm rivals prompted denials from the company’s eponymous chief executive — Eugene Kaspersky — who called the story “complete BS” and noted that his firm was a victim of such activity. But according to interviews with the CEO of Dr.Web — Kaspersky’s main competitor in Russia — both companies experimented with ways to expose antivirus vendors who blindly accepted malware intelligence shared by rival firms.
In other Security News…
Malware Hits iPhones, Lizard Squad Attacks NCA Website, Malvertising Campaign Targets Match.com
On the one-year anniversary of ‘The Fappening,’ an incident in which hundreds of explicit images of some of Hollywood’s best-known female celebrities, including Jennifer Lawrence and Kate Upton, were leaked online, investigators have yet to identify who was responsible for the hack. According to The Daily Mail, the Federal Bureau of Investigation has searched several addresses and seized some electronic equipment over the past year, but little is known about the perpetrators beyond the allegation that they used a tool to brute-force their victims’ login credentials. In total, the hack is believed to have compromised some 500 Apple iCloud accounts.
According to Palo Alto Networks and WeipTech, a group of Chinese iPhone developers, credentials for some 225,000 Apple accounts have been stolen by “KeyRaider,” a piece of mobile malware that intercepts users’ iTunes login credentials. This information, in turn, allows attackers to hijack victims’ purchase credentials and install paid apps on other iOS devices. KeyRaider spreads through third-party repositories used by jailbroken devices, so only users who have jailbroken their iOS devices are at risk, and the vast majority of victims are located in China.
Researchers with IBM Security X-Force have discovered a new banking Trojan they have nicknamed “Shifu,” from the Japanese word for “thief.” The malware, which currently targets 14 banks in Japan, is notable for how much it borrows from older malware families: a domain generation algorithm (DGA) from the Shiz Trojan, string obfuscation and anti-research techniques from ZeusVM, and stealth tactics from the Gozi/ISFB Trojan.
Xen has released a patch for a vulnerability that could allow domains given partial management control to deny service to other parts of the system. On ARM, XENMAPSPACE_gmfn_foreign dumps the p2m (the guest-physical to machine-frame mapping) when it fails to obtain a reference on the foreign page, and the dump routine, dump_p2m_lookup, does not use a rate-limited printk. A malicious infrastructure domain can therefore trigger the failure repeatedly and flood the Xen console. As The Register notes, sysadmins can lower the hypervisor log level so that fewer messages are emitted, but patching is recommended.
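The Xen issue above comes down to a diagnostic printk sitting on a guest-triggerable failure path with no rate limit. The following is an added illustration, not Xen’s code: a small interval/burst limiter of the kind that printk_ratelimit()-style helpers provide, with a simulated flood of failing calls run once unthrottled and once throttled. The function names (ratelimit_allow, console_lines_for_flood) and the 5-second window and 10-message burst are assumptions chosen for the example; the clock is injected so the behaviour can be checked without a real timer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical interval/burst rate limiter (example code, not Xen's).
 * At most 'burst' messages are emitted per 'interval_ms' window; the
 * rest are counted and reported once when the next window opens, so the
 * console still shows that throttling happened.
 */
struct ratelimit {
    uint64_t interval_ms;   /* length of one window in milliseconds */
    unsigned burst;         /* max messages emitted per window */
    uint64_t window_start;  /* start time of the current window */
    unsigned emitted;       /* messages emitted in this window */
    unsigned suppressed;    /* messages dropped in this window */
};

static void ratelimit_init(struct ratelimit *rl, uint64_t interval_ms, unsigned burst)
{
    rl->interval_ms = interval_ms;
    rl->burst = burst;
    rl->window_start = 0;
    rl->emitted = 0;
    rl->suppressed = 0;
}

/* Return true if one message may be emitted at time now_ms.
 * now_ms is assumed to come from a monotonic clock (never goes backwards). */
static bool ratelimit_allow(struct ratelimit *rl, uint64_t now_ms)
{
    if (now_ms - rl->window_start >= rl->interval_ms) {
        if (rl->suppressed)
            printf("ratelimit: %u messages suppressed\n", rl->suppressed);
        rl->window_start = now_ms;
        rl->emitted = 0;
        rl->suppressed = 0;
    }
    if (rl->emitted < rl->burst) {
        rl->emitted++;
        return true;
    }
    rl->suppressed++;
    return false;
}

/*
 * Model of the failing hypercall path: every attempt by the guest reaches
 * the diagnostic dump. With 'limited' false each attempt writes a console
 * line (the unpatched behaviour); with it true the limiter gates the dump.
 * All attempts arrive in a tight loop inside one window (now_ms = 0).
 * Returns the number of console lines the flood would produce; nothing is
 * printed per line so a large 'attempts' stays quiet.
 */
static unsigned console_lines_for_flood(unsigned attempts, unsigned burst, bool limited)
{
    struct ratelimit rl;
    unsigned lines = 0;

    ratelimit_init(&rl, 5000, burst);
    for (unsigned i = 0; i < attempts; i++) {
        if (!limited || ratelimit_allow(&rl, 0))
            lines++;    /* stands in for the dump routine's printk */
    }
    return lines;
}

int main(void)
{
    unsigned attempts = 100000;

    printf("unlimited dump:    %u attempts -> %u console lines\n",
           attempts, console_lines_for_flood(attempts, 10, false));
    printf("rate-limited dump: %u attempts -> %u console lines\n",
           attempts, console_lines_for_flood(attempts, 10, true));
    return 0;
}
```

Lowering the log level, the workaround mentioned above, only hides the symptom; the durable fix is to gate any message a guest can provoke on demand behind a limiter like this one.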
Five months after the Office of Personnel Management first discovered that it had been breached, U.S. officials stated this week that notification letters will begin going out to the 21.5 million victims at the end of September. As of this week, those individuals will also begin receiving free credit monitoring and identity protection services from a firm called “I.D. Experts.” The $133 million contract, as well as the OPM’s overall credit-monitoring strategy, has been criticized by some well-known voices in the information security community.
The Lizard Squad hacker group launched a distributed denial-of-service (DDoS) attack against the website of Britain’s National Crime Agency (NCA) this week in retaliation for the NCA’s arrest of six users of the group’s DDoS attack tool. The agency’s website was taken down as a result. However, an NCA spokesman stated that the outage in no way affected the agency’s operational capacity and amounted only to “a temporary inconvenience” for users wishing to visit the site.
Security researcher Joel Land discovered several zero-day vulnerabilities in Belkin’s N600 routers that, if exploited, could allow an attacker to block firmware updates, gain privileged access to the device’s web management interface, and carry out cross-site request forgery (CSRF) attacks. Until these vulnerabilities are fixed, the United States Computer Emergency Readiness Team (US-CERT) recommends that users not allow untrusted hosts to connect to their LAN, not browse the Internet while a session with the web management interface is open in another browser tab, and use strong passwords for WiFi connectivity.
Brian Krebs reported earlier this week that security firm Dr.Web experimented with ways to expose how anti-virus companies might be blindly accepting threat intelligence feeds from rival firms. The story mirrors the allegations of two former Kaspersky Lab employees, who claim that their past employer deliberately reported 10 benign files to the scanning service VirusTotal.com as malicious in an attempt to cause problems for rival companies. The campaign is said to have targeted AVG, Avast, and Microsoft, among others.
A researcher on Check Point’s malware research team has discovered a new variant of the Simplocker Android ransomware that masquerades as a legitimate application on app stores and download pages. The ransomware requests device administrator privileges upon installation, which it then uses to encrypt the device’s files. Victims are told that the encryption is the result of NSA activity and that they must pay a fine of US$500 to recover their files. Check Point believes that the attackers behind this malicious program have collected hundreds of thousands of dollars in ransom payments so far.
Security provider Malwarebytes recently found a malvertising campaign targeting the UK version of the popular dating website Match.com. The campaign uses Google-shortened URLs that lead to the Angler exploit kit, which is known to drop the Bedep ad-fraud Trojan as well as CryptoWall ransomware. Match.com has since released a statement saying it is not aware of any users reporting that they were affected by the malicious adverts.