Cybercrime Week in Review 28 November 2015
ProtonMail comes back online, shores up DDoS defenses (#CSO)
ProtonMail, the Switzerland-based encrypted email service, has found its footing again after a wild ride over the past week.
After Paris Attacks, Beware Rush to Weaken Crypto (#Bank Info Security)
The Paris attacks have provoked security questions about whether European countries can – and should – be sharing better actionable intelligence on terrorism-related suspects. In addition, some officials in Europe and the United States have used the attacks to repeat their calls for strong cryptography and encrypted communications tools to be weakened, and for governments to be allowed to collect, monitor and analyze more bulk communications data.
Exploit Kit DNS Activity Soars 75% in Q3 (#Info Security)
The third quarter saw the creation of DNS infrastructure for exploit kits rise 75% from the same time a year ago, pointing to a coming storm of cyber attacks, according to security vendor Infoblox.
Secure Network Time Protocol goes beta (#ZDNet)
Without Network Time Protocol (NTP) the Internet couldn’t work. With it, though, some of the worst Distributed Denial of Service (DDoS) attacks ever have crippled parts of the Internet. The answer? The NTP Security Project’s first public development release of NTPsec.
Report: Everyone Should Get a Security Freeze (#KrebsOnSecurity)
This author has frequently urged readers to place a security freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.
Criminals are mostly hacking-by-numbers with exploit kits (#The Register)
UK police have busted nine people over allegedly spoofing phone calls from victims’ banks to drain them of a total of £60 million ($92 million).
eBay scammer steals identity of agent investigating him (#Naked Security)
He had the eBay/PayPal/parcel insurance scam chugging away, with dozens of accounts set up to file claims on packages. In actuality, the packages were empty boxes, sent to switched addresses, that purportedly never showed up.
Three Secure Holiday Shopping Moves (#Forbes)
You’re going to get annoyed this holiday season dealing with new chip-card readers, now making their way into stores. I know I have. It will take time before they perfect this technology.
In other Security News…
70M Prisoner Call Records Leaked, New PoS Malware, Arrests in JPMorgan Hack
More than 70 million records of phone calls made by United States inmates were leaked to reporters of The Intercept by an anonymous hacker. The publication reported that the data points to a major security breach at Securus Technologies, a provider of phone services inside the nation’s jails and prisons. Not only did the database include links to downloadable recordings of the calls, but it also held at least 14,000 conversations between inmates and attorneys, a violation of prisoners’ rights to confidential attorney-client communications.
“This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.”
According to the director of The Tor Project, the organization behind the Tor anonymity network, the FBI paid researchers at Carnegie Mellon University “at least $1 million” to unmask users and reveal their IP addresses as part of a large criminal investigation. An FBI spokesperson has responded, saying the allegations are “inaccurate.” Meanwhile, Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, did not deny the accusations directly, stating: “I’d like to see the substantiations for their claim. I’m not aware of any payment.”
US authorities announced multiple arrests and indictments in connection with the separate hacks at some of the nation’s largest financial institutions and brokerage firms, including JP Morgan Chase, eTrade and Scottrade. According to US Attorney Preet Bharara, the hacking was done to support a series of stock-manipulation schemes, as well as gambling and payment-processing schemes. The incidents resulted in the theft of more than 100 million customer records – 80 million from one financial firm alone.
A breach of Comcast customer credentials prompted the cable provider to reset more than 200,000 accounts after a database of users’ email addresses and corresponding passwords was found for sale on the Dark Web. The list contained details of approximately 590,000 accounts for a total price of $1,000. However, only around 200,000 of those combinations were reportedly still current. Although it’s unclear how the breach occurred, Comcast claims its systems were not compromised.
Researchers have discovered two new strains of point-of-sale (PoS) malware, including one that’s gone largely undetected for nearly five years, reported Threatpost. Dubbed ‘Cherry Picker,’ the malware has been targeting businesses selling food and beverage since 2011, stealthily using a combination of configuration files, encryption, obfuscation and command line arguments. The other type of PoS malware – known as ‘Abbadon’ – is the “latest in a long line of sophisticated PoS malware samples that have popped up,” said Kevin Epstein, VP of Threat Operations at Proofpoint.
“AbbadonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase,” said Epstein.
A Belgian court has ordered Facebook to stop collecting digital information about users who don’t have accounts with the social media site or face fines of up to €250,000 ($269,000) a day. The ruling comes after the Belgian Privacy Commission filed a civil suit against the company in June, saying it tracks users who visit the site or use the “like” or “share” buttons, regardless of whether they own a Facebook account or not. The company said in a statement it plans to appeal the ruling, arguing the country’s data protection watchdog has no jurisdiction over its European business, as it is headquartered in Ireland.
Notable news stories and security related happenings:
Android Gmail App Security Hole Lets You Pretend to be Anyone Online. “A bug which allows you to pose as anyone when sending an email through the Gmail application has been deemed a non-issue despite the risk of exploit via phishing campaigns. In order to spoof your email address and masquerade as someone else when sending an email, you need only change your display name in account settings, which hides your legitimate email address.” (Source: #ZDNet)
Windows Update for Business Lets IT Admins Defer Damaging Patches. “New options for controlling the timing of Windows 10 upgrades and updates arrived as part of Windows 10 version 1511, the upgrade that began rolling out Thursday.” (Source: #Computer World)
Google Play will Start Labeling Ad-supported Apps. “According to Droid Life, Mountain View has notified developers (see the full email below the fold) that they’re required to sign into their consoles and declare whether their applications have advertisements. And, if they lie about it, they could face suspension.” (Source: #Engadget)
Android Adware can Install Itself Even When Users Explicitly Reject It. “The hijacking happens after a user has installed a Trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices.” (Source: #Ars Technica)
Edgy Online Shoppers Face Dyre Christmas as Malware Mutates. “The banking bomb has ripped untold fortunes from victims and passed them into the hands of its authors. In at least one instance alone IBM says more than one million dollars was plundered from an organisation.” (Source: #The Register)
Amazon Now Offers Two-factor Authentication to Make Your Account More Secure. “While two-factor authentication adds a bit of a hassle to your login process, it’s worth it, as it makes your account a lot safer from hacking attempts, even if someone manages to steal your password. If you change your mind, you’ll be able to turn off two-factor authentication later.” (Source: #Mashable)
Yahoo is Locking Down Mail Access for Some People with Ad Blockers. “Although Yahoo is hardly the first to experiment with detecting ad-blocking software and then prompting users to disable it — many news sites, for example, have taken that action — it’s more rare that a critical service like email is put behind such a wall.” (Source: #The Verge)
Security Flaw in Samsung Galaxy Devices Lets Attackers Record Phone Calls. “A telephone tower-like device (IMSI-catcher) can be used for recording phone calls from the latest versions of Samsung Galaxy, demonstrated by two German researchers.” (Source: #HackRead)
Don’t Allow Your Wi-Fi to Become a Security Risk. “It is important to step back and consider the way in which Wi-Fi is used – by both staff and guests – and assess the risks. Under the current legislation an organisation needs to be able to demonstrate a robust intent to prevent people – both employees and guests – from breaking the law.” (Source: #IT Security Guru)
Phishers are Targeting Millions of DHL Customers. “This is also the time of year when cyber crooks usually start to ramp up their phishing and malware delivery campaigns, which often take the form of emails made to look like legitimate ones coming from popular package delivery companies.” (Source: #Help Net Security)
BadBarcode: Poisoned Barcodes can be Used to Take Over Systems. “Researchers from Tencent’s Xuanwu Lab have proved that a specially crafted barcode can be used to execute commands on a target system, saddle it with malware, or perform other malicious operations.” (Source: #Help Net Security)
The Evolution of Ransomware: Is Cryptowall 5.0 Around the Corner? “When the original Cryptolocker infrastructure was removed last year, we projected that the next logical step for cyber criminals would be smaller, more agile attacks, which would better elude a takedown. That presumption was correct, but cyber criminals improved ransomware to achieve much more than just that.” (Source: #Heimdal Security Blog)
Police Body Cams Found Pre-installed with Notorious Conficker Worm. “According to a blog post published last week by security firm iPower, multiple police cams manufactured by Martel Electronics came pre-installed with Win32/Conficker.B!inf. When one such camera was attached to a computer in the iPower lab, it immediately triggered the PC’s antivirus program.” (Source: #Ars Technica)
Apple’s Siri can Leak Personal Data. “Further security and privacy risks to users of Siri, Apple’s personal assistant, have been revealed that could allow anyone to gain entry to personal data on someone else’s Siri-enabled iOS device, regardless if the device is locked.” (Source: #SC Magazine)