Monthly Archives: March 2016

TreasureHunt POS malware looks to steal your data before it’s too late

FireEye researchers spotted a point-of-sale (POS) malware dubbed TreasureHunt that appears to have been custom-built for a “dump shop” that sells stolen credit card data.

The malware enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control (CNC) server, according to a Mar. 28 blog post.

Cyber crooks are looking to take advantage of memory-scraping POS malware like TreasureHunt before more secure chip and PIN technologies render the data-scraping techniques obsolete, researchers said in the blog. There are currently about 1.2 million merchants that accept the 600 million chip cards now used in the United States.

The researchers said cybercriminals often gain access to the POS systems to implant the malware using previously stolen credentials or brute force login attempts with common passwords.

Via: scmagazine

Speeding Ticket Spam Targeting Users with Fake Email Citations

Authorities are warning users to be on the lookout for a speeding ticket scam that attempts to extort money from victims using fake email citations.

Earlier in March, the Tredyffrin Police Department wrote a post on the web portal for Chester County, Pennsylvania in which it explains how it came across the spam campaign.

“A local corporation contacted the police department advising that an employee had received an email indicating that he/she was speeding on local roads and needed to remit funds (in the form of a fine) to ‘Citation@safe-browsing.com’ which provided a link and attachments for sending the funds,” the police department writes.

The scam email sent to the employee included the individual’s name as well as their correct speed, time, and location, which has raised the Tredyffrin Police Department’s suspicions that a “free mobility or traffic app” containing drivers’ information might have been hacked.

[Image: template of this spam campaign’s fake emails. Source: Chester County, PA]

In commenting on this scam, Salted Hash posits that attackers could have obtained the GPS information from a benign application and are now using it for malicious purposes. Alternatively, scammers could have accessed the information from a database that was left open online to the public, such as a poorly configured MongoDB.

Police departments and local courts in and around Chester County have been made aware of this campaign, though it is not clear how many users might have been exposed to the scam already.

“Many consumers will readily dismiss the possibility that someone would care about their location data, but this is a prime example of how this seemingly low value data can play into a larger attack,” said Craig Young, a cybersecurity researcher for Tripwire. “While a fake speeding ticket email might ordinarily be recognized as fake and ignored, including a person’s name along with a road they regularly drive immediately gives authenticity to the scam making it far more likely that the attack will succeed. Social engineering is one of the most fundamental tools in the hacking toolkit and every hacker knows that realism is key in these efforts.”

As it investigates this ongoing campaign, Tredyffrin Police Department would like to remind users that it never sends out citations in the form of an email or an email attachment.

It is also careful to point out that those who come across this scam should not open the email attachment, as attackers commonly disguise ransomware, spyware, and other malicious programs as seemingly legitimate email attachments and disseminate them via phishing attacks.

Softpedia reports that no malware is believed to have been distributed by this scam at this time.

Via: tripwire

Ransomware Forces Hospitals to Shut Down Network, Resort to Paper

A strain of ransomware has infected the computer systems of MedStar Health, a healthcare provider that operates ten hospitals across the Washington DC and Baltimore region.

The attack has resulted in the organisation taking an extreme measure to stop the infection from spreading further: it has shut down large portions of its network.

As The Washington Post reports, the malware is thought to have been discovered early on Monday morning, and some staff have claimed that they saw ransom demands pop up on infected PCs’ screens demanding payment in “some kind of internet currency”.

In a Facebook post, MedStar Health issued a statement confirming it had fallen victim, and that users had experienced problems accessing their computers.

Via: tripwire

Over 60% of Federal Agencies Have Suffered a Data Breach, Says Study

According to a recent study, the overwhelming majority (90 percent) of U.S. federal agencies report feeling vulnerable to data threats.

The survey, conducted by analyst firm 451 Research in collaboration with Vormetric, analyzed the responses of 1,100 senior IT security executives at large enterprises worldwide, including more than 100 U.S. federal government organizations.

The report (PDF) revealed that 61 percent of U.S. federal government organizations had been subject to a data breach in the past, with nearly one in five respondents indicating the breach occurred in the last year.

Although many agencies also noted plans to increase security spending over the next 12 months, the report suggests their budgets may not be properly allocated to prevent the theft of sensitive data.

“The results showed that federal IT security professionals are like generals fighting today’s wars with the weapons of yesterday,” said Garrett Bekker, senior analyst at 451 Research.

U.S. government respondents listed network defenses (53 percent), such as firewalls, intrusion protection systems (IPS) and DLP, as well as analysis and correlation tools (46 percent) as the top categories for increased spending.

Meanwhile, data-in-motion and data-at-rest defenses, such as encryption, were at the bottom of the list in U.S. federal spending plans, with 40 percent and 30 percent, respectively.

“… Spending intentions reflected a tendency to stick with what has worked in the past… Clearly, there’s still a big disconnect between what we are spending the most of our security budget on and what’s needed to ensure that our sensitive data remains secure,” said Bekker.

Other key findings from the study included:

  • Skill shortages (44 percent) and budget constraints (34 percent) were named the top barriers to the adoption of strong data security.
  • 64 percent viewed compliance as either “very effective” or “extremely effective” (17 percent) for protecting sensitive data – up from 58 percent last year.
  • 76 percent of respondents identified cybercriminals and privileged users (64 percent) as the top external and internal threat actors.

Via: tripwire

Remotely Exploitable Bug in Truecaller Puts Over 100 Million Users at Risk



Security researchers have discovered a remotely exploitable vulnerability in the caller ID app “Truecaller” that could expose personal details of millions of its users.

Truecaller is a popular service that claims to “search and identify any phone number,” and helps users block incoming calls or SMSes from phone numbers categorized as spammers and telemarketers.

The service has mobile apps for Android, iOS, Windows, Symbian devices and BlackBerry phones.

The vulnerability, discovered by Cheetah Mobile Security Research Lab, affects the Android version of the Truecaller app, which has been downloaded more than 100 million times.

The actual problem resides in the way Truecaller identifies users in its systems.

During installation, the Truecaller Android app asks users to enter their phone number, email address, and other personal details, which are verified by phone call or SMS message. After this, whenever users open the app, no login screen is ever shown again.

This is because Truecaller uses the device’s IMEI to authenticate users, according to researchers.

“Anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers,” Cheetah Mobile wrote in a blog post.

Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonging to other users with the help of exploit code just by interacting with Truecaller’s servers.

After successfully exploiting this flaw, an attacker can:

  • Steal personal information like account name, gender, e-mail, profile pic, home address, and more.
  • Modify a user’s application settings.
  • Disable spam blockers.
  • Add entries to a user’s blacklist.
  • Delete a user’s blacklist.

Cheetah Mobile informed Truecaller of this flaw, and the company updated its servers and released an upgraded version of its Android app on March 22 to prevent abuse of this flaw.

Truecaller said in its blog post published Monday that the vulnerability did not compromise any of its user information.
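The weakness described above, shown as an added example that is not Truecaller's code or its actual fix: a server that accepts a device identifier as the only credential, next to one that issues a random secret after verification. The class names, the placeholder identifier and the token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a 15-digit placeholder, not a real IMEI.
SAMPLE_IMEI = "000000000000000"
PROFILE = {"name": "Alice Example", "phone": "+1-555-0100"}


class IdentifierAuthServer:
    """Weak design from the article: the device identifier is the only credential."""

    def __init__(self):
        self.accounts = {}

    def register(self, imei, profile):
        # Called once, after the phone number was verified by SMS or call.
        self.accounts[imei] = profile

    def get_profile(self, imei):
        # Whoever presents a known identifier is treated as the account owner.
        return self.accounts.get(imei)


class TokenAuthServer:
    """Hardened sketch: verification yields a random secret; the identifier is only a lookup key."""

    def __init__(self):
        self.accounts = {}  # imei -> (SHA-256 of token, profile)

    def register(self, imei, profile):
        token = secrets.token_urlsafe(32)  # 256 random bits, handed to the verified device once
        self.accounts[imei] = (hashlib.sha256(token.encode()).digest(), profile)
        return token

    def get_profile(self, imei, token):
        record = self.accounts.get(imei)
        if record is None or not token:
            return None
        stored, profile = record
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison; knowing the identifier alone is not enough.
        return profile if hmac.compare_digest(stored, presented) else None


def demo():
    weak, strong = IdentifierAuthServer(), TokenAuthServer()
    weak.register(SAMPLE_IMEI, PROFILE)
    token = strong.register(SAMPLE_IMEI, PROFILE)
    return {
        "weak_with_identifier_only": weak.get_profile(SAMPLE_IMEI) is not None,
        "strong_with_identifier_only": strong.get_profile(SAMPLE_IMEI, "") is not None,
        "strong_with_guessed_token": strong.get_profile(SAMPLE_IMEI, "guess") is not None,
        "strong_with_issued_token": strong.get_profile(SAMPLE_IMEI, token) is not None,
    }
```

An IMEI is a static value that other apps and parties can learn, so it works as a username at best; the secret has to be something only the verified device was given.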

If you haven’t already, download the latest version of Truecaller for your Android device from the Google Play Store now.

Via: thehackernews

Petya ransomware leverages Dropbox and overwrites hard drives

Trend Micro researchers spotted a new ransomware variant dubbed Petya that is delivered to victims who believe they are linking to a resume stored on a cloud storage site like Dropbox.

Using a cloud storage site as the infection source is not new, but using the cloud storage site to promote ransomware infections appears to be a new technique, Trend Micro Senior Global Marketing Manager Jon Clay said in comments emailed to SCMagazine.com.

The ransomware overwrites the affected system’s hard drive master boot record (MBR) in order to lock out users, according to a Mar. 25 blog post. The process of overwriting the MBR of the system and putting the ransom note in the startup process of the machine makes this variant of ransomware unique.

“It makes the system unusable and will display their ransom note during bootup,” Clay said, adding researchers are also seeing new and improved graphics with the ransom notes in their attack, possibly to improve the look and feel of the popups.

The scam starts with the attackers using phishing emails disguised to look and read like an applicant seeking a job, researchers said in the blog.

The email provides a link to, in the case studied by Trend Micro, a Dropbox storage location. The email is supposed to link to the applicant’s resume, but instead the link is connected to a self-extracting executable file that unleashes a trojan into the system.

Researchers said the trojan blinds any antivirus programs defending the computer before downloading and executing the ransomware. Trend Micro said the cybercriminals asked for 0.99 Bitcoins to unlock the computer.

Once executed, Petya overwrites the entire hard drive MBR to prevent the victim’s device from loading Windows normally or even restarting in Safe Mode. If the victim tries to reboot their computer they will be greeted by an ASCII skull and given an ultimatum to pay the ransom or have the files deleted.
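A defender-side check for the MBR overwrite described above, as an added example that is not from Trend Micro or the original article: it parses a 512-byte MBR and compares its boot code and partition table against a known-good baseline. The sample sectors are constructed test data, and capturing the baseline sector from a clean machine is assumed to be done with an imaging tool.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446  # bytes 0..445 hold the boot loader code
# Partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector):
    """Return boot-code hash, used partition entries and signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        offset = BOOT_CODE_LEN + slot * ENTRY.size
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, offset)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": slot, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }


def compare_to_baseline(baseline, current):
    """List the differences between a known-good MBR and the current one."""
    good, now = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if good["boot_code_sha256"] != now["boot_code_sha256"]:
        findings.append("boot code changed")
    if good["partitions"] != now["partitions"]:
        findings.append("partition table changed")
    if not now["signature_ok"]:
        findings.append("boot signature missing")
    return findings


def build_sample_mbr(boot_code, entries):
    """Assemble a constructed 512-byte MBR for the demonstration."""
    table = b"".join(ENTRY.pack(*e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xaa"


# Constructed sample sectors: same partition table, different boot code.
_PART = [(0x80, b"\x00\x01\x01", 0x07, b"\xfe\xff\xff", 2048, 204800)]
BASELINE = build_sample_mbr(b"\xfa\x33\xc0", _PART)
REPLACED = build_sample_mbr(b"\xeb\x00CONSTRUCTED", _PART)
```

A replaced boot sector can still carry a valid `55 AA` signature, which is why the comparison hashes the boot code instead of relying on the signature alone.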

Trend Micro has informed Dropbox about the malicious files hosted on their service. These have reportedly been removed along with other related files.

Clay said users can avoid infection by improving their email security and implementing messaging solutions that employ advanced detection features specific to phishing and socially engineered emails.

Tim O’Brien, director of threat research at the cloud security automation firm Palerra, said in comments that “end user awareness and training regarding the screening of emails and downloading files is the first line of defense” to prevent infection.

Via: scmagazine

Netflix Party lets long distance friends watch together

Ain’t no party like a Netflix party cause a Netflix party eventually stops after a weekend of bingeing on House Of Cards and doesn’t start again until Netflix releases the new season the next year.

But now there’s Netflix Party, a Chrome extension that lets viewers sync their Netflix viewing session across time and space and adds a group chat sidebar for good measure. Remember Xbox Live’s Netflix Party? Yeah, it’s like that but in a browser window.

This extension is not from Netflix so install at your own risk.

Netflix Party is easy enough to install. Download the plug-in and start watching a video on Netflix. The plug-in then becomes active and creates a sharable link. It’s that easy. Now you don’t have to cry alone when watching Where The Red Fern Grows.

Via: techcrunch

1.5M Verizon Enterprise Customer Records Found For Sale on Dark Web

Verizon Enterprise Solutions – a B2B division of the telecommunications company that provides data breach response services – is reportedly facing a breach of its own.

According to a report by investigative journalist Brian Krebs, a database containing the contact information of approximately 1.5 million Verizon Enterprise customers was found for sale on the Dark Web earlier this week.

An advertisement for the stolen information was seen posted by “a prominent member of a closely guarded underground cybercrime forum,” said Krebs, who noted the seller offered the entire package for a total of $100,000, or 100,000 records for $10,000 apiece.

Additionally, Krebs said the hacker also offered to sell information about the security vulnerabilities found in Verizon’s Web site.

Verizon Enterprise Solutions acknowledged the incident, stating:

“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”

The company did not disclose how many customers were impacted in the breach but said affected clients would be notified.

“The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place,” wrote Krebs.

“It’s a fair bet that if cyber thieves buy all or some of the Verizon Enterprise customer database, some of these customers may be easy marks for phishing and other targeted attacks,” he said.

Verizon Enterprise claims to serve 97 percent of the Fortune 500 companies.

“Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be a target-rich list,” warned Krebs.

Via: tripwire

Mac OS X Zero-Day Exploit Can Bypass Apple’s Latest Protection Feature

A critical zero-day vulnerability has been discovered in all versions of Apple’s OS X operating system that allows hackers to exploit the company’s newest protection feature and steal sensitive data from affected devices.

With the release of OS X El Capitan, Apple introduced a security protection feature to the OS X kernel called System Integrity Protection (SIP). The feature is designed to prevent potentially malicious or bad software from modifying protected files and folders on your Mac.

The purpose of SIP is to restrict the root account of OS X devices and limit the actions a root user can perform on protected parts of the system in an effort to reduce the chance of malicious code hijacking a device or performing privilege escalation.

However, SentinelOne security researcher Pedro Vilaça has uncovered a critical vulnerability in both OS X and iOS that allows for local privilege escalation and bypasses SIP without a kernel exploit, impacting all versions to date.

Bypass SIP to Protect Malware

The zero-day vulnerability (CVE-2016-1757) is a non-memory-corruption bug that allows hackers to execute arbitrary code on any targeted machine, perform remote code execution (RCE) or sandbox escapes, according to the researcher.

The attacker then escalates the malware’s privileges to bypass SIP, alter system files, and then stay on the infected system.

“The same exploit allows someone to escalate privileges and also to bypass system integrity,” the researcher explains in a blog post. “In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency.”

By default, System Integrity Protection or SIP protects these folders: /System, /usr, /bin, /sbin, along with applications that come pre-installed with OS X.

Easy-to-Exploit and Tough to Detect-&-Remove

According to Vilaça, the zero-day vulnerability is easy to exploit, and a simple spear-phishing or browser-based attack would be more than enough to compromise the target machine.

“It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes,” Vilaça says. “This kind of exploit could typically be used in highly targeted or state-sponsored attacks.”

The most worrisome part is that the infection is difficult to detect, and even if users ever discover it, it would be impossible for them to remove the infection, since SIP would work against them, preventing users from reaching or altering the malware-laced system file.

Although the zero-day vulnerability was discovered in early 2015 and was reported to Apple in January this year, the good news is that the bug doesn’t seem to have been used in the wild.

Apple has patched the vulnerability, but only in updates for El Capitan 10.11.4, and iOS 9.3 that were released on 21st March.

Other versions do not appear to have a patch update for this specific vulnerability from Apple, meaning they are left vulnerable to this specific zero-day bug.

Via: thehackernews

PCI may be in jeopardy with federal investigation underway!

Since there are no laws regulating credit card security, the Federal Trade Commission (FTC) ordered Special Reports from 9 companies to disclose their “data security compliance auditing and its role in protecting consumers’ information and privacy” under the PCI (Payment Card Industry) compliance assessment for DSS (Data Security Standards) and Forensic Audits. On March 7, 2016, the FTC issued a press release entitled “FTC To Study Credit Card Industry Data Security Auditing”, which included these reasons for the Order:

The FTC is seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.

Information collected by the FTC will be used to study the state of PCI DSS assessments.

Within 45 days these 9 vendors were ordered to respond:

  • Foresite MSP, LLC
  • Freed Maxick CPAs, P.C.
  • GuidePoint Security, LLC
  • Mandiant
  • NDB LLP
  • PricewaterhouseCoopers LLP
  • SecurityMetrics
  • Sword and Shield Enterprise Security, Inc.
  • Verizon Enterprise Solutions (also known as CyberTrust)

The FTC’s action may lead to laws regulating credit card data rather than PCI dictating their rules to companies that process credit card information.

Via: lexology