Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices, decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or other emails you are unsure about, do not open it. The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.

1/18/17

Justice Department and State partners secure nearly $864 million settlement with Moody’s arising from conduct in the lead-up to the financial crisis. The U.S. Department of Justice, 21 States, and the District of Columbia reached a nearly $864 million settlement with Moody’s Investors Service Inc., Moody’s Analytics Inc., and their parent, Moody’s Corporation, January 13 to resolve allegations that the firm deviated from its credit rating standards and methodologies for Residential Mortgage-Backed Securities (RMBS) and Collateralized Debt Obligations (CDO) and failed to disclose those changes to the public, causing people to make poor investment decisions. The Statement of Facts included in the settlement acknowledges that beginning in 2001, Moody’s RMBS group used an internal RMBS rating tool that did not calculate the loss given default or expected loss for RMBS below AAA and failed to integrate Moody’s own rating standards, among other violations.

Flaws found in Carlo Gavazzi energy monitoring products. Carlo Gavazzi released firmware updates after a security researcher found that the company’s VMU-C product was plagued with a flaw that grants a malicious actor access to most of the application’s functions without authentication, as well as a cross-site request forgery (CSRF) issue that can be exploited to change configuration parameters. The researcher also found the product stores some sensitive information in clear text, and warned that the flaws can be remotely exploited if the device’s administrator interface is accessible from the Internet or local network.

New RIG campaign distributes Cerber ransomware. Researchers from Heimdal Security found that a recently spotted campaign is leveraging the Empire Pack version of the RIG exploit kit (EK) to exploit one of eight vulnerabilities plaguing outdated versions of Adobe Flash Player, Microsoft Internet Explorer, Microsoft Edge, and Microsoft Silverlight in order to compromise a victim’s device and download and install the Cerber ransomware. The researchers reported that users must keep their software updated at all times to ensure protection against such attacks.

Virginia college student pleads guilty to federal computer malware charges. A student at James Madison University in Virginia pleaded guilty January 13 to Federal charges after he developed malicious keylogger software and sold the malware to more than 3,000 users, who subsequently used the software to infect more than 16,000 computers.

Advantech WebAccess flaws allow access to sensitive data. Advantech released patches addressing several serious vulnerabilities in version 8.1 of its WebAccess software package after researchers from Tenable Network Security discovered that the product was impacted by a critical Structured Query Language (SQL) injection flaw and a critical authentication bypass issue, which could enable a remote attacker to access potentially sensitive information.

1/17/17

ITG paying $24 million for improper handling of ADRs. The U.S. Securities and Exchange Commission announced January 12 that Investment Technology Group, Inc. (ITG) agreed to pay over $24.4 million to settle charges that it violated Federal securities laws from 2011 – 2014 by facilitating pre-releases of American Depository Receipts (ADRs) to its counterparties without owning the foreign shares or taking the necessary steps to ensure they were protected by the counterparty on whose behalf they were being acquired. Many of the ADRs obtained by ITG through pre-releases were ultimately used to engage in short selling and dividend arbitrage even though they may not have been backed by foreign shares, leaving them exposed to market abuse.

New Ploutus ATM malware variant at large. Security researchers from FireEye reported that a new variant of the Ploutus ATM malware targeting machines from Diebold, dubbed Ploutus-D, is capable of significantly expanding its list of targets with minor code changes, as it is capable of interacting with KAL’s Kalignite multivendor ATM platform, which runs on 40 different ATM vendors in 80 countries. The new variant requires an attacker or money mule to open the top portion of the ATM, connect a keyboard to the machine, and use an activation code that is provided by the actor in charge of the operation in order to dispense the money from the machine.

GoDaddy revokes nearly 9,000 SSL certificates. GoDaddy revoked nearly 9,000 Secure Sockets Layer (SSL) certificates after discovering that a software bug, which was introduced in July 2016 as part of a routine code change intended to improve the certificate issuance process, can cause the domain validation process to be unreliable. GoDaddy provides the customer a random code and directs the customer to place it in a specific location on their Website in order to validate the domain name for a certificate. However, the systems were observed validating domains even if the code was not found.
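The validation failure described above is a fail-open check: the random code must be the only thing that proves control of the domain. The following added example (not GoDaddy's code) puts a hypothetical fail-open validator next to a fail-closed one; the validation path, the fetch function and the sample responses are all constructed so it runs offline.

```python
import secrets

# Hypothetical location where the customer is told to publish the code.
VALIDATION_PATH = "/.well-known/domain-validation.txt"


def issue_challenge() -> str:
    """Random token the CA hands the customer to publish on their site."""
    return secrets.token_hex(16)


def validate_fail_open(domain: str, token: str, fetch) -> bool:
    """Hypothetical buggy validator: any fetch that does not raise counts as proof.

    This is an illustration of the failure mode (validation succeeding although
    the code was never found), not GoDaddy's actual defect.
    """
    try:
        body = fetch(domain, VALIDATION_PATH)
    except Exception:
        return False
    # BUG: the token is never compared, so an empty body, a 404 page or a
    # parked-domain page all validate the domain.
    return body is not None


def validate_fail_closed(domain: str, token: str, fetch) -> bool:
    """Correct validator: passes only when the exact token is served back."""
    try:
        body = fetch(domain, VALIDATION_PATH)
    except Exception:
        return False          # unreachable host is a failed validation
    if not body:
        return False          # missing or empty file is a failed validation
    # Full-string, constant-time comparison: a substring search would let a
    # page that happens to echo request data pass.
    return secrets.compare_digest(body.strip().encode(), token.encode())


def make_fetch(responses: dict):
    """Build an offline stand-in for an HTTP fetch from constructed responses."""
    def fetch(domain: str, path: str):
        r = responses.get(domain)
        if isinstance(r, Exception):
            raise r
        return r
    return fetch


# Constructed outcomes a CA might observe for four customer domains.
TOKEN = issue_challenge()
CASES = {
    "good.example": TOKEN + "\n",                         # code published correctly
    "empty.example": "",                                  # file exists but is empty
    "notfound.example": "<html>404 Not Found</html>",    # no validation file at all
    "down.example": ConnectionError("connection refused"),  # host unreachable
}


def run_demo(validator, token: str = TOKEN, cases: dict = CASES) -> dict:
    """Run a validator over the constructed cases; returns {domain: passed}."""
    fetch = make_fetch(cases)
    return {d: validator(d, token, fetch) for d in cases}


if __name__ == "__main__":
    print("fail-open  :", run_demo(validate_fail_open))
    print("fail-closed:", run_demo(validate_fail_closed))
```

Only the fail-closed validator refuses the empty and 404 cases; the fail-open one accepts every domain that merely answers, which is the behaviour the revocation was cleaning up.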

1/13/17

Eight vulnerabilities patched in WordPress. WordPress version 4.7.1 was released, resolving a total of 8 security flaws and 62 bugs including 2 cross-site request forgery (CSRF) flaws, several cross-site scripting (XSS) vulnerabilities, and a weak crypto issue related to multisite activation keys.

Four high severity DoS flaws patched in BIND. The Internet Systems Consortium (ISC) released BIND versions 9.9.9-P5, 9.10.4-P5, 9.11.0-P2, and 9.9.9-S7 addressing four high severity denial-of-service (DoS) flaws that can be remotely exploited to cause the BIND name server process to encounter an assertion failure and stop executing. ISC stated it was not aware of the vulnerabilities being actively exploited.

Command execution vulnerability patched in Ansible. Red Hat released updates for the Ansible IT automation platform addressing a security bypass vulnerability after security researchers from Computest found that a flaw in the controller, the central node in an Ansible installation, could be leveraged by an attacker to bypass filters and gain control of certain facts to execute arbitrary code on the controller, and subsequently move to the other hosts.

Powerful “Spora” ransomware lets victims pay for immunity. Security researchers from Emsisoft warned that a newly observed ransomware, dubbed Spora, is distributed via spam emails masked as invoices and leverages Windows CryptoAPI for encryption, using a mix of RSA and Advanced Encryption Standard (AES) that allows the ransomware to encrypt files without a command and control (C&C) server connection, as well as ensuring that a decryption tool developed for one victim will not work for another victim. The researchers also found that Spora is able to determine how much ransom a victim should pay by creating statistics of the targets to encrypt and saving them to a .KEY file as a set of six numbers.

RIG grabs 35% of exploit kit market in December. Symantec researchers reported that the RIG exploit kit (EK) was responsible for nearly 35 percent of the total EK activity during December 2016, with Fiesta at roughly 4 percent, and the Magnitude EK at about 3 percent. The number of Web attacks blocked by Symantec increased by about 33 percent in December 2016 after the company blocked 388,000 attacks per day in comparison to the 291,000 attacks blocked per day in November 2016.

1/12/17

Bank of America sued for $542 million over FDIC risk rule. The U.S. Federal Deposit Insurance Corporation (FDIC) filed a $542 million lawsuit against Bank of America Corp. January 9 for reportedly failing to pay the FDIC for deposit insurance protection from 2013 – 2014 after the bank ignored FDIC instructions and improperly calculated exposure faced by its parent-level firms, thereby causing the bank to understate how much it owed in insurance protection for its 20 largest counterparties. The FDIC claims the bank owes a total of more than $1 billion in underpayments made since 2011.

Operator of unlawful Bitcoin exchange pleads guilty in multimillion-dollar money laundering and fraud scheme. The former operator of Coin.mx, an Internet-based Bitcoin exchange, pleaded guilty January 9 to violating Federal anti-money laundering laws and regulations by processing over $10 million in illegal Bitcoin transactions from 2013 – July 2015 via a sham front company, Collectables Club that the operator and co-conspirators created in order to avoid detection. To further avoid scrutiny from financial institutions about the nature of Coin.mx’s business, the group gained control of New Jersey-based Helping Other People Excel Federal Credit Union in 2014 after making more than $150,000 in illegal bribes.

Microsoft patches flaws in Windows, Office, Edge. Microsoft released a total of four security bulletins, including a critical bulletin that resolves a memory corruption flaw in Office that can be exploited by convincing a targeted user to open a maliciously crafted file or to visit a Website hosting a malicious file due to the way the software handles objects in memory. Microsoft also released bulletins patching a privilege escalation flaw in Edge, a denial-of-service (DoS) flaw, as well as vulnerabilities in Adobe Flash Player used in several versions of Windows.

SAP patches multiple XSS and missing authorization vulnerabilities. SAP released its January 2017 security patches resolving a total of 23 flaws across its products, including a severe buffer overflow bug that an attacker could leverage to inject malicious code into memory and cause a compromised application to execute it, enabling the attacker to take complete control of an application, cause a denial-of-service (DoS) condition, or execute arbitrary commands, among other malicious actions. The patches also addressed a critical Structured Query Language (SQL) injection flaw in SAP Business Intelligence Platform that could allow a malicious actor using specially crafted SQL queries to access and modify sensitive information from a database, remove the data, and execute administration operations, among other addressed flaws.

Adobe patches 42 flaws in Reader, Acrobat, Flash. Adobe released security updates addressing a total of 42 vulnerabilities in its products, including 29 issues affecting Acrobat and Reader versions 11 and 15 that could allow a malicious actor to take control of impacted systems. The updates also resolve 13 critical security flaws in Flash Player, which can lead to arbitrary code execution or information disclosure.

New Terror exploit kit emerges. Security researchers from Trustwave reported cybercriminals started leveraging a new exploit kit (EK), dubbed Terror, which packs at least eight different operational exploits for Microsoft Internet Explorer, Adobe Flash Player, and Mozilla Firefox that are a combination of Metasploit exploits and ones borrowed from the Hunter or Sundown EKs. The developer of Terror was observed leveraging the EK to deliver a cryptocurrency miner to the compromised device.

1/11/17

Police seize 87 fraudulent credit cards from suspects Sunday at Tysons shopping center. Authorities in Fairfax County, Virginia, arrested and charged 3 suspects after they seized 87 fraudulent credit cards in the suspects’ possession at Tysons Corner Center January 8. Further investigation revealed the suspects also possessed several items used to manufacture fake credit cards and identification cards.

Rockwell Automation addresses flaws in programmable controllers. Rockwell Automation released firmware updates for its Allen-Bradley programmable automation controllers, programmable logic controllers, and safety programmable controllers after the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that versions 16 – 21 of the devices were plagued with a critical stack-based buffer overflow flaw that could be remotely exploited to execute arbitrary code on a controller or cause the device to enter a denial-of-service (DoS) condition by sending maliciously crafted Common Industrial Protocol (CIP) packets to the targeted device.

Edge exploits added to Sundown EK. A security researcher discovered that the operators of the Sundown exploit kit (EK) started leveraging two memory corruption flaws in Microsoft Edge that can be remotely exploited to execute arbitrary code in the context of the user by tricking a victim into accessing a maliciously crafted Website.

Mac crashing attack method used in tech support scam. Malwarebytes Labs security researchers discovered that attackers are leveraging drive-by downloads to deliver malicious code targeting Apple’s Safari browser on Macs via a newly registered scam Website that pushes two different types of denial-of-service malware as part of a campaign to trick victims into calling a fake tech support service. The researchers stated that the attack does not work against machines running the Mac operating system Sierra 10.12.2 or above.

1/10/17

Former vice president of publicly traded company charged with orchestrating $100 million securities fraud scheme. A former vice president of U.S. operations at now-bankrupt Poseidon Concepts Corporation in Calgary, Canada, was charged January 5 for his role in a securities fraud scheme where from November 2011 to December 2012, he allegedly caused the company to fictitiously report roughly $100 million in revenue from purported contracts with oil and natural gas companies. The charges allege that the defendant executed the scheme to enrich himself through the continued receipt of funds and stock appreciation, while causing the firm’s shares to lose nearly $1 billion in value.

New “Ghost Host” technique boosts botnet resiliency. Cyren security researchers reported that malware developers have started leveraging a new technique, dubbed ghost host, which fools Web security and Uniform Resource Locator (URL) filtering systems by inserting non-malicious host names that are both registered and unregistered into the Hypertext Transfer Protocol (HTTP) host fields of a botnet’s communications, in order to guarantee communication with the command and control (C&C) server is not blocked by security systems. The botnet operator can also manipulate the server to respond differently when messages using different ghost host names are received, including commanding the botnet to download a specific type of malware onto a device.
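The ghost host technique works only because a filter trusts the HTTP Host header on its own. A defender's triage signal is to compare that header with where the connection actually went. The following added example (not Cyren's code) parses constructed proxy log lines, checks each Host value against a constructed forward-DNS snapshot, and groups the mismatches by destination IP; the log format, the names and the addresses are all made up for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ProxyRecord:
    src: str          # internal client address
    dst_ip: str       # IP the proxy actually connected to
    host_header: str  # value of the HTTP Host header


# Constructed forward-DNS snapshot standing in for a resolver. An empty list
# means the name is unregistered or does not resolve at all.
DNS = {
    "cdn.example": ["203.0.113.10", "203.0.113.11"],
    "news.example": ["198.51.100.5"],
    "notregistered.example": [],
}

# Constructed proxy log: "src dst_ip host_header", one request per line.
LOG = """\
10.0.0.7 203.0.113.10 cdn.example
10.0.0.7 192.0.2.44 cdn.example
10.0.0.8 192.0.2.44 notregistered.example
10.0.0.9 198.51.100.5 news.example
10.0.0.9 192.0.2.44 192.0.2.44
"""


def parse_log(text: str) -> list:
    """Split the constructed log into ProxyRecord objects, skipping blank lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append(ProxyRecord(*parts))
    return records


def classify(rec: ProxyRecord, dns: dict = DNS) -> str:
    """Return 'ok', 'ip-literal-host', 'unresolvable-host' or 'host-ip-mismatch'."""
    host = rec.host_header.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal-host"      # bare IP in Host: nothing for a URL filter to rate
    except ValueError:
        pass
    resolved = dns.get(host)
    if not resolved:
        return "unresolvable-host"    # unregistered name placed in the header
    if rec.dst_ip not in resolved:
        return "host-ip-mismatch"     # registered, benign-looking name, wrong server
    return "ok"


def find_ghost_hosts(records: list, dns: dict = DNS) -> dict:
    """Map each destination IP to the set of suspicious Host names sent to it.

    One IP receiving requests under several names that never resolve to it is
    the pattern the item describes: the C&C address stays fixed while the
    Host header rotates through names the filter considers harmless.
    """
    by_dst = {}
    for rec in records:
        if classify(rec, dns) != "ok":
            by_dst.setdefault(rec.dst_ip, set()).add(rec.host_header)
    return by_dst


if __name__ == "__main__":
    for ip, names in find_ghost_hosts(parse_log(LOG)).items():
        print(ip, sorted(names))
```

Content delivery networks and shared hosting legitimately produce Host/IP mismatches, so treat a hit as a triage signal to be joined with other telemetry rather than a block decision on its own.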

1/9/17

Valley businessman pleads guilty in Mexico corruption probe. A Mission, Texas-based businessman pleaded guilty January 3 to using the U.S. banking system to help former governors from Coahuila, Aguascalientes, and Tamaulipas, Mexico, launder tens of millions of dollars by compelling the officials to direct inflated payments for road work to the defendant’s Mexican asphalt company, which the defendant subsequently moved to his account for his U.S. firm, Rodmax Inc. The defendant had the exclusive rights to sell a certain kind of paving machine and paid bribes to the Mexican government representatives in exchange for contracts to perform the road work.

Police investigating ATM skimming incidents at banks in New Jersey. New Jersey authorities are investigating after recent ATM skimming incidents at banks across the State, including the Lakeland Bank branch in Oak Ridge from December 2016 – January 2017, as well as at banks in Bloomingdale and Lincoln Park. More than 100 potential victims of these ATM skimming incidents have been identified to date.

CFPB orders TransUnion and Equifax to pay for deceiving consumers in marketing credit scores and credit products. The U.S. Consumer Financial Protection Bureau (CFPB) January 3 ordered TransUnion, Equifax, Inc., and their subsidiaries to pay more than $17.6 million in restitution to consumers and fines worth $5.5 million to the CFPB for misleading consumers about the usefulness and actual cost of credit scores the companies sold, by leading consumers to think they were the same credit scores lenders commonly used to make credit decisions, and for persuading consumers to pay expensive recurring fees for credit scores and credit-related products that the firms falsely claimed were free or low-cost, from at least July 2011 – March 2014. As part of the settlement, TransUnion and Equifax must clearly notify consumers about the nature of credit scores they are selling, must obtain the consumer’s consent prior to enrolling them in any credit-related product with a negative option feature, and must offer consumers a simple way to cancel the purchase of any credit-related product.

KillDisk malware targets Linux machines. ESET security researchers reported that the KillDisk malware, recently observed adding encryption capabilities and behaving like ransomware, is now targeting Linux systems, including workstations and servers. The Linux variant of the malware overwrites the bootloader entries and displays the ransom text within the GRUB bootloader.

“MM Core” APT malware now targets United States. Forcepoint security researchers reported that two new versions of the malware “MM Core,” dubbed BigBoss and SillyGoose, have been used to target the news and media, government (defense), oil and gas, and telecommunications industries in Africa and the U.S. The trojan was designed to collect information on the infected computer and set up a backdoor for remote access.

1/6/17

Deutsche Bank settles tax fraud suit for $95 million. Deutsche Bank AG agreed January 4 to pay the U.S. Government $95 million to settle a tax fraud lawsuit filed in 2014 after the bank allegedly used shell companies to avoid paying tens of millions of dollars in Federal taxes in 2000, including as much as $190 million in taxes, penalties, and interest.

Ex-fast food employee admits to card skimming. A West Lafayette, Indiana woman pleaded guilty January 4 to skimming 100 customer credit cards through the cash register and another handheld device while employed at a West Lafayette McDonald’s restaurant in December 2015. The woman and two co-conspirators reportedly used the stolen card information to create counterfeit credit cards and make fraudulent purchases at stores in Lafayette and Chicago.

FireCrypt ransomware packs DDoS code. The MalwareHunterTeam discovered that the FireCrypt ransomware is able to encrypt victims’ files, as well as launch a distributed denial-of-service (DDoS) attack against a Uniform Resource Locator (URL) hardcoded in the source code. The researchers found the URL FireCrypt targets cannot be modified using the ransomware’s builder, and reported that in order for the malware’s DDoS attack to cause significant damage, FireCrypt would have to infect thousands of devices simultaneously.

Google patches 22 critical Android vulnerabilities. Google released its January 2017 Android Security Bulletin addressing a total of 95 vulnerabilities, including 23 flaws that impact various Android components and 72 bugs that affect drivers and other original design manufacturer (ODM) software, as well as Nexus and Pixel devices. The patches resolve a total of 22 critical vulnerabilities, including 21 elevation of privilege flaws in the Qualcomm bootloader, kernel file system, and Qualcomm video driver, among other components.

MongoDB databases actively hijacked for extortion. A security researcher and co-founder of GDI Foundation found that a hacker, known as Harak1r1, is searching for vulnerable MongoDB databases exposed to the Internet and subsequently hijacks them to steal and replace the database’s content with one called “Warning” before demanding a ransom in exchange for the data. The researcher reported that the malicious actor targets only those databases that contain important data, as companies are more likely to pay a high ransom to regain access to the content.

1/5/17

Seattle-area developer charged with fraud after collecting $150M from Asian investors. A Bellevue, Washington-based commercial developer was charged January 3 for allegedly orchestrating a scheme that defrauded hundreds of Asian investors who hoped to receive green cards through the Federal Government’s EB-5 program out of about $150 million, the Federal agency that approved the conditional green cards based on the developer’s false assurances, as well as American and Chinese companies that raised tens of millions of dollars for the job creation projects. The charges allege that the scheme threatened the permanent green card status of more than 200 foreign investors, as well as the financial institutions that approved the defendant for $85 million in loans.

Pseudo-Darkleech remains prominent distributor of ransomware. Palo Alto Networks security researchers reported that the pseudo-Darkleech campaign is expected to remain a prominent ransomware distributor in 2017 after finding the campaign’s operators were able to quickly adapt to major exploit kit (EK) and ransomware landscape changes during 2016 to maintain the high level of attacks and to ensure the campaign remained relevant. The researchers found, however, that the pseudo-Darkleech campaign’s infection method remains the same, in that it directs a victim who visits a compromised Website with malicious script to an EK landing page designed to fingerprint the device to find vulnerable applications and exploit them.

Google researcher finds certificate flaws in Kaspersky products. Kaspersky Lab resolved two flaws in its anti-malware products after a Google Project Zero security researcher found the products were plagued with a critical flaw related to how Kaspersky Antivirus inspects Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connections that could allow an attacker to intercept all traffic to a certain domain by sending the targeted Kaspersky Antivirus user two certificates with the same key. The researcher also found a high severity flaw involving improper protection of the private key for the local certificate authority (CA) root which could allow any unprivileged user to become a CA.

XSS flaws decline, DoS becomes more common: Imperva. Imperva analyzed Web application vulnerability trends in 2016, and found that the total number of vulnerabilities discovered since 2015 has increased, while the number of issues impacting Web applications has declined potentially due to a shift in research focus, and not due to Web applications being more secure than before. Imperva found that more than 25 percent of flaws observed were classified as high priority, and that the number of denial-of-service (DoS) bugs has significantly increased, but the amount of cross-site scripting (XSS) flaws has declined, among other findings.

1/4/17

Nottingham woman indicted on embezzlement, fraud charges. The former senior vice president of a Maryland-based bank was indicted December 31 after she allegedly embezzled more than $1.8 million from 6 customers’ bank accounts from April 2010 – July 2016 by making unauthorized transfers and withdrawals from the accounts in order to pay for personal expenses. The charges allege that the executive abused her position at the bank to override notifications of the suspicious transactions.

California tax return preparer pleads guilty to preparing false tax returns. The owner and operator of El Cajon, California-based Cunningham’s Tax Service pleaded guilty December 30 to preparing false individual income tax returns for her clients for tax years 2008 – 2010 which included fraudulent medical and dental expenses, education credits, and false charitable deductions, causing the U.S. Internal Revenue Service more than $1.2 million in losses.

Libpng patches flaw introduced in 1995. The developers of the Slackware Linux distribution released updates for the libpng official Portable Network Graphics (PNG) reference library resolving a null pointer dereference vulnerability impacting PNG image editors that could be exploited to cause a denial-of-service (DoS) condition.

1/3/17

Feds arrest two in complex Charlotte credit-card fraud scheme. Two individuals were charged the week of December 19 for allegedly using their accounts at a Rock Hill, North Carolina-based business known as P.A. to obtain the Social Security numbers and other personal information of Charlotte area residents by using skip-tracing services provided by another company, TransUnion Risk and Alternative Data Solutions, Inc., to run queries on 10,000 victims and acquire at least 80 fraudulent credit cards in their names. The charges allege that one of the suspects stole the credit cards that they fraudulently applied for out of residents’ mailboxes.

Sundown exploit kit starts using steganography. Trend Micro security researchers reported that a new version of the Sundown exploit kit (EK) leverages steganography to hide its malicious traffic in legitimate-seeming Portable Network Graphics (PNG) image files to disguise various exploits, including those targeting Microsoft’s Internet Explorer and Adobe’s Flash Player.