Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices: decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.

1/17/17

ITG paying $24 million for improper handling of ADRs. The U.S. Securities and Exchange Commission announced January 12 that Investment Technology Group, Inc. (ITG) agreed to pay over $24.4 million to settle charges that it violated Federal securities laws from 2011 – 2014 by facilitating pre-releases of American Depository Receipts (ADRs) to its counterparties without owning the foreign shares or taking the necessary steps to ensure they were held by the counterparty on whose behalf they were being acquired. Many of the ADRs obtained by ITG through pre-releases were ultimately used to engage in short selling and dividend arbitrage even though they may not have been backed by foreign shares, leaving them exposed to market abuse.

New Ploutus ATM malware variant at large. Security researchers from FireEye reported that a new variant of the Ploutus ATM malware targeting machines from Diebold, dubbed Ploutus-D, is capable of significantly expanding its list of targets with minor code changes, as it can interact with KAL’s Kalignite multivendor ATM platform, which runs on ATMs from 40 different vendors in 80 countries. The new variant requires an attacker or money mule to open the top portion of the ATM, connect a keyboard to the machine, and enter an activation code provided by the actor in charge of the operation in order to dispense money from the machine.

GoDaddy revokes nearly 9,000 SSL certificates. GoDaddy revoked nearly 9,000 Secure Sockets Layer (SSL) certificates after discovering that a software bug, introduced in July 2016 as part of a routine code change intended to improve the certificate issuance process, could cause the domain validation process to be unreliable. GoDaddy provides the customer a random code and directs the customer to place it in a specific location on their Website in order to validate the domain name for a certificate; however, the affected systems were observed validating domains even when the code was not found.
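The failure mode in the GoDaddy item is a domain-validation check that passes when the published code cannot be found. The added example below (not GoDaddy's code) contrasts a hypothetical fail-open check with a fail-closed one; the `/.well-known/pki-validation/` path and the `fetch` callback are assumptions made for the example.

```python
"""Fail-open versus fail-closed HTTP domain validation (added example).

Assumptions (not from the alert): the applicant publishes the token at
/.well-known/pki-validation/<token>.txt, and `fetch` is any callable that
returns the response body as a string, or None when the request fails.
"""
import secrets
from typing import Callable, Dict, Optional

Fetcher = Callable[[str], Optional[str]]


def issue_challenge() -> str:
    """Random, unguessable token the applicant must publish on the site."""
    return secrets.token_urlsafe(32)


def challenge_url(domain: str, token: str) -> str:
    """Location the CA will fetch (assumed path, for illustration only)."""
    return f"http://{domain}/.well-known/pki-validation/{token}.txt"


def validate_fail_open(domain: str, token: str, fetch: Fetcher) -> bool:
    """Hypothetical buggy shape: a failed or empty fetch is treated as
    'nothing contradicts the applicant', so the domain validates even when
    the code was never published. Shown only to make the defect visible."""
    try:
        body = fetch(challenge_url(domain, token))
    except Exception:
        return True          # error path silently approves
    if not body:
        return True          # missing content silently approves
    return token in body


def validate_fail_closed(domain: str, token: str, fetch: Fetcher) -> bool:
    """Hardened: only an exact match of the token proves control of the
    domain; any error, absent response, or differing content denies."""
    try:
        body = fetch(challenge_url(domain, token))
    except Exception:
        return False         # network/HTTP failure -> deny
    if body is None:
        return False         # no document at the expected location -> deny
    return body.strip() == token


def make_fetch(pages: Dict[str, str]) -> Fetcher:
    """Constructed in-memory 'web' standing in for real HTTP requests."""
    def fetch(url: str) -> Optional[str]:
        return pages.get(url)
    return fetch


def demo() -> Dict[str, bool]:
    """Run both validators against a site that never published the code
    and a site that published it correctly; returns the outcomes."""
    token = issue_challenge()
    empty_site = make_fetch({})
    good_site = make_fetch({challenge_url("example.com", token): token + "\n"})
    return {
        "fail_open_unpublished": validate_fail_open("example.com", token, empty_site),
        "fail_closed_unpublished": validate_fail_closed("example.com", token, empty_site),
        "fail_closed_published": validate_fail_closed("example.com", token, good_site),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'VALIDATED' if ok else 'DENIED'}")
```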

1/13/17

Eight vulnerabilities patched in WordPress. WordPress version 4.7.1 was released, resolving a total of 8 security flaws and 62 bugs including 2 cross-site request forgery (CSRF) flaws, several cross-site scripting (XSS) vulnerabilities, and a weak crypto issue related to multisite activation keys.

Four high severity DoS flaws patched in BIND. The Internet Systems Consortium (ISC) released BIND versions 9.9.9-P5, 9.10.4-P5, 9.11.0-P2, and 9.9.9-S7 addressing four high severity denial-of-service (DoS) flaws that can be remotely exploited to cause the BIND name server process to encounter an assertion failure and stop executing. ISC stated it was not aware of the vulnerabilities being actively exploited.

Command execution vulnerability patched in Ansible. Red Hat released updates for the Ansible IT automation platform addressing a security bypass vulnerability after security researchers from Computest found that a flaw in the controller, the central node in an Ansible installation, could be leveraged by an attacker to bypass filters and gain control of certain facts to execute arbitrary code on the controller, and subsequently move to the other hosts.

Powerful “Spora” ransomware lets victims pay for immunity. Security researchers from Emsisoft warned that a newly observed ransomware, dubbed Spora, is distributed via spam emails masked as invoices and leverages Windows CryptoAPI for encryption, using a mix of RSA and Advanced Encryption Standard (AES) that allows the ransomware to encrypt files without a command and control (C&C) server connection, while also ensuring that a decryption tool developed for one victim will not work for another victim. The researchers also found that Spora determines how much ransom a victim should pay by compiling statistics on the targets it encrypts and saving them to a .KEY file as a set of six numbers.

RIG grabs 35% of exploit kit market in December. Symantec researchers reported that the RIG exploit kit (EK) was responsible for nearly 35 percent of the total EK activity during December 2016, with Fiesta at roughly 4 percent, and the Magnitude EK at about 3 percent. The number of Web attacks blocked by Symantec increased by about 33 percent in December 2016 after the company blocked 388,000 attacks per day in comparison to the 291,000 attacks blocked per day in November 2016.

1/12/17

Bank of America sued for $542 million over FDIC risk rule. The U.S. Federal Deposit Insurance Corporation (FDIC) filed a $542 million lawsuit against Bank of America Corp. January 9 for reportedly failing to pay the FDIC for deposit insurance protection from 2013 – 2014 after the bank ignored FDIC instructions and improperly calculated exposure faced by its parent-level firms, thereby causing the bank to understate how much it owed in insurance protection for its 20 largest counterparties. The FDIC claims the bank owes a total of more than $1 billion in underpayments made since 2011.

Operator of unlawful Bitcoin exchange pleads guilty in multimillion-dollar money laundering and fraud scheme. The former operator of Coin.mx, an Internet-based Bitcoin exchange, pleaded guilty January 9 to violating Federal anti-money laundering laws and regulations by processing over $10 million in illegal Bitcoin transactions from 2013 – July 2015 via a sham front company, Collectables Club, that the operator and co-conspirators created in order to avoid detection. To further avoid scrutiny from financial institutions about the nature of Coin.mx’s business, the group gained control of New Jersey-based Helping Other People Excel Federal Credit Union in 2014 after paying more than $150,000 in illegal bribes.

Microsoft patches flaws in Windows, Office, Edge. Microsoft released a total of four security bulletins, including a critical bulletin that resolves a memory corruption flaw in Office that can be exploited by convincing a targeted user to open a maliciously crafted file or to visit a Website hosting a malicious file due to the way the software handles objects in memory. Microsoft also released bulletins patching a privilege escalation flaw in Edge, a denial-of-service (DoS) flaw, as well as vulnerabilities in Adobe Flash Player used in several versions of Windows.

SAP patches multiple XSS and missing authorization vulnerabilities. SAP released its January 2017 security patches resolving a total of 23 flaws across its products, including a severe buffer overflow bug that an attacker could leverage to inject malicious code into memory and cause a compromised application to execute it, enabling the attacker to take complete control of an application, cause a denial-of-service (DoS) condition, or execute arbitrary commands, among other malicious actions. The patches also addressed a critical Structured Query Language (SQL) injection flaw in SAP Business Intelligence Platform that could allow a malicious actor using specially crafted SQL queries to access and modify sensitive information in a database, remove the data, and execute administrative operations, among other addressed flaws.

Adobe patches 42 flaws in Reader, Acrobat, Flash. Adobe released security updates addressing a total of 42 vulnerabilities in its products, including 29 issues affecting Acrobat and Reader versions 11 and 15 that could allow a malicious actor to take control of impacted systems. The updates also resolve 13 critical security flaws in Flash Player, which can lead to arbitrary code execution or information disclosure.

New Terror exploit kit emerges. Security researchers from Trustwave reported cybercriminals started leveraging a new exploit kit (EK), dubbed Terror, which packs at least eight different operational exploits for Microsoft Internet Explorer, Adobe Flash Player, and Mozilla Firefox that are a combination of Metasploit exploits and ones borrowed from the Hunter or Sundown EKs. The developer of Terror was observed leveraging the EK to deliver a cryptocurrency miner to the compromised device.

1/11/17

Police seize 87 fraudulent credit cards from suspects Sunday at Tysons shopping center. Authorities in Fairfax County, Virginia, arrested and charged 3 suspects after they seized 87 fraudulent credit cards in the suspects’ possession at Tysons Corner Center January 8. Further investigation revealed the suspects also possessed several items used to manufacture fake credit cards and identification cards.

Rockwell Automation addresses flaws in programmable controllers. Rockwell Automation released firmware updates for its Allen-Bradley programmable automation controllers, programmable logic controllers, and safety programmable controllers after the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that versions 16 – 21 of the devices were affected by a critical stack-based buffer overflow flaw that could be remotely exploited to execute arbitrary code on a controller or cause the device to enter a denial-of-service (DoS) condition by sending maliciously crafted Common Industrial Protocol (CIP) packets to the targeted device.

Edge exploits added to Sundown EK. A security researcher discovered that the operators of the Sundown exploit kit (EK) started leveraging two memory corruption flaws in Microsoft Edge that can be remotely exploited to execute arbitrary code in the context of the user by tricking a victim into accessing a maliciously crafted Website.

Mac crashing attack method used in tech support scam. Malwarebytes Labs security researchers discovered that attackers are leveraging drive-by downloads to deliver malicious code targeting Apple’s Safari browser on Macs via a newly registered scam Website that pushes two different types of denial-of-service malware as part of a campaign to trick victims into calling a fake tech support service. The researchers stated that the attack does not work against machines running macOS Sierra 10.12.2 or above.

1/10/17

Former vice president of publicly traded company charged with orchestrating $100 million securities fraud scheme. A former vice president of U.S. operations at now-bankrupt Poseidon Concepts Corporation in Calgary, Canada, was charged January 5 for his role in a securities fraud scheme where from November 2011 to December 2012, he allegedly caused the company to fictitiously report roughly $100 million in revenue from purported contracts with oil and natural gas companies. The charges allege that the defendant executed the scheme to enrich himself through the continued receipt of funds and stock appreciation, while causing the firm’s shares to lose nearly $1 billion in value.

New “Ghost Host” technique boosts botnet resiliency. Cyren security researchers reported that malware developers have started leveraging a new technique, dubbed ghost host, which fools Web security and Uniform Resource Locator (URL) filtering systems by inserting non-malicious host names, both registered and unregistered, into the Hypertext Transfer Protocol (HTTP) Host field of a botnet’s communications, so that communication with the command and control (C&C) server is not blocked by security systems that filter on the host name rather than the destination. The botnet operator can also configure the server to respond differently depending on which ghost host name a message carries, including commanding the botnet to download a specific type of malware onto a device.

1/9/17

Valley businessman pleads guilty in Mexico corruption probe. A Mission, Texas-based businessman pleaded guilty January 3 to using the U.S. banking system to help former governors from Coahuila, Aguascalientes, and Tamaulipas, Mexico, launder tens of millions of dollars by compelling the officials to direct inflated payments for road work to the defendant’s Mexican asphalt company, which the defendant subsequently moved to his account for his U.S. firm, Rodmax Inc. The defendant had the exclusive rights to sell a certain kind of paving machine and paid bribes to the Mexican government representatives in exchange for contracts to perform the road work.

Police investigating ATM skimming incidents at banks in New Jersey. New Jersey authorities are investigating after recent ATM skimming incidents at banks across the State, including the Lakeland Bank branch in Oak Ridge from December 2016 – January 2017, as well as at banks in Bloomingdale and Lincoln Park. More than 100 potential victims of these ATM skimming incidents have been identified to date.

CFPB orders TransUnion and Equifax to pay for deceiving consumers in marketing credit scores and credit products. The U.S. Consumer Financial Protection Bureau (CFPB) January 3 ordered TransUnion, Equifax, Inc., and their subsidiaries to pay more than $17.6 million in restitution to consumers and fines worth $5.5 million to the CFPB for misleading consumers about the usefulness and actual cost of credit scores the companies sold, by leading consumers to think they were the same credit scores lenders commonly used to make credit decisions, and for persuading consumers to pay expensive recurring fees for credit scores and credit-related products that the firms falsely claimed were free or low-cost, from at least July 2011 – March 2014. As part of the settlement, TransUnion and Equifax must clearly notify consumers about the nature of the credit scores they are selling, must obtain the consumer’s consent prior to enrolling them in any credit-related product with a negative option feature, and must offer consumers a simple way to cancel the purchase of any credit-related product.

KillDisk malware targets Linux machines. ESET security researchers reported that the KillDisk malware, recently observed adding encryption capabilities and behaving like ransomware, is now targeting Linux systems, including workstations and servers. The Linux variant of the malware overwrites the bootloader entries and displays the ransom text within the GRUB bootloader.

“MM Core” APT malware now targets United States. Forcepoint security researchers reported that two new versions of the malware “MM Core,” dubbed BigBoss and SillyGoose, have been used to target the news and media, government (defense), oil and gas, and telecommunications industries in Africa and the U.S. The trojan was designed to collect information on the infected computer and set up a backdoor for remote access.

1/6/17

Deutsche Bank settles tax fraud suit for $95 million. Deutsche Bank AG agreed January 4 to pay the U.S. Government $95 million to settle a tax fraud lawsuit filed in 2014 after the bank allegedly used shell companies to avoid paying tens of millions of dollars in Federal taxes in 2000, including as much as $190 million in taxes, penalties, and interest.

Ex-fast food employee admits to card skimming. A West Lafayette, Indiana woman pleaded guilty January 4 to skimming 100 customer credit cards through the cash register and another handheld device while employed at a West Lafayette McDonald’s restaurant in December 2015. The woman and two co-conspirators reportedly used the stolen card information to create counterfeit credit cards and make fraudulent purchases at stores in Lafayette and Chicago.

FireCrypt ransomware packs DDoS code. The MalwareHunterTeam discovered that the FireCrypt ransomware is able to encrypt victims’ files, as well as launch a distributed denial-of-service (DDoS) attack against a Uniform Resource Locator (URL) hardcoded in the source code. The researchers found the URL FireCrypt targets cannot be modified using the ransomware’s builder, and reported that in order for the malware’s DDoS attack to cause significant damage, FireCrypt would have to infect thousands of devices simultaneously.

Google patches 22 critical Android vulnerabilities. Google released its January 2017 Android Security Bulletin addressing a total of 95 vulnerabilities, including 23 flaws that impact various Android components and 72 bugs that affect drivers and other original design manufacturer (ODM) software, as well as Nexus and Pixel devices. The patches resolve a total of 22 critical vulnerabilities, including 21 elevation of privilege flaws in the Qualcomm bootloader, kernel file system, and Qualcomm video driver, among other components.

MongoDB databases actively hijacked for extortion. A security researcher and co-founder of GDI Foundation found that a hacker, known as Harak1r1, is searching for vulnerable MongoDB databases exposed to the Internet and subsequently hijacks them, stealing and replacing the database’s content with one called “Warning” before demanding a ransom in exchange for the data. The researcher reported that the malicious actor targets only those databases that contain important data, as companies are more likely to pay a high ransom to regain access to the content.

1/5/17

Seattle-area developer charged with fraud after collecting $150M from Asian investors. A Bellevue, Washington-based commercial developer was charged January 3 for allegedly orchestrating a scheme that defrauded hundreds of Asian investors who hoped to receive green cards through the Federal Government’s EB-5 program out of about $150 million, the Federal agency that approved the conditional green cards based on the developer’s false assurances, as well as American and Chinese companies that raised tens of millions of dollars for the job creation projects. The charges allege that the scheme threatened the permanent green card status of more than 200 foreign investors, as well as the financial institutions that approved the defendant for $85 million in loans.

Pseudo-Darkleech remains prominent distributor of ransomware. Palo Alto Networks security researchers reported that the pseudo-Darkleech campaign is expected to remain a prominent ransomware distributor in 2017 after finding the campaign’s operators were able to quickly adapt to major exploit kit (EK) and ransomware landscape changes during 2016 to maintain the high level of attacks and to ensure the campaign remained relevant. The researchers found, however, that the pseudo-Darkleech campaign’s infection method remains the same, in that it directs a victim who visits a compromised Website with malicious script to an EK landing page designed to fingerprint the device to find vulnerable applications and exploit them.

Google researcher finds certificate flaws in Kaspersky products. Kaspersky Lab resolved two flaws in its anti-malware products after a Google Project Zero security researcher found the products were plagued with a critical flaw related to how Kaspersky Antivirus inspects Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connections that could allow an attacker to intercept all traffic to a certain domain by sending the targeted Kaspersky Antivirus user two certificates with the same key. The researcher also found a high severity flaw involving improper protection of the private key for the local certificate authority (CA) root which could allow any unprivileged user to become a CA.

XSS flaws decline, DoS becomes more common: Imperva. Imperva analyzed Web application vulnerability trends in 2016, and found that the total number of vulnerabilities discovered since 2015 has increased, while the number of issues impacting Web applications has declined potentially due to a shift in research focus, and not due to Web applications being more secure than before. Imperva found that more than 25 percent of flaws observed were classified as high priority, and that the number of denial-of-service (DoS) bugs has significantly increased, but the amount of cross-site scripting (XSS) flaws has declined, among other findings.

1/4/17

Nottingham woman indicted on embezzlement, fraud charges. The former senior vice president of a Maryland-based bank was indicted December 31 after she allegedly embezzled more than $1.8 million from 6 customers’ bank accounts from April 2010 – July 2016 by making unauthorized transfers and withdrawals from the accounts in order to pay for personal expenses. The charges allege that the executive abused her position at the bank to override notifications of the suspicious transactions.

California tax return preparer pleads guilty to preparing false tax returns. The owner and operator of El Cajon, California-based Cunningham’s Tax Service pleaded guilty December 30 to preparing false individual income tax returns for her clients for tax years 2008 – 2010 which included fraudulent medical and dental expenses, education credits, and false charitable deductions, causing the U.S. Internal Revenue Service more than $1.2 million in losses.

Libpng patches flaw introduced in 1995. The developers of the Slackware Linux distribution released updates for the libpng official Portable Network Graphics (PNG) reference library resolving a null pointer dereference vulnerability impacting PNG image editors that could be exploited to cause a denial-of-service (DoS) condition.

1/3/17

Feds arrest two in complex Charlotte credit-card fraud scheme. Two individuals were charged the week of December 19 for allegedly using their accounts at a Rock Hill, North Carolina-based business known as P.A. to obtain the Social Security numbers and other personal information of Charlotte area residents by using skiptracing services provided by another company, TransUnion Risk and Alternative Data Solutions, Inc., to run queries on 10,000 victims and acquire at least 80 fraudulent credit cards in their names. The charges allege that one of the suspects stole the credit cards that they fraudulently applied for out of residents’ mailboxes.

Sundown exploit kit starts using steganography. Trend Micro security researchers reported that a new version of the Sundown exploit kit (EK) leverages steganography to hide its malicious traffic in legitimate-seeming Portable Network Graphics (PNG) image files to disguise various exploits, including those targeting Microsoft’s Internet Explorer and Adobe’s Flash Player.

12/30/16

United Shore Financial Services LLC agrees to pay $48 million to resolve alleged False Claims Act liability arising from FHA-insured mortgage lending. Troy, Michigan-based United Shore Financial Services LLC (USFS) agreed December 28 to pay $48 million to resolve alleged violations of the False Claims Act by deliberately originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development (HUD)’s Federal Housing Administration (FHA) from January 2006 – December 2011 that did not meet relevant requirements, causing HUD to insure hundreds of loans approved by USFS that were not eligible for FHA mortgage insurance under the Direct Endorsement program. As part of the settlement, USFS admitted it inappropriately pressured underwriters to approve FHA mortgages, and falsely certified that direct endorsement underwriters personally reviewed appraisal reports before USFS approved and endorsed mortgages for FHA insurance, among other violations.

Roseville police: Woman ran up fraudulent credit card charges of salon, day spa customers. The owner and marketing director of Salon Success Strategies was arrested December 21 in Roseville, California, for allegedly bilking 10 or more of her clients’ customers in California, Florida, Canada, and Australia out of more than $100,000 by fraudulently charging their credit cards since 2014.

Feds: ATM skimmer admits stealing $127,000. A Romanian citizen pleaded guilty December 28 to stealing $127,000 through skimming devices he and a co-conspirator installed on ATMs at First Niagara Bank, TrustCo Bank, and Berkshire Bank branches in Chatham and Delmar, New York, and in Great Barrington, Massachusetts, between August and October 2015.

Destructive KillDisk malware turns into ransomware. A CyberX security researcher reported that a recently observed variant of the KillDisk malware encrypts each file with its own Advanced Encryption Standard (AES) key, which is in turn encrypted using an RSA 1028 key stored in the body of the malware, and holds the files for ransom instead of deleting them. The ransomware is designed to encrypt select types of files, including source code, emails and media files, and documents, among other file types, and requires elevated privileges.

Vulnerabilities plague PHP 7’s unserialize mechanism. Check Point security researchers reported that PHP 7’s unserialize function is plagued with three vulnerabilities that can be exploited to read memory, forge objects, and achieve code execution on the impacted server. The researchers found that the first two flaws could enable a malicious actor to take total control of the affected server, while the third flaw can be used to create a denial-of-service (DoS) attack.

12/29/16

SEC charges lawyer with stealing investor money in EB-5 offerings. A California-based attorney and operator of marketing firm PDC Capital Group, LLC was charged December 27 after he allegedly used PDC Capital to defraud investors in China into investing $72 million in several EB-5 immigrant investor program projects, which included opening Caffe Primo restaurants, and developing assisted living facilities, among other projects, and then outright stole at least $9.6 million to fund his own businesses and personal expenses despite his supposed awareness that his actions would violate Federal regulations and jeopardize the visas of the foreign investors.

IBM reports significant increase in ICS attacks. IBM Managed Security Services reported that the number of attacks targeting industrial control systems (ICS) increased by 110 percent in 2016 compared to 2015 due to brute force attacks on supervisory control and data acquisition (SCADA) systems. IBM stated that the U.S. was both the top destination and top source of ICS attacks observed since the beginning of 2016, with nearly 90 percent of ICS attacks targeting the U.S. and 60 percent coming from the U.S.

12/28/16

Phishers adopt malware distribution-like tactics. Proofpoint security researchers reported that a recently spotted phishing campaign designed to steal credit card information was employing a technique previously associated with malware distribution, which involves the distribution of a malicious Hypertext Markup Language (HTML) attachment that is XOR-encoded inside a password protected .zip archive to make detection more difficult and to convince victims that the email is legitimate. The spam emails also leveraged stolen branding and social engineering to trick users into giving away their credit card information by telling the spam recipients that they need to update their credit card security information in order to receive a new card equipped with a chip.

Card skimmers strike Monona, Cottage Grove: Information gathered after thieves use readers, cameras at bank, credit union ATMs. Authorities in Monona, Wisconsin, are searching December 23 for 4 Romanian nationals suspected of installing card readers and cameras at outside ATMs at Monona State Bank, Old National Bank, and University of Wisconsin Credit Union locations in Monona, as well as at a Cottage Grove branch of Monona State Bank between November and December 2016.

Critical RCE flaw patched in PHPMailer. The developers of PHPMailer released version 5.2.18 of the product to resolve a critical remote code execution (RCE) flaw after a security researcher from Legal Hackers found the flaw can be exploited by a remote, unauthenticated attacker for arbitrary code execution in the context of the Web server user in order to compromise a targeted Web application. The researcher found the vulnerability can be exploited through Website components including feedback forms, registration forms, and password reset features that use a version of PHPMailer for sending emails that is impacted by the security hole.

12/22/16

Former owner and president of unregistered broker-dealer indicted in a $9 million securities fraud scheme. The former owner and president of Staten Island, New York-based Premier Links, Inc. were arrested December 20 for allegedly stealing $9.3 million from more than 300 investors in roughly 40 States from approximately 2005 – 2012 through their unregistered broker-dealer business by persuading investors to purchase shares of worthless businesses with the promise of large returns. The charges allege that the executives operated Premier Links as a “boiler room,” using cold callers and other means to compel victims to invest their money in securities, and converted investors’ money upon receipt into cash through more than 900 ATM and teller withdrawals, among other fraudulent actions.

North Carolina owner of tax preparation business pleads guilty to conspiracy to defraud the IRS. The former owner and operator of a Rockingham, North Carolina-based tax preparation business, Herb’s Helping Hands, pleaded guilty December 19 after he caused the U.S. Internal Revenue Service (IRS) over $10 million in losses by preparing and filing fraudulent electronic Federal income tax returns that claimed fictitious refunds for clients, and reporting fake or inflated income and dependency exemptions to produce false or inflated Earned Income Tax Credits, fake business income and deficits, and fraudulent deductions, among other fraudulent actions. The owner and his co-conspirators bought or stole the personal identifying information of minors and other individuals, falsely listing them as dependents on returns to generate larger fraudulent client refunds, and directed some of the clients’ refunds into his own bank account or an account he controlled.

VMware patches VDP, ESXi vulnerabilities. VMware released patches addressing a flaw in vSphere Data Protection (VDP) which could be exploited to log into the affected appliance with root privileges, as well as a cross-site scripting (XSS) vulnerability in the ESXi hypervisor where an attacker with permission to manage virtual machines (VM) via the ESXi Host Client can import a maliciously crafted VM to trigger the flaw, or can trick a vSphere administrator into importing the specially crafted VM.

12/21/16

FBI seeks leads on ‘Blues Bandit’ bank robber who struck in Phoenix, Glendale. The FBI is searching December 19 for a man dubbed the “Blues Bandit” who is suspected of robbing 3 Desert Schools Federal Credit Union locations inside Walmart stores in Phoenix and Glendale, Arizona, between October and December 2016.

Spear phishing attacks target industrial firms. Kaspersky Lab researchers warned that a spear phishing campaign has targeted roughly 500 organizations in the smelting, power generation and transmission, construction, and engineering industries across 50 countries since August 2016 in order to spy on users and steal sensitive data. The phishing emails carry a subject line with text taken from a company’s own correspondence in order to trick the victim into opening the attached malicious Rich Text Format (RTF) file, which downloads malware that can impair the effectiveness of antivirus products.

Brute force attacks on WordPress Websites soar. WordPress security firm Wordfence warned that the number of brute force attacks targeting WordPress Websites has increased to more than 700,000 attacks per day since November 24, and the number of unique attacking Internet Protocol (IP) addresses has increased from an average of about 13,000 per day in the period between October 16 and November 24 to over 30,000 per day. The firm reported it has blocked up to 23 million brute force attack attempts per day.

12/20/16

Recognize the Valley's 'Skipper Bandit' bank robber? The FBI continued to search December 16 for a man dubbed the “Skipper Bandit,” who has allegedly robbed or attempted to rob 6 banks, primarily in California’s San Fernando Valley, between July 2015 and July 2016.

Suburban investment advisor charged with securities fraud for engaging in fraudulent allocation scheme. The president of Lisle, Illinois-based Capital Management Associates Inc. was charged December 14 for allegedly placing more than $400 million in securities trades without disclosing in advance whether he was trading personal funds or client funds, waiting up to 5 days to allocate the trades so that he could choose the profitable ones for his personal accounts and assign the losing ones to the accounts of unsuspecting clients, as well as withdrawing more than $1 million in profits earned from the scheme from his personal accounts between July 2008 and August 2012. The charges allege that the defendant bought over 16,000 publicly traded securities, including shares in The Walgreen Company, British Petroleum, and Caterpillar Inc., among other firms.

Deutsche Bank settles charges of misleading clients about order router. The U.S. Securities and Exchange Commission (SEC) and New York Attorney General’s office announced December 16 that Deutsche Bank AG agreed to pay a total of $37 million to resolve charges that the firm made materially false statements and omissions to its clients regarding the Dark Pool Ranking Model feature of one of its order routers, SuperX+, where, due to a coding error, the bank updated the ranking model only once during a 2-year period, causing at least 2 dark pools to receive inflated rankings and consequently generate millions of orders that SuperX+ would have sent elsewhere if the system was operating the way the bank described. The SEC also discovered that the firm manually overrode the Dark Pool rankings in select instances and manually assigned fill rates for new venues based on subjective judgment that was inconsistent with the venues’ real performance.

Privilege escalation, RCE flaws patched in Nagios Core. A security researcher from Legal Hackers discovered the Nagios Core alerting and monitoring software is plagued by two vulnerabilities, one of which is a remote code execution (RCE) flaw that can be exploited by a man-in-the-middle (MitM) attacker via the Rich Site Summary (RSS) feed feature, allowing the malicious actor to read and write arbitrary files on the compromised server, as well as execute code in the context of a Nagios user. Once an attacker achieves this level of access, the actor can exploit the second flaw to elevate their privileges to root, potentially causing the entire system to be compromised.

LinkedIn’s Lynda.com notifies users of data breach. Lynda.com, LinkedIn’s online learning platform, announced it will notify about 9.5 million users worldwide that their user information may have been compromised after the company became aware that a database containing user information had been accessed by an unauthorized third party. LinkedIn stated the passwords of roughly 55,000 Lynda.com users have been reset as a precaution, and there is no evidence that passwords were exposed or that any data was made publicly available.

MacBooks leak disk encryption password. A security researcher discovered that an attacker with physical access to a locked or sleeping Apple MacBook can retrieve the FileVault 2 password in clear text by connecting a special device to the targeted machine’s Thunderbolt port, because the direct memory access (DMA) attack protections are not active before the operating system (OS) has booted, which lets the attacker read and write the MacBook’s memory via the Thunderbolt device. The researcher found that the attack does not work if the targeted MacBook has been turned off, as the password is then no longer present in memory.

Updated Tordow Android malware gets ransomware capabilities. Comodo security researchers warned that an updated version of the Tordow Android malware, dubbed Tordow v2.0, was spotted and is now able to act as ransomware, steal login credentials, and manipulate banking data, as well as encrypt and decrypt files and remove security software. The malware spreads through compromised variants of popular social media and gaming applications that are available for download via third-party Websites; these variants behave like the legitimate apps while including embedded, encrypted malicious functions.

Three Romanian nationals indicted in $4 million cyber fraud scheme that infected at least 60,000 computers and sent 11 million malicious emails. Three Romanian nationals were extradited to the U.S. the week of December 12 and charged for their alleged roles in a $4 million cyber fraud scheme where the trio infected at least 60,000 devices, primarily in the U.S., by sending more than 11 million malicious emails that contained a malware that the group created in order to harvest personally identifiable information, such as credit card information and user names and passwords from the infected devices. The trio reportedly used the stolen credit card information to fund their criminal activities.

12/19/16

Feds: Man suspected as ‘Buckeye Bandit’ indicted in Ohio. A man dubbed the “Buckeye Bandit” was indicted December 15 for allegedly committing 7 armed bank robberies across central Ohio since 2013. He was previously indicted for one armed bank robbery in November, when authorities discovered over $53,000 in his possession.

U.S. citizen charged with conspiring to provide unlawful services to Iran and international money laundering conspiracy. An Anchorage, Alaska man was indicted December 15 for his alleged role in a scheme where he and 4 co-conspirators provided services to Iran that resulted in the unlawful distribution of roughly the equivalent of $1 billion in Iranian-owned funds between January 2011 and at least April 2014. The man stored the proceeds from fictitious sales of marble and other construction materials to an Iranian shell company in controlled South Korean bank accounts, then converted the proceeds into more easily tradeable currencies by convincing Korean regulators the transactions were lawful, before transferring the funds to over 10 countries. The charges allege the man received between $10 million and $17 million from Iranian nationals for his criminal activities.

Manhattan U.S. Attorney announces charges against six individuals in international high-yield investment fraud scheme. Six individuals were charged in an indictment unsealed December 13 for their alleged roles in a $50 million investment fraud scheme that defrauded investors in the U.S. and several foreign countries between at least June 2013 and August 2016 by purporting that their Cities Upliftment Program (CUP) would produce considerably high returns, claiming that half of the returns would help rejuvenate American cities recovering from the 2008 financial crisis, while the other half would be paid back to the investors at the rate of $1 million per day for 75 banking days, and by using forged and counterfeit New York Fed documents, among other material misrepresentations, to persuade victims to invest in the CUP scheme. The group reportedly laundered the proceeds through various domestic and overseas bank accounts held in the names of shell companies they operated.

Joomla patches dangerous security flaws. Joomla released version 3.6.5 to resolve three security issues, including a high severity flaw affecting all Joomla versions from 1.6.0 through 3.6.4 which could be exploited to allow an attacker to modify existing user accounts, including altering usernames, user group assignments, and passwords. In addition to the patches, the update included additional security hardening mechanisms.

Suspect arrested in JPMorgan, Dow Jones data theft case. A U.S. citizen living in Moscow was arrested at John F. Kennedy International Airport in New York December 14 after he allegedly orchestrated computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers, including a hack that compromised the data of 7 million businesses and 76 million household customers of JPMorgan Chase & Co and other firms. The man and his co-conspirators also allegedly operated an Internet gambling scheme, an unlawful bitcoin exchange, and an illicit payment processing operation for fraudulent online pharmaceutical sellers.

Over 8,800 WordPress plugins have flaws: Study. RIPS Technologies researchers released a report after analyzing 44,705 plugins in the official WordPress plugins directory, which found a total of 67,486 vulnerabilities in the plugins, including 41 critical flaws, 2,799 high severity flaws, and more than 4,600 medium severity security holes. The study also revealed that more than 68 percent of the vulnerabilities discovered are cross-site scripting (XSS) issues and over 20 percent are Structured Query Language (SQL) injection flaws.

Nymaim trojan fingerprints MAC addresses to bypass virtualization. SophosLabs security researchers reported that the Nymaim trojan was spotted comparing a targeted machine’s media access control (MAC) address against a hardcoded list of blacklisted vendors, enabling the malware to avoid virtual environments and hinder analysis tools. The researchers also found that the trojan includes a list of checks and continues running even after those checks fail in order to hide its failure.

12/15/16

Brooklyn gang members used fake credit cards to buy American Girl dolls, guns: Officials. Thirty-five individuals connected to the Brooklyn, New York-based Hoodstarz street gang and associated crews were charged December 13 for allegedly buying more than 750 credit card numbers from the Dark Web and using the numbers to create fraudulent credit cards, which the group used to buy dolls, concert tickets, and weapons, as well as to fund violent crimes. The charges allege that the group tested the fraudulent credit cards by charging $1 at parking meters.

Stolen PINs net nearly $5 million in tax fraud. A Nigerian national pleaded guilty December 12 for his role in a roughly $4.7 million scheme to file thousands of fraudulent Federal and Oregon State tax returns from 2012 – May 2015 where he and 5 co-conspirators obtained the personal information of more than 250,000 people from an overseas hacker, and used the information to obtain the PINs used by the victims to electronically file U.S. Internal Revenue Service (IRS) returns. The IRS paid refunds directly to prepaid debit cards or third-party bank accounts the group opened, and the co-conspirators subsequently wired some of the refunds to Nigeria via the Western Union Company.

Apple patches 72 vulnerabilities in macOS Sierra. Apple released version 10.12.2 of its Sierra operating system (OS) patching a total of 72 vulnerabilities in Apache, Audio, Bluetooth, security, the kernel, and Disk Images, among other components, after security researchers discovered that the flaws could be exploited to cause an application to enter a denial-of-service (DoS) condition, execute arbitrary code with elevated privileges, leak memory data, and overwrite existing files, among other nefarious actions. Apple also released security updates for iCloud for Microsoft Windows, iTunes for Windows, and Safari 10.0.2, which resolved two dozen flaws.

Microsoft patches several publicly disclosed flaws. Microsoft released its December 2016 security updates, which include a total of 12 critical and important security bulletins that resolve flaws in Windows, Office, Edge, and Internet Explorer, including 11 flaws in Edge, an information disclosure bug and 2 remote code execution bugs in the Windows graphics component, and 16 privilege escalation, information disclosure, and arbitrary code execution flaws, among others, in Office and Office for Apple Mac. One of the critical bulletins also includes patches for Adobe Flash Player, in which Adobe resolved a total of 17 vulnerabilities, including a zero-day flaw that was being exploited in targeted attacks.

More Android-powered devices found with trojans in their firmware. Doctor Web security researchers discovered two types of downloader trojans incorporated in the firmware of several Android-powered devices that are used to deliver ad-showing apps that push users to download additional apps; the trojans are capable of updating themselves, contacting their command and control (C&C) servers, receiving instructions on which apps to covertly download and run, and starting each time the device is turned on. One of the trojans, dubbed Android.Sprovider.7, was found inserted into the firmware of Lenovo smartphones and can open specified links in a browser, as well as show ads on top of apps and in the status bar, among other malicious actions.

Corporate Office 365 users hit with clever phishing attack. Security researchers reported that phishers are targeting users of Microsoft’s Corporate Office 365 service to bypass its email filters and default security protections using a trick that makes the user see one Uniform Resource Locator (URL) in the link and anti-phishing filters another link, while the actual link leads the victim to a third, phishing URL. The malicious actors exploit the way that Office 365 anti-phishing and URL-reputation security layers translate Punycode, the method for encoding domain names with Unicode characters.

93% of SOC managers unable to triage all potential threats. Intel Security released a report after interviewing 400 Security Operations Center (SOC) managers across several countries, industries, and company sizes, which revealed that on average, organizations are unable to adequately investigate 25 percent of security alerts, as many as 93 percent of SOCs are unable to triage all potential threats, and the most common threat detection signals for 64 percent of companies come from traditional security control points, including firewalls and intrusion prevention systems, among other findings.

Apple patches 12 vulnerabilities in iOS, tvOS, and watchOS. Apple released version 10.2 of its mobile operating system (iOS) resolving 12 vulnerabilities affecting several components in iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, including a memory corruption issue in the Profiles component, which was also found to impact 4th generation Apple TV and all Apple Watch models, that could allow an attacker to achieve arbitrary code execution if the victim opened a specially crafted certificate on a vulnerable device.

12/14/16

Chelsea man charged with series of bank robberies. A man dubbed the “Spelling Bee Bandit” was charged December 12 for allegedly committing 4 bank robberies in the Greater Boston area between October and November 2016.

2 charged in securities fraud plot netting $26M illegally. Two New Jersey men were charged December 12 for allegedly orchestrating a securities fraud scheme that netted over $26 million in illegal proceeds by using dozens of brokerage accounts, some of which were listed in the names of family members or other individuals, to drive up the cost of $10 billion in securities, and subsequently sell the securities they owned at inflated prices. The duo was barred from future trading in securities on others’ accounts.

Meade couple pleads guilty to money laundering. A Meade, Kansas couple pleaded guilty December 12 for their roles in a trade-based money laundering conspiracy where the duo deposited at least $1.6 million in undeclared cash and $5.2 million worth of undeclared third-party checks that the husband received from his trips to Mexico into a joint account they kept at Plains State Bank in Plains, Kansas. The couple would then transfer the funds in the account to buy genetically modified corn seed that was transported to Mexico.

Ostap backdoor installs banking trojans, PoS malware. Proofpoint security researchers reported that a newly spotted backdoor, dubbed Ostap, was being leveraged by a threat group to install banking trojans such as Dridex, Ursnif, and Tinba, as well as point-of-sale (PoS) malware, on devices belonging to financial services companies in several countries. Proofpoint found that the threat group leveraged spam emails with malicious Microsoft Word attachments for distribution; the backdoor remains active on a targeted device after the Word attachment has been closed and writes a copy of itself to the victim’s Startup folder for persistence, among other malicious actions.

Flaw in PwC security tool exposes SAP systems to attacks. Security researchers at ESNC discovered PricewaterhouseCoopers Automated Controls Evaluator (ACE) tool was plagued with a remote code execution flaw that could be exploited to remotely inject and execute malicious Advanced Business Application Programming (ABAP) code on a targeted Systems, Applications and Products (SAP) system. The flaw could allow a malicious actor to manipulate accounting documents and financial results, bypass segregation of duties restrictions, and bypass change management controls, potentially resulting in fraud, theft or manipulation of sensitive data, and unauthorized payment transactions and transfer of money.

Serious vulnerabilities found in McAfee Enterprise product. A security researcher discovered Intel Security’s McAfee VirusScan Enterprise for Linux (VSEL) product versions 2.0.3 and earlier are plagued by 10 vulnerabilities, including information disclosure flaws, cross-site request forgery (CSRF) bugs, remote code execution flaws, and privilege escalation issues, among other vulnerabilities, 4 of which can be chained to achieve remote code execution with root privileges. Intel Security advised users to upgrade to Endpoint Security for Linux (ENSL) 10.2 or later to avoid the flaws.

Flaws allow remote hacking of Moxa MiiNePort devices. Moxa released firmware updates for its MiiNePort embedded serial device servers after a security researcher found the devices were plagued with two vulnerabilities, one of which can be exploited to brute-force an active session cookie and download a device’s configuration file containing sensitive information such as the administrator password remotely from the Internet, which could give a malicious actor unrestricted privileges and allow the attacker access to the device. The second vulnerability relates to how the configuration data is stored in a file without being encrypted.

Users warned of Zcash miner infections. Kaspersky Lab reported that cybercriminals have covertly infected roughly 1,000 devices with software that mines for Zcash (ZEC), a new cryptocurrency worth about $49 per ZEC, in order to make a significant profit. Kaspersky Lab stated cybercriminals were disguising the miners as legitimate applications and distributing them via torrent Websites, and reported that no attempts to install the miners using Website vulnerabilities or email spam campaigns have been spotted.

Alpha version of Sandboxed Tor Browser available for Linux. The Tor developer known as Yawning Angel released Sandboxed Tor Browser 0.0.2, a version of the browser designed to offer additional security to users as it traps exploits and prevents them from accessing files, real Internet Protocol (IP) addresses, and media access control (MAC) addresses on the host. The developer warned the new version has unresolved issues affecting security and fingerprinting, and the application is only compatible with Linux systems as it leverages bubblewrap, a sandboxing utility for Linux.

12/13/16

Two charged for allegedly scamming credit unions for over $300K. A Wisconsin couple was charged December 6 after the duo allegedly defrauded Enterprise Credit Union in Brookfield out of more than $300,000 after one of the defendants, who managed the bank’s accounts, had her co-conspirator cash bank checks worth $980 several times each week beginning in May 2015. The charges allege that the couple used the money to buy drugs.

Homebuilder ordered to pay $11 million for “builder bailout” scam. A northern California residential developer and president of Discovery Sales, Inc. pleaded guilty on behalf of his company December 8 to a builder bailout scheme where former Discovery Sales employees secured mortgages for buyers of more than 325 Seeno-built homes through illicit means and opened at least $1.24 billion in construction lines of credit, resulting in over $200 million in sales and roughly $75 million in losses to Wells Fargo & Company and JP Morgan Chase & Co. from 2006 – 2008. The executive agreed to pay $3 million in restitution to Fannie Mae and Freddie Mac as well as an $8 million fine, and the firm was placed on probation for 5 years.

Executive pleads guilty to $10.5 million bank fraud. The former president of Culpeper, Virginia-based Capitol Components and Millwork, Inc. (CCM) pleaded guilty December 9 to a $10.5 million bank fraud scheme where the former executive fraudulently maintained a credit line at Fauquier Bankshares, Inc. by misrepresenting the company’s true financial condition and submitting documents to the bank in October 2015 that fraudulently claimed there was roughly $17 million of total accounts receivable and inventory securing the bank’s $11.5 million credit line, while in reality there was no more than $3.4 million of total accounts receivable and inventory. CCM was unable to repay the interest or principal amount of the loan.

New AirDroid releases fix major security issues. The AirDroid team released mobile version 4.0.0.3 and Microsoft Windows and Apple Mac version 3.3.5.3 of its remote management tool for Android after Zimperium security researchers found the app does not verify if a served update is legitimate, and sends and receives information over insecure channels, thereby exposing users on unsecured networks to man-in-the-middle (MitM) attacks. In addition to the security improvements, the AirDroid developers also upgraded the communication channels to Hypertext Transfer Protocol Secure (HTTPS) and enhanced the encryption method.

Dozens of teens arrested over DDoS attacks. Europol announced that 34 arrests were made as part of a multi-national operation targeting users of distributed denial-of-service (DDoS) cyber-attack tools after the individuals allegedly paid for stresser and booter services to deploy malicious software to launch DDoS attacks. Authorities believe the tools used in the attacks are part of the illicit DDoS-for-hire services where a hacker can pay to have an attack carried out against a targeted victim.

Samas ransomware gang made $450,000 in one year: analysis. Palo Alto Networks researchers reported that the cybercriminals behind the Samas, or SamSa, ransomware were carrying out targeted attacks against the healthcare industry and have collected over $450,000 in ransom payments from their targets since the beginning of 2016. The ransomware has undergone a series of modifications since it was first spotted, including changes to the filename extensions that are appended to files after encryption takes place, in order to make analysis and reverse-engineering more difficult.

New minimum code signing requirements for use by all CAs. The Certificate Authority Security Council (CASC) announced that the Code Signing Working Group released new Minimum Requirements for Code Signing for use by all Certificate Authorities (CAs), which represent the first standardized code signing guidelines and incorporate several new features to help businesses defend their systems from cyber-attacks, including stronger protection for private keys, certificate revocation, and improved time-stamping of code signatures, among other features. Microsoft is the first application software vendor to adopt the guidelines and will require CAs that issue code signing certificates for Windows platforms to adhere to the new requirements beginning February 1, 2017.

Microsoft Edge’s malware alerts can be faked, researchers say. Security researchers discovered that malicious actors can abuse Microsoft’s Edge Web browser to display legitimate-appearing malware warning messages by altering URL characters and appending a hash and a URL of a Website that appears to be authentic to forge a technical support scam page due to flaws in Edge’s “ms-appx:” and “ms-appx-web:” protocols. The fraudulent warnings replace Edge’s SmartScreen messages, which are displayed if the browser detects suspected malicious Websites, indicating that a nominated site displayed in the address bar is infected.

12/12/16

Ex-JPMorgan employee accused of $5 million scheme to defraud bank. A former operations manager for JPMorgan Chase & Co.’s broker-dealer services was charged December 7 after he allegedly made or attempted to make 22 wire transfers for over $5 million from a bank account that was supposedly JPMorgan-owned to an account at another bank belonging to an unidentified individual from July 2014 – February 2016. The former manager reportedly defrauded the bank in order to pay personal debts.

Yahoo pays out $10,000 bounty for critical mail flaw. A security researcher from Finland-based software company Klikki Oy discovered a critical flaw in Yahoo! Mail that could allow attackers to steal a user’s emails and create a worm that spreads by attaching itself to outgoing emails. The researcher found the flaw is related to code inserted into an email when a victim uses the “Share files from cloud providers” attachment option to attach files from their cloud storage accounts, and reported that the code is executed as soon as the email is opened.

Most external PowerShell scripts are malicious: Symantec. Symantec researchers reported that more than 95 percent of scripts using PowerShell were found to be malicious after the Symantec Blue Coat Malware Analysis sandbox observed 49,127 PowerShell scripts submitted in 2016 and analyzed 4,782 samples that represent a total of 111 malware families abusing the PowerShell command line. The researchers reported that attackers leverage PowerShell scripts due to the flexibility of the framework, and found that attackers use the scripts post-compromise to download additional payloads.

Petya variant Goldeneye emerges. BleepingComputer security researchers warned that a new variant of the Petya ransomware, dubbed Goldeneye was recently spotted and leverages resume-themed spam emails for distribution. The emails include two malicious documents containing macros, which once enabled, launch and save embedded base64 strings into an executable file in the temp folder, which is executed to start encrypting the files on a device.

12/9/16

Louisiana criminal defense attorney pleads guilty to tax evasion. A criminal defense attorney from Baton Rouge, Louisiana, pleaded guilty December 7 to evading payment of roughly $1 million in Federal income tax, penalties, and interest, as well as employment tax, penalties, and interest between 2003 and 2013 while operating a criminal defense law practice in Hammond. In an effort to hide the ownership of his property and avoid the payment of his tax liabilities, the attorney used nominees and the trusts he beneficially owned to buy his primary residence for $435,000 in January 2007, and deposited $416,283 into the nominee bank account with funds from the trusts and other accounts not under his ownership between January 2007 and January 2014.

August stealer uses PowerShell for fileless infection. Proofpoint security researchers warned that a new information stealing malware, dubbed August, leverages Microsoft Word documents containing malicious macros, which once enabled, launch a PowerShell command to download and install the August stealer on a machine for a fileless infection. The malicious payload is downloaded from a remote site as a PowerShell byte array, and the campaign targets customer service and managerial staff at retail stores to steal credentials and sensitive documents from the affected devices.

323,000 pieces of malware detected daily. Kaspersky Lab reported that the number of new malware files detected by its products increased to 323,000 per day in 2016, an increase of 13,000 from the amount of files detected in 2015.

Over 400,000 phishing sites have been observed each month during 2016. Webroot security researchers reported that phishing Websites have become more sophisticated and carefully crafted, as 84 percent of phishing sites observed in 2016 existed for less than 24 hours, making any organization or person susceptible to having sensitive information stolen. Webroot also found that during 2016, an average of more than 400,000 phishing Websites were observed each month and nearly all of the phishing URLs are hidden within benign domains, among other findings.

Hackers can exploit Roundcube flaw by sending an email. RIPS Technologies discovered that Roundcube, an open source Webmail software was plagued with a critical vulnerability related to the Hypertext Preprocessor (PHP) function “mail()” that an attacker with access to the targeted system can exploit to execute arbitrary commands on the system by sending an email. The security firm found that the user input is not properly sanitized in the fifth parameter of the “mail()” function, which allows an attacker to pass arbitrary arguments and create a malicious PHP file in the system’s Web root directory, enabling the malicious actor to execute commands and conduct malicious activities.
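The defect described above is a generic PHP pattern: whatever is placed in the fifth parameter of mail() is handed to the local sendmail binary as extra command-line options. The snippet below is an added illustration written for this page, not Roundcube's code or its actual fix; the function names and the sample input are assumptions, and it shows the unvalidated pattern beside a hardened version that rejects or quotes the sender value before it can reach the command line.

```php
<?php
// Added illustration of the mail() fifth-parameter risk; not Roundcube's code.
// PHP's mail() appends its fifth argument ($additional_params) to the sendmail
// command line, so a user-controlled value placed there is interpreted as
// sendmail options rather than as data.

// Vulnerable pattern: the user-supplied sender address is interpolated into the
// envelope-sender option ("-f") with no validation and no quoting, so any extra
// whitespace-separated tokens in $from become additional sendmail arguments.
function send_unsafe(string $to, string $subject, string $body, string $from): bool
{
    return mail($to, $subject, $body, "From: $from", "-f$from");
}

// Hardened helper: accept only a syntactically valid e-mail address and return it
// quoted as a single shell argument; anything else is rejected with null.
function envelope_sender_or_null(string $from): ?string
{
    // FILTER_VALIDATE_EMAIL rejects whitespace, newlines and other characters
    // that could split the value into extra options or inject mail headers.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes so it stays one token.
    return escapeshellarg($from);
}

// Hardened pattern: validate before building either the header or the option.
function send_safe(string $to, string $subject, string $body, string $from): bool
{
    $sender = envelope_sender_or_null($from);
    if ($sender === null) {
        // Log the rejected value hex-encoded so log lines cannot be forged.
        error_log('rejected envelope sender: ' . bin2hex($from));
        return false;
    }
    return mail($to, $subject, $body, "From: $from", '-f' . $sender);
}

// Constructed sample inputs (assumptions, not values from the page).
$legitimate = 'alice@example.com';
$hostile    = "alice@example.com -X /tmp/injected";   // extra token after a space

var_dump(envelope_sender_or_null($legitimate) !== null);  // bool(true)
var_dump(envelope_sender_or_null($hostile) === null);     // bool(true): rejected
```

Run with `php example.php`; the hostile value is refused before mail() is ever called, while the legitimate one is passed through as a single quoted argument.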

12/8/16

Buffalo man convicted of multiple bank robberies. A Buffalo, New York resident pleaded guilty December 6 to committing or helping to commit six bank robberies at First Niagara Bank and KeyBank branches in Buffalo, Lancaster, and Depew, New York.

Florida woman guilty of interstate stolen credit card scheme. A Ft. Lauderdale, Florida woman pleaded guilty December 6 after she and co-conspirators used stolen credit cards to fraudulently purchase Apple iPads, iPods, MacBooks, and other electronic goods and gift cards from Target Corporation, Best Buy, and other stores in central Pennsylvania over the course of roughly 8 months from 2014 – 2015, resulting in an estimated total loss of $179,500. The group broke into vehicles from Florida to Pennsylvania in order to steal the credit cards and victims’ identification documents before making the fraudulent purchases.

Windows 10 Creators Update brings new security capabilities. Microsoft reported that the Windows 10 Creators Update, which is scheduled to be released in the spring of 2017, will include several security enhancements including improved detection, intelligence, and remediation capabilities in Windows Defender Advanced Threat Protection (ATP), a feature that will link the Windows Security Center to Office 365 ATP to allow administrators to track a threat across endpoints and email, as well as expanded ATP sensors to detect kernel-level exploits and threats that occur only in memory, among other updated features.

Locky variant Osiris distributed via Excel documents. BleepingComputer security researchers discovered that the Locky ransomware began appending the .osiris extension to encrypted files, while leveraging malicious Microsoft Excel spreadsheets for distribution. The Excel documents are hidden inside ZIP archives and attached to spam emails concealed as invoices, which contain macros that download and install Locky on a victim’s device once enabled.

Google patches 74 vulnerabilities in Android. Google released its December 2016 Android Security Bulletin which includes patches for a total of 74 vulnerabilities, including 11 critical flaws, a total of 43 high severity flaws, and 20 medium risk vulnerabilities. The critical flaw patches include a fix for the Dirty COW vulnerability, as well as an elevation of privilege vulnerability in the kernel memory subsystem affecting Pixel C, Pixel, and Pixel XL devices, and elevation of privilege issues in the NVIDIA GPU Driver, kernel, kernel ION driver, and the Qualcomm Mobile Station Modem (MSM) interface, among other patched flaws.

Flash Player remains main target of exploit kits: report. Threat intelligence firm Recorded Future released a report after performing an analysis of 141 exploit kits (EKs), which found that Adobe Flash Player, Microsoft Windows, Internet Explorer, and Silverlight were the main targets of EKs in 2016. Flash Player accounted for 6 of the top 10 flaws leveraged by EKs, and an Internet Explorer flaw tracked as CVE-2016-0189, which was integrated into several EKs including Sundown, Neutrino, and RIG, was the most referenced vulnerability on security blogs and dark Websites.

12/7/16

Conn. investment firm fined $22 million for running Ponzi scheme. A Federal court fined Sharon, Connecticut-based Wilkinson Financial Opportunity Fund $22 million December 3 for orchestrating a Ponzi scheme that bilked 30 investors out of $11 million. Beginning in 2005, a member of the firm’s board of directors falsely promised friends, relatives, and business partners 10 to 30 percent returns from their investments, and paid off old clients with earnings coming in from new clients when the promised returns failed to materialize.

Franklin man convicted on 31 counts of conspiracy, computer access and wire fraud. Two men were convicted December 2 for altering the denomination distribution amounts of cash dispensed from Safe Cash Systems, LLC ATMs at convenience stores, bars, and restaurants in Nashville, Tennessee, from January 2009 – March 2010 using passwords that one of the co-conspirators knew from his previous employment as a Safe Cash ATM technician. Once the denomination distribution amounts were changed, the duo made more than 800 withdrawals from Safe Cash ATMs using 9 bank accounts and 17 bank cards to steal over $600,000 from the company, 20 times the amount that was debited from their bank accounts.

Jury convicts Minnesota chiropractor of tax evasion. A Minnesota chiropractor was convicted December 2 after he neglected to file individual income tax returns from 2004 – 2014, created a religious organization, Sovereign Christian Mission, to conceal his income and pay personal expenses, and presented a fraudulent financial instrument allegedly worth $300 million to the U.S. Internal Revenue Service (IRS), claiming it covered the taxes he was responsible for. The chiropractor tried to conceal his income by diverting money to a warehouse bank, MYICIS, cashing more than $800,000 in business checks, and submitting fictitious money orders and other financial instruments to the IRS.

Chrome 55 patches 36 flaws, blocks Flash by default. Google released Chrome 55 patching a total of 36 security flaws including 12 high risk flaws in PDFium, Blink, DevTools, and V8, as well as 9 medium severity issues, and 5 low risk flaws, among other patched vulnerabilities. In addition to resolving the security flaws, Chrome 55 enhances user security by blocking Websites that contain Adobe Flash content out-of-the-box.

Avalanche network dismantled in international cyber operation. The U.S. Department of Justice announced December 5 that a multinational operation involving arrests and searches in four countries successfully dismantled Avalanche, a complex network of computer servers that allegedly hosted more than two dozen of the most severe types of malicious software and facilitated financial crimes and money laundering campaigns worldwide. The Avalanche network reportedly served clients operating as many as 500,000 infected computers worldwide on a daily basis and caused hundreds of millions of dollars in losses.

12/6/16

Woman pleads guilty to defrauding Chevy Chase financial company of more than $1 million. A Germantown, Maryland resident pleaded guilty December 1 to embezzling at least $1.02 million from her employer, a Chevy Chase-based financial institution, between December 2007 and June 2014. The charges allege that the defendant sent banks fictitious invoices where she forged the signature of another employee of her financial firm, and deposited over 60 checks issued by various banks including U.S. Bank, Bank of America, and JPMorgan Chase & Co. into her personal financial accounts.

Couple pleads guilty to stealing 50K identities in tax fraud scam. A Houston couple pleaded guilty December 2 to stealing the identities of 50,000 victims and using the identities to apply for and obtain 230 debit cards from January 2014 – May 2015. The duo used the stolen identities to earn $250,000 in fraudulent Federal tax returns, while attempting to obtain a total of $1.9 million in tax refunds.

Eight vulnerabilities found in Moxa NPort devices. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that Moxa’s NPort serial device servers are plagued by eight vulnerabilities after security researchers discovered three critical flaws that can be exploited to retrieve an administrator password without authentication, update the device’s firmware without authentication, and use brute force to bypass authentication, as well as high-severity flaws that can be exploited to cause a denial-of-service (DoS) condition and remotely execute arbitrary code, among other flaws. Moxa released firmware updates for most of the affected servers and advised its customers to install the updates.

12/5/16

Five facing Federal charges for $33M mortgage fraud. Five co-conspirators were charged December 1 for their roles in a $33 million mortgage fraud conspiracy after their company, Terra Foundation, filed nearly 60 fraudulent mortgage discharges in Westchester and Putnam counties in New York and in Connecticut that made it appear as though Terra’s clients’ mortgages were paid off. In order to make a profit, Terra charged monthly fees for services including audits that were never performed, and convinced clients to take out a second or reverse mortgage and retained large portions of the proceeds.

AirDroid app opens millions of Android users to device compromise. Zimperium security researchers reported that tens of millions of users of AirDroid, a remote management tool for Android, are vulnerable to man-in-the-middle (MitM) attacks that could compromise their devices through fraudulent updates and result in data theft. If a user is on the same unsecured network as a malicious actor, the attacker could perform a MitM network attack to access the device authentication information, decrypt any Hypertext Transfer Protocol (HTTP) request the application performs, and redirect and modify the HTTP traffic sent and received by the device when it checks for updates, and then plant a malicious update for the app to use.

Bug allows activation lock bypass on iPhone, iPad. Security researchers discovered two variations of a flaw that can be exploited to bypass Apple’s Activation Lock feature and access the homescreen of locked iPhones and iPads running Apple’s mobile operating system (iOS) 10.1 and iOS 10.1.1. Once a locked device is started, users are required to connect to a WiFi network, and attackers can enter long strings into the username and password fields to trigger a crash that displays the device’s homescreen.

12/2/16

PayPal fixes security flaw allowing hackers to steal OAuth tokens. PayPal Holdings, Inc. patched a critical security flaw in its application after an Adobe Systems security researcher found a vulnerability that could allow attackers to steal OAuth tokens due to the way PayPal allows developers to register their apps with PayPal through a dashboard that generates token requests which are submitted to a central authentication server. The researcher found a hacker can trick the authentication server into using localhost as the redirect_uri parameter to redirect a PayPal validation to a third-party domain where an attacker could access the data.
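The defensive rule that follows from the flaw above is that an authorization server should accept a redirect_uri only when it exactly matches one registered for the client, never by host-name heuristics such as treating anything that looks like localhost as trusted. The following is an added example, not PayPal’s code; the client id and registered URIs are constructed sample data.

```php
<?php
// Added illustration (not PayPal's code): strict redirect_uri resolution for an
// OAuth authorization endpoint. Registered values below are constructed.

/** Registered redirect URIs per client id (constructed sample data). */
const REGISTERED_REDIRECTS = [
    'client-123' => [
        'https://app.example.com/oauth/callback',
        'http://127.0.0.1:8080/callback',   // a loopback URI is fine when registered explicitly
    ],
];

/**
 * Returns the redirect URI to use, or null when the request must be rejected.
 * RFC 6749 section 3.1.2.3 calls for comparing the requested value against the
 * registered one; exact string matching avoids every prefix/suffix ambiguity.
 * Redirect URIs must not carry a fragment component.
 */
function resolveRedirectUri(string $clientId, ?string $requested): ?string
{
    $registered = REGISTERED_REDIRECTS[$clientId] ?? [];
    if ($registered === []) {
        return null;                                   // unknown client
    }
    if ($requested === null) {
        // Defaulting is only safe when exactly one URI is registered.
        return count($registered) === 1 ? $registered[0] : null;
    }
    $parts = parse_url($requested);
    if ($parts === false || isset($parts['fragment'])
        || !isset($parts['scheme'], $parts['host'])) {
        return null;                                   // malformed or has a fragment
    }
    // Exact match only: no prefix matching, no "host ends with" checks, and no
    // special treatment of the string "localhost" anywhere in the value.
    return in_array($requested, $registered, true) ? $requested : null;
}

// Constructed requests: the first is accepted, the rest are rejected.
var_dump(resolveRedirectUri('client-123', 'https://app.example.com/oauth/callback'));
var_dump(resolveRedirectUri('client-123', 'https://app.example.com/oauth/callback/../x'));
var_dump(resolveRedirectUri('client-123', 'http://localhost.example.net/callback'));
var_dump(resolveRedirectUri('client-123', 'https://app.example.com/oauth/callback#f'));
var_dump(resolveRedirectUri('client-999', 'https://app.example.com/oauth/callback'));
```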

Kelihos botnet spreading Troldesh ransomware. Security researchers reported the Kelihos botnet was spotted distributing the Troldesh encryption ransomware to targeted devices via spam emails that contain URLs that redirect a victim to a JavaScript file and a Microsoft Word document before encrypting users’ files and adding the .no_more_ransom extension. The Troldesh ransomware displays a spam message impersonating Bank of America that convinces a user to open a malicious attachment claiming to have information on an outstanding debt, but instead downloads the malware and Pony info-stealer onto a victim’s device.

Gooligan Android malware used to breach a million Google accounts. Check Point security researchers discovered a new variant of an Android malware campaign dubbed Gooligan that has breached the security of more than 1 million Google accounts since August 2016 by rooting Android devices and stealing email addresses and authentication tokens stored on them, thereby enabling a malicious actor to access users’ sensitive data from Gmail, Google Docs, Google Photos, and Google Drive, among other programs. The researchers found the Gooligan campaign infects 13,000 devices daily and installs at least 30,000 apps on those infected devices each day, among other findings.

Flaws found in Emerson DeltaV, Liebert products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published three advisories outlining flaws affecting Emerson’s DeltaV and Liebert products after a security researcher from Positive Technologies found that Emerson’s Liebert SiteScan tool versions 6.5 and earlier are plagued with an Extensible Markup Language (XML) external entity (XXE) flaw that can be remotely exploited to execute arbitrary code or access files from a server or connected network. The advisory also describes a vulnerability in the DeltaV Easy Security Management app that could be exploited to elevate privileges on the control system, among other flaws.

12/1/16

Former office worker pleads guilty to stealing nearly $290,000 from three different employers. A Rockville, Maryland resident pleaded guilty November 29 to embezzling nearly $290,000 from 3 of her employers between September 2012 and September 2015 while she worked as an office manager or executive assistant for the companies and had access to the firms’ financial information and accounts. The charges state the woman stole $218,802 from a consulting firm from September 2012 – February 2014, $41,240 from a non-profit organization, and an additional $29,598 from a management consulting company during the course of her employment.

Tor users targeted with Firefox zero-day exploit. Mozilla’s Firefox team and Tor Browser developers are working to release updates after Trail of Bits security researchers spotted a JavaScript exploit leveraging a zero-day use-after-free vulnerability in the Scalable Vector Graphics (SVG) parser in Firefox to target Tor users. The exploit reportedly consists of one Hypertext Markup Language (HTML) file and one Cascading Style Sheet (CSS) file.

158% increase in Android platform vulnerabilities. Quick Heal released a report which revealed a 14 percent increase in the detection count of malware on Microsoft Windows-based computers in the third quarter of 2016, a 33 percent rise in the amount of mobile ransomware in comparison to the second quarter, and a 25 percent increase in the detection of mobile banking trojans in the third quarter, among other findings.