Posts Tagged ‘UK’

Wednesday, June 18, 2014 @ 04:06 PM gHale

XP may be gone in Microsoft’s eyes, but it is still going strong with small to medium businesses, a new study said.

Almost one in five small and medium businesses worldwide are currently exposed to major security risks as they are still using Windows XP after Microsoft ended support for the operating system in April, said security firm Bitdefender.

RELATED STORIES
Warning over XP Update Trap
How to Mitigate Potential XP Vulnerabilities
Microsoft Extends Update Deadline
Microsoft Strengthens Cloud Security

The research, conducted in countries including the UK, Germany, Spain and the U.S., shows businesses still rely on the legacy Microsoft OS despite security concerns. Millions of malware attacks target companies every month and hackers try to steal confidential data by taking advantage of the system’s vulnerabilities.

The Bitdefender study, carried out from March to May 2014 on a sample of over 5,000 companies in areas including retail, healthcare and education, found enterprises that continue to run Windows XP since the April 8 end-of-support date are now more vulnerable to cyber attacks.

Users of the operating system no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

“A few weeks after the end of support announcement, a new Internet Explorer Zero Day vulnerability turned into a permanent threat for XP users,” said Catalin Cosoi, chief security strategist at Bitdefender. “That was until Microsoft issued a patch that was made available for Windows XP users as well. However, this was an exception that shouldn’t make enterprises believe it will happen again, so the swift migration from XP is a must for all users.”

The most targeted company in the three-month analysis was a web marketing business that had to deal with almost 800 million malware attacks. Other SMBs in the top targeted industries included a logistic services firm based in the UK and an Irish retail company.

Bitdefender’s research showed that 37 percent of SMB employees are working remotely or from home, increasing BYOD trends and security risks. At the same time, 17 percent of SMBs allow employee-owned mobile devices full access to the VPN.

The study also showed 53 percent of the companies upgraded to the more secure system Windows 7 Professional. Only a small percentage of the analyzed SMBs are using other Windows versions such as 7 Home Premium and Windows 8.1 Pro, while a few have also installed dedicated server products.

Wednesday, May 28, 2014 @ 06:05 PM gHale

Point of sale (PoS) terminals appear to still be some low hanging fruit for the bad guys as a global cybercriminal operation infected almost 1,500 terminals, accounting systems and other retail back-office platforms from businesses in 36 countries, researchers said.

The infected systems joined together in a botnet researchers from cybercrime intelligence firm IntelCrawler called Nemanja. The researchers believe the attackers behind the operation might be from Serbia.

RELATED STORIES
Data Breach Leader: E-commerce Sites
Malware Attack Approach: Deceptive Tactics
Top Q1 Mobile Threat Target: Android
Firms Watch Data Walk Out the Door

The size of the botnet and the worldwide distribution of infected systems brings into perspective the security problems faced by retailers from around the world, problems also highlighted by PoS breaches at several large U.S. retailers.

Past incidents suggest an increased attention from cybercriminals toward retailers and small businesses that use PoS terminals, the IntelCrawler researchers said Thursday in a blog post.

“We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers,” the researchers said.

The Nemanja botnet included 1,478 infected systems in countries on most continents including the U.S., the U.K., Canada, Australia, China, Russia, Brazil and Mexico, IntelCrawler said.

An analysis of the Nemanja botnet found the compromised systems were running a wide variety of PoS, grocery store management and accounting software popular in different countries. The IntelCrawler researchers identified at least 25 different such software programs used on those systems.

This doesn’t mean the identified applications are particularly vulnerable or insecure for further use, but shows the Nemanja PoS malware is able to work with different software. Despite the ability to collect credit card data, the malware also had keylogging functionality to intercept credentials that could provide access to other systems and databases that contained payment or personally identifiable information.

IntelCrawler predicts that very soon modern PoS malware will end up incorporated as modules into malicious remote access tools (RATs) or other Trojan programs and will see use along other components, like those for keylogging or network traffic sniffing.

The other countries where the Nemanja botnet ended up detected were Argentina, Austria, Bangladesh, Belgium, Chile, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Portugal, South Africa, Spain, Switzerland, Taiwan, Turkey, Uruguay, Venezuela and Zambia.

Tuesday, May 27, 2014 @ 05:05 PM gHale

The iPhone hack that started in Australia and New Zealand is spreading to the United States and the United Kingdom.

In a forum thread Apple users said the widely-reported ransomware attack under the name of Oleg Pliss spread to the U.S. and the United Kingdom, in addition to Australia and New Zealand.

RELATED STORIES
Siri Allows iPhone Break-in
AirPort Update to Fend Off Heartbleed
Galaxy S5 Fingerprint Scanner Hacked
Multiple Attacks for Android Trojan

“I’m in the US. Never been to Australia. Hacked last night by the Oleg Pliss nonsense. Currently restoring to try and get it back online,” said wheelman2188 on the Apple Support Communities forum thread.

This attack could spread globally, and many users could actually fall for the scam and pay up the $100/€100 without any guarantees that the crooks will unlock their Apple IDs.

The whole attack could have come about through a phishing email.

Phishing is a common practice used by cybercriminals to steal user names and passwords, and the Apple community has had its fair share these attacks for the past few years. Suffice to say iOS is on its way to becoming what Windows has been for the hacking community for the past decade: A sea of opportunities.

Earlier this month, an email purporting to be from Apple was sent to various iOS/OS X users with the following message:
“Dear Apple Customer,
“Your Apple ID has been Disabled for Security Reasons!
“Someone just tried to sign in into your Apple account from other IP Address.
Please confirm your identity today or your account will be Disabled due to concerns we have for the safety and integrity of the Apple Community.
“To confirm your identity, we recommend that you go to
“Regards
“Apple”

This note came from a user who managed to avoid getting hit by the hack, but others may not be so fortunate. If you know you’ve answered to this email as instructed, change your Apple ID password ASAP.

Wednesday, May 21, 2014 @ 07:05 PM gHale

Cyber crime and investigations know no boundaries and last week 300 houses ended up raided and over 100 people arrested as part of an international law enforcement operation targeting people believed to be responsible for selling, creating and using the BlackShades Remote Access Trojan (RAT).

News of the operation came out last week, when the members of hacker forums said police raided them. On Monday, Europol confirmed the operation and provided more details.

RELATED STORIES
Feds Charge 5 Chinese for Hacking
More Charges against Accused Hacker
Ex-Gore Engineer Faces IP Theft Charges
Windows Code Leaker Pleads Guilty

Raids took place in over 10 countries, including Belgium, France, the Netherlands, Germany, UK, Estonia, Austria, Canada, U.S., Denmark, Chile, Italy and Croatia.

Investigators seized over 1,000 computers, laptops, mobile phones, USB sticks, external hard drives and routers.

“This case is yet another example of the critical need for coordinated law enforcement operations against the growing number of cyber criminals operating on an EU and global level,” said Troels Oerting, head of the European Cybercrime Centre (EC3).

“EC3 will continue — together with Eurojust and other partners — to work tirelessly to support our partners in the fight against fraudsters and other cyber criminals who take advantage of the Internet to commit crime. The work is far from over, but our cooperation to work together across borders has increased and we are dealing with cases on an ongoing basis.”

The BlackShades RAT, which sells for between $40 and $100, is a popular tool among cybercriminals. The malware can hijack webcams, steal files, log keystrokes, and launch denial-of-service attacks against a designated target.

In a recent case in the Netherlands, an 18-year-old used it to infect over 2,000 computers. The teen hijacked the webcams of infected devices in an effort to capture intimate pictures of women.

The FBI arrested Michael Hogue, one of the creators of BlackShades, back in 2012. However, others continued to improve the RAT even after Hogue’s arrest. In November 2013, Symantec said the use of BlackShades had increased in the previous five months.

“This case is a strong reminder that no one is safe while using the Internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, assistant to the National Member for the Netherlands.

“This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centers.”

Friday, April 25, 2014 @ 03:04 PM gHale

Nine members of a cybercrime group responsible for stealing $2.1 million from bank accounts received sentences totaling 24 years and 9 months by the United Kingdom’s Southwark Crown Court.

The group used KMW (Keyboard, Video, Mouse) switches to transfer money from bank accounts at Barclays and Santander. They also made fraudulent purchases with payment cards obtained after intercepting or stealing around one million letters.

RELATED STORIES
Hacking Verdict Overturned on Appeal
Two Plead Guilty to Hacking Charges
Windows Code Leaker Pleads Guilty
Ex-Microsoft Worker Busted for Leak

They used the cards to purchase expensive watches, jewelry and other high-value items worth more than $1.68 million, court officials said.

Lanre Mullins-Abudu, 25, received eight years in prison for one count of conspiracy to commit fraud, two counts of conspiracy to steal and one count of possession of articles for use in fraud. Steven Hannah, 53, got 5 years and 10 months in prison for conspiracy to commit fraud and possession of drugs with intent to supply.

The list also includes Tony Colston-Hayter (5 years and 6 months in prison), Darius Valentin Boldor (2 years and 6 months in prison), Dean Outram (3 years in prison), Segun Ogunfidodo (9 months suspended, community work and tag-monitored curfew), Adam Raeburn Jefferson (1 year and 9 months suspended and tag-monitored curfew for 6 months), and Dola Leroy Oduns (9 months suspended, community work and curfew).

James Lewis Murphy received six months in prison, but he has already served his sentence while in custody.

“Today’s convictions are the culmination of a long and highly complex investigation into an organized crime group whose aim was to steal millions of pounds from London banks and credit card companies,” said Detective Chief Inspector Jason Tunn, of the MPS Cyber Crime Unit.

“Through working with industry partners such as Santander and Barclays, whose efforts in assisting us were immense, we have been able to bring this group to justice,” he said.

“This case demonstrates the sheer investigative skill we are able to apply to tackling cyber crime, as we continue working to keep London people and businesses safe from cyber criminals. We are determined to make London a hostile place for cyber criminals and not allow the Internet to be a hiding place for those who defraud people in the capital,” Tunn said.

Wednesday, March 19, 2014 @ 02:03 PM gHale

There is a new operation just discovered that has over 25,000 Unix servers suffering from an infection for the past two years.

Called “Windigo” after the mythical creature from Algonquian Native American folklore, the servers are sending out 35 million spam emails each day, putting around 500,000 computers at risk of malware infection.

“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

Most of the infected servers are in the U.S., Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and kernel.org.

ESET has been investigating the campaign for around one year. In total, 25,000 servers suffered infection, of which 10,000 still have the issue.

Mac users are not out in the cold as Windows users end up directed to malware-serving exploit kits. People who visit the infected websites from Macs end up pushed to adult content or served ads for dating sites.

Léveillé highlights the Ebury backdoor deployed by the attackers doesn’t exploit Linux or OpenSSH vulnerabilities. Instead, it ends up planted manually.

“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” Léveillé said.

Pierre-Marc Bureau, security intelligence program manager at ESET, said they are investigating the campaign because cybercriminal operations that rely on Linux malware are not something we get to see every day, particularly when it comes to an operation as complex as Windigo.

Bureau said this is the biggest botnet of servers they have ever seen. What they do know is the bot masters are very good in programming and the administration of Linux systems. Additionally, they probably have good connections in the underground, considering their capabilities to send spam and install malware.

The complete paper of the Windigo operation is available on ESET’s website.

Monday, January 27, 2014 @ 06:01 PM gHale

The Xtreme RAT malware has not only hit Israeli police systems, it has also targeted governments in the U.S., UK, and other countries, researchers said.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies, said researchers at antivirus developer Trend Micro.

RELATED STORIES
Energy Sector Under Attack
Report: Security Needs Proactive Approach
Report: Execs Still Lack Security Understanding
Senior Mgt Biggest Security Violators

The archive contained a malicious executable that looks like a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of a year-long cyber espionage operation performed by the same group of attackers in the region.

According to data found by Trend Micro, the campaign’s scope appears to be much larger.

“We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel,” Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. “One of the emails was sent to 294 email addresses.”

“While the vast majority of the emails were sent to the Government of Israel at ‘mfa.gov.il’ [Israeli Ministry of Foreign Affairs], ‘idf.gov.il’ [Israel Defense Forces], and ‘mod.gov.il’ [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at ‘state.gov’ [U.S. Department of State] email addresses,” Villeneuve said. “Other U.S. government targets also included ‘senate.gov’ [U.S. Senate] and ‘house.gov’ [U.S. House of Representatives] email addresses. The email was also sent to ‘usaid.gov’ [U.S. Agency for International Development] email addresses.”

The list of targets also included ‘fco.gov.uk’ (British Foreign & Commonwealth Office) and ‘mfa.gov.tr’ (Turkish Ministry of Foreign Affairs) email addresses, as well as addresses from government institutions in Slovenia, Macedonia, New Zealand, and Latvia, the researcher said. Some non-governmental organizations like the BBC and the Office of the Quartet Representative, also ended up a target.

The Trend Micro researchers used metadata from the decoy documents to track down some of their authors to an online forum. One of them used the alias “aert” to talk about various malware applications including DarkComet and Xtreme RAT or to exchange goods and services with other forum members, Villeneuve said.

Monday, January 6, 2014 @ 03:01 PM gHale

Europe users clicking on Yahoo.com had a good chance of having their computers infected with malware from malicious ads over a four-day time frame.

Cybercriminals were able to place compromised ads.yahoo.com as early as December 30, said researchers at security firm Fox-IT. Malicious iframes placed on the website redirected users to domains hosting the Magnitude exploit kit.

RELATED STORIES
Webcams Can Watch Without User Knowing
Ransomware Uses Webcam in Scam
Teen Hacked, Blackmailed
Old Trojan Remains Effective

The exploit kit leveraged Java vulnerabilities to push various pieces of malware, including ZeuS, Andromeda, Dorkbot, Tinba (Zusy), and Necurs.

Yahoo said users from Europe are the only ones that can suffer from the issue. Fox-IT said most infections were in Romania, the UK, and France.

Yahoo cleared up the problem by January 3. However, researchers from HitmanPro said there could be as much as 2.5 million computers infected with the malware.

The victims did not have to click on the malicious ads in order to have their devices infected with malware. Users from Europe who visited Yahoo.com from a computer running a vulnerable version of Java should immediately scan their computers with an up-to-date antivirus program to make sure they’re not a victim of the attack.

Wednesday, October 30, 2013 @ 04:10 PM gHale

A United Kingdom man is facing charges of breaching thousands of computer systems in the United States and elsewhere – including the computer networks of federal agencies – to steal massive quantities of confidential data.

Lauri Love, 28, of Stradishall, England, is facing one count of accessing a U.S. department or agency computer without authorization and one count of conspiring to do the same, according to a federal indictment handed up from the New Jersey U.S. Attorney’s office.

RELATED STORIES
Charges Filed in Cyber Fraud Case
4 Dutch Men Face Cyber Theft Charges
Identity Theft Service Suspect Arrested
Feds Bust 2 in Skimming Device Scam

An investigation led by the U.S. Army Criminal Investigation Command-Computer Crime Investigative Unit and the FBI in Newark found Love illegally infiltrated U.S. government computer systems – including those of the U.S. Army, U.S. Missile Defense Agency, Environmental Protection Agency and National Aeronautics and Space Administration – resulting in millions of dollars in losses.

Law enforcement authorities in the United Kingdom, including investigators with the Cyber Crime Unit of the National Crime Agency (NCA), said they arrested Love at his residence Oct. 25. Love faced charges previously in New Jersey on a federal complaint, also unsealed in connection with his arrest. He also faces charges in a criminal complaint in the Eastern District of Virginia related to other intrusions.

According to the indictment, between October 2012 and October 2013, Love and fellow conspirators sought out and hacked into thousands of computer systems. Once inside the compromised networks, Love and his conspirators placed hidden back doors within the networks, which allowed them to return to the compromised computer systems at a later date and steal confidential data.

The stolen data included the personally identifying information (PII) of thousands of individuals, some of whom were military servicemen and servicewomen, as well as other nonpublic material.

Love and his conspirators planned and executed the attacks in secure online chat forums. They communicated in these chats about identifying and locating computer networks vulnerable to cyber attacks and gaining access to and stealing massive amounts of data from those networks. They also discussed the object of the conspiracy, which was to hack into the computer networks of the government victims and steal large quantities of non-public data, including PII, to disrupt the operations and infrastructure of the United States government.

To gain entry to the government victims’ computer servers, Love and conspirators often deployed SQL injection attacks. They also exploited vulnerabilities in the ColdFusion web application platform. Like SQL Injection attacks, this method of hacking allowed the conspirators to gain unauthorized access to secure databases of the victims. Once they got into the network, they created back doors, leaving the system vulnerable and helping them maintain access, officials said.

Love and his conspirators took steps to conceal their identities and illegal hacking activities. To mask their IP addresses, the conspirators used proxy and Tor servers to launch the attacks. They also frequently changed their nicknames in online chat rooms, using multiple identities to communicate with each other.

If convicted, the Love faces a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense.

 
 
Archived Entries