Posts Tagged ‘UK’

Monday, March 9, 2015 @ 03:03 PM gHale

The National Cyber Crime Unit (NCCU) of the National Crime Agency (NCA) in the UK spearheaded a nationwide cyber crime “strike week” last week resulting in the arrest of 57 people in 25 separate operations.

Those arrested are accused of taking part in DDoS attacks, phishing schemes, cyber-enabled fraud, theft of intellectual property, network intrusions, and the development and distribution of malware.

Among them is a 23-year-old man from Sutton Coldfield, West Midlands, UK, whom police arrested for breaching networks of the U.S. Department of Defense in June 2014.

“The network intrusion (hacking) attack occurred on June 15, 2014 and obtained data used as part of an international satellite message dissemination system (Enhanced Mobile Satellite Services) used by the U.S. Department of Defense to communicate with employees via email or phone around the world,” the NCA said.

“The data loss consisted of non-confidential contact information for approximately 800 people including name, title, email addresses and phone numbers. It also included device information for approximately 34,400 devices including IMEI numbers which are the unique codes used to identify a mobile device. No sensitive data was obtained and none of the data obtained could be used as personally identifiable information or compromise US national security interests.”

The suspect then posted evidence of the hack on Pastebin, along with a message taunting the Lizard Squad hackers.

As part of the strike week, the NCA, ten Regional Organised Crime Units, Police Scotland and the Police Service of Northern Ireland also visited some 60 businesses whose UK-based servers had been compromised.

“The compromises could be used to send out spam email, launch attacks against websites or servers, or install phishing websites to gain access to sensitive information. The NCA said organizations acting on this advice could, between them, clean up to half of the phishing attacks that typically originate from the UK each month,” they said.

Monday, March 9, 2015 @ 02:03 PM gHale

New versions of the Cryptowall ransomware hitting email inboxes may appear innocuous, but they encrypt files on infected systems and then demand money from victims to unlock the computer.

Cryptowall is an advanced version of Cryptolocker, a file-encrypting ransomware.

An email blast went out in February, targeting users from around the world, including the U.S., UK, the Netherlands, Denmark, Sweden, Slovakia and Australia, said researchers at Bitdefender Labs. Following analysis, the spam servers appear to be in Vietnam, India, Australia, U.S., Romania and Spain.

“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” said Catalin Cosoi, chief security strategist at Bitdefender.

.chm is the extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. CHM files are highly interactive and support a range of technologies, including JavaScript, which can redirect a user to an external URL as soon as the CHM is opened.

“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed,” Cosoi said.

The HTML files are compressed and delivered as a single binary file with the .chm extension. This format bundles compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents, an index and full-text search. The fake incoming fax report email claims to come from a machine in the user’s own domain. Bitdefender Labs researchers believe the aim of this approach is to target employees at different organizations in order to infiltrate company networks.

Once the content of the .chm archive is opened, the malicious code downloads a file from http:// *********/putty.exe, saves it as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.
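Because the lure relies on a CHM attachment, a useful gateway check is to identify CHM files by content rather than by extension. The following is an added defender-side example (not code from the article or from Bitdefender): it parses the CHM "ITSF" header, which is assumed here to start with the magic bytes `ITSF` followed by little-endian version, header length, a constant, a timestamp and a language ID, and flags any attachment that is a CHM even when it has been renamed. The sample email is constructed inline.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"


def parse_itsf_header(data: bytes):
    """Return (version, header_length, language_id) if data starts with a CHM
    ITSF header, else None.  Assumed layout (little-endian): 0x00 'ITSF',
    0x04 version, 0x08 total header length, 0x0C constant, 0x10 timestamp,
    0x14 Windows language ID."""
    if len(data) < 0x18 or data[:4] != CHM_MAGIC:
        return None
    version, header_len, _const, _ts, lang = struct.unpack_from("<5I", data, 4)
    return version, header_len, lang


def find_chm_attachments(raw_eml: bytes):
    """Walk a MIME message and report every attachment that is a CHM by
    content, regardless of the filename it was given."""
    msg = message_from_bytes(raw_eml)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        hdr = parse_itsf_header(payload)
        if hdr is None:
            continue
        hits.append({
            "filename": filename,
            "renamed": not filename.lower().endswith(".chm"),
            "itsf_version": hdr[0],
        })
    return hits


def build_sample_eml() -> bytes:
    """Constructed sample: a fake 'incoming fax' lure carrying a CHM whose
    extension was changed to .pdf.  The payload is only a minimal ITSF header
    padded with zeros, not a real or working CHM."""
    fake_chm = CHM_MAGIC + struct.pack("<5I", 3, 0x60, 1, 0, 0x409) + b"\0" * 64
    msg = EmailMessage()
    msg["From"] = "fax@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Incoming fax report"
    msg.set_content("You have a new fax. See the attached report.")
    msg.add_attachment(fake_chm, maintype="application",
                       subtype="octet-stream", filename="fax_report.pdf")
    msg.add_attachment(b"%PDF-1.4 harmless placeholder", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_chm_attachments(build_sample_eml()):
        print(hit)
```

Only the renamed CHM is reported; the genuine PDF attachment passes untouched.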

Wednesday, June 18, 2014 @ 04:06 PM gHale

XP may be gone in Microsoft’s eyes, but it is still going strong with small to medium businesses, a new study said.

Almost one in five small and medium businesses worldwide are currently exposed to major security risks as they are still using Windows XP after Microsoft ended support for the operating system in April, said security firm Bitdefender.

The research, conducted in countries including the UK, Germany, Spain and the U.S., shows businesses still rely on the legacy Microsoft OS despite security concerns. Millions of malware attacks target companies every month and hackers try to steal confidential data by taking advantage of the system’s vulnerabilities.

The Bitdefender study, carried out from March to May 2014 on a sample of over 5,000 companies in areas including retail, healthcare and education, found enterprises that continue to run Windows XP since the April 8 end-of-support date are now more vulnerable to cyber attacks.

Users of the operating system no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

“A few weeks after the end of support announcement, a new Internet Explorer Zero Day vulnerability turned into a permanent threat for XP users,” said Catalin Cosoi, chief security strategist at Bitdefender. “That was until Microsoft issued a patch that was made available for Windows XP users as well. However, this was an exception that shouldn’t make enterprises believe it will happen again, so the swift migration from XP is a must for all users.”

The most targeted company in the three-month analysis was a web marketing business that had to deal with almost 800 million malware attacks. Other SMBs in the top targeted industries included a logistic services firm based in the UK and an Irish retail company.

Bitdefender’s research showed that 37 percent of SMB employees are working remotely or from home, increasing BYOD trends and security risks. At the same time, 17 percent of SMBs allow employee-owned mobile devices full access to the VPN.

The study also showed 53 percent of the companies upgraded to the more secure system Windows 7 Professional. Only a small percentage of the analyzed SMBs are using other Windows versions such as 7 Home Premium and Windows 8.1 Pro, while a few have also installed dedicated server products.

Wednesday, May 28, 2014 @ 06:05 PM gHale

Point of sale (PoS) terminals still appear to be low-hanging fruit for attackers: a global cybercriminal operation infected almost 1,500 terminals, accounting systems and other retail back-office platforms at businesses in 36 countries, researchers said.

The infected systems joined together in a botnet researchers from cybercrime intelligence firm IntelCrawler called Nemanja. The researchers believe the attackers behind the operation might be from Serbia.

The size of the botnet and the worldwide distribution of infected systems brings into perspective the security problems faced by retailers from around the world, problems also highlighted by PoS breaches at several large U.S. retailers.

Past incidents suggest an increased attention from cybercriminals toward retailers and small businesses that use PoS terminals, the IntelCrawler researchers said Thursday in a blog post.

“We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers,” the researchers said.

The Nemanja botnet included 1,478 infected systems in countries on most continents including the U.S., the U.K., Canada, Australia, China, Russia, Brazil and Mexico, IntelCrawler said.

An analysis of the Nemanja botnet found the compromised systems were running a wide variety of PoS, grocery store management and accounting software popular in different countries. The IntelCrawler researchers identified at least 25 different such software programs used on those systems.

This doesn’t mean the identified applications are particularly vulnerable or unsafe to keep using, but it shows the Nemanja PoS malware is able to work with many different software packages. In addition to collecting credit card data, the malware had keylogging functionality to intercept credentials that could provide access to other systems and databases containing payment or personally identifiable information.

IntelCrawler predicts that very soon modern PoS malware will be incorporated as modules into malicious remote access tools (RATs) or other Trojan programs and will be used alongside other components, such as keyloggers or network traffic sniffers.

The other countries where the Nemanja botnet ended up detected were Argentina, Austria, Bangladesh, Belgium, Chile, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Portugal, South Africa, Spain, Switzerland, Taiwan, Turkey, Uruguay, Venezuela and Zambia.

Tuesday, May 27, 2014 @ 05:05 PM gHale

The iPhone hack that started in Australia and New Zealand is spreading to the United States and the United Kingdom.

In a forum thread Apple users said the widely-reported ransomware attack under the name of Oleg Pliss spread to the U.S. and the United Kingdom, in addition to Australia and New Zealand.

“I’m in the US. Never been to Australia. Hacked last night by the Oleg Pliss nonsense. Currently restoring to try and get it back online,” said wheelman2188 on the Apple Support Communities forum thread.

This attack could spread globally, and many users could actually fall for the scam and pay up the $100/€100 without any guarantees that the crooks will unlock their Apple IDs.

The whole attack could have come about through a phishing email.

Phishing is a common practice used by cybercriminals to steal user names and passwords, and the Apple community has had its fair share of these attacks over the past few years. Suffice to say iOS is on its way to becoming what Windows has been for the hacking community for the past decade: a sea of opportunities.

Earlier this month, an email purporting to be from Apple was sent to various iOS/OS X users with the following message:
“Dear Apple Customer,
“Your Apple ID has been Disabled for Security Reasons!
“Someone just tried to sign in into your Apple account from other IP Address.
Please confirm your identity today or your account will be Disabled due to concerns we have for the safety and integrity of the Apple Community.
“To confirm your identity, we recommend that you go to

This note came from a user who managed to avoid getting hit by the hack, but others may not be so fortunate. If you know you have responded to this email as instructed, change your Apple ID password ASAP.

Wednesday, May 21, 2014 @ 07:05 PM gHale

Cyber crime and investigations know no boundaries and last week 300 houses ended up raided and over 100 people arrested as part of an international law enforcement operation targeting people believed to be responsible for selling, creating and using the BlackShades Remote Access Trojan (RAT).

News of the operation came out last week, when the members of hacker forums said police raided them. On Monday, Europol confirmed the operation and provided more details.

Raids took place in over 10 countries, including Belgium, France, the Netherlands, Germany, UK, Estonia, Austria, Canada, U.S., Denmark, Chile, Italy and Croatia.

Investigators seized over 1,000 computers, laptops, mobile phones, USB sticks, external hard drives and routers.

“This case is yet another example of the critical need for coordinated law enforcement operations against the growing number of cyber criminals operating on an EU and global level,” said Troels Oerting, head of the European Cybercrime Centre (EC3).

“EC3 will continue — together with Eurojust and other partners — to work tirelessly to support our partners in the fight against fraudsters and other cyber criminals who take advantage of the Internet to commit crime. The work is far from over, but our cooperation to work together across borders has increased and we are dealing with cases on an ongoing basis.”

The BlackShades RAT, which sells for between $40 and $100, is a popular tool among cybercriminals. The malware can hijack webcams, steal files, log keystrokes, and launch denial-of-service attacks against a designated target.

In a recent case in the Netherlands, an 18-year-old used it to infect over 2,000 computers. The teen hijacked the webcams of infected devices in an effort to capture intimate pictures of women.

The FBI arrested Michael Hogue, one of the creators of BlackShades, back in 2012. However, others continued to improve the RAT even after Hogue’s arrest. In November 2013, Symantec said the use of BlackShades had increased in the previous five months.

“This case is a strong reminder that no one is safe while using the Internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, assistant to the National Member for the Netherlands.

“This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centers.”

Friday, April 25, 2014 @ 03:04 PM gHale

Nine members of a cybercrime group responsible for stealing $2.1 million from bank accounts received sentences totaling 24 years and 9 months from the United Kingdom’s Southwark Crown Court.

The group used KVM (keyboard, video, mouse) switches to transfer money from bank accounts at Barclays and Santander. They also made fraudulent purchases with payment cards obtained by intercepting or stealing around one million letters.

They used the cards to purchase expensive watches, jewelry and other high-value items worth more than $1.68 million, court officials said.

Lanre Mullins-Abudu, 25, received eight years in prison for one count of conspiracy to commit fraud, two counts of conspiracy to steal and one count of possession of articles for use in fraud. Steven Hannah, 53, got 5 years and 10 months in prison for conspiracy to commit fraud and possession of drugs with intent to supply.

The list also includes Tony Colston-Hayter (5 years and 6 months in prison), Darius Valentin Boldor (2 years and 6 months in prison), Dean Outram (3 years in prison), Segun Ogunfidodo (9 months suspended, community work and tag-monitored curfew), Adam Raeburn Jefferson (1 year and 9 months suspended and tag-monitored curfew for 6 months), and Dola Leroy Oduns (9 months suspended, community work and curfew).

James Lewis Murphy received six months in prison, but he has already served his sentence while in custody.

“Today’s convictions are the culmination of a long and highly complex investigation into an organized crime group whose aim was to steal millions of pounds from London banks and credit card companies,” said Detective Chief Inspector Jason Tunn, of the MPS Cyber Crime Unit.

“Through working with industry partners such as Santander and Barclays, whose efforts in assisting us were immense, we have been able to bring this group to justice,” he said.

“This case demonstrates the sheer investigative skill we are able to apply to tackling cyber crime, as we continue working to keep London people and businesses safe from cyber criminals. We are determined to make London a hostile place for cyber criminals and not allow the Internet to be a hiding place for those who defraud people in the capital,” Tunn said.

Wednesday, March 19, 2014 @ 02:03 PM gHale

A newly discovered operation has kept over 25,000 Unix servers infected for the past two years.

The operation, called “Windigo” after the mythical creature from Algonquian Native American folklore, uses the servers to send out 35 million spam emails each day, putting around 500,000 computers a day at risk of malware infection.

“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

Most of the infected servers are in the U.S., Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and

ESET has been investigating the campaign for around one year. In total, 25,000 servers suffered infection, of which 10,000 still have the issue.

Mac users are not spared either: Windows users are directed to malware-serving exploit kits, while people who visit the infected websites from Macs are pushed to adult content or served ads for dating sites.

Léveillé highlights that the Ebury backdoor deployed by the attackers doesn’t exploit any Linux or OpenSSH vulnerabilities. Instead, it is installed manually by the attackers.

“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” Léveillé said.

Pierre-Marc Bureau, security intelligence program manager at ESET, said they are investigating the campaign because cybercriminal operations that rely on Linux malware are not something we get to see every day, particularly when it comes to an operation as complex as Windigo.

Bureau said this is the biggest botnet of servers they have ever seen. What they do know is that the bot masters are highly skilled in programming and in the administration of Linux systems. Additionally, they probably have good connections in the underground, given their capacity to send spam and install malware.

The complete paper of the Windigo operation is available on ESET’s website.

Monday, January 27, 2014 @ 06:01 PM gHale

The Xtreme RAT malware has not only hit Israeli police systems, it has also targeted governments in the U.S., UK, and other countries, researchers said.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies, said researchers at antivirus developer Trend Micro.

The archive contained a malicious executable that looks like a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of a year-long cyber espionage operation performed by the same group of attackers in the region.

According to data found by Trend Micro, the campaign’s scope appears to be much larger.

“We discovered two emails sent from {BLOCKED} on Nov 11 and Nov 8 that primarily targeted the Government of Israel,” Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. “One of the emails was sent to 294 email addresses.”

“While the vast majority of the emails were sent to the Government of Israel at ‘’ [Israeli Ministry of Foreign Affairs], ‘’ [Israel Defense Forces], and ‘’ [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at ‘’ [U.S. Department of State] email addresses,” Villeneuve said. “Other U.S. government targets also included ‘’ [U.S. Senate] and ‘’ [U.S. House of Representatives] email addresses. The email was also sent to ‘’ [U.S. Agency for International Development] email addresses.”

The list of targets also included ‘’ (British Foreign & Commonwealth Office) and ‘’ (Turkish Ministry of Foreign Affairs) email addresses, as well as addresses at government institutions in Slovenia, Macedonia, New Zealand, and Latvia, the researcher said. Some non-governmental organizations, such as the BBC and the Office of the Quartet Representative, were also targeted.

The Trend Micro researchers used metadata from the decoy documents to track down some of their authors to an online forum. One of them used the alias “aert” to talk about various malware applications including DarkComet and Xtreme RAT or to exchange goods and services with other forum members, Villeneuve said.

Monday, January 6, 2014 @ 03:01 PM gHale

Users in Europe who clicked on malicious ads served through Yahoo had a good chance of having their computers infected with malware over a four-day period.

Cybercriminals were able to place the malicious ads as early as December 30, said researchers at security firm Fox-IT. Malicious iframes in the ads redirected users to domains hosting the Magnitude exploit kit.

The exploit kit leveraged Java vulnerabilities to push various pieces of malware, including ZeuS, Andromeda, Dorkbot, Tinba (Zusy), and Necurs.

Yahoo said users from Europe are the only ones that can suffer from the issue. Fox-IT said most infections were in Romania, the UK, and France.

Yahoo cleared up the problem by January 3. However, researchers from HitmanPro said as many as 2.5 million computers could have been infected with the malware.

The victims did not have to click on the malicious ads for their devices to become infected. Users in Europe who visited the site from a computer running a vulnerable version of Java should immediately scan their computers with an up-to-date antivirus program to make sure they are not a victim of the attack.