Posts Tagged ‘UK’
Monday, March 9, 2015 @ 03:03 PM gHale
The National Cyber Crime Unit (NCCU) of the National Crime Agency (NCA) in the UK spearheaded a nationwide cyber crime “strike week” last week resulting in the arrest of 57 people in 25 separate operations.
Those arrested are suspected of involvement in DDoS attacks, phishing schemes, cyber-enabled fraud, theft of intellectual property, network intrusions, and the development and distribution of malware.
Among them is a 23-year-old man from Sutton Coldfield, West Midlands, UK, arrested on suspicion of breaching networks of the U.S. Department of Defense in June 2014.
“The network intrusion (hacking) attack occurred on June 15, 2014 and obtained data used as part of an international satellite message dissemination system (Enhanced Mobile Satellite Services) used by the U.S. Department of Defense to communicate with employees via email or phone around the world,” the NCA said.
“The data loss consisted of non-confidential contact information for approximately 800 people including name, title, email addresses and phone numbers. It also included device information for approximately 34,400 devices including IMEI numbers which are the unique codes used to identify a mobile device. No sensitive data was obtained and none of the data obtained could be used as personally identifiable information or compromise US national security interests.”
The suspect then posted evidence of the hack on Pastebin, along with a message taunting the Lizard Squad hackers.
As part of the strike week, the NCA, the ten Regional Organised Crime Units, Police Scotland and the Police Service of Northern Ireland visited some 60 businesses whose UK-hosted servers had been compromised, to advise them on cleaning up.
The compromised servers could be used to send out spam email, launch attacks against websites or other servers, or host phishing websites to harvest sensitive information. The NCA said that if the affected organizations acted on its advice, they could between them eliminate up to half of the phishing attacks that typically originate from the UK each month.
Monday, March 9, 2015 @ 02:03 PM gHale
New Cryptowall ransomware samples arriving in email inboxes may look innocuous, but once run they encrypt files on the system and demand payment from the victim to restore access.
Cryptowall is an advanced version of Cryptolocker, a file-encrypting ransomware.
An email blast went out in February, targeting users from around the world, including the U.S., UK, the Netherlands, Denmark, Sweden, Slovakia and Australia, said researchers at Bitdefender Labs. Following analysis, the spam servers appear to be in Vietnam, India, Australia, U.S., Romania and Spain.
“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” said Catalin Cosoi, chief security strategist at Bitdefender.
“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed,” Cosoi said.
Once the .chm file is opened, the embedded code downloads a payload from http:// *********/putty.exe, saves it as %temp%\natmasla2.exe and executes it; a command prompt window opens during the process. Compiled HTML Help files are rendered by the Windows HTML Help viewer (hh.exe), which can run embedded script that launches local commands, so simply opening the attachment is enough to trigger the chain.
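A practitioner's first question after reading the above is how this chain looks in endpoint telemetry. The following is an added example, not code from the original article or from Bitdefender: it walks process-creation records and flags (a) hh.exe spawning a shell or script interpreter and (b) an executable run from a Temp directory with hh.exe somewhere in its ancestry. The records are constructed for the example; their field names (pid, ppid, image, cmdline) loosely follow a Sysmon Event ID 1 export and are an assumption, not a vendor schema. The payload name natmasla2.exe is the one the article quotes; the paths and other process names are constructed.

```python
"""Added example: spot a CHM-launched process chain in process-creation telemetry.

The Windows HTML Help viewer (hh.exe) renders .chm files and can run embedded
script that launches local commands, so a .chm attachment that drops and runs
an executable typically shows up as hh.exe -> cmd.exe -> <something in %TEMP%>.
The records below are constructed for this example; their field names loosely
follow a Sysmon Event ID 1 (process creation) export and are an assumption,
not any vendor's schema.
"""
from pathlib import PureWindowsPath

HELP_VIEWER = "hh.exe"
# Interpreters and LOLBins a help file has no legitimate reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample: one malicious chain (pids 200 -> 300 -> 400) plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\invoice.chm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\natmasla2.exe"'},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Program Files\Tool\manual.chm'},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _runs_from_temp(image: str) -> bool:
    # Matches both %LOCALAPPDATA%\Temp\... and C:\Windows\Temp\...
    return "\\temp\\" in image.lower()


def find_chm_chains(events):
    """Return (pid, reason) tuples for processes that descend from hh.exe
    in a way consistent with a CHM dropper."""
    by_pid = {e["pid"]: e for e in events}

    def ancestors(pid):
        # Walk parent links; the 'seen' set guards against cycles caused by PID reuse.
        seen = set()
        ppid = by_pid[pid]["ppid"]
        while ppid in by_pid and ppid not in seen:
            seen.add(ppid)
            yield by_pid[ppid]
            ppid = by_pid[ppid]["ppid"]

    alerts = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule A: the help viewer directly spawns a shell or script host.
        if parent and _basename(parent["image"]) == HELP_VIEWER and name in SHELLS:
            alerts.append((e["pid"], f"{HELP_VIEWER} spawned {name}: {e['cmdline']}"))
            continue
        # Rule B: a binary runs from a Temp directory with hh.exe further up the tree.
        if _runs_from_temp(e["image"]) and any(
                _basename(a["image"]) == HELP_VIEWER for a in ancestors(e["pid"])):
            alerts.append((e["pid"], f"executable run from Temp under {HELP_VIEWER}: {e['image']}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in find_chm_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

On real Sysmon data, key the ancestry walk on ProcessGuid/ParentProcessGuid rather than PIDs, since PIDs are reused; the cycle guard above only limits the damage. Rule A on its own is low-noise in most fleets because hh.exe almost never spawns cmd.exe or PowerShell in legitimate use, so it is a reasonable candidate for an alert rather than a hunt query.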
Wednesday, May 28, 2014 @ 06:05 PM gHale
Point of sale (PoS) terminals remain low-hanging fruit for attackers: a global cybercriminal operation infected almost 1,500 terminals, accounting systems and other retail back-office platforms at businesses in 36 countries, researchers said.
The infected systems were joined in a botnet that researchers from cybercrime intelligence firm IntelCrawler called Nemanja. The researchers believe the attackers behind the operation may be from Serbia.
The size of the botnet and the worldwide distribution of infected systems put into perspective the security problems faced by retailers around the world, problems also highlighted by PoS breaches at several large U.S. retailers.
Past incidents point to increasing attention from cybercriminals toward retailers and small businesses that use PoS terminals, the IntelCrawler researchers said Thursday in a blog post.
“We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers,” the researchers said.
The Nemanja botnet included 1,478 infected systems in countries on most continents including the U.S., the U.K., Canada, Australia, China, Russia, Brazil and Mexico, IntelCrawler said.
An analysis of the Nemanja botnet found the compromised systems were running a wide variety of PoS, grocery store management and accounting software popular in different countries. The IntelCrawler researchers identified at least 25 different such software programs used on those systems.
This doesn’t mean the identified applications are especially vulnerable or unsafe to keep using, but it shows the Nemanja PoS malware is able to work alongside many different products. Besides collecting payment card data, the malware had keylogging functionality to intercept credentials that could provide access to other systems and databases containing payment or personally identifiable information.
IntelCrawler predicts that modern PoS malware will soon be incorporated as modules into malicious remote access tools (RATs) or other Trojan programs, and used alongside other components such as keyloggers or network traffic sniffers.
The other countries where the Nemanja botnet ended up detected were Argentina, Austria, Bangladesh, Belgium, Chile, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Portugal, South Africa, Spain, Switzerland, Taiwan, Turkey, Uruguay, Venezuela and Zambia.
Tuesday, May 27, 2014 @ 05:05 PM gHale
The iPhone ransom attack that started in Australia and New Zealand is spreading to the United States and the United Kingdom.
In a forum thread, Apple users said the widely reported ransomware attack carried out under the name Oleg Pliss had spread to the U.S. and the United Kingdom, in addition to Australia and New Zealand.
“I’m in the US. Never been to Australia. Hacked last night by the Oleg Pliss nonsense. Currently restoring to try and get it back online,” said wheelman2188 on the Apple Support Communities forum thread.
The attack could spread globally, and many users may fall for the scam and pay the $100/€100 demanded, with no guarantee that the crooks will unlock their Apple IDs.
The whole attack could have started with a phishing email.
Phishing is a common way for cybercriminals to steal user names and passwords, and the Apple community has had its fair share of these attacks over the past few years. Suffice to say iOS is on its way to becoming what Windows has been for the hacking community for the past decade: a sea of opportunities.
Earlier this month, an email purporting to be from Apple was sent to various iOS/OS X users with the following message:
“Dear Apple Customer,
“Your Apple ID has been Disabled for Security Reasons!
“Someone just tried to sign in into your Apple account from other IP Address.
“Please confirm your identity today or your account will be Disabled due to concerns we have for the safety and integrity of the Apple Community.
“To confirm your identity, we recommend that you go to
This note came from a user who managed to avoid getting hit by the hack, but others may not be so fortunate. If you know you have responded to this email as instructed, change your Apple ID password as soon as possible.
Wednesday, May 21, 2014 @ 07:05 PM gHale
Cyber crime and investigations know no boundaries: last week some 300 homes were raided and more than 100 people arrested as part of an international law enforcement operation targeting those believed responsible for selling, creating and using the BlackShades Remote Access Trojan (RAT).
News of the operation emerged last week, when members of hacker forums reported being raided by police. On Monday, Europol confirmed the operation and provided more details.
Raids took place in more than a dozen countries, including Belgium, France, the Netherlands, Germany, the UK, Estonia, Austria, Canada, the U.S., Denmark, Chile, Italy and Croatia.
Investigators seized over 1,000 computers, laptops, mobile phones, USB sticks, external hard drives and routers.
“This case is yet another example of the critical need for coordinated law enforcement operations against the growing number of cyber criminals operating on an EU and global level,” said Troels Oerting, head of the European Cybercrime Centre (EC3).
“EC3 will continue — together with Eurojust and other partners — to work tirelessly to support our partners in the fight against fraudsters and other cyber criminals who take advantage of the Internet to commit crime. The work is far from over, but our cooperation to work together across borders has increased and we are dealing with cases on an ongoing basis.”
The BlackShades RAT, which sells for between $40 and $100, is a popular tool among cybercriminals. The malware can hijack webcams, steal files, log keystrokes, and launch denial-of-service attacks against a designated target.
In a recent case in the Netherlands, an 18-year-old used it to infect over 2,000 computers. The teen hijacked the webcams of infected devices in an effort to capture intimate pictures of women.
The FBI arrested Michael Hogue, one of the creators of BlackShades, back in 2012. However, others continued to improve the RAT even after Hogue’s arrest. In November 2013, Symantec said the use of BlackShades had increased in the previous five months.
“This case is a strong reminder that no one is safe while using the Internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, assistant to the National Member for the Netherlands.
“This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centers.”
Friday, April 25, 2014 @ 03:04 PM gHale
Nine members of a cybercrime group responsible for stealing $2.1 million from bank accounts received sentences totaling 24 years and 9 months from the United Kingdom’s Southwark Crown Court.
The group used KVM (Keyboard, Video, Mouse) switches to transfer money from accounts at Barclays and Santander. They also made fraudulent purchases with payment cards obtained after intercepting or stealing around one million letters.
They used the cards to purchase expensive watches, jewelry and other high-value items worth more than $1.68 million, court officials said.
Lanre Mullins-Abudu, 25, received eight years in prison for one count of conspiracy to commit fraud, two counts of conspiracy to steal and one count of possession of articles for use in fraud. Steven Hannah, 53, got 5 years and 10 months in prison for conspiracy to commit fraud and possession of drugs with intent to supply.
The list also includes Tony Colston-Hayter (5 years and 6 months in prison), Darius Valentin Boldor (2 years and 6 months in prison), Dean Outram (3 years in prison), Segun Ogunfidodo (9 months suspended, community work and tag-monitored curfew), Adam Raeburn Jefferson (1 year and 9 months suspended and tag-monitored curfew for 6 months), and Dola Leroy Oduns (9 months suspended, community work and curfew).
James Lewis Murphy received six months in prison, but he has already served his sentence while in custody.
“Today’s convictions are the culmination of a long and highly complex investigation into an organized crime group whose aim was to steal millions of pounds from London banks and credit card companies,” said Detective Chief Inspector Jason Tunn, of the MPS Cyber Crime Unit.
“Through working with industry partners such as Santander and Barclays, whose efforts in assisting us were immense, we have been able to bring this group to justice,” he said.
“This case demonstrates the sheer investigative skill we are able to apply to tackling cyber crime, as we continue working to keep London people and businesses safe from cyber criminals. We are determined to make London a hostile place for cyber criminals and not allow the Internet to be a hiding place for those who defraud people in the capital,” Tunn said.
Wednesday, March 19, 2014 @ 02:03 PM gHale
A newly documented operation has infected more than 25,000 Unix servers over the past two years.
Called “Windigo” after the mythical creature from Algonquian Native American folklore, the operation uses the infected servers to send out 35 million spam emails each day, putting around 500,000 computers a day at risk of malware infection.
“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.
Most of the infected servers are in the U.S., Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and kernel.org.
ESET has been investigating the campaign for about a year. In total, some 25,000 servers have been infected, of which around 10,000 are still compromised.
Mac users are not spared: while Windows visitors to the infected websites are redirected to malware-serving exploit kits, visitors on Macs are pushed to adult content or served ads for dating sites.
Léveillé points out that the Ebury backdoor the attackers deploy does not exploit any Linux or OpenSSH vulnerability; it is planted manually, which points to stolen credentials rather than an exploit as the way in.
“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” Léveillé said.
Pierre-Marc Bureau, security intelligence program manager at ESET, said they are investigating the campaign because cybercriminal operations that rely on Linux malware are rare, particularly ones as complex as Windigo.
Bureau said this is the biggest botnet of servers they have ever seen. What they do know is that the bot masters are highly skilled in programming and in the administration of Linux systems. They probably also have good connections in the underground, given their capacity to send spam and install malware.
The complete paper of the Windigo operation is available on ESET’s website.
Monday, January 6, 2014 @ 03:01 PM gHale
Users in Europe visiting Yahoo.com over a four-day period had a good chance of having their computers infected with malware served through malicious ads.
Cybercriminals managed to place malicious ads on ads.yahoo.com as early as December 30, said researchers at security firm Fox-IT. Malicious iframes embedded in the ads redirected visitors to domains hosting the Magnitude exploit kit.
The exploit kit leveraged Java vulnerabilities to push various pieces of malware, including ZeuS, Andromeda, Dorkbot, Tinba (Zusy), and Necurs.
Yahoo said only users in Europe were affected. Fox-IT said most infections were in Romania, the UK and France.
Yahoo had cleared up the problem by January 3. However, researchers from HitmanPro said as many as 2.5 million computers could have been infected.
Victims did not have to click on the malicious ads for their machines to be infected. Users in Europe who visited Yahoo.com from a computer running a vulnerable version of Java should scan their computers with an up-to-date antivirus program to make sure they are not among the victims.
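The no-click infection described above works because the ad creative carries an iframe the visitor never sees, pointing at the exploit-kit landing page. The following is an added example, not code from the article or from Fox-IT, HitmanPro or Yahoo: it parses a page and flags iframes that are both third-party (outside the page's own domain) and concealed (zero-sized or hidden by inline style), which is the combination an injected redirect frame usually exhibits. The HTML is constructed for the example, and the hostnames ending in .invalid are placeholders, not infrastructure from the incident.

```python
"""Added example: flag concealed third-party iframes of the kind used to bounce
visitors from an ad slot to an exploit-kit landing page.

The HTML below is constructed for this example; the hostnames ending in
.invalid are placeholders, not real infrastructure from the Yahoo incident.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments (whitespace stripped) that hide a frame from the user.
CONCEALMENT_STYLES = ("display:none", "visibility:hidden", "left:-", "top:-")

SAMPLE_PAGE = """
<html><body>
<h1>Front page</h1>
<!-- normal, visible ad slot served by the first-party ad host -->
<iframe src="https://ads.yahoo.com/slot?id=42" width="300" height="250"></iframe>
<!-- injected: third-party, zero-sized and hidden; no click required -->
<iframe src="http://ek-landing.invalid/xyz.php" width="0" height="0"
        style="display:none"></iframe>
<!-- visible third-party embed: noisy, but not concealed -->
<iframe src="https://video-partner.invalid/player" width="640" height="360"></iframe>
</body></html>
"""


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1, with or without a px suffix."""
    if not value:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False


def _is_first_party(host, page_host):
    return host == page_host or host.endswith("." + page_host)


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes that are third-party AND concealed."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or _is_first_party(host, page_host):
            continue  # relative or first-party frames are out of scope here
        reasons = []
        if _is_tiny(frame.get("width")) or _is_tiny(frame.get("height")):
            reasons.append("zero-sized frame")
        style = frame.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in CONCEALMENT_STYLES):
            reasons.append("hidden by inline style")
        if reasons:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "yahoo.com"):
        print(src, reasons)
```

Two caveats for anyone turning this into a scanner: legitimate tracking pixels are also 1x1 third-party frames, so pair the concealment signal with domain reputation or registration age before alerting; and in the incident above the hidden frame lived inside the creative served from ads.yahoo.com, so the scan has to be run on the fetched ad content (or on a rendered DOM), not only on the publisher's own HTML.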