Internet threat news

Researchers at IBM Trusteer recently discovered a new banking Trojan which has been dubbed Tsukuba. This relatively simple, but effective example of financial malware is a part of the ‘proxy changers’ family that uses social engineering techniques to harvest victims’ online banking credentials and other personal information. In a recent blog post about Tsukuba, researchers explain that the malware operates using a three part process.

A critical vulnerability has been discovered in one of the most popular WordPress plugins in use today. This plugin, known as WordPress SEO by Yoast, reports more than 14 million downloads (according to the Yoast website) – making it one of the most widely used plugins for WordPress. This means that tens of millions of websites around the world are at risk of being attacked by hackers looking to exploit this newly discovered vulnerability.

High level security researchers recently discovered a vulnerability in all supported versions of Microsoft Windows that affects the security afforded by industry-standard encryption protocols. This flaw, which has been dubbed “FREAK” (Factoring RSA Export Keys), was originally thought to only affect Apple’s Safari and Google’s Android browsers, but has now been found to affect all versions of Microsoft Windows as well. Specifically, Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the encryption protocols within Windows that are vulnerable to FREAK.

The Angler Exploit Kit has quickly become one of the most powerful, advanced, and notorious exploit kits on the market, beating out even the venerable Blackhole exploit kit that has caused so much damage to PCs in the past. Angler features an assortment of zero-day exploits specifically designed to penetrate popular browser plugins such as Java, Microsoft Silverlight, and Adobe Flash. Once a vulnerability has been found, Angler is capable of dropping assorted malicious payloads onto the target computer using a technique known as a drive-by download.

Last year this blog reported on a dangerous banking Trojan known as Vawtrak. Originally discovered by researchers at Trend Micro, Vawtrak works by targeting a feature of Windows known as Software Restriction Policies (SRP). Essentially, SRP prevents infected systems from running programs specified by the creators of malware. In the case of Vawtrak, blocked programs include over 53 antivirus and security programs including products from Trend Micro, AVG, ESET, Symantec, Intel, and Microsoft. The idea is simple: by disarming local security features found on most PCs, Vawtrak is able to perform its primary task – stealing online banking credentials – without so much as a peep from the operating system.

Last week this blog reported a story about Lenovo, one of the world’s largest manufacturers of PCs and tablets, and how the company has been installing adware on its products at the factory. This adware, dubbed Superfish, is designed to intercept encrypted Web connections relying on SSL technology. Unfortunately, a flaw in the program design allows hackers to intercept these transmissions in the form of a man-in-the-middle attack – potentially putting the secure personal information of millions of PC users at risk. Discovery of Superfish has already landed Lenovo in hot water.

According to Russian cybersecurity company Kaspersky Labs, the banking industry has just been catapulted into “a new era in cybercrime.” This statement comes after Kaspersky concluded an 18 month long investigation into a sophisticated cyberattack that has been targeting financial institutions worldwide since 2013. Although the actual amount of money stolen via this complex attack varies between $300 million and $1 billion depending on the source, what is clear is that the group responsible for this attack represents one of the most complex cyberattacks ever discovered. Kaspersky was first invited to investigate the matter after a Ukrainian ATM began spitting out cash at random without anyone inserting a card or touching any buttons on the machine.

Lenovo has become one of the most popular PC manufacturers in recent years due mostly to competitive pricing and an assortment of products catering to every customer need. Unfortunately, security experts have recently uncovered that Lenovo is also shipping these popular computers with invasive marketing software that borders on malware. This malware could easily open up doors for cybercriminals and hackers – let alone the fact that Lenovo doesn’t seem to have a problem spying on its very own customers to make a few extra bucks. This software, known as Superfish Malware, is designed to analyze users’ Internet habits and inject third-party advertising in popular web browsers including Google Chrome and Internet Explorer with the PC user’s permission. Superfish Malware has been on all new consumer-grade Lenovo laptops sold prior to January 2015. The malware is immediately activated when the machine is turned on for first-use and Lenovo customers are using the malware without knowing the dangers inherent to malware like Superfish.

An Indian security researcher recently discovered a startling vulnerability in Facebook, perhaps the most widely used social media platform in the world. This vulnerability allows a hacker to modify the access token typically required by Facebook’s Graph API mechanism – the API responsible for uploading, deleting, and maintaining all photos on all Facebook accounts (both public and private). The researcher who discovered the bug, Laxman Muthiyah, realized that the Graph API corresponded directly to the “Delete Album” button found during a legitimate user session and by using his own access token via Facebook for Android, Muthiyah was able to change the parameters of a simple HTTP request to delete the photos from any Facebook account.

This blog recently reported on the massive data breach at Anthem Inc., the second largest provider of health insurance in the country. The data breach, which forensic investigators are now reporting could have begun as early as April of last year, has the potential to affect over 50 million people currently insured through Anthem or one its subsidiaries. In response to this breach, Anthem has sent out many emails to customers explaining the breach, the nature of the information obtained by the hackers responsible for the attack, and what these customers can do to protect themselves from additional exposure. In an official statement issued once the breach was made public, Anthem insists that it will notify all affected customers by mail to describe exactly what protections are being offered.

TurboTax, an Intuit product used by millions each year to file income taxes at home, recently announced that state e-filed returns will not be transmitted while the company investigates a surge in customer complaints indicating that tax returns have already been filed in their name. Tax fraud this time of year is hardly news, however, if a breach occurred at one of the largest e-file companies in the country, the recent complaints could only be the tip of the proverbial iceberg. Intuit also reported that it has noticed an increase in suspicious filing this year which indicates that criminals are using stolen financial information to file fraudulent returns and claim the associated tax refunds.

Anthem Inc., the second largest health insurer in the country, recently announced that it was the victim of a massive data theft of sensitive customer information including Social Security numbers. This is by far the biggest breach of customer information to occur recently as nearly 69 million people are currently served by Anthem and its affiliate companies. In the statement issued by Anthem, the company acknowledges that all business units were compromised during the breach, but refrained from reporting how many customers are affected. Anthem also stated that all affected customers will be notified in writing pending an extensive IT forensic investigation. All that’s known as this time is that a “very sophisticated cyberattack” was able to expose the names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, and employment information of customers in every unit of the Anthem infrastructure, according to the official company statement.

There was no shortage of verified Zeus malware campaigns reported by this blog in early 2014, but by the end of the year, it seemed like Zeus may have become a thing of this past. Apparently, however, that is not the case at all. An improved version of the notorious banking Trojan has been spotted in the wild that is just different enough from the original malware so as to avoid detection by popular antivirus products. This new version of Zeus targets Canadian banks including the Bank of Montreal, Royal Bank of Canada, and National Bank of Canada (the largest banks in the country).

It’s no secret that the NSA has been spying on the American populous for years – facts that were proven when Edward Snowden began sharing secret government files proving as much. From phone tapping to elaborate malware deployments created to spy on other countries (and American citizens), the NSA seems to have no shortage of tricks up its sleeve. But what happens when even the NSA doesn’t have the resources available to commit its next great act of treason? Simple… It simply leverages the power of existing botnets. Botnets, which by many accounts, are the very thing organizations like the NSA should be protecting us from.