CryptoWall ransom infections spike to 830,000 in matter of weeks

October 23, 2014 – 5:01 PM

Dell SecureWorks has updated its figures on the number of PCs infected by the awful CryptoWall ransom malware and the news isn’t good – the number of systems has spiked suddenly to 830,000.

The firm’s last statistic in late August was 625,000, itself a large number of infected systems, which means that CryptoWall has boosted its haul of victims by 25 percent in a matter of weeks.

Looking at the UK statistics, Dell SecureWorks estimates that CryptoWall has affected 40,000 PCs, with 75 victims handing over ransoms to the tune of $47,250 (£29,000), a stark figure that arrives in time for the UK’s Get Safe Online week.

A few days back, the National Fraud and Intelligence Bureau (NFIB) estimated that online fraud is costing UK citizens £670 million a year. Given that very few of the ransoms paid in the hope of getting rid of CryptoWall were probably reported to the national fraud reporting service Action Fraud, this figure is surely an underestimate.

Source:
http://news.techworld.com/security/3582271/cryptowall-ransom-infections-spike-to-830000-in-matter-of-weeks/

Microsoft Windows Hit By New Zero-Day Attack

October 22, 2014 – 5:40 AM

Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advisory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications; it is in this component of Windows where this vulnerability may be found. Exploiting it allows for malicious code to run with the privileges of the user. To get administrator access, a separate exploit must be used. In addition, under default settings a User Account Control popup is displayed, which may alert the user that something unusual is going on.

Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-attack/
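
For the CVE-2014-6352 item above, a triage sketch that reports whether an Office file carries embedded OLE objects, so such attachments can be held for review before anyone opens them. This is an added example, not code from Microsoft or Trend Micro; the function names are hypothetical, the sample packages are constructed in memory, and a hit means "contains an OLE object", not "contains this exploit".

```python
import io
import zipfile

# Signature of an OLE2 / Compound File Binary container.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Relationship type OOXML packages use to reference an embedded OLE object.
OLE_REL_TYPE = b"/relationships/oleObject"


def triage_office_file(data: bytes) -> dict:
    """Report embedded OLE content in an Office file given as raw bytes."""
    report = {"format": "unknown", "ole_parts": [], "ole_relationships": []}
    if data.startswith(CFB_MAGIC):
        # Legacy .doc/.xls/.ppt: the whole file is itself an OLE container.
        report["format"] = "legacy-ole"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".rels"):
                # Relationship parts are small XML; a substring match suffices.
                if OLE_REL_TYPE in pkg.read(name):
                    report["ole_relationships"].append(name)
            elif "/embeddings/" in name:
                # Record each embedded part and whether it is a real OLE blob.
                with pkg.open(name) as part:
                    is_cfb = part.read(8) == CFB_MAGIC
                report["ole_parts"].append((name, is_cfb))
    return report


def _constructed_pptx(with_ole: bool) -> bytes:
    """Build a minimal, constructed OOXML-like package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        if with_ole:
            z.writestr("ppt/slides/_rels/slide1.xml.rels",
                       '<Relationship Type="http://schemas.openxmlformats.org'
                       '/officeDocument/2006/relationships/oleObject" '
                       'Target="../embeddings/oleObject1.bin"/>')
            z.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\0" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for with_ole in (False, True):
        print(with_ole, triage_office_file(_constructed_pptx(with_ole)))
```

Embedded parts that are not OLE containers (for example a nested OOXML workbook) are listed with `False`, so the report separates "has an embedding" from "has an OLE blob".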

Officials warn 500 million financial records hacked

October 21, 2014 – 5:58 PM

Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.

“We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, executive assistant director of the FBI’s Criminal Cyber Response and Services Branch.

The U.S. financial sector is one of the most targeted in the world, FBI and Secret Service officials told business leaders at a cybersecurity event organized by the Financial Services Roundtable. The event came in the wake of mass hacking attacks against Target, Home Depot, JPMorgan Chase and other financial institutions.

“You’re going to be hacked,” Joseph Demarest, assistant director of the FBI’s cyberdivision, told the business leaders. “Have a plan.”

Source:
http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/

Strengthening 2-Step Verification with Security Key

October 21, 2014 – 5:17 PM

2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.

Today we’re adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.

Source:
http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html

Banks: Credit Card Breach at Staples Stores

October 20, 2014 – 8:35 PM

Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.

The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers. This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals.

Source:
http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/