Cyber crooks have targeted travel firm Booking.com in a bid to steal hundreds of thousands of pounds from customers. Users were sent WhatsApp and text messages claiming a security breach meant they needed to change their password.
But the link gave hackers access to bookings and they then sent follow-up messages demanding full payment for holidays in advance with bogus bank details provided. These appeared genuine as they included personal data including names, addresses, phone numbers, dates and prices of bookings, and reference numbers. Marketing manager David Watts got a WhatsApp message but realised it was a scam.Read more
Thieves siphoned hundreds of millions of pesos out of Mexican banks, including No. 2 Banorte, by creating phantom orders that wired funds to bogus accounts and promptly withdrew the money, two sources close to the government’s investigation said.
Hackers sent hundreds of false orders to move amounts ranging from tens of thousands to hundreds of thousands of pesos from banks including Banorte, to fake accounts in other banks, the sources said, and accomplices then emptied the accounts in cash withdrawals in dozens of branch offices. The thieves transferred more than 300 million pesos ($15.4 million).Read more
Russia's Fancy Bear APT group is likely behind the malicious command and control domains found in Lojack agents, according to the Arbor Security Engineering & Response Team.
LoJack, a popular laptop recovery solution, “makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution,” researchers said, noting that while “the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.” Because many antivirus programs don't flag the malware as a concern, it's largely able to do its dirty work without detection.Read more
One of the most interesting revelations from researchers at Kaspersky Security Analyst Summit (SAS) this year was a report on a highly sophisticated cyberespionage campaign called Slingshot.
The first part to understand is the means of infection. What makes this initial attack vector unique is that, according to research, many victims were attacked through compromised routers made by MikroTik. Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs.Read more
The team of security researchers—who last month demonstrated how attackers could steal data from air-gapped computers protected inside a Faraday cage—are back with its new research showing how two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves.
Air-gapped computers are believed to be the most secure setup wherein the systems remain isolated from the Internet and local networks, requiring physical access to access data via a USB flash drive or other removable media.Read more
The flaw in question, CVE-2018-4878, is a use-after-free bug that Adobe patched on February 6, following reports that North Korean hackers had been exploiting the vulnerability in attacks aimed at South Korea.
The threat group, tracked as APT37, Reaper, Group123 and ScarCruft, has been expanding the scope and sophistication of its campaigns. After Adobe patched the security hole, which allows remote code execution, other malicious actors started looking into ways to exploit CVE-2018-4878. Morphisec said it spotted a campaign on February 22, which had been using a version of the exploit similar to the one developed by APT37.Read more
Cryptojacking only really coalesced as a class of attack about six months ago, but already the approach has evolved and matured into a ubiquitous threat. Hacks that co-opt computing power for illicit cryptocurrency mining now target a diverse array of victims, from individual consumers to massive institutions—even industrial control systems.
But the latest victim isn't some faceless internet denizen or a Starbucks in Buenos Aires. It's Tesla. Researchers published findings on Tuesday that some of Tesla's Amazon Web Services cloud infrastructure was running mining malware in a far-reaching and well-hidden cryptojacking campaign.Read more
India’s City Union Bank said on Sunday that “cyber criminals” had hacked its systems and transferred nearly $2 million through three unauthorized remittances to lenders overseas via the SWIFT financial platform.
The comments come after the small private lender on Saturday had disclosed it had discovered the three “fraudulent remittances”, which were sent via correspondent banks to accounts in Dubai, Turkey and China. Chief Executive Officer N. Kamakodi called it a “conspiracy” involving multiple countries, and added the lender was still investigating how it had happened. “This is basically a cyber attack by international cyber criminals,” he told.Read more
Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.
The attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by Trustwave’s SpiderLabs. When opening attachments, there are no warnings or pop-ups alerting victims, researchers said. The attack uses malicious Word attachments.Read more
An aggressive and sophisticated malware campaign is currently underway, targeting Linux and Windows servers with an assortment of exploits with the goal of installing malware that mines the Monero cryptocurrency.
The campaign was detected by security researchers from F5 Networks, who named it Zealot, after zealot.zip, one of the files dropped on targeted servers. According to Maxim Zavodchik and Liron Segal, two security researchers for F5 Networks, the attackers are scanning the Internet for particular servers and using two exploits, one for Apache Struts and one for the DotNetNuke ASP.NET CMS, to get a foothold on unpatched machines.Read more