69% increase in hacked online stores stealing your credit card details from 2015

Online skimming is a new form of card fraud. In November 2015, the first case was reported. Upon investigating, I scanned a sample of 255K online stores globally and found 3501 stores to be skimmed. It is now ten months later. Are the culprits in jail yet? Not quite, here are the numbers of compromised stores:

Date             Skimmed stores   Change
November 2015    3501
March 2016       4476             +28%
September 2016   5925             +69%

Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).

At least 159 hacked stores use Magento Enterprise Edition, which is used only by the largest online stores.

754 stores that are skimming today were already skimming in 2015. Apparently you can skim cards undisturbed for months.

Source: 5900 online stores found skimming [analysis]

Hackers hijack Tesla Model S from afar, while the cars are moving, control is scary

Chinese hackers have attacked Tesla electric cars from afar, using exploits that can activate brakes, unlock doors, and fold mirrors from up to 20 kilometres (12 miles) away while the cars are in motion.

Keen Security Lab senior researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated the hacks against a Tesla Model S P85 and 75D and say their efforts will work on multiple Tesla models.

The Shanghai, China-based hacking firm has withheld details of the world-first zero day attacks and privately disclosed the flaws to Tesla.

The firm worked on the attack for several months, eventually gaining access to the motor that moves the driver’s seat, turning on indicators, opening the car’s sunroof and activating window wipers.

Keen Security Lab’s attacks also appear to compromise the touch screen that controls many of a Tesla’s functions.

“We are able to fold the side mirrors when drivers are changing lanes,” Nie says in the demonstration.

“All attacks are contactless without physically modifying the car.”

Source: Hackers hijack Tesla Model S from afar, while the cars are moving

Why I Knocked Boston Children’s Hospital Off The Internet: A Statement From Martin Gottesfeld

The answer is simpler than you might think: The defense of an innocent, learning disabled, 15-year-old girl. In the criminal complaint, she’s called “Patient A,” but to me, she has a name, Justina Pelletier. Boston Children’s Hospital disagreed with her diagnosis. They said her symptoms were psychological. They made misleading statements on an affidavit, went to court, and had Justina’s parents stripped of custody. They stopped her painkillers, leaving her in agony. They stopped her heart medication, leaving her tachycardic. They said she was a danger to herself, and locked her in a psych ward. They said her family was part of the problem, so they limited, monitored, and censored her contact with them. Justina resorted to sneaking notes, hidden in origami, to tell her family what she wasn’t allowed to say around eavesdroppers. Hospital staff pushed her to do things she was physically incapable of, due to the physical condition they refused to acknowledge she has. They laughed at her as she struggled futilely. They left her on a toilet for hours when she couldn’t void her bowels. They left her secluded in a bare room, or alone in the hallway, sometimes for days when she couldn’t wheel herself elsewhere.

Source: Why I Knocked Boston Children’s Hospital Off The Internet: A Statement From Martin Gottesfeld | Huffington Post

A Medical horror story

US govt straight up accuses Russia of hacking DNC emails

The Russian government “directed the recent compromises of emails from US persons and institutions,” the US Department of Homeland Security and the Office of the Director of National Intelligence said on Friday, an accusation that gives formal recognition to a claim previously voiced through unnamed sources.

In late July, The New York Times reported that federal officials briefed on the views of American intelligence agencies had “high confidence” that the Russian government was behind the theft of email and other documents from the Democratic National Committee.

Source: US govt straight up accuses Russia of hacking prez election

Is this the real life? Is this just fantasy? Spotify serving malware, no escape from reality

The problem occurred with Spotify Free, which lets people stream music gratis in exchange for being played and shown adverts. One advertiser sneakily embedded nasty software code into its Spotify ads that hijacked browsers on macOS and Linux systems.

We’re told the ads caused the computers’ default browsers to open up dodgy websites that then attempted to install malware or steal victims’ passwords.

“OS X and Linux users claim to have been hit with redirects to phishing and tech support scams,” said Pieter Arntz, a malware intelligence researcher at Malwarebytes Labs.

Source: Is this the real life? Is this just fantasy? Spotify serving malware, no escape from reality

152k cameras in 990Gbps record-breaking dual DDoS

The world’s largest distributed denial of service (DDoS) attack has been clocked from the same network of 152,463 compromised low-powered cameras and internet-of-things devices which punted a media outlet off the internet.

In the last days we got a lot of huge DDoS. Here is the list of “bigger than 100Gbps” only. You can see the simultaneous DDoS are close to 1Tbps! pic.twitter.com/XmlwAU9JZ6
— Octave Klaba / Oles (@olesovhcom) September 22, 2016

Two concurrent attacks against French hosting provider OVH clocked in at a combined 990Gbps, larger than any other reported.

The same fleet of networked junk also scored the world’s largest single DDoS attack when it offed cyber crime publication Krebs On Security in attacks tipping 620Gbps.

OVH chief technology officer Octave Klaba says the growing fleet of cameras and digital video recorders has the capability to deliver a multi-vector 1.5 Tbps DDoS attack.

Source: 152k cameras in 990Gbps record-breaking dual DDoS

Yahoo suffers largest leak of all time: 550m users

The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen.

Source: Yahoo

For some reason they are blaming a state sponsored actor, but don’t really back up this claim. Also, note the use of the words: may and majority.

Criticize Donald Trump, get your site smashed offline from Russia

It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

“Last night we were on the receiving end of what our IT chief called a ‘massive’ DoS [denial of service] attack,” he told Talking Points Memo.

“As with any DDoS [distributed DoS] attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything. We are still investigating.”

Source: Criticize Donald Trump, get your site smashed offline from Russia

AI Machine-learning models vulnerable to reverse engineering

In a paper [PDF] presented in August at the 25th Annual Usenix Security Symposium, researchers at École Polytechnique Fédérale de Lausanne, Cornell University, and The University of North Carolina at Chapel Hill showed that machine learning models can be stolen and that basic security measures don’t really mitigate attacks.

Machine learning models may, for example, accept image data and return predictions about what’s in the image.

Taking advantage of the fact that machine learning models allow input and may return predictions with percentages indicating confidence of correctness, the researchers demonstrate “simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees.”

That’s a polite way of saying such models can be reverse engineered. The researchers tested their attack successfully on BigML and Amazon Machine Learning, both of which were told of the findings in February.

Source: How to steal the mind of an AI: Machine-learning models vulnerable to reverse engineering

Non-root systemd bug crashes systems

systemd fails an assertion in manager_invoke_notify_message when a zero-length message is received over /run/systemd/notify. This allows a local user to perform a denial-of-service attack against PID 1.

Proof-of-concept:

    NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Source: Assertion failure when PID 1 receives a zero-length message over notify socket · Issue #4234 · systemd/systemd · GitHub

Over 6 million ClixSense users compromised by data breach

ClixSense, a site which pays users to view ads and take surveys, was the victim of a massive data breach compromising around 6.6 million user accounts.

Usually when there’s a data breach of this size, the information stolen contains usernames, passwords, and some other personal information, but due to the nature of ClixSense and the service it provided, home addresses, payment histories, and other banking details have also been compromised.

Source: Reset those passwords — again: Over 6 million ClixSense users compromised by data breach

Russian Hackers Get Into World Anti-Doping Agency Data, Find Nothing Incriminating

Perhaps feeling a little bent out of shape about how much shit their country caught for running a massive, Cold War-style doping program for Olympic athletes, a group of Russian hackers have obtained confidential documents that they claim prove American Olympians are also big fat cheaters. The only problem is that the leaked documents don’t actually contain any evidence of cheating.

Source: Russian Hackers Get Into WADA Data, Find Nothing Incriminating

Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams… and they hate him for it.

The director of SEC Consult’s Singapore office has made a name striking back at so-called “whaling” scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police.

Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers’ main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.

It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.

Harpooned companies include Mattel, which shipped and by dumb luck recouped $3m its executive sent to a hacker’s Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.

They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

Lukavsky told The Reg of his work on the back of his presentation at August’s Hack in the Box in Singapore, where he explained that he uses the attacker’s tactics to compromise scammers’ Microsoft accounts.

“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.

“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”

“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”

Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper.

The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers located in Africa.

Source: Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

Use a USB dongle to emulate a NIC and get credentials from locked Windows machines

If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked). (..or do even more, but we’ll save that for another time, this post is already too long)

Source: Snagging creds from locked machines · Room362

When you’ve paid the ransom but you don’t get your data back

One in five firms that pay ransom fail to get their data back, according to new research from Trend Micro.

A poll of IT managers at 300 UK businesses sponsored by Trend Micro found that 44 per cent of UK businesses have been infected by ransomware in the last two years.

The study also found that around two-thirds (65 per cent) of UK companies confronted with a ransomware infection end up paying out in the hopes of getting their data back.

The average amount of ransom requested in the UK was £540, although 20 per cent of companies reported ransoms of more than £1,000. The majority – 57 per cent of companies – reported having been given under 24 hours to pay up.

Organisations affected by ransomware estimate they spent 33 person-hours on average fixing the problem.

The ransomware problem is growing. Trend Micro has identified 79 new ransomware families so far this year, compared to 29 in the whole of 2015.

Source: When you’ve paid the ransom but you don’t get your data back

That’s a case for not paying the ransom then…

Last.fm lost 43.5 million poorly encrypted accounts in 2012. They are out now, and the top 50 are…

Music service Last.fm was hacked on March 22nd, 2012 for a total of 43,570,999 users. This data set was provided to us by daykalif@xmpp.jp and Last.fm already knows about the breach but the data is just becoming public now like all the others. Each record contains a username, email address, password, join date, and some other internal data. We verified the legitimacy of this data set with Softpedia reporter Catalin C who was in the breach himself along with his colleagues.
[…]
Passwords were stored using unsalted MD5 hashing. This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords, a sizeable increase from prior mega breaches made possible because we have significantly invested in our password cracking capabilities for the benefit of our users. Here are the top 50:

Rank  Password     Frequency
   1  123456         255,319
   2  password        92,652
   3  lastfm          66,857
   4  123456789       63,984
   5  qwerty          46,201
   6  abc123          36,367
   7  abcdefg         34,050
   8  12345           33,785
   9  1234            30,938
  10  music           27,975
  11  12345678        25,876
  12  111111          25,313
  13  abcdefg123      21,555
  14  aaaaaa          19,098
  15  123123          18,147
  16  123             17,225
  17  liverpool       17,191
  18  1234567         17,168
  19  000000          16,941
  20  monkey          16,787

Source: LeakedSource Analysis of Last.fm Hack

(ok, top 20 here, go to leakedsource for the rest)
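Why unsalted MD5 turns a leak into a ranking like the one above, shown with an added example that is not LeakedSource's or Last.fm's code: the sample "database" and wordlist are constructed here, and the salted alternative uses PBKDF2 from the standard library purely to stand in for a salted, slow hash such as the bcrypt mentioned in the Yahoo item.

```python
import hashlib
import os
from collections import Counter

# Constructed sample standing in for the Last.fm user table, where every
# password was stored as a bare, unsalted MD5 digest (assumed data).
SAMPLE_PASSWORDS = ["123456"] * 5 + ["password"] * 3 + ["lastfm"] * 2 + ["tr0ub4dor&3"]
# Tiny constructed wordlist; a real cracking dictionary is far larger.
WORDLIST = ["123456", "password", "lastfm", "qwerty", "music"]


def unsalted_md5(pw: str) -> str:
    """The storage scheme the leak used: same password -> same digest."""
    return hashlib.md5(pw.encode()).hexdigest()


def frequency_table_from_hashes(hashes):
    """Rank digests by count. Because there is no salt, this IS the password
    frequency ranking, obtained before a single hash has been cracked."""
    return Counter(hashes).most_common()


def crack_with_wordlist(hashes, wordlist):
    """Hash each candidate word once, then look every unique digest up in that
    table: all users sharing a password are recovered by one lookup."""
    lookup = {unsalted_md5(w): w for w in wordlist}
    return {h: lookup[h] for h in set(hashes) if h in lookup}


def ranked_cracked_table(hashes, wordlist):
    """Reproduce a rank/password/frequency table from the raw hash dump."""
    cracked = crack_with_wordlist(hashes, wordlist)
    return [(cracked[h], n) for h, n in frequency_table_from_hashes(hashes) if h in cracked]


def salted_slow_hash(pw: str, salt: bytes, rounds: int = 20_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 as a stand-in for bcrypt).
    Production deployments should use a much higher work factor."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def distinct_stored_values(passwords):
    """With a random per-user salt the same password no longer yields the same
    stored value, so frequency analysis and shared lookups both fail."""
    return len({salted_slow_hash(pw, os.urandom(16)) for pw in passwords})


if __name__ == "__main__":
    dump = [unsalted_md5(p) for p in SAMPLE_PASSWORDS]
    print(ranked_cracked_table(dump, WORDLIST))
    print(distinct_stored_values(SAMPLE_PASSWORDS), "distinct salted values for",
          len(SAMPLE_PASSWORDS), "users")
```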

USBee stings air-gapped PCs: Wirelessly leak secrets with a file write on a USB stick, measuring the voltage changes

Dubbed USBee, the technique turns a computer’s USB ports into mini RF transmitters by modulating the data fed at high speed to plugged-in devices. By banging out a string of ‘0’ bits to a USB port, the voltage changes in the interface generate detectable emissions between 240MHz and 480MHz, according to Guri.

Next, by writing sequences of ‘0’ and ‘1’, we’re told you can create a carrier wave from the rapid voltage changes on the interface’s data pins. You can then use binary frequency shift keying (B-FSK) to encode useful information into the wave.

Guri reckons you can beam 80 bytes per second over the air using this technique, which is fast enough to send a 4,096-bit crypto key to a nearby receiver in less than 10 seconds.

Source: USBee stings air-gapped PCs: Wirelessly leak secrets with a file write

Tens of Thousands of Infowars Accounts Hacked: that's the sound of thousands of conspiracy loons crinkling up their tin foil hats as they pull them on tighter

Infowars, created by famed radio host and conspiracy theorist Alex Jones, produces radio, documentaries and written pieces. The dumped data relates to Prison Planet TV, which gives paying subscribers access to a variety of Infowars content. The data includes email addresses, usernames, and poorly hashed passwords.

The administrator of breach notification site Databases.Land provided a copy of 100,223 records to Motherboard for verification purposes. Vigilante.PW, another breach notification service, also has the Infowars dump listed on its site, and says the data comes from 2014. However, every record appears to have been included twice in the data, making the actual number of user accounts closer to 50,000.

Source: Tens of Thousands of Infowars Accounts Hacked