FBI: $11 million worth of unauthorized wire transfers to China

Very interesting report via the Financial Services Information Sharing and Analysis Center, in cooperation with the FBI, on unauthorized wire transfers to China.  When I say “interesting,” I mean I don’t understand it…not sure what the implications are, if any.  Get the basics of the report, just not sure who the perp is supposed to be? Chinese, Russian, US?  So, smart blog reading people help me out.  Full PDF report on the unauthorized wire transfers here and the two paragraphs that have me scratching my head:
“The unauthorized wire transfers range from $50,000 to $985,000. In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000. When the transfers went through successfully, the money was immediately withdrawn from or transferred out of the recipients’ accounts.
In addition to the large wire transfers, the malicious actors also sent domestic ACH and wire transfers to money mules in the United States within minutes of conducting the overseas transfers. The domestic wire transfers range from $200 to $200,000. The intended recipients are money mules, individuals who the victim company has done business with in the past, and in one instance, a utility company located in another U.S. state. The additional ACH transfers initiated using compromised accounts range from $222,500 to $1,275,000.”

Target hack strips banks and credit unions of $200M

 

Not only were as many as 110 million Target customers affected by the massive hack on the retailer in December, but banks have also had to deal with the security breach. The hack is said to have cost banks and credit unions more than $200 million, according to data gathered by the Consumer Bankers Association and the Credit Union National Association. Originally, the two associations estimated that losses tallied around $178 million but now say those costs are rising.
In all, 40 million credit and debit cards were compromised in the breach. So far, banks and credit unions have replaced 54.5 percent, or 21.8 million cards. The cost to banks could increase if additional fraudulent activity occurs with the compromised cards.
The security breach, which yielded the personal information of an estimated 110 million customers, was first identified on December 15. Apparently, cybercriminals accessed customers' private information at point-of-sale terminals during checkout. Target said the breach occurred between November 27 and December 15 and resulted in the theft of names, mailing addresses, phone numbers, e-mail addresses, and debit and credit card data of people who shopped at the retailer during those dates.
Working to gain consumer confidence in the aftermath of the breach, Target has offered affected customers one year of free credit monitoring and begun development of high-security smart credit cards embedded with microprocessor chips. According to a report earlier this month, the retailer is said to be paying up to $420 million to cover such costs associated with the breach.

Microsoft crash reports reveal Houdini hack campaign hitting firms

A new hack campaign using the Houdini malware has been uncovered by security firm Websense.
Websense ‎director of security research Alex Watson told V3 the company spotted a campaign targeting an unnamed mobile network operator and government body using the Houdini remote access Trojan (RAT) while testing a new detection strategy. He said the strategy involves researchers cross-referencing Microsoft application and software crash reports to spot cyber attacks.
"Every time an application crashes it sends a report to Microsoft. The report includes a variety of information about the app and the computer. This isn't just application software data. It includes everything from information about the computer's basic input/output system [BIOS], down to hardware changes. It will even let you know if someone's plugged a USB or smartphone into the machine," he said.
"In general, this is so Microsoft can prioritise fixes, but we thought about using it for a different application and using the information to detect attack activity. We wanted to use it to make an anomaly detector."
Watson said while testing the technique, Websense examined 16 million crash reports, five of which indicated potential foul play. The Websense director said the company discovered the attacks while examining the five potential positive alerts.
"We reversed exploits from the point of fail [crashes] and took in 16 million reports over four months from third-party feeds. Of these we found five matches, four of which indicated the possibility an exploit had tried to get into the networks. Upon further investigation we found two organisations had Houdini in their systems," he said.
Houdini is a particularly dangerous remote access Trojan that can be used by criminals for a variety of purposes. "Houdini opens the door for pretty much anything [a hacker] could want to do. It can be used for everything from installing password trackers, to grabbing information about the network or pulling files," Watson said.
Watson said Websense also uncovered evidence of a new variant of the notorious Zeus malware targeting a "large clothing retailer" located in the eastern United States. He said the crash logs used in the investigation indicated hackers had tried to infect the company with a similar malware to the Zeus Trojan.
He added that despite having similar data-stealing powers the malware interacted with command and control servers in an atypical manner, indicating it could be tailored to target the wholesale and retail industry.
The Houdini and Zeus campaigns are two of many advanced threats discovered this year. Researchers from advanced threat protection specialist FireEye reported uncovering a fresh cyber campaign targeting US military veterans' website VFW.org, codenamed Operation Snowman, earlier in February.

Security experts from Kaspersky Labs Global Research and Analysis Team reported uncovering another advanced "Mask" hack campaign targeting numerous governments and companies mere days earlier.

Hackers dropping Zeus in favour of Xtreme RAT Trojan, reports FireEye

Hackers are dropping standard malware such as Zeus, in favour of more advanced but harder-to-use remote access Trojans (RATs) such as Xtreme RAT, according to security firm FireEye.
Senior researcher at FireEye Nart Villeneuve reported uncovering the trend in a blog post. "During our investigation we found that the majority of Xtreme RAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware," he said. "This seems odd, considering RATs require manual labour as opposed to automated banking Trojans."
Xtreme RAT is a notorious RAT that has been freely available on a number of cyber black markets since June 2010. The RAT is dangerous as it can be used for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services.
There have also been recorded variants able to force infected machines to capture images of the desktop, and record from connected devices, such as webcams and microphones. Hackers can also customise Xtreme RAT to add new abilities, as its source code has been leaked online.
Villeneuve told V3 the attacks have in general been fairly basic spam-related attacks and is yet to see criminals use its increased powers for more advanced purposes.
"Xtreme RAT is now being used in some high-volume attacks. It is being distributed as a payload of traditional large-volume spam runs," he said. "So far, Xtreme RAT has not been used as the payload of advanced exploits. Rather users are lured into installing the RAT through a variety of social engineering schemes."
The attacks have reportedly hit numerous industries. Villeneuve explained: "Using telemetry from FireEye's Dynamic Threat Intelligence (DTI) cloud, we examined 165 Xtreme RAT samples from attacks that primarily hit the energy, utilities, petroleum refining, financial services and high-tech sectors."
He added that FireEye did uncover evidence linking four of the 165 examples to the notorious MoleRats campaign. The original MoleRats campaign began in 2012 and saw hackers target a number of government groups in Israel and Palestine with a wave of data-stealing cyber attacks. The attackers have a track record for upgrading their tools and were caught experimenting with the Poison Ivy malware in August 2013.

Silk Road admins: Sorry for the hack, we're sorting out refunds

The masterminds of the SilkRoad 2.0 underground market have vowed to pay back all of the funds lost in a recent Bitcoin hack.
Administrator Defcon said that the team behind the darknet market would be donating all commissions it gathers on transactions towards reimbursing funds which were lifted from its escrow account by hackers last week.
"This leadership and this community will not stop until you are completely repaid," Defcon vowed.
"We know you feel defenseless right now. You are naked. Many of you are convinced there is no logical reason any darknet admin would ever fight to get your coins back."
The post puts to rest fears that Silk Road 2.0 would not attempt to relaunch in the wake of last week's incident which saw some $2.7m worth of Bitcoin vanish when an attacker exploited a transaction malleability vulnerability to empty all of the funds from Silk Road's transaction escrow wallet. According to administrators, 26 per cent of Silk Road's active users saw their entire Silk Road account funds wiped out in the attack.
The site has relaunched but has eliminated any central escrow plan (like the one which was hacked.) Rather, users and vendors will have the option of dealing directly with highly-trusted parties or using a reputation-based decentralized escrow system to hold funds pending delivery.
Additionally, the site said that it will launch support and dispute resolution services to help sort out transactions which were thrown for a loop by the attack itself.
Under the plan, Defcon vowed that the management would not collect any commission for itself until users were refunded "even if it takes a year." Or, perhaps more likely, until law enforcement shuts down the marketplace as it did the first Silk Road iteration.
"This is not an ideal climate, but it is the reality of the darknet today. I cannot emphasize strongly enough that every market which uses centralized escrow will fail," Defcon said.
"Centralization makes a market a huge target for attackers, and a huge target for dishonest administrators."
Meanwhile, Silk Road administrators say they are continuing to pore over information they have received on who might have been behind the hack. Defcon said that early indications are that no members of the administration were behind or complacent in the attack.

Facebook in Blockbuster Deal to Acquire WhatsApp for $16 Billion

Seeking to become a worldwide leader in messaging, Facebook on Wednesday announced that it would purchase cross-platform mobile messaging solution WhatsApp for an incredible $16 billion. And the value of the deal could rise to $19 billion if WhatsApp's employees remain with Facebook for four years.
The incredible acquisition deal was revealed in a US Securities and Exchange Commission filing, which notes that WhatsApp will become a wholly owned subsidiary of Facebook. The social networking giant then further explained the deal.
"Facebook has reached a definitive agreement to acquire WhatsApp, a rapidly growing cross-platform mobile messaging company, for a total of approximately $16 billion, including $4 billion in cash and approximately $12 billion worth of Facebook shares," a Facebook statement notes.
WhatsApp is available on Android, iPhone, Blackberry, Windows Phone and even Nokia Symbian phones. The service claims over 450 million users, over 70 percent of which are considered "active" in that they use the service's mobile app each day. Usage is growing at a rate of over one million new users per day.
WhatsApp maintains that nothing will change for its users.
"WhatsApp will remain autonomous and operate independently," WhatsApps cofounder and CEO Jan Koum writes on the firm's corporate blog. "You can continue to enjoy the service for a nominal fee. You can continue to use WhatsApp no matter where in the world you are, or what smartphone you're using. And you can still count on absolutely no ads interrupting your communication. There would have been no partnership between our two companies if we had to compromise on the core principles that will always define our company, our vision and our product."
Facebook reportedly offered to purchase a rival chat service, SnapChat, for $3 billion but was turned down. Facebook previously purchased Instagram for $1 billion.

Rebekah Brooks to start defense in phone hacking trial

Former News International chief executive Rebekah Brooks arrives at the Old Bailey on February 19, 2014 in London, England

Rebekah Brooks, the former boss of News International, begins her defense Wednesday against allegations that she was part of a conspiracy to intercept the voicemails of high-profile figures in Britain.

Dubbed the phone hacking trial, it has ensnared big names, including Andy Coulson, a former Downing Street communications director.

Brooks faces three counts of conspiracy to pervert the course of justice linked to claims she plotted to remove boxes of documents from News International offices, and hide computers and documents from police. She denies any wrongdoing.

She resigned as chief executive of Rupert Murdoch's News International in July 2011 amid outrage over claims of widespread hacking by staff at its News of the World newspaper.

Once feted as a rising star in British media, she was the youngest person to edit a national British newspaper.

She held the top job at News International, News Corp.'s British subsidiary, for two years after editing the country's best-selling daily tabloid, The Sun, and its best-selling Sunday tabloid, News of the World.

But following sweeping allegations of illegal eavesdropping by News of the World journalists when she was editor, she has seen her fortunes fade, and was arrested and questioned several times by police investigating hacking, prior to being charged.

News International is News Corp.'s British newspaper arm . The fallout forced Murdoch to shut down the News of the World in 2011.

Former UK PM Blair offered to help Murdoch over phone-hacking

Former British prime minister Tony Blair offered to act as a secret adviser to Rupert Murdoch during his media empire's phone-hacking scandal, suggesting the firm follow steps he took to calm public anger over the Iraq war, a London court heard on Wednesday.
Rebekah Brooks, the ex-boss of Murdoch's British newspapers, wrote an email to Murdoch's son James detailing advice Blair had given her during an hour-long phone call in July 2011 at the height of a furor over phone-hacking allegations at the media mogul's News of the World tabloid.
The disclosure came as the prosecution wrapped up its case against Brooks, who is on trial at London's Old Bailey on charges relating to phone-hacking which she denies.
"He (Blair) is available to you, KRM and me as an unofficial adviser but needs to be between us," said the email from Brooks to James Murdoch, who at the time ran News Corp. operations in Britain. KRM refers to Rupert Murdoch's initials.
Brooks said Blair had counseled: "It will pass. Tough up." Four days later she quit her job and she was arrested by police two days after that.
The email was sent the day after News Corp closed the 168-year-old News of the World in the face of huge public anger over revelations that its staff had hacked into the voicemail messages of a murdered schoolgirl.
Blair's suggestions to Brooks contrast with a public statement he made three days before their phone call, when he had denounced the hacking scandal as "beyond disgusting".
The email also demonstrates just how close Brooks and Rupert Murdoch were to Britain's elite, a relationship critics said allowed him to use his British newspapers to influence politicians for the benefit of his business interests.
A spokesman for Blair, who is now a Middle East peace envoy, said the former prime minister was "simply giving informal advice" and had made it clear to Brooks that in a such a serious situation it was vital to have "a fully transparent and independent process" to find out what had happened.
According to Brooks's email, Blair's advice included setting up an internal investigation, led by a member of the "great and the good". The scenario he envisaged was based on the investigation which cleared him of any wrongdoing in the build-up to the 2003 U.S.-led invasion of Iraq.
"Get them to investigate me and others and publish a Hutton style report," Brooks said in the email relaying the comments of Blair, who is godfather to one of Murdoch's children.
"Publish part one of the report at same time as the police closes its inquiry and clear you and accept shortcomings and new solutions and process," the email said.
"WHITEWASH"
The reference to the Hutton inquiry could prove hugely embarrassing for the former Labour leader, who won three elections to lead Britain from 1997 to 2007 but who has had to repeatedly defend himself over his decision to join the United States in going to war in Iraq.
Lord Hutton was appointed by Blair to investigate the circumstances which led to the British Broadcasting Corporation (BBC) reporting that the government had "sexed up" the case for the invasion of Iraq.
That near six-month investigation cleared the government of any wrongdoing and laid the blame firmly at the door of the BBC, leading to the resignation of two of its most senior executives. A poll of Britons in the wake of the inquiry found that half believed the report was a "whitewash".
The report was leaked to Murdoch's daily Sun tabloid, which published the findings before its official release in 2004. Brooks was editor of the paper at the time and, despite an official investigation, the leak's source was never discovered.
In May 2012, at an inquiry set up in the wake of the phone-hacking scandal, Blair said British leaders had no choice but to court powerful media barons such as Murdoch or risk savage press attacks from a media he once described as "feral beasts".
The email, which also included a suggestion that Brooks should take sleeping tablets, was read to the jury at the Old Bailey as prosecutors concluded their case against her and six others over phone-hacking and other offences, which they deny.
Another email read out in court from Brooks to James Murdoch detailed a "Plan B" in which they would "slam" other executives and leak an internal report stating that their previous attempts to get to the bottom of the story had been woeful.
Brooks herself had been expected to launch her defense on Wednesday but because of legal issues she is now due to take the stand on Thursday.

Syrian hackers hijack FC Barcelona’s Twitter account

Talk about putting the boot in…
The notorious Syrian Electronic Army (SEA) claimed another scalp overnight, hijacking the Twitter account of the world-famous Barcelona football club.
The Catalan football team’s Twitter account, which has over 11 million fervent fans, was commandeered by the hackers who posted a message in the hours following a victory over Manchester City.

Dear FC Barcelona management, don’t let the Qatari money funds you, it’s full of blood and kill

A later tweet, sent before FC Barcelona realised they had a problem and deleted the offending tweets, sent a special message to one of their rival teams.

Special hi to Real Madrid

Chances are that the hack was perpetrated by the SEA after phishing the password for the account from FC Barcelona’s social media staff.
Past victims of the SEA have included The Guardian, ITV, The Telegraph, the Washington Post, Viber, Skype, PayPal, Thomson Reuters, and most recently Forbes, amongst many others.
There seems little doubt to me that FC Barcelona could have avoided this hack if they had followed best practices – which would have included training staff to never re-use passwords and to be suspicious of unsolicited emails, checked that they were only entering their passwords on legitimate websites, and – crucially – enabled two factor authentication on their account.

Pastebin publishes over 300,000 hacked account details in 12 months

The security researchers at High-Tech Bridge have been taking a close look at Pastebin.com, a site which is used legitimately by programmers to share code – but also popular with hackers who wish to anonymously dump stolen data to provide evidence of a successful breach.
Having discarded from its study obvious fakes, duplicates and minor information leaks involving more than 100 users, High-Tech Bridge discovered evidence that details of 311,095 compromised accounts (usernames and passwords) had been published on Pastebin in the last 12 months.
And it didn’t stop there, according to the Swiss firm, which noted that on average each leak recorded on Pastebin contained 1000 user credentials:

In many cases other personal details, such as credit card numbers, addresses and phone numbers of the victims were also published by the hackers.

Worst of all, according to researchers, the details published on Pastebin often reflected a mere “0.01% – 1% of the total information compromised by the hackers.”
High-Tech Bridge CEO Ilia Ilia Kolochenko believes the problem seen on Pastebin to be just the tip of the iceberg:

“300,000 compromised user accounts during the last twelve months is a huge number if we take into consideration that this amount of information is being stored just on one single legitimate website. Moreover, these 300,000 are just a small percentage of the stolen information posted publically by hackers. It’s impossible to make a precise estimate of how many user accounts were really compromised, but I think we can speak about several hundreds of millions at least. People finally need to understand that the Internet is very hostile place, while online service providers need to finally start taking network security seriously.”

Effectively, the hackers are using Pastebin as a means to advertise their hacks, and their capabilities, whilst still impacting thousands of computer users and firms around the world.
Some companies have become so worried about their private data appearing on Pastebin that they use search engine bots to automatically scour the site at regular intervals, hunting for confidential information which may relate to their business.
So what kind of information is being leaked on Pastebin?
As the following chart shows, the most common source for the leaked information published on Pastebin are email systems:

Main source of leakages posted on Pastebin

Source of Leakage	Percentage from Total
Email Systems	40.9%
Miscellaneous / Mixed / Unknown	40.6%
Social Networks	13.1%
Online Games	2.8%
Online Payment Systems	1.5%
Online Shops	1.1%

Two webmail services rule the roost when it comes to the most likely leaked credentials: Gmail and Yahoo. Perhaps that’s not surprising considering the popularity of the email services.

Most frequent compromised emails posted on Pastebin

Most Popular Domain	Percentage from Total
gmail.com	25.1%
yahoo.com	22.0%
hotmail.com	7.6%
mail.ru	5.2%
Others	38.2%

By the way, in case you are wondering, social networking login credentials are often frequently posted on Pastebin by hackers. And there are no surprises at all which social network tops the chart.
Facebook accounts for a massive 92% of all compromised social network accounts listed on Pastebin, with Twitter taking up most of the remaining space with 7.8%.
For its part, Pastebin says that it receives a large volume of emails from users reporting abuse on its site, and does attempt to take “appropriate action” within 24 hours.
Of course, by then it’s often too late.
You can learn more about High-Tech Bridge’s examination of compromised accounts published on Pastebin, on the security firm’s website.

Wurm MMORPG offers 10,000 Euros reward after DDoS attack

Wurm, the 3D massively multiplayer online role-playing game (MMORPG), has offered a reward totalling 10,000 Euros for information which might lead to the conviction of hackers who launched a distributed denial-of-service (DDoS) attack against the site.
Wurm co-creator Rolf Jansson posted a status report on the website to explain Wurm Online becoming (temporarily one hopes) Wurm Offline:

Shortly after todays update we were the target of a DDOS attack and our hosting provider had to pull us off the grid for now. We will be back as soon as possible but things are out of our hands since their other customers are affected. As we wrote in a previous news post we are planning on changing hosting anyways which should improve things for the future. We can offer 10 000 Euro for any tips or evidence leading to a conviction of the person responsible for this attack.

According to an update posted on the website, the Wurm game will be offline until noon CET today.
Fans of Wurm are less than impressed with the antics of the DDoS attackers, and some have contributed to a message board thread entitled “Dear DDoS Attacker” which doesn’t mince its words…

You sir, are an arse.
I am a recent convert to Wurm and on the whole, have been thoroughly enjoying my experience. As I have only been playing a few months, I don’t have any ‘history’ with the game, I cannot claim to have been here since beta and I do not have longevity as yet. What I do have, is an enthusiasm and enjoyment, for an interesting and challenging game and little patience for tantrums such as you have displayed.

Wurm has suffered from denial-of-service attacks in the past, so it’s clear that someone either might have a grudge against the game or believe that there is an opportunity to make money by attacking it.
Online games are no strangers to being on the receiving end from DDoS attackers, who swamp a website with so much traffic that it can no longer work effectively and can be made utterly inaccessible. In the past gaming and gambling websites have often become the victims of internet blackmailers who – by launching a DDoS attack – threaten to damage an online company’s ability to generate revenue.