CyberInsecure.com

US Security Firm Stratfor Hit By ‘Anonymous’, Clients Credit Cards And Passwords Stolen

The hacking group “Anonymous” on Sunday Christmas claimed it has stolen thousands of credit card numbers and personal information of clients of the U.S. based security think-tank Stratfor and pilfered funds it gave away as Christmas donations to charity.

Anonymous said it stole information from organizations and individuals that were clients of Stratfor, including Apple Inc., U.S. Air Force the Miami Police Department. They said they obtained more than 4,000 credit card numbers, passwords and home addresses. Some clients of Stratfor have confirmed unauthorized transactions linked to their credit cards.

Stratfor is a company providing services to help clients manage risk. The company charges subscribers for reports and analysis it issues. The company’s main website was down in Sunday with the message: “site is currently undergoing maintenance.” Most of the victims were individual subscribers and not companies and government agencies. Anonymous in a Twitter message taunted Stratfor, saying: “Not so private and secret anymore?” The group promised that Stratfor was only the beginning of attacks to come.

Anonymous claims that it was able to steal as much as 200 gigabytes of information from Stratfor because Stratfor did not bother to encrypt them. This Revelation, if true, is serious indictment of a security services related company. The hackers published a list of what they claimed was Stratfor’s client list and tweeted a link to encrypted files with stolen names, phone numbers, emails addresses, credit card and account details. The hackers claimed that the information they have published so far is only a small part of what they stole from Stratfor.

PC Magazine reports that besides using the stolen funds for donations to charity the attackers said they were also hoping to use the incident to draw attention to the case of Pfc. Bradley Manning of the U.S. Army who is on trial over alleged involvement in leak of hundred of thousands of confidential military documents. A statement that claimed to be from the hackers said: “We hereby ask that Bradley Manning be given a delicious meal this Lulzxmas, and no, not the ‘holiday special’ in the prison chow hall. We want him out on the streets at a fancy restaurant of his choosing, and we want this to happen in less than five hours.”

values greatly. This hack is most definitely not the work of Anonymous.”
Huffington Post said that credit card owners whose cards have been hacked may contact the credit card company to dispute the charge. A member of Anonymous said on Twitter that 90,000 credit cards from law enforcement, the intelligence community and journalists have been hacked and used “steal a million dollars” for charity donations. The statement mentioned “corporate/exec accounts of people like Fox” News. But Huffington Post reports it was not possible to verify the claims.

Credit: DigitalJournal.com

Ultimate Bet Players Accounts Compromised, 3.5 Million Records Freely Available Online For Weeks Still In Google Cache

In a breach of security at Ultimate Bet, information from every player’s account had been publicly posted on the internet, revealing personal information of approximately 3.5 million poker players holding accounts at the nearly-dead poker site.

A popular poker forum website posted a link to the account information via an anonymous posting, but removed the link roughly eight minutes later. In that short span of time, enough people identified the link and apparently passed the information around privately.

The data leaked from the accounts included each player’s name and screen name; birth date; email, mailing and IP addresses; phone number; deposit methods typically used; VIP, affiliate and blacklist statuses; account balance; and players’ UB account numbers, but not bank account numbers as far as we know.

The data listed was organized by specific countries, with about 2 million accounts from the U.S., 319,000 Canadian accounts, 137,000 United Kingdom accounts, and approximately 1 million accounts from all other countries combined. The data contained more than a dozen other columns which were not clearly identifiable. The unidentifiable columns were not labeled and contained inconsistent information. For example, one column that listed IP addresses also contained physical addresses and another column listing screen names for some users contained account numbers for different users.

The data is still partially available in Google cache. Files organized by country:

One of the files showing details in XLS format in Google cache:

Financial information of each player, excluding account balances and deposit methods, was not listed. And no personal credit card numbers were shown either. It is not known who leaked the account information or the reason why.

Ultimate Bet and Absolute Poker, who together make up the Cereus Network and were the third largest internet poker network prior to Black Friday, have been virtually defunct since the U.S. Department of Justice’s actions that seized their domains and much of their assets and indicted the company’s principals in mid-April. Since that time, most of the poker room’s players haven’t been able to cashout, while some overseas non-U.S. players have been able to withdraw small amounts sporadically. In mid-June, it was reported that both poker sites combined had only approximately ten percent of the funds owed to players, said to be $54 million. Toward the end of October, the Kahnawake Gaming Commission, who issued the operator’s license to the Cereus Network, announced that company owners were planning to liquidate assets to reimburse players with money in their account balances at the sites. However, the company’s full assets are not known.

The data leaked on the internet was exclusive to Ultimate Bet players and did not include Absolute Poker players. Ultimate Bet players with valid accounts on the site should be vigilant in realizing that personal account information may have gotten into the wrong hands and to be wary of suspicious phone calls or emails received. Account holders would also do well to ensure that their online passwords to email addresses and other login information to various accounts is sufficiently secure to ward off any possibilities of identity theft or fraudulent activity.

Various players at the Cereus Network have reported the inability to join real money sit-n-go tables the last two days. It is possible to log onto the network, but attempting to join a sit-n-go table results in nothing happening. There are a couple players listed as sitting at sit-n-go tables waiting for more players, but these are believed to be props. At the time of this writing, there was only one real money table in action, a $.01/.02 no-limit hold’em table with an average pot of $.44. At the lone table, 57% of players were seeing the flop and 120 hands were being played per hour. However, play money tables are quite populated and going strong.

Credit: PokerNewsReport.com

Restaurant Depot, Jetro Cash & Carry Processing System Compromised, Credit Cards Sold On Russian Blackmarket

If you used a credit card between the dates of Sept. 21 and Nov. 18th at national restaurant wholesalers Restaurant Depot or Jetro Cash & Carry, then you should probably know that Russian cyberthugs wearing leather blazers and gold chains and stinking of Armani Aqua di Gio are currently selling your information on the black market.

The following is an excerpt of the letter currently being sent to all customers deemed to be at risk:

“We recently determined that computer hackers stole credit and debit card information from the card processing system we use…”

“You are receiving this letter because we believe your credit or debit card information was stolen. This letter explains actions we have taken in response to the theft and describes some actions you can take to protect yourself against fraud.”

“How the thieves stole the card information — The investigators determined that the thieves inserted malicious software or ‘malware’ into the credit and debit card processing systems we use in our stores. The malware collected card information as it was processed, stored it temporarily, and then sent it to a computer server in Russia.”

If you’re wondering if you’ve ever shopped at a Restaurant Depot but aren’t quite sure, run through this simple checklist:

1. Do I regularly purchase kitchen items like bacon and mayonnaise in bulk?
If you answered NO, please skip to step 5.
If you answered YES, continue to:

2. Do I belong to Restaurant Depot?
If you answered NO, please skip to step 5.
If you answered YES, continue to:

3. Have I noticed any strange charges on my accounts lately, say, for one dozen lynx fur jackets with fox trim?
If you answered NO, please skip to step 5.
If you answered YES, continue to:

4. You MAY be at risk for credit card fraud. Please contact your credit card company immediately.

5. You are NOT at risk for credit card fraud. Continue gorging yourself on bacon and mayonnaise in sensible quantities, free from worry.

Credit: Gawker.com

Internationalcheckout.com Database Hacked, Customers Credit Cards Abused

International Checkout customers began receiving emails that alert them on the fact that the organization has recently fallen victim to a cyberattack which resulted in the theft of a large quantity of personal information, including credit card details.

“International Checkout was recently the victim of a system intruder who was able to access encrypted credit card information,” reads the email provided by SpywareSucks.

“You are receiving this email from International Checkout because your credit card information was in the database which was compromised.”

It seems as the breach was discovered sometime in mid-September and an investigation has immediately commenced. Besides the fact that the authorities were notified of the issue, the credit card information from the databases was removed to make sure no one still had access.

Even though the information was encrypted, the attacker managed to obtain the encryption key that was stored in a separate location.

“As a precaution, International Checkout is providing notification to people whose information may have been in the database that was accessed so that if it turns out the information was compromised in any way, they can take the appropriate measures to protect themselves,” the notification adds.

The company is advising customers to closely monitor their bank account statements for any suspicious transactions. Bank account numbers were not exposed, but credit cards numbers were and in some situations the financial institutions involved may even recommend the changing of the account number.

An important thing customers should know is that they will not be directly contacted by International Checkout, unless they call them first. They alert individuals on the fact that some might profit from the situation and call them pretending to represent the firm, requesting sensitive information.

“We will not call you to ask for bank account information or personal identification numbers (PINs) or for your full credit card or social security number.”

Unfortunately, a lot of companies are on International Checkout’s partner list so the number of potential victims is high and people are already starting to complain about abusive transactions made with their credit cards. Some of the websites listed on http://www.internationalcheckoutsolutions.com/merchant-partners.php include TahoeMountainSports.com, MoreschiShoes.com, LaurenKlein.com, SofiaBean.com, EnvyCig.com, WTeaShop.com, PromoStadium.com, PTTechSolutions.com, ViveDecor.com, HUFWorldwide.com, SavingLots.com, MGallerie.com, Audioque.com, LuckyTeria.com, FrankliWild.com, Vivarati.com, BuyRailings.com, RackMountSales.com, Angara.com.

Credit: Softpedia.com News

Software Offered By CNET Bundled With Trojans, Spread Through Download.com

One of the developers of a network exploration and security auditing tool called Nmap is accusing CNET of bundling free software with Trojans and shady toolbars, and serving them on their Download.com website.

Gordon Lyon, also known as Fyodor claims he discovered that Nmap and other free applications such as VLC are downloaded with pieces of malware attached and according to the Virus Total submission, 10 out of 39 vendors detect the Nmap installer as containing a Trojan.

“They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer,” Fyodor said.

He’s also upset with the fact that CNET utilizes their Nmap trademark as if they were involved in the fact that the tool is not actually clean.

“In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap’s copyright,” he adds.

He states that in many cases users will not look at what they’re downloading or installing and they’ll just end up with a changed homepage, an extra toolbar and maybe even a malicious element.

His biggest fear is that Nmap users will believe that all these extras actually come from the developers, thus ruining their reputation.

“We’ve long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net’s Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!”

CNET offered them the opportunity to opt out of the Download.com Installer, but Fyodor says he’s not going to stop here. He is now in search of a copyright attorney as he’s sure his rights have been violated.

At the time of writing, the Nmap installer on download.com seems to be clean so maybe the company already acted on the warnings received from the devs.

Credit: Softpedia.com News

Unpatched Yahoo! Messenger Flaw Allows Status Updates Remote Hijacking

Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user’s status message.

Hijacked status updates are a handy way to persuade a victim’s contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client requires minimal user interaction to work, unlike previous exploits that relied on conning prospective marks.

The attacker sends a supposed file to a target that is actually an iframe that swaps the status message for the attacker’s customized text, as explained in a net security firm BitDefender blog. The message might be, and in most attack scenarios would be, sent firm outside a targeted user’s contact list.

If successfully executed, a victim will have no indication that his or her status message has been rewritten. The ruse might be used to gain affiliate incomes by promoting dodgy sites as well as directing users towards sites loaded with exploits or scareware scams.

Bitdefender said it has notified Yahoo about the vulnerability. Attacks based on the as yet unfixed flaw have already been detected in the wild, the Romanian security firm warns.

It advises users to change the setting of their IM client to “ignore anyone who is not in your Yahoo! Contacts” (which is off by default) as a precaution pending the release of a patch. In addition, some security suites include a web filter function that ought to defend users from this attack.

Credit: The Register

Adidas Websites Taken Down After Attack, Adidas.com, Reebok.com Affected

The popular sports equipment maker took down some of its websites after a security breach that targeted their network was discovered on November 3. The affected locations include adidas.com, reebok.com, miCoach.com, adidas-group.com and some local e-commerce shops. They were all taken down in order to protect the individuals that might visit them.

“Our preliminary investigation has found no evidence that any consumer data is impacted. But while we continue our thorough forensic review, we have taken down affected sites,” reads a company statement. “Since learning about the issue, we have put in place a number of additional data security measures. The changes reflect enhancements to the high standards consumers have come to expect from the adidas Group and its brands”

The reasons for such an attack are not yet known but it might very well be one of those situations where the cybercriminals are doing it just to have some fun.

“The attack on Adidas is an example of how cyber crime has become an International sport in the past year or so, as we have seen more and more big brands compromised worldwide,” said Eddy Willems, security evangelist at G Data, according to SC Magazine.

“The good thing is that Adidas, unlike many recent cyber crime victims, seems to be acting quickly and has security in mind. The hack appears to be only to the website and not the databases, which suggests that no customer data has been compromised.”

He also claims that in these situations hackers just want to prove their powers to the world. In some cases it’s not about money or data theft, instead the attackers want to attract attention and gain fame.

Some of the websites were restored but others are still recovering from the hit. In the meantime, it will remain to be seen if anyone comes forward to claim the attack.

Private Canadian Children’s Ministry Papers Dumped In Trash, Contain Names, Addresses, Birth Dates

The B.C. government is dealing with another privacy breach after confidential documents from the Ministry of Children and Family Development were found dumped in a garbage bin. The documents were discovered dumped in a green dumpster behind a Victoria apartment building last week, and contain client names, addresses, birth dates and health card numbers.

At first, the ministry said the papers were merely for training purposes, but officials have now confirmed that private client information was also included. “The priority is to identify those people whose privacy may have been breached and to inform them as quickly as possible,” cabinet spokeswoman Mary Polak said. “We will continue to work closely with the Office of the Information and Privacy Commissioner.”

Police were called in to secure the documents, while the ministry struggled to determine what they contained. It’s believed that the papers were dumped by a former employee who left government several months ago. Civil servants are required to return all private information when they leave their jobs, and alls documents are supposed to follow a strict policy for disposal.

NDP critic John Horgan says the breach is a cause for serious worry. “I’m concerned that the most sensitive ministry in government — the Ministry for Children and Family Development — would allow a week to languish without confirming or denying the release of private information to the public. Throwing documents into a dumpster is unacceptable in the 21st century,” he said.

The discovery of the documents marks the second time in a week that the province has had to deal with news of an embarrassing privacy breach. Last week, CTV News revealed that the private health records of 450 patients at Vancouver General Hospital were compromised when a medical resident lost his laptop and USB drive at the airport in Toronto.

Credit: CTV News (ctvbc.ctv.ca)

Numerous Defense And Chemical Firms Targeted In Industrial Espionage Campaign

Dozens of companies in the defense and chemical industries have been targeted in an industrial espionage campaign that steals confidential data from computers infected with malware, researchers from Symantec said.

At least 29 companies involved in the research, development, and manufacture of chemicals and an additional 19 firms in defense and other industries have been attacked since the middle of July, Symantec researchers wrote in the report released Monday. The unknown attackers used back door trojans, including a variant of the publicly available Poison Ivy, to exfiltrate data from victims - including multiple Fortune 100 companies involved in the research and development of chemical compounds and advanced materials.

“These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage, military institutions, and governmental organizations often in search of documents related to current political events and human rights organizations,” the eight-page Symantec report stated. “This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes.”

The campaign, which the Symantec researchers have dubbed “Nitro,” wasn’t disrupted until the middle of September.

The majority of infected machines found connecting to command and control servers were located in the US, Bangladesh, and the UK. Other infected computers came from an additional 17 countries, including Argentina, Singapore, and China.

Some of the attacks have been traced to a computer that acted as a virtual private server by an individual located in the Hebei region of China. While a person calling himself Covert Grove claimed he used the system for legitimate reasons, the researchers said his denial seemed “suspicious.”

“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” they wrote. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”

The attacks typically begin with emails purporting to warn of unpatched vulnerabilities in the Adobe Reader program from the recipient’s IT department. When the recipient clicks on one of two files included, Poison Ivy or Backdoor.0divy is installed. Security provider Norman ASA has technical information about the malicious payloads at blogs.norman.com.

Several other groups that appear to be unrelated are targeting some of the same chemical companies with malicious documents that exploit vulnerabilities in Adobe Reader and Microsoft Office. As a result, the victims are infected with Backdoor.Sogu, the same custom-developed threat used to steal personal information from as many as 35 million users of a South Korean social network, the Symantec researchers said.

Credit: The Register

Phishing Campaign Fake Legitimate Apple Emails, Steals Victims ID And Password

A phishing campaign which involves the reputation of Apple has been seen invading inboxes. The rogue message perfectly replicates alerts received by customers when the company notifies them on changes of their accounts.

A Trend Micro researcher came across a message that looked very much like the genuine message he had received not long ago from the Cupertino
firm.

The fake email seems to come from “do_not_reply@itunes.com” and is sent via smtp.com. Coming with the subject “Account Info Change,” it perfectly replicates most visual aspects of the real deal.

The content of the message reads:

The following information for your Apple ID was updated on [date]:
Name
If these changes were made in error Report Problem.
To review and update your security settings sign in to appleid.apple.com.
This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.

The link mentioned before is masked to look authentic, but in fact it leads the unsuspecting user to a phishing site hosted on a free domain. It asks the customer to provide an ID and a password, the information being sent to the masterminds that designed the whole scheme.

These operations can be highly dangerous for your savings as they gives access to your Apple account which contains a lot of sensitive data such as credit card info, address and phone numbers.

Itunes fraud is not uncommon because cybercriminals noticed how easy it is to phish out a set of credentials which can then be used to purchase all sorts of products in the Apple Store.

Even if the email looks to be legit, once you click on the link it contains, you can check out the address in your browser to see if it really belongs to the genuine company. Email addresses can be easily spoofed but website names always give away the true identity of a page.

Credit: Softpedia.com News