Tag: Hackers

FBI warns of ‘destructive’ malware

(Reuters) - The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.

Cybersecurity experts said the malicious software described in the alert appeared to be the one that affected Sony, which would mark the first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.

“I believe the coordinated cyberattack with destructive payloads against a corporation in the U.S. represents a watershed event,” said Tom Kellermann, chief cybersecurity officer with security software maker Trend Micro Inc. “Geopolitics now serve as harbingers for destructive cyberattacks.”

The five-page, confidential “flash” FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.

The report said the malware overwrites all data on the hard drives of infected computers, including the master boot record, which prevents them from booting up.

“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the report said.

The document was sent to security staff at some U.S. companies in an email that asked them not to share the information.

The FBI released the document in the wake of last Monday’s unprecedented attack on Sony Pictures Entertainment, which brought corporate email down for a week and crippled other systems as the company prepares to release several highly anticipated films during the crucial holiday film season.

A Sony spokeswoman said the company had “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”

Read More

This is how your Gmail account got hacked

It’s rare. On an average day, only nine in 1 million accounts get stolen. But when it happens, the operation is swift. These are professional criminals at work, looking through your email to steal your bank account information.

The criminals are concentrated in five countries. Most of them live in China, Ivory Coast, Malaysia, Nigeria and South Africa. But they attack people worldwide, duping them into handing over Gmail usernames and passwords.

Google has effective scans to block them and emergency options to get your account back. But criminals still manage to pull off the attacks.
Here’s some more of what Google found in its three-year study.

In the mind of a hacker

Effective scams work 45% of the time. This number sounds huge, but well-crafted scams can be convincing. They send official-looking emails requesting your login credentials. And sometimes they redirect you to a page that looks like a Google login, but it’s not.

Safety tip: Don’t ever email your username or password — anywhere. And always check the Internet address in the URL above to ensure you’re at the actual Gmail site.

They usually steal your account in less than a day. Once they have your login credentials, the average criminal hijacks your account within seven hours. For an unlucky 20%, the bad guys do it in just 30 minutes. Then they change your password to lock you out.

Read More

It’s as if a robber were to break into a bank today and stay there until Christmas before someone noticed.

That’s how long hackers had access to JPMorgan Chase’s computer system, The New York Times reported this week. If two months seems like an eternity for cyberthieves to wander through the computers of the country’s largest bank, consider that hackers have had free rein for even longer at several major retailers this past year.

Hackers resided on the computers of Neiman Marcus for five months, Home Depot for five months, arts and crafts store Michaels for eight months and Goodwill, the thrift store, for a year and a half.

That hackers were able to roam through JPMorgan’s computer network for two months is another sign that companies are struggling not only with keeping cybercriminals out, but with spotting them once they get in.

A spokesman for JPMorgan did not respond to a request for comment. The bank said earlier this month that hackers had compromised the data of 76 million households, but that no money or Social Security numbers were stolen and the bank hadn’t seen any unusual customer fraud.

The length of time that hackers reside on a computer system doesn’t always correlate to the number of people affected. The size of the company’s customer base also makes a difference. Target, for example, said 40 million customers had their payment card data compromised during an attack last fall that lasted just two weeks, while Michaels said that a much smaller number — 3 million people — were affected during its eight-month attack.

Still, the length of time of a data breach matters. Unlike real-life bank robbers who escape in minutes, digital bank robbers can take weeks or months before they gain access to the data they’re after.

“A lot of people think hacking happens overnight and the bad guys break into the network and they’re done,” said Aleksandr Yampolskiy, chief executive officer of SecurityScorecard, a cybersecurity firm. “The reality is it takes a long time.”

Hackers are able to go undetected for so long because they use numerous techniques to disguise their activities. For one, they often attack computers using malicious software that doesn’t set off alarms with anti-virus programs. And once inside, they route the data they steal through a series of intermediary computers, for example at a church or a public school, according to Yampolskiy. Such computers seem innocent to security teams, so the hackers avoid the red flags that would be raised by communicating directly with computers in Russia, where many hackers are based, he said.

Read More

NEW YORK (AP) — Home Depot said Thursday that a data breach that lasted for months at its stores in the U.S. and Canada affected 56 million debit and credit cards, far more than a pre-Christmas 2013 attack on Target customers.

The size of the theft at Home Depot trails only that of TJX Companies’ heist of 90 million records disclosed in 2007. Target’s breach compromised 40 million credit and debit cards.

Home Depot, the nation’s largest home improvement retailer, said that the malware used in the data breach that took place between April and September has been eliminated.

It said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online at Homedepot.com. It said it has also completed a “major” payment security project that provides enhanced encryption of customers’ payment data in the company’s U.S. stores.

But unlike Target’s breach, which sent the retailer’s sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based Home Depot. Still, the breach’s ultimate cost to the company remains unknown. Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run in the several hundred million dollars, similar to Target’s breach.

“This is a massive breach, and a lot of people are affected,” said John Kindervag, vice president and principal analyst at Forrester Research. But he added, “Home Depot is very lucky that Target happened because there is this numbness factor.”
Customers appear to be growing used to breaches, following a string of them this past year, including at Michaels, SuperValu and Neiman Marcus. Home Depot might have also benefited from the disclosure of the breach coming in September, months after the spring season, which is the busiest time of year for home improvement.

And unlike Target, which has a myriad of competitors, analysts note that home-improvement shoppers don’t have many options. Moreover, Home Depot’s customer base is different from Target’s. Nearly 40 percent of Home Depot’s sales come from professional and contractor services. Those buyers tend to be fiercely loyal and shop a couple of times a week for supplies.

Home Depot on Thursday confirmed its sales-growth estimates for the fiscal year and said it expects to earn $4.54 per share in fiscal 2014, up 2 cents from its prior guidance. The company’s fiscal 2014 outlook includes estimates for the cost to investigate the data breach, providing credit monitoring services to its customers, increasing call center staffing and paying legal and professional services.

Read More

It’s time to change your Gmail password — again.

Around 5 million Gmail usernames and associated passwords were leaked on a Russian Internet forum on Tuesday.

Thankfully, fewer than 2 percent of the leaked combinations, about 100,000, were real, current username and password pairs, Google’s Spam & Abuse Team wrote in a blog post. Many are old and many don’t match — for example, the user name is for Gmail, but the password is for Facebook.

If your current Gmail password and username were compromised, Gmail would have let you know by now.

“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” Google wrote. “Often, these credentials are obtained through a combination of other sources.”

Hackers may have gotten these names and passwords from other sites. If you used the same username and password on Gmail as on a site that was hacked, your Gmail could be compromised. We’ve said it before and we’ll say it again: don’t repeat or reuse passwords.

There’s a link being passed around called IsLeaked.com, where you can allegedly check to see if your Gmail was hacked. DO NOT DO THAT!

Some point out that the website launched right before the hacks, and may be a trap to gather more email addresses.

When in doubt, just change your password.

View Source

Before companies like Microsoft and Apple release new software, the code is reviewed and tested to ensure it works as planned and to find any bugs.

Hackers and cybercrooks do the same. The last thing you want if you’re a cyberthug is for your banking Trojan to crash a victim’s system and be exposed. More importantly, you don’t want your victim’s antivirus engine to detect the malicious tool.

So how do you maintain your stealth? You submit your code to Google’s VirusTotal site and let it do the testing for you.

It’s long been suspected that hackers and nation-state spies are using Google’s antivirus site to test their tools before unleashing them on victims. Now Brandon Dixon, an independent security researcher, has caught them in the act, tracking several high-profile hacking groups—including, surprisingly, two well-known nation-state teams—as they used VirusTotal to hone their code and develop their tradecraft.

“There’s certainly irony” in their use of the site, Dixon says. “I wouldn’t have expected a nation state to use a public system to do their testing.”

VirusTotal is a free online service—launched in 2004 by Hispasec Sistemas in Spain and acquired by Google in 2012—that aggregates more than three dozen antivirus scanners made by Symantec, Kaspersky Lab, F-Secure and others. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if any of the scanners tag it malicious. But the site, meant to protect us from hackers, also inadvertently provides hackers the opportunity to tweak and test their code until it bypasses the site’s suite of antivirus tools.

Dixon has been tracking submissions to the site for years and, using data associated with each uploaded file, has identified several distinct hackers or hacker teams as they’ve used VirusTotal to refine their code. He’s even been able to identify some of their intended targets.

He can do this because every uploaded file leaves a trail of metadata available to subscribers of VirusTotal’s professional-grade service. The data includes the file’s name and a timestamp of when it was uploaded, as well as a hash derived from the uploader’s IP address and the country from which the file was submitted based on the IP address. Though Google masks the IP address to make it difficult to derive from the hash, the hash still is helpful in identifying multiple submissions from the same address. And, strangely, some of the groups Dixon monitored used the same addresses repeatedly to submit their malicious code.

Using an algorithm he created to parse the metadata, Dixon spotted patterns and clusters of files submitted by two well-known cyberespionage teams believed to be based in China, and a group that appears to be in Iran. Over weeks and months, Dixon watched as the attackers tweaked and developed their code and the number of scanners detecting it dropped. He could even in some cases predict when they might launch their attack and identify when some of the victims were hit—code that he saw submitted by some of the attackers for testing later showed up at VirusTotal again when a victim spotted it on a machine and submitted it for detection.
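The clustering the article describes, as an added example that is neither Dixon’s code nor a VirusTotal API: constructed submission records with assumed field names are grouped by submitter hash, a submitter whose detection count only falls across several uploads is flagged, and a flagged file that is later re-uploaded by someone else (the “victim spotted it” signal) is reported.

```python
"""Added example, not Dixon's code: cluster VirusTotal-style submission
metadata by submitter and flag clusters whose detection count keeps falling.
Every record below is constructed; the field names are assumptions."""
from collections import defaultdict


def rec(name, ts, submitter, country, sha256, positives, total=52):
    """One upload: file name, ISO timestamp, hash standing in for the masked
    submitter IP, submitting country, file hash, engines that flagged it."""
    return {"name": name, "ts": ts, "submitter": submitter, "country": country,
            "sha256": sha256, "positives": positives, "total": total}


SAMPLE = [  # constructed data; hashes are placeholders
    rec("update.exe", "2014-03-01T09:00", "a1f3", "CN", "c0de01", 31),
    rec("update.exe", "2014-03-04T10:30", "a1f3", "CN", "c0de02", 14),
    rec("update.exe", "2014-03-09T08:15", "a1f3", "CN", "c0de03", 3),
    rec("dropper.dll", "2014-03-02T12:00", "9b77", "IR", "c0de10", 20),
    rec("dropper.dll", "2014-03-06T12:00", "9b77", "IR", "c0de11", 9),
    rec("sample.bin", "2014-03-01T11:00", "4e21", "US", "c0de20", 40),
    rec("sample.bin", "2014-03-02T11:00", "4e21", "US", "c0de21", 45),
    rec("sample.bin", "2014-03-03T11:00", "4e21", "US", "c0de22", 42),
    # a month later someone else uploads the last variant from the first cluster
    rec("update.exe", "2014-04-02T16:45", "77d0", "US", "c0de03", 12),
]


def cluster_by_submitter(records):
    """Group records by submitter hash, oldest upload first."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["submitter"]].append(r)
    for uploads in clusters.values():
        uploads.sort(key=lambda r: r["ts"])  # ISO timestamps sort lexically
    return dict(clusters)


def detection_ratios(cluster):
    """Fraction of engines flagging each upload, in upload order."""
    return [r["positives"] / r["total"] for r in cluster]


def looks_like_testing(cluster, min_uploads=3):
    """True when a submitter has at least min_uploads files and the detection
    ratio never rises between uploads and ends lower than it started."""
    if len(cluster) < min_uploads:
        return False
    ratios = detection_ratios(cluster)
    non_increasing = all(b <= a for a, b in zip(ratios, ratios[1:]))
    return non_increasing and ratios[-1] < ratios[0]


def flag_testing_submitters(records, min_uploads=3):
    """Submitter hashes whose upload history matches the testing pattern."""
    return sorted(s for s, c in cluster_by_submitter(records).items()
                  if looks_like_testing(c, min_uploads))


def later_resubmissions(records):
    """Files first uploaded by a flagged submitter that reappear later from a
    different submitter; returns (sha256, first_submitter, new_submitter, country)."""
    flagged = set(flag_testing_submitters(records))
    ordered = sorted(records, key=lambda r: r["ts"])
    first_seen = {}
    for r in ordered:
        first_seen.setdefault(r["sha256"], r)
    return [(r["sha256"], first_seen[r["sha256"]]["submitter"], r["submitter"], r["country"])
            for r in ordered
            if first_seen[r["sha256"]]["submitter"] in flagged
            and r["submitter"] != first_seen[r["sha256"]]["submitter"]]


if __name__ == "__main__":
    print("testing-like submitters:", flag_testing_submitters(SAMPLE))
    print("later resubmissions:", later_resubmissions(SAMPLE))
```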

Read More

The scope of yesterday’s computer attack against JPMorgan Chase and at least one other bank appears to be much larger than initially reported.

In addition to possibly affecting seven financial organizations, instead of two as originally reported, some bank records at JPMorgan were altered and possibly deleted, reported CNN, citing unnamed sources. The source of the attacks is not yet known.

Getting access to bank records is uncommon but not unheard of for hackers, who often change computer logs to cover their tracks but can’t always get to more sensitive data, said RedSeal cybersecurity expert Robert Capps.

“Being able to change bank records is an interesting, but not novel, approach to unlawful enrichment,” he said. “There have been reports of embezzlement and outright theft by malicious insiders, since computerized banking records have been in existence.”

This case, however, involved outsiders who targeted specific employees at JPMorgan Chase to gain access to their computers and the bank databases. The Federal Bureau of Investigation and the Secret Service, which are investigating the breach, have not said whether customer bank records or identity details were compromised.

Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said that it wasn’t likely that this kind of attack came from your “average cybercriminal.”

“If hackers are capable of accomplishing this, it means they have spent a significant amount of time studying the [bank's] records system before attempting any kind of serious manipulation,” he said. “It’s not impossible, however, if they were able to modify records using high-level credentials and do it in a way that was undetected.”

The scope of the damage has not been made public yet, and likely will take time to determine. Banks use redundancy systems and backups to ensure that data that’s altered for any reason can be restored.

FBI spokesman Joshua Campbell wouldn’t confirm whether bank records had been accessed or altered, saying that the FBI and Secret Service are attempting “to determine the scope” of attacks against “several American financial institutions.”

“Combating cyberthreats and criminals remains a top priority for the United States Government, and we are constantly working with American companies to fight cyber attacks,” he said in a prepared statement.

JPMorgan did not respond to a request for comment on the possibility that the hackers altered or deleted bank records. Yesterday, JPMorgan spokeswoman Trish Wexler told CNET, “We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”

Read More

Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.

Although it was tested only on an Android phone, the team believes that the method could be used across all three operating systems because all three share a similar feature: all apps can access a mobile device’s shared memory.

“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an associate professor at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

To demonstrate the method of attack, first a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process, which doesn’t require any special privileges.

The researchers then monitor the changes in this shared memory and are able to correlate changes to various activities — such as logging into Gmail, H&R Block, or taking a picture of a cheque to deposit it online via Chase Bank — the three apps that were most vulnerable to the attack, with a success rate of 82 to 92 percent. Using a few other side channels, the team was able to accurately track what a user was doing in real-time.

In order to pull off a successful attack, two things need to happen: first, the attack needs to take place at the exact moment that the user is performing the action. Second, the attack needs to be conducted in such a way that the user is unaware of it. The team managed to pull this off by carefully timing the attacks.

“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. “It’s seamless because we have this timing.”

Of the seven apps tested, Amazon was the hardest to crack, with a 48 percent success rate. This is because the app allows one activity to transition to another activity, making it harder to guess what the user will do next.


Read More

Russian Hackers Steal 1.2B Passwords

Russian hackers have stolen 1.2 billion user names and passwords in a series of Internet heists affecting 420,000 websites, according to a report published Tuesday.

The thievery was described in a New York Times story based on the findings of Hold Security, a Milwaukee firm that has a history of uncovering online security breaches.

Hold Security didn’t immediately respond to inquiries from The Associated Press.

The identities of the websites that were broken into weren’t identified by the Times, which cited nondisclosure agreements that required Hold Security to keep some information confidential.

The reported break-ins are the latest incidents to raise doubts about the security measures that both big and small companies use to protect people’s information online.

Security experts believe hackers will continue breaking into computer networks unless companies become more vigilant.

“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” Avivah Litan, a security analyst at the research firm Gartner told the Times.

Retailer Target Corp. is still struggling to win back its shoppers’ trust after hackers believed to be attacking from Eastern Europe stole 40 million credit card numbers and 70 million addresses, phone numbers and other personal information last winter.

Alex Holden, the founder and chief information security officer of Hold Security, told the Times that most of the sites hit by the Russian hackers are still vulnerable to further break-ins. Besides filching 1.2 billion online passwords, the hackers also have amassed 500 million email addresses that could help them engineer other crimes, according to Hold Security.

So far, little of the information stolen in the wave of attacks appears to have been sold to other online crooks, according to the Times. Instead, the information is being used to send marketing pitches, schemes and other junk messages on social networks such as Twitter, the newspaper said.

The breadth of these break-ins should serve as a chilling reminder of the skullduggery that has been going undetected on the Internet for years, said John Prisco, CEO of another security firm, Triumfant.

“This issue reminds me of an iceberg, where 90 percent of it is actually underwater,” Prisco said in an emailed statement. “That’s what is going on here… So many cyber breaches today are not actually reported, oftentimes because companies are losing information and they are not even aware of it.”

View Source

WASHINGTON — Federal agents over the weekend secretly seized control of two computer networks that hackers used to steal millions of dollars from unsuspecting victims. In doing so, the Justice Department disrupted the circulation of two of the world’s most pernicious viruses and turned a 30-year-old Russian computer hacker into a most-wanted fugitive.

The strike, coordinated with the European authorities, was aimed at malware called GameOver Zeus, which is known to steal bank information and send it to overseas hackers, and CryptoLocker, which burrows into computers and encrypts personal data. The hackers then demand a ransom to unlock the files.

“By the time the victims learned that their computers had been infected, it was far too late,” Leslie R. Caldwell, the assistant attorney general in charge of the criminal division, said Monday.

Together, the Justice Department estimates, the two malicious programs have infected between 500,000 and a million computers and cost people more than $100 million in direct and indirect losses.

Authorities had been investigating the two viruses separately, but along the way, they realized that GameOver Zeus was the main vehicle by which CryptoLocker was spread, the Justice Department said.

They also determined that the operations were run by the same man, whom the Justice Department identified as Evgeniy M. Bogachev, of Anapa, Russia. Investigators were hunting for him even before they knew his name. Inside the F.B.I., he has long been one of the government’s most sought-after individual cybercriminals, through his screen name, Lucky12345.

While both pieces of software are distributed through spam emails, they accomplish different things, each highly damaging.

Once inside a computer, GameOver Zeus quietly tracks each keystroke. When the software detects someone logging into a bank account, it records the password. Armed with that information, hackers log in and drain the account. Often they stole more than $1 million from businesses, prosecutors said, with at least one theft exceeding $6 million.

CryptoLocker spreads through emails that look like they are from legitimate businesses, including fake tracking notices from FedEx and U.P.S. Once inside a network, such as a company’s computer system, the virus can spread from one computer to the next. As it spreads, the software locks up computer files behind unbreakable encryption, then demands hundreds of dollars in exchange for the code that unlocks it.

Read More