Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and Sharepoint. If you abuse Microsoft products, it's time once again to start thinking about getting your patches on. Malware or...

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they're frequently disguised as ATM security features -- such as an extra PIN pad...

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number PIN which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don't already have an account at the credit bureau's new myEquifax portal, it m...

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people...

Booter Boss Interviewed in 2014 Pleads Guilty

A 20-year-old Illinois man has pleaded guilty to running multiple DDoS-for-hire services that launched millions of attacks over several years. The plea deal comes almost exactly five years after KrebsOnSecurity interviewed both the admitted felon and his father and urged the latter to take a more...

Crypto Mining Service Coinhive to Call it Quits

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive.com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project...

Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison

A Russian court has handed down lengthy prison terms for two men convicted on treason charges for allegedly sharing information about Russian cybercriminals with U.S. law enforcement officials. The men -- a former Russian cyber intelligence official and an executive at Russian security firm...

Payroll Provider Gives Extortionists a Payday

Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company's customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the...

New Breed of Fuel Pump Skimmer? Not Really

Fraud investigators say they've uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don't hold water. An earlier version of this story...

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government -- along with a number of leading security companies -- recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private...

Bomb Threat Hoaxer Exposed by Hacked Gaming Site

Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites including this one, took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In a...

Patch Tuesday, February 2019 Edition

Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month's patch batch tackles some notable threats to enterprises -- including multiple flaws that...

Email Provider VFEmail Suffers ‘Catastrophic’ Hack

Email provider VFEmail has suffered what the company is calling "catastrophic destruction" at the hands of an as-yet unknown intruder who trashed all of the company's primary and backup data in the United States. The firm's founder says he now fears some 18 years' worth of customer email may be...

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public da...

More Alleged SIM Swappers Face Justice

Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who's built a solid reputation hijacking mobile phone...

Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world's largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy's fix hasn't gone far enough, and that scammer...

250 Webstresser Users to Face Legal Action

More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union's law enforcement agency. In April 2018, investigators in the U.S., U....

Three Charged for Working With Serial Swatter

The U.S. Justice Department has filed criminal charges against three U.S. men accused of swatting, or making hoax reports of bomb threats or murders in a bid to trigger a heavily armed police response to a target's address. Investigators say the men, aged 19 to 23, all carried out the attacks wit...

How the U.S. Govt. Shutdown Harms Security

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move...

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months -- including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year -- were made possible thanks to an authentication...

773M Password ‘Megabreach’ is Years Old

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessl...

“Stole $24 Million But Still Can’t Keep a Friend”

Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged...

Courts Hand Down Hard Jail Time for DDoS

Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out...

Secret Service: Theft Rings Turn to Fuze Cards

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret...

Patch Tuesday, January 2019 Edition

Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few...

Dirt-Cheap, Legit, Windows Software: Pick Two

Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction,...

Apple Phone Phishing Scams Getting Better

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display's Apple's logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then...

Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack

Cloud hosting provider Dataresolution.net is struggling to bring its systems back online after suffering a ransomware infestation on Christmas Eve, KrebsOnSecurity has learned. The company says its systems were hit by the Ryuk ransomware, the same malware strain that crippled printing and deliver...

Happy 9th Birthday, KrebsOnSecurity!

Hard to believe we've gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity.com! This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed the...

Serial Swatter and Stalker Mir Islam Arrested for Allegedly Dumping Body in River

A 22-year-old man convicted of cyberstalking and carrying out numerous bomb threats and swatting attacks -- including a 2013 swatting incident at my home -- was arrested Sunday morning in the Philippines after allegedly helping his best friend dump the body of a housemate into a local river...

Feds Charge Three in Mass Seizure of Attack-for-hire Services

Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different "booter" or "stresser" sites -- attack-for-hire services that helped paying customers launch tens of thousands of digital sieges...

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer IE Web browser that attackers are already using to break into Windows computers. The software giant said it learned about the weakness CVE-2018-8653 after receiving a report from Google...

A Chief Security Concern for Executive Teams

Virtually all companies like to say they take their customers' privacy and security seriously, make it a top priority, blah blah. But you'd be forgiven if you couldn't tell this by studying the executive leadership page of each company's Web site. That's because very few of the world's biggest...

Spammed Bomb Threat Hoax Demands Bitcoin

A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient's building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day. Sources at multiple U.S. based financial institutions reported receiving the...

Scanning for Flaws, Scoring for Security

Is it fair to judge an organization's information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are usin...

Patch Tuesday, December 2018 Edition

Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft's December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and...

How Internet Savvy are Your Leaders?

Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn't pay a bill for some kind of dubious-looking service I'd never heard of. But it wasn't until the past week that it become clear ho...

Bomb Threat Hoaxer, DDos Boss Gets 3 Years

The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service DDoS attacks against Web sites -- including KrebsOnSecurity on multiple occasions -- has been sentenced to three years in a U.K. prison, and faces the...

A Breach, or Just a Forced Password Reset?

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefil...

Jared, Kay Jewelers Parent Fixes Data Leak

The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers. In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receip...

What the Marriott Breach Says About Security

We don't yet know the root causes that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause ...

Marriott: Data on 500 Million Guests Stolen in 4-Year Breach

Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years. Marriott said the breach involved unauthorized access to a...

Half of all Phishing Sites Now Have the Padlock

Maybe you were once advised to "look for the padlock" as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address...

How to Shop Online Like a Security Pro

'Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here's a quick refresher course on how to make it through the next few weeks without getting snookered...

USPS Site Exposed Data on 60 Million Users

U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf. Image: USPS.com KrebsOnSecurity was contacted last week by a researcher who...

Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison

A California man who pleaded guilty Tuesday to causing dozens of swatting attacks -- including a deadly incident in Kansas last year -- now faces 20 or more years in prison. Tyler Raj Barriss, in an undated selfie. Tyler Barriss, 25, went by the nickname SWAuTistic on Twitter, and reveled in...

Patch Tuesday, November 2018 Edition

Microsoft on Tuesday released 16 software updates to fix more than 60 security holes in various flavors of Windows and other Microsoft products. Adobe also has security patches available for Flash Player, Acrobat and Reader users. As per usual, most of the critical flaws -- those that can be...

That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards

If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card detail...

Bug Bounty Hunter Ran ISP Doxing Service

A Connecticut man who's earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers' personal data, KrebsOnSecurity has learned. In May...

U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service

A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service USPS that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and ma...