Reported Paris Hilton hacker cops to new intrusions targeting police

A Massachusetts man who reportedly illegally accessed the cell phone of socialite Paris Hilton 10 years ago has agreed to serve four years in federal prison for a more recent hacking spree that targeted computer networks around the country, including those belonging to law enforcement organizations that stored sensitive data and communications.

Cameron Lacroix, 25, of New Bedford, Massachusetts, submitted a written agreement to plead guilty to two counts of computer intrusion and one count of access device fraud, documents filed in Boston federal court alleged. Over a two-year span beginning in May 2011, the man pursued a hacking spree that targeted a multitude of groups, prosecutors said. One of the hacked networks belonged to a local Massachusetts police department and exposed an e-mail account belonging to the unidentified department's chief of police. Lacroix is also accused of repeatedly penetrating the defenses of other law enforcement computer servers containing sensitive information, including police reports, intelligence reports, arrest warrants, and sex offender information.

Another prong of his alleged two-year hacking spree was the Bristol Community College. Prosecutors said Lacroix breached the college's servers on multiple occasions from September 2012 to December 2013 so he could change his grades and those of two other students. Lacroix allegedly used stolen login credentials belonging to three instructors to gain illegal access. The man is also accused of obtaining and possessing payment card data for more than 14,000 unique account holders. As part of the plea agreement, Lacroix is expected to be sentenced to four years in prison to be followed by three years of supervised release.

Read 1 remaining paragraphs | Comments

Bugs in widely used WordPress plug-in leave sites vulnerable to hijacking

Security researchers have discovered vulnerabilities in a widely used WordPress extension that leaves sites susceptible to remote hijacking.

WordPress-powered sites that use the All in One SEO Pack should promptly install an update that fixes the privilege escalation vulnerabilities, Marc-Alexandre Montpas, a researcher with security firm Sucuri wrote in a blog post published Saturday. Administrators can upgrade by logging in to the admin panel, selecting plug-ins, and choosing the All in One title. The just-released version that fixes the vulnerabilities is 2.1.6.

The worst of the attacks made possible by the bugs can allow attackers to inject malicious code into the admin control panel, Montpas warned. Malicious hackers could then change an admin's password or insert backdoor code into the underlying websites. People could also remotely tamper with a site's search engine optimization settings. To exploit the bugs, attackers need only an unprivileged account on the site, such as one for posting reader comments. In some cases, the privilege escalation and cross-site scripting bugs in All in One SEO are combined with another vulnerability that Montpas didn't elaborate on.

Read 2 remaining paragraphs | Comments

Energy Bill Spam Campaign Serves Up New Crypto Malware

Everyone hates getting bills, and with each new one it seems like the amount due just keeps getting higher and higher. However, Symantec recently discovered an energy bill currently being emailed to people that will hit more than just your bank account.

A recent spam campaign sending out emails masquerading as an Australian energy company is serving up the Cryptolocker malware…or at least that’s what the spammers want you to think. Once users become infected, they are told they are infected with Cryptolocker (Trojan.Cryptolocker) however, upon further research, Symantec discovered that the malware is not related to the original Cryptolocker virus and is merely a copycat attempting to cash in on the hype and infamy of Cryptolocker.

Energy bill gives users a shock
This particular spam campaign requires a lot of work from the victim to work but once it does, the user’s files will be encrypted and all the spammers have to do is wait for their ransom payment.

To infect users with the crypto malware, the spammers use a fake bill to lure recipients to a malicious website; however, the malware is not hosted here and it is just an evasive manoeuvre to evade any link-following technologies.

The email appears to be a legitimate electronic bill from an Australian energy company, complete with a balance outstanding. The recipient just has to click a link to view their bill.

Ebill Crypto 1.png

Figure 1. Energy bill spam email

Once the link is clicked the user is directed to a website that appears to be a CAPTCHA entry page, but the numbers never change. Once the user enters the fake CAPTCHA and hits submit, they are directed to the next page, which contains a link to download the energy bill.

Ebill Crypto 2.png

Figure 2. Fake CAPTCHA page

Ebill Crypto 3.png

Figure 3. Download page

Clicking on the download link will save a zip file to the user’s computer. The folder contains an executable file disguised with a PDF icon in an effort to trick unsuspecting users into opening it. Opening this malicious file will cause all files on the compromised computer to be encrypted. Following this, a text file opens, informing the user that they have been hacked and that they must send an email to a specific address in order to get their files decrypted.

Ebill Crypto 4.jpg

Figure 4. Text file

Ebill Crypto 5.jpg

Figure 5. Notification of compromise

The malware also checks to see if Outlook or Thunderbird is installed on the compromised computer and, if so, harvests the email addresses in the user’s contact list. The addresses, which are presumably used to further spread the malware, are uploaded to the following remote location:

[https://]royalgourp.org/[REMOVED].php

Protection
Symantec advises users to be cautious of emails that request new or updated personal information. Users should also avoid clicking on links in suspicious messages.

Symantec detects this malware as Trojan.Cryptolocker.F

It’s ‘Game Over’ for Zeus and CryptoLocker

Under Operation Tovar, global law enforcement—in conjunction with the private sector and McAfee—has launched an action to dismantle the Gameover Zeus and CryptoLocker infrastructure. Disrupting the criminal infrastructure by taking control of the domains that form part of the communications network provides a rare window for owners of infected systems to remove the malware and take back control of their digital lives.

If you, or anybody you know, receive a notification from your Internet service provider, then please do not ignore it. Use the removal tool to delete the malware from your system, and ensure you have appropriate protection to prevent future infections.

The removal tool is available at the following URL:

http://www.mcafee.com/stinger

We anticipate the criminal infrastructure of both Gameover Zeus and CryptoLocker will re-establish operations as quickly as they can. Thus you need to take action quickly.

What do Gameover Zeus and CryptoLocker do?

The two are in fact very different. Once Gameover Zeus finds its way onto a victim’s computer, it attempts to steal information from the victim. It has been used successfully by cybercriminals in all manner of attacks. From the theft of online banking credentials, credit card numbers, and even the login credentials for online job boards, the trail of destruction behind Gameover Zeus has netted criminals millions of dollars. For example, in August 2012 alone one estimate suggests that more than 600,000 systems were infected, many of these in Fortune 500 firms.

Gameover Zeus is based on the original Zeus, but works differently in that it decentralizes the control system and creates a peer-based network. The malware injects itself into legitimate Windows processes to maintain persistence, and also hooks system and browser functions to inject “fake” content into a user’s browser to conceal fraudulent activity.

This method is highly effective when the criminal wants to wire out large sums of money from a business account, but needs to conceal the activity for as long as possible until the funds are gone and have posted to the criminal’s account. Variants of Gameover Zeus operate in a peer-to-peer manner, getting their updates and configurations from available hosts on the peer network—making it much more difficult to disrupt. Gameover Zeus also has a function to dynamically update the configuration file that contains the payload usually designed to steal funds from a user’s bank account.

The functionality of Gameover Zeus ranges from simple credential stealing to advanced methods that involve hijacking a victim’s bank account in real time, enabling the criminal to wire out large amounts undetected.

Victims are typically infected via spear phishing campaigns that use various browser- and web-based exploits to deliver the malware onto the target system. The actors behind Gameover Zeus are interested in financial gain; thus they target consumers and businesses with this malware.

CryptoLocker, on the other hand, is not as sneaky, and warns users that unless they hand over a sum of money the malware will encrypt the data on the system. Such ransomware provides only a short window for the user to transfer the funds to the criminals, and failure to do so will result in the files being encrypted and unusable. If your system has files that are encrypted, the Stinger removal tool will not be able to retrieve them.

CryptoLocker encrypts the files on the system and generates a pop-up demanding that the victim pay a ransom to get the private key to decrypt the files. The malware uses public key cryptography algorithms to encrypt the victim’s files. Once the victim’s machine is infected, the key is generated and the private key is sent to the criminal’s server. The malware typically gives the victim 72 hours before the CryptoLocker server is supposed to destroy the private key, making the files unrecoverable and unusable. Victims are also infected via phishing emails and botnets.

Combining global law enforcement, including the National Crime Agency (United Kingdom), the FBI, and Europol, as well as partners in the private sector, this operation will provide a unique opportunity for those who are infected to remove the infections. Victims of these malware need to take advantage of this opportunity because the criminals will attempt to re-establish their communications infrastructure as quickly as they can to continue stealing your data and money.

The post It’s ‘Game Over’ for Zeus and CryptoLocker appeared first on McAfee.