Microsoft Word Intruder Revealed – inside a malware construction kit

What happens when cybercrooks take a leaf out of the Advanced Persistent Threatsters' book? Gabor Szappanos of SophosLabs investigates...

WHSmith contact form spams out personal customer data

Users of UK newsagent chain WHSmith's online services have reported large amounts of email arriving in their inboxes, containing personal contact data on other users.

WHSmith contact form spams out personal customer data

Users of UK newsagent chain WHSmith's online services have reported large amounts of email arriving in their inboxes, containing personal contact data on other users.

Uber hires the guys who hacked a Jeep to develop safer driverless cars

Charlie Miller and Chris Valasek, security researchers who caused huge headaches for Fiat Chrysler when they showed the world how to remotely hack a Jeep, have hacked their way into new jobs with Uber.

Sneaky adware caught accessing users’ Mac Keychain without permission

Last month, Ars chronicled a Mac app that brazenly exploited a then unpatched OS X vulnerability so the app could install itself without requiring people to enter system passwords. Now, researchers have found the same highly questionable installer is accessing people's Mac keychain without permission.

The adware taking these liberties is distributed by Israel-based Genieo Innovation, a company that's long been known to push adware and other unwanted apps. According to researchers at Malwarebytes, the Genieo installer automatically accesses a list of Safari extensions that, for reasons that aren't entirely clear, is stashed inside the Mac Keychain alongside passwords for iCloud, Gmail, and other important accounts.

Genieo acquires this access by very briefly displaying a message asking for permission to open the Safari extensions and then automatically clicking the accompanying OK button before a user has time to respond or possibly even notice what's taking place. With that, Genieo installs an extension known as Leperdvil. The following three-second video captures the entire thing:

Read 5 remaining paragraphs | Comments

Lizard Squad launches DDoS against UK law enforcement agency

The website of the UK's National Crime Agency was briefly affected by a distributed denial of service (DDoS) attack today, just a few days after the agency announced the arrest of six teenagers for using a paid DDoS service. Lizard Squad, the group behind the attack service, is claiming responsibility on Twitter—and turning it into an advertisement for the service's next version.

The attack took the NCA website offline for over two hours this morning, according to SkyNews. At 9:00am BST, someone with access to the Lizard Squad Twitter account posted:

The NCA announced that it had arrested users of Lizard Stresser, the Lizard Squad Web-based DDoS tool, on August 28 and noted that it was continuing to contact about 50 individuals in the UK who had signed up for the service but had not mounted attacks with it. The six teenagers were charged with attacking gaming, retail, and media sites—apparently including Microsoft's Xbox Live and Sony's Playstation network. All six were released on bail after the arrests.

Read 1 remaining paragraphs | Comments

Secret Service agent pleads guilty to stealing Silk Road bitcoins

If you can't trust law enforcement, who can you trust? Shaun Bridges, formerly part of the Baltimore Silk Road task force, has become the second agent to plead guilty to serious charges associated with his time investigating the shady online drug market.

National Crime Agency website DDoSed by Lizard Squad

NCA busts a bunch of blokes who allegedly used Lizard Squad's DDoS service. Guess what happens next?

[webapps] – Edimax BR6228nS/BR6228nC – Multiple Vulnerabilities

Edimax BR6228nS/BR6228nC - Multiple Vulnerabilities

[webapps] – Bedita 3.5.1 – XSS Vulnerabilities

Bedita 3.5.1 - XSS Vulnerabilities

Six UK teens arrested for being “customers” of Lizard Squad’s DDoS service

On August 28, the United Kingdom’s National Crime Agency announced the arrest of six teenagers, ranging in age from 15 to 18, for launching distributed denial of service attacks against multiple websites. The attacks were carried out using an attack tool created by Lizard Squad, the group behind denial of service attacks on gaming networks and the 8Chan imageboard site last winter. Called Lizard Stresser, the tool exploited compromised home routers, using them as a robot army against targeted sites and services.

The six arrested “are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous,” an NCA spokesperson wrote in an official statement on the case. “Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies, and a number of online retailers.” Those sites, according to a source that spoke with Bloomberg Business, included Microsoft’s Xbox Live, Sony’s Playstation network, and

The timing of the attacks wasn’t mentioned by NCA. However, the user database of Lizard Stresser was leaked in January of this year. The NCA has been investigating individuals listed in the database and has identified a substantial number of them living in the UK. “Officers are also visiting approximately 50 addresses linked to individuals registered on the Lizard Stresser website, but who are not currently believed to have carried out attacks,” the NCA spokesperson noted. “A third of the individuals identified are under the age of 20, and the activity forms part of the NCA’s wider work to address younger people at risk of entering into serious forms of cyber crime.”

Read 3 remaining paragraphs | Comments

This email scam targeting businesses is a billion-dollar problem, FBI warns

The FBI issued a warning last week about email scams that have cost businesses $1.2 billion in fraudulent wire transfers since 2013. "Nigerian Prince" scams these are not...

Hack Brief: Malware Hits 225,000 (Jailbroken, Mostly Chinese) iPhones

Hack Brief: Malware Hits 225,000 (Jailbroken, Mostly Chinese) iPhones

The KeyRaider attack represents "the largest known Apple account theft caused by malware."

The post Hack Brief: Malware Hits 225,000 (Jailbroken, Mostly Chinese) iPhones appeared first on WIRED.

Malware infecting jailbroken iPhones stole 225,000 Apple account logins

A newly discovered malware family that preys on jailbroken iPhones has collected login credentials for more than 225,000 Apple accounts, making it one of the largest Apple account compromises to be caused by malware.

KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository of Cydia, which markets itself as an alternative to Apple's official App Store. Malicious code surreptitiously included with Cydia apps is creating problems for people in China and at least 17 other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account data for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom and made unauthorized charges against some victims' accounts.

Researchers with Palo Alto Networks worked with members of the Chinese iPhone community Weiphone after members found the unauthorized charges. In a blog post published Sunday, the Palo Alto Networks researchers wrote:

Read 2 remaining paragraphs | Comments

China and Russia cross-referencing OPM data, other hacks to out US spies

The identities of a group of American technical experts who have provided assistance to covert operations by the US government overseas have been compromised as the result of cross-referencing of data from the Office of Personnel Management (OPM) and other recent data breaches, according a Los Angeles Times report. The Times' Brian Bennet and W. J. Hennigan cited allegations from two US officials speaking under the condition of anonymity that Chinese and Russian intelligence agencies have worked with both private software companies and criminal hacking rings to obtain and analyze data.

William Evanina, the Office of the Director of National Intelligence's National Counterintelligence Executive, confirmed in an interview with the LA Times that data from breaches had "absolutely" been used to unmask US covert agents. Performing data analytics on breach data could tell foreign intelligence agencies "who is an intelligence officer, who travels where, when, who's got financial difficulties, who's got medical issues" and help create a "common picture" of US intelligence operations, he said.

According to the report, the OPM hack and other major data breaches were being merged and analyzed by China in an effort to both ferret out US covert operations—to provide background information for targeted cyber-attacks—and to provide intelligence on individuals who could be targeted for blackmail. And Russia's Federal Security Service (FSB) is also using recent data breaches and ties to cybercriminals to target US government employees for cyber-attacks, the unnamed officials claimed.

Read 3 remaining paragraphs | Comments

What us worry? Ashley Madison says it added over 100K users last week

Executives at Ashley Madison may have lost their founder and CEO after suffering a breach that leaked highly personal details for more than 30 million users, but they want to make one thing clear: business fundamentals are strong, and the service for people seeking discreet encounters won't go gentle into that good night.

"Recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated," the remaining executives wrote in a statement issued early Monday morning. "The company continues its day-to-day operations even as it deals with the theft of its private data by criminal hackers. Despite having our business and customers attacked, we are growing." The statement went on to say that the company acquired "hundreds of thousands of new users"—including 87,596 women—although Ars has no way of confirming any of the numbers provided.

Monday's statement also challenged media reports claiming that an infinitesimal percentage of Ashley Madison users were real women and that the rest were either men or bogus female accounts manufactured by Ashley Madison employees in an attempt to lure men. Women sent in excess of 2.8 million messages on the Ashley Madison platform last week alone, company executives said, even as the company provided no details on how many messages were sent from male accounts and made no assurances that the female messages weren't generated by automated scripts.

Read 2 remaining paragraphs | Comments

White House eyes sanctions for China over cyber-theft of trade secrets

The Washington Post’s Ellen Nakashima reports that under the direction of the Obama administration, US government officials are planning “a package of unprecedented economic sanctions against Chinese companies and individuals” who have profited from trade secrets stolen from US companies by Chinese government-sponsored hackers.

The talk of sanctions comes just weeks before the arrival of Chinese president Xi Jinping for a state visit, and it may just be talk—a final call on whether to impose sanctions will likely be made within the next two weeks, according to the Post’s unnamed administration sources. While the Justice Department announced indictments against members of China’s People’s Liberation Army for the electronic theft of trade secrets last year, the indictments were largely symbolic. The sanctions under discussion would likely include the seizure of economic assets of Chinese companies making use of what officials allege to be data stolen from US companies—and elevate tensions with China further as the governments continue to face off over other economic and military issues.

The sanctions will not, apparently, include action over the theft of US government employee data from the Office of Personnel Management. The administration’s concern is greater over economic espionage, including the theft of “everything from nuclear power plant designs to search engine source code,” Nakashima reported. The Federal Bureau of Investigations reported last month that the number of economic espionage cases being investigated had jumped by 53 percent in the last year—and most of that growth was attributed to China’s aggressive use of computer and network espionage against US companies.

Read 2 remaining paragraphs | Comments

[webapps] – PhpWiki 1.5.4 – Multiple Vulnerabilities

PhpWiki 1.5.4 - Multiple Vulnerabilities

[dos] – Viber 4.2.0 – Non-Printable Characters Handling Denial of Service Vulnerability

Viber 4.2.0 - Non-Printable Characters Handling Denial of Service Vulnerability

[papers] – How to HeapSpray and Exploit Memory Corruption in IIS6

How to HeapSpray and Exploit Memory Corruption in IIS6

[webapps] – Cyberoam Firewall CR500iNG-XP – 10.6.2 MR-1 – Blind SQL Injection Vulnerability

Cyberoam Firewall CR500iNG-XP - 10.6.2 MR-1 - Blind SQL Injection Vulnerability

[webapps] – Samsung SyncThruWeb – SMB Hash Disclosure

Samsung SyncThruWeb - SMB Hash Disclosure

[remote] – MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit

MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit

PayPal patches potential payment-stealing vulnerability

An XSS hole could apparently have allowed a crook to pop up a realistic PayPal "pay page" and steal the victim's card data. Paul Ducklin takes a look...

Uber hires researchers who hacked Chrysler Uconnect

Less than a month after their command performances at the Black Hat and Def Con security conferences in Las Vegas, security researchers Charlie Miller (late of Twitter) and Chris Valasek (formerly of the security firm IOActive) have been poached by Uber—which ironically had security flaws in its own in-car technology exposed by University of California-San Diego researchers this month as well. According to a report from Reuters, Uber will announce the hiring of Miller and Valasek on Monday.

Miller and Valasek's research on Fiat Chrysler's Uconnect system exposed vulnerabilities in the design of the system that allowed them to take remote control of many of the systems of a targeted vehicle—as they demonstrated by shutting down the throttle of a 2014 Jeep Cherokee while it was being driven on an interstate by Wired reporter Andy Greenberg. The research, coordinated with Fiat Chrysler, led to the distribution of a fix by Chrysler and blocking of vulnerable ports by Sprint, the mobile carrier providing the network for Uconnect. But the attention garnered by the video led to Chrysler announcing a recall of 1.4 million vehicles to accelerate the installation of the software patches.

Uber announced grants to the University of Arizona to fund autonomous vehicle technology earlier this week. The hiring of Miller and Valasek is likely part of an effort to ensure that Uber's autonomous vehicle development work remains secure and may be partially prompted by the findings of the UCSD researchers Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage. The group presented research at the Usenix Security conference two weeks ago that showed a telematics device used by Uber and some auto insurers could be compromised to take remote control of systems in a similar fashion to Miller and Valasek's hack of the Jeep.

Read 1 remaining paragraphs | Comments

Uber Hires the Hackers Who Wirelessly Hijacked a Jeep

Uber Hires the Hackers Who Wirelessly Hijacked a Jeep

The two researchers will apparently be working on securing Uber's self-driving car of the future.

The post Uber Hires the Hackers Who Wirelessly Hijacked a Jeep appeared first on WIRED.

National Crime Agency snares teens who used Lizard Squad DDoS tool

The NCA says it wants to reform the teens caught up in its operation targeting users of LizardStresser, an online tool for attacking websites. Is a stern talking-to enough? Or should they face jail time?

Domain hijacking spear-phisher foiled by the last line of defense—paranoia

As the old joke goes, "Just because you're paranoid doesn't mean that everybody isn't out to get you." Based on the contents of my e-mail inbox lately, I can confirm that my paranoia is well-founded.

Yesterday, I got an e-mail telling me that the domain name server information of my vanity domain had been changed. It purported to be a message from GoDaddy and had enough information to be almost legitimate—I had just regained the domain after another hosting company had neglected to auto-renew it a year ago, and at one point I had put in a domain backorder with GoDaddy to ensure that I could jump on it when the spam Japanese medical device WordPress blog was done sucking all the search engine optimization mojo out of it.

I had changed the DNS server information about two weeks ago, so the alert that it had been changed again made me nervous. I recognized the text in the link in the e-mail as being the URL for GoDaddy's customer login page. However, there were signs that this was not legitimate:

Read 8 remaining paragraphs | Comments

Fake EFF site serving espionage malware was likely active for 3+ weeks

A spear-phishing campaign some researchers say is linked to the Russian government masqueraded as the Electronic Frontier Foundation in an attempt to infect targets with malware that collects passwords and other sensitive data.

The targeted e-mails, which link to the fraudulent domain, appear to be part of a larger campaign known as Pawn Storm. Last October, researchers at security firm Trend Micro brought the campaign to light and said it was targeting a US military, embassy, and defense contractor personnel, dissidents of the Russian government, and international media organizations. Last month, Trend Micro said the espionage malware campaign entered a new phase by exploiting what then was a zero-day vulnerability in Oracle's widely used Java browser plugin. Separate security firm FireEye has said the group behind the attacks has ties to Russia's government and has been active since at least 2007.

EFF staff technologist Cooper Quintin wrote in a blog post published Thursday that the round of attacks involving the site may have the ability to infect Macs and Linux machines, as well as the normal Windows fare. On Windows, the campaign downloads a payload known as Sednit that ultimately installs a keylogger and other malicious modules. Its use of the same path names, Java payloads, and Java exploits found in last month's campaign mean it's almost certainly the work of the same Pawn Storm actors that struck last month. Quintin wrote:

The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case When visited, the URL will redirect the user to another unique URL in the form of{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts). The attacker, now able to run any code on the user's machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer.

Quintin said he suspects has been serving malware since August 4, when the domain address was registered. The site had been reported for abuse, but as of Thursday it was still actively exploiting the Java vulnerability. On Friday morning, it was redirecting users to the authentic EFF page.

The attack is a potent reminder of the importance of installing security updates promptly. Oracle patched the critical Java vulnerability a few days after Trend Micro reported the July zero-day attacks. Then again, Ars has long advised people to assess if they truly required Java and other browser plugins and if not to consider uninstalling them.

Ashley Madison CEO Resigns in Wake of Hack, News of Affairs

Ashley Madison CEO Resigns in Wake of Hack, News of Affairs

Ashley Madison CEO steps down after emails leaked by hackers expose that he engaged in affairs.

The post Ashley Madison CEO Resigns in Wake of Hack, News of Affairs appeared first on WIRED.

CEO of Ashley Madison parent company quits

The CEO of Ashley Madison's parent company has left for unexplained reasons, less than a week after gigabytes' worth of his private e-mail were published online by hackers who rooted the company's network.

Avid Life Media CEO Noel Biderman's decision to step down was in mutual agreement with remaining company executives, Vice President Andrew S. Ricci said in a brief statement. The departure comes as some of the leaked e-mails raised ethical questions about the company's business practices and about Biderman's personal conduct. Ashley Madison's tag line was: "Life is short. Have an affair."

"This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees," Ricci wrote. "We are steadfast in our commitment to our customer base."

Trouble began for Biderman last month when Ashley Madison employees turned on their computers and were greeted with a message, accompanied by the AC/DC song Thunderstruck, informing them that the company's entire network had been compromised. The hackers demanded Avid Life Media immediately and permanently suspend the Ashley Madison website, which helps married people find clandestine affairs, or face the release of all user and executive data. A month later, after Avid Life Media declined to go along with the demands, the attackers made good on the threat.

Since then, the hack has proved to be a public relations disaster for the dating website for cheaters. With promises of discretion, the breach has raised serious questions about the company's security hygiene and practices. What's more, social media posts have reported what appear to be several damaging revelations found in the dump, including e-mails suggesting Avid Life Media employees tried to lure men by creating huge numbers of fake profiles to inflate the number of accounts registered to female users.

The full text of the statement reads:


Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc. (ALM) and is no longer with the company. Until the appointment of a new CEO, the company will be led by the existing senior management team.

This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to our customer base.

We are actively adjusting to the attack on our business and members’ privacy by criminals. We will continue to provide access to our unique platforms for our worldwide members.

We are actively cooperating with international law enforcement in an effort to bring those responsible for the theft of proprietary member and business information to justice.


Please direct all media inquiries to:

Andrew S. Ricci
Vice President

Dark Web market Agora suspends operations due to Tor vulnerability

The temporary move is meant to forestall potential attacks that could expose server IP addresses.

[webapps] – Pluck CMS 4.7.3 – Multiple Vulnerabilities

Pluck CMS 4.7.3 - Multiple Vulnerabilities

[dos] – freeSSHd 1.3.1 – Denial of Service Vulnerability

freeSSHd 1.3.1 - Denial of Service Vulnerability

[dos] – Photo Transfer (2) 1.0 iOS – Denial of Service Vulnerability

Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability