Sunday, June 5, 2016

Issue 67 - Week of May 30th


1. Myspace passwords leaked in major security breach: Myspace.com is a once-popular social networking website. Last week, Myspace confirmed that the company was hacked in 2013 and that the stolen Myspace username and password combinations have been made available for sale in an online hacker forum. The hacker, nicknamed Peace, who is selling the database of about 360 Million Myspace accounts, is the same hacker who was recently in the news for leaking 167 Million LinkedIn and 65 Million Tumblr accounts. Many users reuse the same password across various sites, and hackers leverage this to break into accounts using stolen passwords.

2. 65 Million passwords from Tumblr data breach being sold: Earlier this month Tumblr revealed that a third party had obtained access to a set of e-mail addresses and passwords dating back to early 2013, before it was acquired by Yahoo. At that time, Tumblr did not reveal the number of affected users, but in reality, the credentials of around 65 Million accounts were leaked in the 2013 Tumblr data breach.

3. Credit Card breach at CiCi’s Pizza: America's CiCi’s Pizza, with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang. Also read - Wendy’s data breach.

4. TeamViewer users are being hacked in bulk: According to recent reports on Reddit and Twitter, the popular TeamViewer software that is used to remotely control PCs appears to have been hacked. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. TeamViewer denies being hacked and blames users, saying the cause is password reuse, and has introduced two new security measures: Trusted Devices and Data Integrity. The Trusted Devices feature lets you approve a new device as trusted before it can access an existing TeamViewer account for the first time. The Data Integrity feature forces a password reset when it detects any unusual behavior in a user's account.

5. GhostShell hacker leaks 36 million user records to protest: The GhostShell hacker is back with a bang, leaking 36 million user records from 110 misconfigured MongoDB servers. The hacker announced the data leak on Twitter and posted a link to a PasteBin URL where he wrote that the leak was aimed at raising awareness "about what happens when you decide not to even add a username and password as root or check for open ports."

6. Zero-Day exploit of Microsoft Windows - $90,000: Researchers have uncovered a zero-day exploit for sale on the Russian underground malware forum exploit.in. It apparently affects all versions of the Microsoft Windows OS, from Windows 2000 all the way up to a fully patched version of Windows 10. It is currently priced at $90k. A zero-day exploit by itself will not be able to compromise a system, but it is the most useful piece in the overall hacking kill chain. Also read - $1M for Apple zero day exploits

7. Indian Govt. curbs smartphone use over hacking, data theft fears: Concern over hacking, data theft and vulnerabilities in communication systems has prompted the government to instruct bureaucrats in all central ministries and departments to use smartphones only as a last resort and in emergency situations to discuss sensitive official work. The officers were sensitized that a smartphone is a far less secure device when it comes to dealing with official work, due to the risk of embedded malware or spyware that may be downloaded along with certain applications, and that these instruments are best avoided when discussing classified information.

8. Over 10,000 WordPress sites vulnerable to exploit: Security researchers have warned that over 10,000 websites powered by the WordPress content management system (CMS) are at risk of exploit due to a plugin containing a zero-day flaw. The source of the issue is the WP Mobile Detector plugin. The zero-day can compromise a website and act as a backdoor to the CMS simply by sending a HEAD request with the backdoor URL. Developers have now patched the plugin, and users of this plugin are advised to update their software.

9. Long arm of law catches up - hackers who stole money put behind bars: Russian authorities have arrested a gang of 50 hackers suspected of stealing more than $25 Million from banks and other financial institutions in the country since 2011. The same criminal gang had also tried to steal by issuing false payment instructions, but those were blocked. The group allegedly used a Trojan called "Lurk" to set up a network of bots on infected computers to carry out the attacks. Lurk is a "file-less" Trojan that runs in RAM and has mostly been used for collecting banking credentials, especially for banks in Eastern Europe and the Russian Federation.


10. FBI alerts to rise in extortion email schemes: The FBI has issued an announcement alerting citizens to a rise in extortion email schemes related to recent high-profile data thefts, stating that the message is sent as soon as a breach of an individual’s data is reported. The agency says its Internet Crime Complaint Center (IC3) is receiving complaints about emails which threaten release of personal information unless a ransom is paid within a given deadline. The amount demanded ranges from 2 to 5 bitcoins, to be sent to a given address.
