Tor-Based Malware ChewBacca Used to Steal Card Data from POS Systems

ChewBacca malware used to steal payment card data from retailers

BlackPOS and Dexter are not the only pieces of malware used by cybercriminals to steal payment card data from point-of-sale (POS) systems. RSA researchers have found that the recently discovered ChewBacca Trojan is also used for similar operations.

ChewBacca’s existence was first brought to light in December 2013 by Kaspersky researchers. The information-stealing Trojan wasn’t being offered on public forums. It has attracted the attention of security experts because it uses the Tor network to hide its communications.

RSA says that the malware has been used to log track 1 and track 2 data from infected POS systems since October 25.

The company says that the Trojan has been leveraged in attacks against dozens of retailers. Most of them are based in the US, but some of them are in Russia, Canada and Australia.

However, RSA’s Will Gragido has told DarkReading that the malware doesn’t appear to be tied to the Target, Neiman Marcus or Michaels hacks. He has revealed that the individuals behind the ChewBacca campaign are most likely from Ukraine.

ChewBacca is not very sophisticated, yet it can be highly efficient when it comes to stealing payment card information from infected devices.

In order to steal card data, the malware has a memory scanner component that’s designed to target credit card processing systems. The scanner dumps a copy of the process’ memory and analyzes it for magnetic stripe data, which it extracts and logs.

“Retailers have a few choices against these attackers,” said RSA FirstWatch Senior Security Researcher Yotam Gottesman.

“They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.”
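The memory-scanning behaviour described above has a defender-side counterpart: an incident responder can run the same kind of pattern search over a dump of a payment process to verify Gottesman's "not in plaintext view" requirement. The check below is an added example, not code from RSA or from the article; the track 2 layout follows ISO 7813, the Luhn check prunes false positives, and the memory dump is a constructed byte string using public test card numbers.

```python
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# (ISO 7813). Card data in this format in a process dump means the
# encrypt/tokenize-at-capture control is not in place.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([0-9]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: real PANs pass, random digit runs almost never do."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only BIN and last four so the finding itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_track2(dump: bytes) -> list:
    """Return masked findings for every Luhn-valid track 2 record in a dump."""
    hits = []
    for m in TRACK2_RE.finditer(dump):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "exp": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "service": m.group(4).decode(),
        })
    return hits


# Constructed sample dump (not a real capture). Public test PANs only;
# the second record fails Luhn and the third is tokenized, so neither
# should be reported.
SAMPLE_DUMP = (
    b"\x00\x00POS rx: ;4111111111111111=25121010000000000?\x00\x00"
    b"junk \xff\xfe ;4111111111111112=25121010000?\x00"
    b"tokenized: ;TOKEN_8f2c1d=2512101?\x00"
    b";5500000000000004=2606201?\x00"
)

if __name__ == "__main__":
    for hit in find_plaintext_track2(SAMPLE_DUMP):
        print(hit)
```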

GitHub Launches Bug Bounty Program with Rewards of up to $5,000 / €3,700

GitHub launches security bug bounty program

GitHub has launched a security bug bounty program. The code repository is prepared to reward security researchers who find and responsibly disclose vulnerabilities with up to $5,000 (€3,700). The lowest reward is $100 (€73).

“The idea is simple: hackers and security researchers (like you) find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash,” GitHub’s Shawn Davenport explained in a blog post.

It’s worth noting that not all GitHub applications are included in the bug bounty program. However, researchers who find and report security holes in applications that are not part of the program might still receive monetary rewards.

For the time being, the GitHub API, Gist, and the main website, GitHub.com, are included in the bounty program.

Anyone can report vulnerabilities, not just people from the US. Furthermore, even young experts, aged between 13 and 18, can participate. However, those in the US have to submit guardian consent before they can be paid.

Those who send reports are advised to give GitHub up to 24 hours to respond.

There are some other things you should know before trying out your skills on GitHub. You’re not allowed to use automated tools and scanners.

Social engineering and phishing attacks against GitHub employees are also forbidden. The details of the vulnerability must not be disclosed before the issue has been addressed.

Cross-site scripting (XSS) vulnerabilities are accepted. However, they don’t qualify for a reward if they only impact legacy browsers and plugins, or if too much user interaction is needed to trigger them.

Additional details, along with a leaderboard that shows the top contributors, are available on the GitHub Security Bug Bounty website.

Liberty Reserve Founder Fights Extradition to the US

Liberty Reserve founder says the FBI asked him to hand over source code

40-year-old Arthur Budovsky, the founder of the Liberty Reserve virtual currency, is doing everything he can to avoid being extradited to the US. He’s currently in Spain, where he was arrested in November 2013 on US charges.

According to the Associated Press, Budovsky, who has Ukrainian origins, has told a Spanish court that US authorities started going after him in 2011 after he had refused to give the source code for Liberty Reserve to the FBI.

He says he refused to hand over the code because it would have been like giving away the secret formula for Coca Cola. The US allegedly also wants him because he gave up his US citizenship, so he’s considered a “traitor.”

He admits being the creator of Liberty Reserve. However, he claims to have sold his share in the business in 2007 and only worked as a consultant for the company since then.

Budovsky has highlighted that the virtual currency’s purpose was to serve as a secure platform for financial transactions. Liberty Reserve has always collaborated with authorities, he said.

Since he doesn’t face any charges in Spain, the man will be released if the court refuses to extradite him.

CYREN Launches WebSecurity

CYREN launches new cloud-based service

CYREN, until recently known as Commtouch, has launched a new cloud-based Web security service called CYREN WebSecurity.

Powered by CYREN’s GlobalView Cloud infrastructure and the company’s Recurrent Pattern Detection technology, WebSecurity helps organizations secure web browsing from all their devices, including smartphones and tablets. The solution addresses some of the challenges associated with the bring-your-own-device (BYOD) trend.

Software vendors and service providers can use CYREN’s cloud-based secure Web gateway service to offer their customers a secure browsing experience.

“CYREN WebSecurity provides our partners with the speed, accuracy and real-time insight that their end customers demand without the unnecessary burdens of additional capital expense and expert human resources,” CYREN VP of Products Brett Wilson said.

“We see CYREN’s robust cloud infrastructure as a true catalyst for growth – and today’s launch of CYREN Web Security is the latest step in harnessing its full capabilities.”

11 California High School Students Expelled After Hacking Computers to Change Grades

Keylogger similar to the one used by the students

In December 2013, we learned that a dozen students of the Corona del Mar High School in Newport Beach, California, were suspected of changing their grades and obtaining tests after hacking into the school’s computers.

The Newport-Mesa Unified School District Board of Education has decided to expel 11 students.

A 28-year-old private tutor named Timothy Lance Lai is said to have shown the students how to use a keylogger. They connected the device to teachers’ computers in an effort to steal their access passwords.

The school district has decided to expel the students after analyzing the case for hours in a closed session. This is the toughest penalty allowed by the Education Code.

So far, no charges have been filed against Lai and the students, but the police are still looking into the case.

Two More Versions of “Eviction Notification” Malware Emails Spotted

Beware of fake eviction notifications!

As expected, there are more than two versions of the “eviction notification” spam emails that are currently making the rounds.

The third variant spotted by Conrad Longmore of Dynamoo’s Blog carries the subject line “Eviction notification No8423.” Another version comes with the subject line “Notice to quit No8116.” The number and the name of the sender can vary from one email to another.

Except for the subject line and the name of the sender, the emails are similar. They both read something like this:

“Hereby you are notified that you have to move to another location from the currently occupied premises within the next three weeks. Please find the lawsuit details attached to this letter.

If you do not move within this period of time, we will have no other alternative than to have you physically removed from the property per order of the Judge. If we can be of any assistance to you during your relocation, please feel free to contact us any time.”

The file attached to the notifications is a piece of malware. Some antivirus engines detect it as a downloader, while others say it’s a fake antivirus.

Either way, users should be on the lookout for such emails to avoid ending up with an infected computer. If you’re a victim of this attack, update your antivirus and scan your computer.

Repeat the process after a virus definition database update in case the threat wasn’t detected at the time of the scan.

The cybercriminals responsible for sending out these emails keep replacing the malware with new variants to make sure they’re not detected by security solutions.

It appears to be an aggressive campaign, so chances are that you will stumble upon one of these emails in your inbox.

Israel’s National Cyber Bureau Prepares Cyberattack Response Task Force

Israel will create a new task force to assist cyberattack victims

Representatives of Israel’s National Cyber Bureau have revealed the government’s intention to launch a new task force whose goal will be to help consumers and businesses in dealing with cyberattacks.

In an interview with Bloomberg, the head of the National Cyber Bureau, Rami Efrati, has explained that the new cyber emergency response teams will focus on various types of incidents.

Individuals and companies targeted in cyberattacks can file a report and they will be assisted by experts who specialize in certain areas. For instance, if a company from the financial sector is targeted, a professional with knowledge of cyberattacks against this industry will offer assistance.

In addition to providing assistance to victims, the new program will also facilitate sharing of information regarding cyber threats.

The National Cyber Bureau was established two years ago in an effort to coordinate responses to cyberattacks launched against Israel’s critical systems.

Malware Alert: Fax Message from Windsor Telecom Fax2Email

Fake Windsor Telecom faxes carry malware

Emails apparently sent through Windsor Telecom’s Fax2Email service have been spotted landing in inboxes, informing recipients that they’ve received a fax message. In reality, the emails are being sent by cybercriminals as part of a malware distribution campaign.

The emails come from a spoofed address (no-reply@windsor-telecom.co.uk) and they carry the subject line “Fax Message on 08983092722 from.”

“FAX MESSAGE You have received a fax on your fax number: 08983092722 from. The fax is attached to this email. PLEASE DO NOT REPLY BACK TO THIS MESSAGE,” the emails read.

The file that’s attached to them, FAX.MESSAGE.ZIP, contains an executable that’s actually a piece of malware, Dynamoo’s Blog reported.

At the time of writing, 16 of the 51 antivirus engines from VirusTotal detect the file as being malicious or suspicious.

If you’ve already opened the file, regularly scan your computer with an updated antivirus. If you’ve opened it from a work device (which is possible considering that it’s a fake fax email), notify your system administrator.

Remote Code Execution Vulnerability Impacts Wikipedia and Other MediaWiki Sites

Wikipedia vulnerable to remote code execution attacks

Security researchers from Check Point have identified a critical vulnerability affecting websites created on the MediaWiki platform. Several Wiki sites have been impacted, including Wikipedia.org.

According to experts, the security hole could have been exploited for remote code execution. Cybercriminals could have leveraged the flaw to gain complete control of an affected Web server.

MediaWiki installations starting with version 1.8 are affected. It’s worth noting that in order for an attack to succeed, a specific non-default setting must be enabled.

Fortunately, the Wikimedia Foundation rushed to address the issue after being notified. The organization has also sent out an alert to encourage MediaWiki users to update their installations.

If unpatched, the vulnerability can be used to inject malicious code into Wikipedia.org and other Wiki websites that run on the open-source platform MediaWiki.

This could have been highly problematic, considering that Wikipedia has around 94 million unique visitors each month.

“It only takes a single vulnerability on a widely adopted platform for a hacker to infiltrate and wreak widespread damage. The Check Point Vulnerability Research Group focuses on finding these security exposures and deploying the necessary real-time protections to secure the Internet,” explained Dorit Dor, vice president of products at Check Point Software Technologies.

“We’re pleased that the MediaWiki platform is now protected against attacks on this vulnerability, which would have posed great security risk for millions of daily ‘wiki’ site users.”

Check Point notes that this is the third remote code execution vulnerability found on the MediaWiki platform since 2006.

A total of 13 security holes were found in MediaWiki in 2013. The list includes one code execution, six cross-site scripting (XSS), two bypass and three cross-site request forgery (CSRF) vulnerabilities.

Website of Nigeria’s Ministry of Police Affairs Hacked and Defaced

Nigeria’s Ministry of Police Affairs targeted by hackers

The official website of Nigeria’s Ministry of Police Affairs (policeaffairs.gov.ng) has been breached and defaced by hackers of the Nigerian Cyber Army.

The attack took place on Sunday, TechnHackPK reported. The defacement page has been removed, but the website still hasn’t been restored.

The cyberattack has been launched in protest against the country’s government and the police.

“Every offence should have a fair punishment. People have committed greater offences and nothing was done to them. Police officers collecting bribes only confirms how corrupt our society has become,” the hackers said in a message posted on the defaced site.

They added, “It is also a sign of a failed government. If these officers are well remunerated, I don’t see any reason why they would resort to road-side extortion.”

A mirror of the defacement is available on zone-h.org.