339 Million AdultFriendFinder users compromised

Friend Finder Networks, the company that operates Adultfriendfinder.com and cams.com and was affected by a breach of 3.5 million users' information in May 2015, has been breached again.

How many victims? This time 339 million users, including 15 million users whose accounts had been deleted but whose data was still held by the company.

What type of information? Usernames, email addresses, date of the last visit, passwords, last IP address used, browser information, and VIP membership status.

What happened? LeakedSource.com speculates that the breach was carried out using an exploit for a Local File Inclusion vulnerability that was publicly revealed last month. Passwords were stored either unencrypted or hashed with SHA-1, both of which are insecure. 99% of the hashed passwords have already been cracked. The team has decided not to make this particular data set searchable by the general public for now.

What was the response? Friend Finder Networks has not confirmed the breach, but said that the Local File Inclusion vulnerability which was allegedly exploited has been fixed.

Quote: “It goes without saying that systems, software and processes should be regularly reviewed as previously accepted risk levels may no longer suffice.” – David Kennerley, director of threat research at Webroot, to SC Media.


Bluetooth enabled POS Skimmers now in use

Security researcher Brian Krebs has described the operations of a specific skimmer that is Bluetooth enabled. The skimmer fits neatly over the top of an Ingenico ISC250 point of sale terminal. The skimmer has its own battery and can grab data and send it to a mobile device within the Bluetooth coverage area.

This makes it possible for cybercriminals to leave the mobile device running nearby and return for it later, or to store the stolen information in the skimmer and download it later, SC Magazine reports.

Brazilian Cyber criminals using live chat for their phishing schemes

A report by Limor Kessem, a security advisor for IBM, showed how cyber criminals are employing a new tactic of using live chats to extract banking and personal information directly from victims in Brazil.
The report describes how the attack begins with an email containing a link sent to the target victim. The link takes the victim to a fake webpage that emulates the victim’s bank website. The victim is then socially engineered into divulging critical information through a live chat on the fake website.

The criminals can check the information provided since they are online and push an error message to the target if the information provided is not correct.

In the end, the victim is notified that the update was successful but that they should wait 24 hours before logging in to their account. This gives the criminals time for their fraudulent transactions to clear before the user realizes.

Internet Hosting Company OVH suffers DDoS attacks

Over the past week, internet hosting company OVH has suffered a massive DDoS attack with peaks of over 1Tb/s of traffic. This is the biggest DDoS attack known to date.

The founder and CTO of OVH tweeted: “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn,” and “last days, we got lot of huge DDoS. Here, the list of ‘bigger that 100Gbps’ only. You can see the simultaneous DDoS are close to 1Tbps!”.

KrebsOnSecurity also suffered a huge attack of between 620 and 665 Gbps last week.

Over 500 Million Accounts affected in Yahoo Breach

Internet giant Yahoo last Thursday disclosed a major data breach affecting over 500 million user accounts. Yahoo announced that a state-sponsored actor was responsible for the breach which occurred in late 2014.

Information suspected to have been leaked in the breach includes names, email addresses, telephone numbers, birth dates, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers. Yahoo has already invalidated those unencrypted security questions and answers.

Yahoo has said it is taking steps to notify affected users and has advised users who haven’t changed their passwords since 2014 to do so. The company statement also recommended that customers “avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”

Further security concerns with the breach include attackers using leaked information for phishing attacks, sending spam messages from compromised accounts, and other identity theft incidents.

Teenagers arrested for offering Booter Services

vDOS is a distributed denial-of-service (DDoS) kit that is allegedly responsible for most of the DDoS attacks in the past four years. Two teenagers have been arrested in Israel for their alleged link to the selling of the kit. The teenagers, Itay Huri and Yarden Bidani, both 18, were arrested on September 8 by Israeli authorities at the request of the FBI; they are under house arrest and forbidden to use internet-connected devices for 30 days. The service had been running undercover for four years until security researcher Brian Krebs found a hole in another DDoS-for-hire service that enabled access to vDOS’s database, leading to the arrest of the teenagers.

The vDOS service was offered for between $20 and $200 per month, depending on how long the hackers wanted to operate, and payment was preferred through Bitcoin digital currency. The database uncovered by Krebs had tens of thousands of paying customers, and over $600,000 has been netted in the past two years by the operators.

Romanian Hacker bags 52 months Prison term

The hacker Guccifer was sentenced to 52 months in prison for unauthorized access to a protected computer and aggravated identity theft. He will also serve three years of supervised release, give up online storage accounts holding victim information and pay restitution to his victims. Marcel Lehel Lazar, known as Guccifer, was responsible for unlawfully gaining access to private accounts of at least 100 Americans and making their private information public on the internet.

Lazar targeted both public figures and private citizens. In some cases, he impersonated his victims online and in many cases released victims’ private records including emails, medical records, financial information and photographs to the public.

Lazar pleaded guilty to the crime on May 25 and admitted to committing the crime while on probation in Romania for a previous computer hacking crime. He admitted using proxies to hide his location and smashing his computers and cellphone with an ax when he discovered his identity had been uncovered.