Eddie Bauer the Latest Victim of POS Malware Attack

Outdoor clothing company Eddie Bauer has become the latest victim of a large scale Point of Sale malware attack, leading to the compromise of customer card data over the first six months of this year.

The firm claimed in a press release late yesterday that it is currently notifying an unspecified number of customers about the attack, which took place between 2 January and 17 July this year.

Interestingly, the company said that this POS malware campaign was part of a “sophisticated attack” encompassing a range of hotels, restaurants and retailers.

It emerged this week that a major breach had occurred at Hyatt, Marriott, Starwood and Intercontinental hotels between March and June 2016.

“We have been working closely with the FBI, cybersecurity experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts,” said Eddie Bauer CEO, Mike Egeck.

XSS and SQL Injection Plague Several NMSes

A slew of cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities that affect several network management system (NMS) products has been uncovered.

Security firm Rapid7 has released details on six flaws in products from vendors Spiceworks, Ipswitch, Castle Rock Computing and Opsview, some of which have already been patched, as can be seen in this real-time chart.

“NMSes present a valuable target for an internal attacker; by subverting these systems, attackers can often pull an immense amount of valuable intelligence about the internal infrastructure,” explained Tod Beardsley, principal security research manager at Rapid7, in an email. “The fact that many of these protocols are delivered over SNMP is also very interesting; too often, designers of management software which is intended for internal use don’t consider the insider threat.”

LinkedIn Patches Persistent XSS Flaw in Help Center

LinkedIn quickly addressed a persistent cross-site scripting (XSS) vulnerability found by a researcher earlier this week in the company’s official Help Center website.

Security researcher Rohit Dua discovered that an attacker could have injected malicious code into the “more details” field of the LinkedIn Help Center’s “Start a Discussion” page. Once the attacker published the post containing the XSS payload, the malicious code would get executed every time someone accessed the post, either directly in LinkedIn’s Help Center or by clicking on a link sent by the attacker.

Dua pointed out in an advisory that LinkedIn had filters in place to prevent such attacks, but a loophole he identified allowed attackers to inject malicious code. The expert believes this persistent XSS vulnerability could have been exploited to perform actions on the targeted user’s behalf, and even for an XSS worm designed to spread on LinkedIn’s forums.

Stored XSS vulnerability identified in Jetpack plugin for WordPress

Researchers with Sucuri have identified a critical stored cross-site scripting (XSS) vulnerability in the popular Jetpack plugin for WordPress websites.

The Jetpack plugin opens up a number of features for WordPress site operators, including customization, traffic, mobile, content and performance tools. It currently has more than a million active downloads.

The stored XSS bug puts any affected WordPress website at risk of being completely taken over. The issue was fixed earlier this week with the release of Jetpack 3.7.1 and 3.7.2, but anyone who is still running Jetpack 3.7 or lower is vulnerable.

According to a Sucuri post published on Thursday, an attacker can exploit this vulnerability by entering a specially crafted malicious email address into one of the affected WordPress website’s contact form pages. The post noted that Jetpack’s contact form module is activated by default.

“As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator’s end, allowing them to do whatever they [want] with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.),” the post said.
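The pattern described in that quote, a contact-form field stored and later written into an administrator page without escaping, is shown below next to a hardened version that escapes every field at output time and also refuses non-address input up front. This is an added illustration, not Sucuri's or Jetpack's code; the sample entries and function names are constructed.

```python
import html
import re

# Conservative address pattern: letters, digits and a few punctuation marks only.
# It deliberately rejects some RFC 5322-valid forms (quoted local parts, IP
# literals) because the goal is to keep markup out of a field stored for display.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def is_plausible_email(addr: str) -> bool:
    """Return True only for addresses made of safe characters in a sane shape."""
    return len(addr) <= 254 and _EMAIL_RE.fullmatch(addr) is not None


def accept_submission(sub: dict) -> dict:
    """Input-side check: refuse a contact-form entry whose email is not an address.
    Constructed helper; a real plugin would also report the error to the visitor."""
    if not is_plausible_email(sub["email"]):
        raise ValueError("rejected contact-form submission: email field is not an address")
    return dict(sub)


def render_feedback_row_unsafe(sub: dict) -> str:
    """The weak pattern: stored text interpolated straight into admin HTML."""
    return f"<tr><td>{sub['name']}</td><td>{sub['email']}</td><td>{sub['message']}</td></tr>"


def render_feedback_row(sub: dict) -> str:
    """Hardened rendering: every stored field is HTML-escaped at output time,
    regardless of what the input check did when the entry was stored."""
    cells = (html.escape(sub[k], quote=True) for k in ("name", "email", "message"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed sample entries standing in for stored contact-form feedback.
GOOD = {"name": "Alice", "email": "alice@example.com", "message": "Hello"}
BAD = {"name": "Mallory", "email": '<b title="x">not an address</b>', "message": "hi"}

if __name__ == "__main__":
    print(render_feedback_row_unsafe(BAD))  # markup survives into the admin page
    print(render_feedback_row(BAD))         # markup is rendered as inert text
    try:
        accept_submission(BAD)
    except ValueError as exc:
        print(exc)
```

Output escaping is the control that actually closes the hole; the input check only narrows what gets stored and must not be relied on alone, since other code paths may write to the same table.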

In a Friday email correspondence, Marc-Alexandre Montpas, vulnerability researcher with Sucuri, told SCM that Sucuri has not observed any instances of the stored XSS bug being exploited in the wild. However, he added that attackers may attempt to develop exploits now that the release is out.

According to Montpas, the bug is very easy to exploit.

“As it’s a stored XSS bug, the attacker has to wait for an administrator to visit the plugin’s Feedback section to silently trigger [the] attack payload,” Montpas said. “If this happens, nothing stops the malicious script from taking control of the site, which is extremely dangerous.”

Montpas noted that Jetpack 3.7.1 additionally patches a less dangerous information disclosure bug, so users should upgrade immediately even if they do not use the contact form module.