The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon's Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders' derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.
The popular Pokemon Go was this week's top trending cybercrime target following several incidents including DDoS attacks that disrupted service. DDoS attacks against the U.S. Congress, Philippines Government and WikiLeaks also made news. Data breach announcements include more than 130 stores being impacted by Cici's Pizza's point-of-sale breach, Asiana Airlines having 47,000 documents containing customer information stolen, and 2 million users being impacted by a hack at Ubuntu Forums. On the advisory front, SurfWatch Labs released its Mid-Year 2016 Cyber Trends report, Adobe Flash is back in the news, a Stagefright-like vulnerability is affecting Apple devices, and legitimate remote administration software is being used to spread banking malware. The GOP led the way on the legal side of cybercrime as the party unveiled its official platform, including cyber. Oregon Health & Science University was fined $2.7 million. The Department of Commerce will soon being accepting self-certifications for the EU-U.S. Privacy Shield. The St. Louis Cardinals hacking case wrapped up with a 46-month prison sentence. The alleged operator of Kickass Torrents was also arrested this week. Lastly, Pokemon Go is leading many people to get hurt in strange ways.
Download the Mid-Year 2016 Cyber Trends report from SurfWatch Labs: http://info.surfwatchlabs.com/cyber-threat-trends-report-1h-2016
Several large healthcare databases have been put up for sale on the dark web, and the actor behind the leaks is promising more. Point-of-sale breaches made headlines this week at Hard Rock Hotel & Casino Las Vegas and Noodles & Company. More SWIFT attacks are impacting "dozens of banks." Sports and cybercrime intersected as ransomware hit NASCAR and the SEC was the victim of a Twitter hack. Advisories this week include vulnerabilities in Symantec products that Google's Project Zero called "as bad as it gets," Bart and Cerber ransomware warnings, Marcher and Retefe banking Trojan developments, and a botnet utilizing CCTVs. The legal side saw congressmen urging HHS to examine ransomware, the FTC clarifying what they're looking for during investigations, privacy lawsuits affecting both researchers and the FBI, and new and potential cybersecurity laws in Rhode Island and China. Lastly, a man is using technology to fight parking tickets.
Cybercrime and politics crossed paths yet again as a data breach at the Clinton Foundation was revealed as part of a wide reaching campaign. A massive cryptocurrency theft led to tens of millions of dollars in potential losses for The DAO. Acer is notifying users of a breach at the company's e-commerce site. And banks continue to be targeted with DDoS attacks. A variety of companies are also reporting secondary breaches stemming from the breaches at LinkedIn and others, keeping the issue of password reuse in the spotlight. Researchers highlighted a variety of malware this week including PunkeyPOS, DED Cryptor, RAA ransomware, Magnit and GozNym. The FBI released updated stats on business email compromise scams, and surprise, it's only getting worse. Legal news includes financial institutions filing a lawsuit against Wendy's, Home Depot filing an antitrust lawsuit against Visa and MasterCard over chip-and-signature issues, the SEC warning of a man hacking accounts to make unauthorized trades, and a $950,000 privacy settlement with the FTC. Also, some people are not too happy about a Game of Thrones spoiler service.
This week's trending cybercrime events include Wendy's announcing its point-of-sale breach is significantly larger than previously reported, a breach at the Democratic National Committee and theft of Donald Trump opposition research, and a nearly 8-million strong breach at Japan's top travel agency. The University of Calgary also joined the growing list of organizations that have made sizable ransomware payments, and file sharing service iMesh became the latest company to face a massive breach of user records. Advisories include more dark web dumps, a variety of espionage-related headlines, the apparent demise of the Angler Exploit Kit, and updates on malware, including ransomware targeting smart TVs. Trending legal stories include a hearing on the 6-month-old Cybersecurity Information Sharing Act, a ruling in favor of Net Neutrality, and a $1 million Morgan Stanley fine. Also, the once maligned Healthcare.gov website now ranks among the web's most trustworthy sites.
This week saw more news about password breaches as 427 million Myspace passwords and 65 million Tumblr passwords were put up for sale on the dark web. Scrum.org announced a potential data breach stemming from a vulnerability in third-party email server software. TeamViewer faced a DDoS attack and what the company claims are false accusations that it suffered a data breach. Australia's NSW Trainlink halted its online reservation system due to a compromise. Pakistan's Zameen real estate was hacked and had its entire database allegedly posted online. Trending advisories include warnings of a potential cryptoworm known as ZCrypt, the dormant FrameworkPOS campaign resurfacing, and Kovter malware targeting Fortune 500 companies by escalating from low-level adware to more advanced threats. The FBI also warned of data breach victims being extorted, and there was a vulnerability discovered in the popular WordPress Jetpack plugin. Legal stories include developments in the Anthem, CareFirst and Kroger breach lawsuits as well as warnings from the UK's IOC and the largest ever arrest of Russian hackers. Finally, one apartment complex found a controversial new way to get Facebook likes.
This week's trending cybercrime events include breaches at the NBA's Milwaukee Bucks and the furry site "Fur Affinity," a two-year cyber-espionage campaign against Swiss military contractor Ruag, payment card skimmers found at Walmart, and DDoS-for-hire services found on the online marketplace Fiverr. Researchers discussed several new types of malware including a stealthy new malware dubbed "Furtim," a new variant of Cerber ransomware, and changes to DMA Locker – which is being upgraded for a potential "massive" distribution. On the legal front, the transfer of data between the U.S. and the EU continues to be questioned in court, Wells Fargo was ordered to pay a $1.1 million fine related to employee data theft, another W-2-related breach lawsuit was filed, and various individuals were arrested and cybercriminal groups disrupted. Also, people continue to get in trouble by hacking road signs.
The hacker forum Nulled.io was breached and the sensitive information of its members was made publicly available. SWIFT warned of more attacks against banks at the same time the Anonymous OpIcarus campaign hit more financial sector targets. LinkedIn discovered its 2012 breach was much bigger than previously thought. And a couple of researches upset OkCupid by publishing data on 70,000 of the dating site's users. This week's advisories included more developments in the cat-and-mouse game around the CryptXXX ransomware, an alert on an old SAP vulnerability, an Android banking Trojan and click-fraud botnet, and more PayPal phishing scams. This week also saw a highly anticipated Supreme court ruling on a privacy-related class action lawsuit, the continuation of financial institutions lawsuit against Home Depot, and a new lawsuit around a breach of W-2 information at aircraft maintenance company Haeco. A judge also ruled the FBI did not have disclose a vulnerability in the Firefox browser, and the U.S. saw its first conviction in the hack of newswires that generated $100 million in profit. Also, the LinkedIn breach revealed another round of terrible password habits.
This week's trending cybercrime events included data breaches at Google, Kiddicare, and InvestBank as well as a ransomware infection that led to YahooMail being temporarily banned from the House of Representatives and a series of Anonymous-led DDoS attacks against banks. Researchers discovered several new mobile threats including RuMMS and Viking Horde Botnet malware. Blogger, PerezHilton and CBS-affilitiated websites were hit with malvertising. A new credit card scam was uncovered in Kuala Lumpur. Legal news includes Walmart suing Visa over chip-and-signature practices, the FTC and FCC partnering to investigate mobile security updates, and updated information on several stories including the Wendy's data breach and the signing of the Defend Against Trade Secrets Act of 2016. Lastly, a Lego robot can bypass screen pattern security.
Details on more than 7 million user accounts for Minecraft community Lifeboat were compromised. A German nuclear plant discovered malware on its systems. A ransomware attack hit the Lansing Board of Water and Light. Huge amounts of data were leaked from Canadian gold-mining firm Goldcorp and the Kenya Ministry of Defense. Trending advisories include vulnerabilities in Android, increased extortion and ransomware activity, and massive dumps of user credentials being leaked from several sources. On the legal side, the New York Attorney General announced the state is on pace for a record number of data breach notices this year, a new version of PCI DSS was released, and a hacker claims to have accessed Hillary Clinton's email server. Finally, a 10-year-old boy won a $10,000 bug bounty.