200,000 Comcast Customers Hacked

Comcast recently announced that 200,000 customers will have to change their passwords. It found that 590,000 Comcast accounts were being sold online for $1000, but says that only 200,000 of those accounts are active. Comcast denies that it was hacked and said that the affected users probably downloaded viruses or were phished, and that their accounts were obtained that way.

“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted, but the vast majority of information out there was invalid,” a company spokesperson said, according to the Washington Post.

The chief technology officer for Intel Security says that data breaches have been so common lately that it's not surprising to see so much customer information for sale. Intel Security regularly monitors the dark web and sees information like this for sale all the time.

Sam Chelini

article: http://time.com/4105920/comcast-customer-information/

XcodeGhost Malware

Recently, thousands of apps on the Apple App Store were found to contain malware. They were infected by a program called XcodeGhost. XcodeGhost is iOS malware hidden in a modified version of Xcode, Apple's IDE for iOS and OS X apps. The malware could be controlled from command and control servers, and it could steal Apple IDs and passwords and control the infected apps.

The infected apps are mostly Chinese because developers in China cannot download the official version of Xcode from Apple due to internet restrictions. XcodeGhost is hosted in China, and developers are more likely to download it because it is much faster than downloading the official Xcode from Apple servers hosted in the US.

“Since the initial reports, possibly thousands more iOS apps have been identified as infected; iOS hackers Pangu Team said it found more than 3,400, while Appthority found 476 apps and Qihoo 360 listed another 350.” One of China's most popular search engines, Baidu, was infected and might have infected a ton of people.

Sam Chelini

CareerBuilder Phishing Attacks

Once again, another popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you picture some clueless individual who clicked a link in an email and compromised the system, or gave away important information to a phony account and cost their business millions of dollars. The blame isn't as easily directed at particular individuals this time around.

For anyone who has never heard of careerbuilder.com, it is a popular job search website. Companies post job advertisements for open positions, and users browse these postings by area or category and apply. Generally you can apply right from the website by uploading your resume as a Word document. Whenever a job seeker uploads a resume to a job posting, CareerBuilder notifies the company of the uploaded document.

The people behind these attacks simply title the document something like “resume.doc” or “cv.doc”, and employers open it as if it were just another typical resume. The employees download these attachments, which on the surface appear to be just another applicant, but the files then exploit a memory corruption vulnerability in Word's RTF handling. This causes the infected machine to download a payload, which downloads a .zip file containing an image file, which in turn drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files, since they are expected to be nothing more than that. This is a dangerous piece of malware working its way into organizations that are seeking new employees. Although this method requires much more work from the attackers, who have to find job postings and manually apply to them with their documents, the benefit is that the majority of their attempts are very likely to succeed. Typically, these kinds of phishing attacks are attempted with fake email accounts trying to fool people and are much less likely to work.

Researchers from a firm known as Proofpoint uncovered the information behind these malware attacks, stating that the malicious documents were created with a program called Microsoft Word Intruder (MWI), a FireEye tool that was created in April of this year. This tool is sold on underground forums, serves up CVE-weaponized documents, and costs around $2000-$3500 to purchase. Proofpoint also claims that CareerBuilder took swift action against these attacks, but didn't state exactly how. The bigger issue is that these attacks will always be a risk on job search websites and other similar websites that accept file attachments, which give attackers a channel for delivering malware.
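As an added illustration (not from the article, and not Proofpoint's or CareerBuilder's code), here is a small Python screening step that an employer's resume intake could run over uploads like the ones described: it compares each file's declared extension with the container type its first bytes actually announce, and holds RTF content that carries an embedded object. The sample bytes are constructed, and the list of RTF control words treated as worth a second look is my own assumption, not a complete signature for the exploit documents discussed.

```python
import re

# Constructed sample uploads, standing in for what a resume inbox receives.
# The bytes are illustrative stubs, not real documents.
SAMPLES = {
    # Legacy Word binary (OLE2 header), consistent with its .doc name
    "resume.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    # Office Open XML is a zip archive ("PK"), consistent with .docx
    "cv.docx": b"PK\x03\x04" + b"\x00" * 28,
    # RTF content hiding behind a .doc name and carrying an embedded object
    "resume2.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    # Plain RTF named honestly, with no embedded object
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
}

MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"PK\x03\x04": "zip",
    b"{\\rtf": "rtf",
}
EXPECTED = {".doc": {"ole2"}, ".docx": {"zip"}, ".rtf": {"rtf"}}
# Assumed watch-list: control words that introduce embedded OLE objects in RTF
RTF_OBJECT_WORDS = re.compile(rb"\\(objdata|objemb|objupdate|objlink)\b")

def sniff(data):
    """Identify the container from the leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(filename, data):
    """Return the reasons to hold an upload for review (empty list = pass)."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    kind = sniff(data)
    reasons = []
    if kind not in EXPECTED.get(ext, set()):
        reasons.append(f"content is {kind}, not what a {ext} file should contain")
    if kind == "rtf" and RTF_OBJECT_WORDS.search(data):
        reasons.append("RTF carries an embedded OLE object")
    return reasons

def screen_all(samples):
    """Map each upload name to its hold reasons."""
    return {name: triage(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, reasons in screen_all(SAMPLES).items():
        print(name, "HOLD" if reasons else "pass", reasons)
```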

Additional Information:

-Liam Ellis

Dyre Wolf

Dyre Wolf is an ongoing and complex attack that combines multiple types of attacks into one large scam, which has made the attackers millions of dollars from companies. The attack begins with a spear phishing email sent to a company. Contained within the email is an installer for the program Upatre, commonly disguised as a PDF or some other file type. Once installed, the software gives the attacker access to the computer. The attacker then installs Dyre onto the victim's computer, which allows the attacker to modify information whenever he chooses. The attack really ramps up when the victim goes to log into the bank. Dyre allows the attacker to modify the page returned so that it shows a fake phone number and a message telling the user to call the number to resolve the issue. At this point it is up to the attacker to use social engineering to coerce the banking information out of the user. Once this happens, the attacker transfers the money, commonly to an offshore account. Then the attacker runs a DDoS attack against the company to try to throw the company off from what happened and slow the company's ability to figure out who the attacker was.

Some steps to help prevent this include making sure that people know to report anything that seems suspicious, and running mock phishing attacks against your users to train them to look for suspicious emails.

Samuel Mosher

Google Leaks 282,867 Hidden WHOIS Records

Google is taking some flak after a defect in Google Apps accidentally leaked a large number of customers' domain registration WHOIS information. Over 282,000 domains registered through Google Apps for Work since mid-2013 have been exposed, opening up the potential that the affected customers could become targets of spear phishing attacks, or even identity theft. The leak was first discovered by Cisco's Talos Security Intelligence and Research Group on February 19, who quickly notified Google of their findings.

The leak exposes these customers' names, phone numbers, email addresses, and even physical addresses. The alarming part is that the affected customers paid extra for a service that specifically keeps domain registration WHOIS information hidden from public view. Google partnered with a company called eNom to manage domains registered by Google Apps for Work customers, and eNom was tasked with maintaining the hidden WHOIS data. Domain registrants fell victim to this leak when their domains were automatically renewed the following year. eNom's domain renewal system did not recognize that the domain registrant had previously paid for the unlisted WHOIS service, and went ahead and renewed the domains publicly with the previously hidden registrant information, allowing the WHOIS information to be archived in public directories.

After being notified by Cisco Talos of the defect in Google Apps, Google patched it five days later. Strangely, Google waited until March 12th, almost three weeks later, to inform the affected customers that their WHOIS information had been leaked. Cisco Talos, in its public statement on the finding, encouraged affected customers to take the necessary actions to protect themselves from the consequences of their domain registration being leaked. Recommended actions include monitoring their email accounts for suspicious mail that might be highly sophisticated, targeted phishing attempts, as well as monitoring things that might indicate identity theft, such as credit scores or bank statements.
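The failure described above is a renewal path that rebuilds a record without carrying forward a paid add-on. As an added, constructed model (not eNom's or Google's code, and with invented field names and sample data), the Python below shows the failing renewal next to one that preserves every field, plus a publish-time guard that refuses a renewal which would make more of the registrant public than before.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Registration:
    domain: str
    registrant_name: str
    registrant_email: str
    expires: int          # expiry year, kept simple for the example
    whois_privacy: bool   # the paid "hidden WHOIS" add-on

# Constructed sample registration, not a real customer
ACME = Registration("example-customer.test", "Pat Example",
                    "pat@example-customer.test", 2014, whois_privacy=True)

PROXY_NAME = "Privacy Service (proxy)"
PROXY_EMAIL = "proxy@privacy.invalid"

def public_whois(reg):
    """What the public directory is allowed to show for this registration."""
    if reg.whois_privacy:
        return {"domain": reg.domain, "name": PROXY_NAME, "email": PROXY_EMAIL}
    return {"domain": reg.domain, "name": reg.registrant_name,
            "email": reg.registrant_email}

def renew_dropping_addons(reg):
    """Model of the failure: the renewal rebuilds the record from the base
    product only, so the privacy add-on silently resets to False."""
    return Registration(reg.domain, reg.registrant_name, reg.registrant_email,
                        reg.expires + 1, whois_privacy=False)

def renew_preserving_addons(reg):
    """Fixed renewal: copy every field forward and change only the expiry."""
    return replace(reg, expires=reg.expires + 1)

def publish(before, after):
    """Guard run before anything reaches the directory: a renewal must never
    widen what is public. Raises instead of leaking."""
    if before.whois_privacy and not after.whois_privacy:
        raise ValueError(f"{after.domain}: renewal would expose registrant data")
    return public_whois(after)
```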

Jarrod Manwaring