Exploit This

Security News, Exploits, and Vulnerabilities.

Apple Pay: Bridging Online and Big Box Fraud

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

Inside the EquationDrug Espionage Platform

EquationDrug represents the main espionage platform from the Equation Group. It’s been in use for over 10 years, replacing EquationLaser until it was itself replaced itself by the even more sophisticated GrayFish platform.

Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed

Wait, what? Wasn’t the Stuxnet LNK vulnerability CVE-2010-2568, in part reported by Sergey I. Ulasen, patched years ago? Didn’t Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry? Yes, it was, but MS10-046 didn’t… Read Full Article

Microsoft Fixes Stuxnet Bug, Again

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

Spoofing the Boss Turns Thieves a Tidy Profit

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

Until it did.

SMS Trojan bypasses CAPTCHA

Trojan-SMS.AndroidOS.Podec proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system. It can also subscribe users to premium-rate services while bypassing CAPTCHA.

Understanding the operations of a scam

In Sweden, we’re facing a big issue with scammers trying to buy items for sale on various auction websites. Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process.

Point-of-Sale Vendor NEXTEP Probes Breach

NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.

Feds Indict Three in 2011 Epsilon Hack

U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.

Animals in the APT Farm

Over the years we have tracked multiple campaigns by an advanced threat actor we call Animal Farm. The group has targeted a wide range of global organizations.

%d bloggers like this: