::Trend Micro Threat Resource Center::

22 February 2015

Google releases Cloud-based Web App Vulnerability Scanner and Assessment Tool

Google on Thursday released its own free web application vulnerability scanner, which the search engine giant calls Google Cloud Security Scanner, to scan developers' applications on its cloud platform for common security vulnerabilities more effectively.

SCANNER ADDRESSES TWO MAJOR WEB VULNERABILITIES
Google launched the Google Cloud Security Scanner in beta. The new web application vulnerability scanner allows App Engine developers to regularly scan their applications for two common web application vulnerabilities:

  • Cross-Site Scripting (XSS)
  • Mixed Content Scripts

Although several free web application vulnerability scanners and vulnerability assessment tools are available on the market, Google says these website vulnerability scanners are typically hard to set up and "built for security professionals," not for the web application developers who run apps on Google App Engine.

Google Cloud Security Scanner, by contrast, is meant to be easy for web application developers to use. It scans for Cross-Site Scripting (XSS) and mixed content script flaws, which the company argues are the most common security vulnerabilities Google App Engine developers face.

Today's HTML5 and JavaScript-heavy applications are harder to crawl and test, and Google Cloud Security Scanner claims to take a novel approach: it parses the code and then executes a full-page render to reach the more complex areas of a developer's site.

GO FOR WEB VULNERABILITY SCAN NOW
Developers can access the Cloud Security Scanner under Compute > App Engine > Security in Google's Developers Console; from there you can run your first scan. It does not work with App Engine Managed VMs, Google Compute Engine, or other resources.

Google notes that there are two typical approaches to such security scans:

  • Parse the HTML and emulate a browser – This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
  • Use a real browser – This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.
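The first approach above, parsing the markup without a browser, is enough to find one of the two flaw classes the scanner looks for. The following added example (not Google's scanner code) is a static mixed-content check written in Python: given the URL of an HTTPS page and its HTML, it reports every resource referenced over plain http://, separating "active" content (scripts, frames, stylesheets, objects) from "passive" content (images and media). The sample page and its hostnames are constructed for the demonstration; the inline script at the end, which adds a resource at run time, is there to show the coverage gap the text describes, since a static parser cannot see it.

```python
# Added example (not Google's scanner code): a static, "parse the HTML"
# mixed-content check of the kind the first approach above describes.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active mixed content: resources the browser executes or that can rewrite the
# page. Passive mixed content: media that cannot run code but can be swapped.
ACTIVE_TAGS = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),  # only rel="stylesheet" counts; filtered below
}
PASSIVE_TAGS = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class MixedContentParser(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// resource
    referenced from the markup of an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag in ACTIVE_TAGS:
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                return
            severity, names = "active", ACTIVE_TAGS[tag]
        elif tag in PASSIVE_TAGS:
            severity, names = "passive", PASSIVE_TAGS[tag]
        else:
            return
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative ("//cdn/...") URLs inherit the
            # page's https scheme and are therefore not mixed content.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme.lower() == "http":
                self.findings.append((severity, tag, resolved))


def find_mixed_content(page_url, html):
    """Return mixed-content findings for an HTTPS page; [] for HTTP pages,
    where the notion does not apply."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for demonstration; the hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/static/hero.png">
<iframe src="http://widgets.example.test/embed"></iframe>
<script>
  // Injected at run time: invisible to this parser, which is exactly the
  // coverage gap that a full-page render in a real browser closes.
  var s = document.createElement('script');
  s.src = 'http://late.example.test/x.js';
  document.body.appendChild(s);
</script>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://www.example.test/", SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

Run against the sample, the check reports three active findings (the stylesheet, the tracker script and the iframe) and one passive finding (the logo), ignores the protocol-relative and site-relative references, and says nothing about the script added by the inline code. That last silence is the point of the second approach in the list: only executing the page in a browser reveals resources that JavaScript loads after parsing.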

Security Engineering head Rob Mann says that their web vulnerability scanner uses Google Compute Engine to dynamically create a botnet of hundreds of virtual Chrome workers that scan at a max rate of 20 requests per second, so that the target sites won’t be overloaded.

"Cloud Security Scanner addresses the weaknesses of [real and emulated browsers] by using a multi-stage pipeline," Mann wrote in a blog post. "As with all dynamic vulnerability scanners, a clean scan does not necessarily mean you're security bug free."

The search engine giant still recommends that developers seek a manual security review by a web application security professional, just to be on the safe side. The company nevertheless hopes its scanner will provide a simple solution to the most common App Engine issues with minimal false positives.

20 February 2015

Lenovo Shipping PCs with Pre-Installed 'Superfish Malware' that Kills HTTPS

Lenovo, one of the most popular computer manufacturers, is being criticized for selling laptops pre-installed with invasive marketing software, or malware, that experts say opens a door for hackers and cyber crooks.

The software, dubbed ‘Superfish Malware’, analyzes users’ Internet habits and injects third-party advertising into websites in browsers such as Google Chrome and Internet Explorer based on that activity, without the user’s permission.

Security researchers recently discovered Superfish present on new consumer-grade Lenovo computers sold before January 2015. When the machine is taken out of the box for the first time, the adware is activated, and because it comes pre-installed, Lenovo customers may end up using it inadvertently.

SUPERFISH CERTIFICATE PASSWORD CRACKED
The Superfish Malware raised serious security concerns because it breaks fundamental web security protocols by carrying out "Man in the Middle" (MitM) attacks - impersonating the security certificates of encrypted websites in order to monitor users’ behavior even on protected sites.

This would trouble Lenovo users because an MitM attack can open a door for hackers to compromise the sensitive information of any customer affected by Superfish - such as passwords or banking details - because users’ data isn't actually being protected. Anyone with the password that unlocks that single password-protected certificate authority would be able to completely bypass the computer's web encryption.

In a post, Errata Security's Robert David Graham said he cracked and published the password, which was stored in the Superfish software's active memory and was trivial to extract. One can imagine the damage if any hacker or cyber crook did the same.

SUPERFISH MALWARE TEMPORARILY REMOVED
After the news fired up over the Internet and multiple users complained of popups and other unwanted behavior, the computer giant removed the Superfish Malware.

"We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues," a Lenovo community administrator, Mark Hopkins, wrote in late January.

Hopkins also defended the company against criticism over installing Superfish in the first place, but the statement did not address the false HTTPS certificate problem. He also said that Lenovo users can refuse the terms and conditions when setting up their laptop in order to disable the software.

"To be clear, Superfish technology is purely based on contextual/image and not behavioral," Hopkins’ statement reads. "It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is."

SELF-SIGNED HTTPS CERTS RAISED MAJOR SECURITY CONCERNS
Other users on online forums report that Superfish actually installs its own self-signed certificate authority, which effectively allows the company to snoop on secure connections. If true, Superfish Malware could be far more dangerous than first thought.

"A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that ... Lenovo would facilitate such applications pre bundled with new laptops," the user wrote on the Lenovo forums.

Facebook engineering director Mike Shaver also warned about the invasive adware via his personal Twitter account, saying that he found SuperFish certificates posted by different users who had shared the same RSA key.

"Lenovo installs a MITM cert and proxy called SuperFish, on new laptops, so it can inject ads? Someone tell me that's not the world I'm in," Shaver tweeted.

LENOVO - IT’S JUST TO ENHANCE USERS’ EXPERIENCE
The company this morning issued a weird statement addressing the controversy over the Lenovo computers. According to the computer giant, the Superfish software was there "to help customers potentially discover interesting products while shopping."

"The relationship with Superfish is not financially significant," the statement reads. "Our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively."

What was my reaction on the fresh statement issued by the company? Oh! Come on Lenovo, we know the reality. Maybe you are one of the world’s largest PC brands, but after all you are also a Chinese PC brand.

HOW TO REMOVE LENOVO SUPERFISH


In order to remove Lenovo Superfish Malware from your system, run the Microsoft Management Console (mmc.exe), and do the following:

  • Go to File and click Add/Remove.
  • Choose Certificates, then click Add.
  • Choose Computer Account, then click Next.
  • Choose Local Computer, then click Finish.
  • Click OK.
  • Look under Trusted Root Certification Authorities -> Certificates.
  • Find the one issued to Superfish and delete it.
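The MMC steps above remove the trust anchor on one machine by hand. The following added example (not Lenovo's or Superfish's code) does the equivalent check programmatically in Python, which is more practical across a fleet: it walks the CA certificates that an `ssl` default context trusts and reports any root whose subject common name matches a pattern. On Windows, `ssl.create_default_context()` loads the machine's ROOT and CA stores, the same store the steps above edit; on other platforms it loads OpenSSL's default bundle. The page says only that the certificate is "issued to Superfish", so the common-name pattern and the sample store entries below are assumptions, constructed in the same dict shape that `ssl` returns.

```python
# Added example (not Lenovo's or Superfish's code): audit the CA certificates
# a Python TLS context trusts for a root issued to Superfish.
import ssl

# Match on the subject common name. The page says the root is "issued to
# Superfish"; the exact CN is assumed here and compared case-insensitively.
SUSPECT_CN_PATTERNS = ("superfish",)


def rdn_value(name, wanted):
    """Extract one attribute (e.g. 'commonName') from the nested-tuple
    subject/issuer structure used by ssl.getpeercert() and get_ca_certs()."""
    for rdn in name:
        for attr, value in rdn:
            if attr == wanted:
                return value
    return None


def suspect_roots(ca_certs, patterns=SUSPECT_CN_PATTERNS):
    """Return a summary of every CA cert whose subject CN matches a pattern."""
    hits = []
    for cert in ca_certs:
        cn = rdn_value(cert.get("subject", ()), "commonName") or ""
        if any(p in cn.lower() for p in patterns):
            hits.append({
                "commonName": cn,
                "serialNumber": cert.get("serialNumber"),
                "notAfter": cert.get("notAfter"),
            })
    return hits


def audit_default_trust_store():
    """Check the CA set that ssl.create_default_context() loads. On Windows
    that includes the machine's ROOT and CA stores, i.e. the same store the
    MMC steps above edit; on other platforms it is OpenSSL's default bundle."""
    ctx = ssl.create_default_context()
    return suspect_roots(ctx.get_ca_certs())


# Constructed sample in the same dict shape ssl returns; values are illustrative.
SAMPLE_STORE = [
    {
        "subject": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                    (("commonName", "Example Trust Root CA"),)),
        "serialNumber": "01",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {
        "subject": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                    (("commonName", "Superfish, Inc."),)),
        "serialNumber": "02",
        "notAfter": "Jan  1 00:00:00 2034 GMT",
    },
]


if __name__ == "__main__":
    for hit in suspect_roots(SAMPLE_STORE) + audit_default_trust_store():
        print("suspect root CA:", hit)
```

Two caveats a practitioner will want. First, deleting the certificate, whether in MMC or by script, only removes the trust anchor; the Superfish application itself still has to be uninstalled, and browsers that keep their own trust store (Firefox, for example) need checking separately. Second, on Windows the raw DER of every store entry is available through `ssl.enum_certificates("ROOT")`, which is what you would use to compare public keys across machines, the key-reuse problem the tweet above points at.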

LENOVO’S BAD HISTORY REGARDING BACKDOOR
This isn't the first time: in the past the computer giant was caught installing backdoors in its products and was banned by several countries for the same reasons.

In mid-2013, the spy agencies of the ‘Five Eyes’ alliance - the US, Britain, Canada, Australia, and New Zealand - banned Lenovo for allegedly installing backdoors into Lenovo-brand circuit boards, along with other vulnerabilities discovered in the firmware.

18 February 2015

Aussies ignorant to cyber threat

Australians are living in a “sea of blissful ignorance” about the growing online threat of foreign spies and criminals, the country’s first cyber-security co-ordinator has warned.

In an exclusive interview with The Australian, the head of the new Australian Cyber Security Centre, Stephen Day, also revealed that a cyber-terrorist attack was “an absolute possibility” as rogue groups become better resourced.

Major General Day said a high-level review of the nation’s cyber-security strategy being conducted by the Prime Minister’s Department was “sensible” given the speed at which the threat was evolving.

“We are in an arm-wrestle between those who are trying to defend and those who are trying to get around us (and) at the moment, because there is a general lack of awareness, those who would do us harm are at an advantage,” he said. “But we are going to catch them.”

General Day, who was appointed to the national role last November, said state-sponsored espionage was a growing concern, with foreign governments now regularly targeting public and private networks.

“There is a troubling increase in nation states stealing intellectual property from not only government, but also from industry,” General Day said.

“I don’t know if all countries are doing it, but an increasing number of nation states are playing in this space.”

Targeted areas include diplomacy, defence and national security information, along with Australian corporate know-how.

“The risk has always been there, espionage has been around for a long time … but the level of activity going into the stealing of intellectual property from big corporations is at a greater level than we have seen before.”

General Day said the rising threat was being addressed by telecommunication companies, resource companies and banks, but they were “islands of experience ... in a sea of blissful ignorance”.

The warning comes as The Australian can reveal a 20 per cent increase in cyber-security “incident responses” last year, of which more than half were state-sponsored.

Most of these targeted the non-government sector, but 35 per cent of the 1131 incidents targeted federal government departments and 8 per cent state and local ­government.

An incident response is activated only for the most serious attacks, and can include defence specialists being deployed to prevent intrusion into Australian networks.

General Day said while Australian governments had made progress co-ordinating defence efforts, the community was still vulnerable.

The three main threats facing the country were foreign espionage, online crime (ranging from opportunistic online theft to organised-crime syndicates), and so-called “hacktivists” seeking mass disruption.

General Day said only well-resourced terror groups posed a potential threat, given the sophistication now required to mount an effective attack.

“But some terrorist groups are very well resourced and it is an absolute possibility that they could create significant troubles for national security or economic prosperity,” he said. “We have been working for some years now on improving the defences of the government, but there is a lot of work to be done, there is no doubt about that.”

The government is reviewing its cyber-security strategy for the first time since 2009, with a report expected to be released mid-year.

16 Million Mobile Devices Infected With Malware in 2014

A new report published by Alcatel-Lucent’s Motive Security Labs estimates that 16 million mobile devices were infected with malware in 2014.

The rate of mobile infections in 2014 was 0.68%, which represents a 25% increase compared to the previous year. According to the telecoms company, 16 million is a conservative estimate considering that its sensors don’t have complete coverage in regions like China and Russia.

“In mobile networks, Android devices have now caught up to Windows laptops as the primary workhorse of cybercrime. With one billion Android devices shipped in 2014, the platform is a favorite target of cybercriminals who can have lots of infection success without a lot of work,” Kevin McNamee, director of Alcatel-Lucent Motive Security Labs, wrote in a blog post. “Android is more exposed than rivals because of its open platform and by allowing users to download apps from third-party stores where apps are not always well vetted.”

The number of Android malware samples in Motive Security Labs’ database increased by 161% last year, reaching close to 1.2 million.

The company has pointed out that the sophistication of Android malware has also increased. Older variants used primitive command and control (C&C) mechanisms, they had hard-coded and inflexible configurations, and they were easy to detect. However, in 2014, malware authors started leveraging more advanced techniques and even integrated rootkit technologies, a trend demonstrated by threats such as NotCompatible and Koler.

According to the report, six of the top 20 mobile pieces of malware are from the spyware category. These types of threats are designed to track users’ location, calls, text messages, emails, and Web browsing.

As far as residential fixed broadband networks are concerned, infection rates increased last year, but mainly due to adware. High-level threat infections (bots, rootkits, banking Trojans) increased slightly in the second quarter of 2014, but then they dropped again to roughly 5%, the report shows.

Researchers have also pointed out that many consumers avoid shopping online to prevent their credit card information from being stolen by cybercriminals. However, the risks are even greater at brick-and-mortar stores where cash registers and point-of-sale (PoS) terminals can become infected with malware.

“Card information stolen from online retailers can only be used for online purchases. Online purchases typically need to be shipped to the address of the card owner, making them less usable to fraudsters,” reads the report. “Because the point-of-sale-based malware records all the information in the magnetic strip on the card, the data they collect can be used to make new physical cards. Criminals use these forged cards in stores to buy expensive items such as electronics, which can easily be sold for cash.”

16 February 2015

Microsoft opens 5th cybersecurity satellite center in Singapore

Microsoft has opened its fifth global Cybercrime Satellite Centre in Singapore to support its efforts against cybercrime in Asia-Pacific, a region that is increasingly a hot target for hackers.

The facility is the third in the region, joining similar centers in Beijing and Tokyo, and will serve Southeast Asian economies including India, South Korea, Australia, and New Zealand. The other two global sites are in Berlin and Washington, the latter being where the first was launched in November 2013.

The satellite centers run under Microsoft's digital crimes unit, which operates primarily as a support or cost center and not a for-profit business unit within the company, said Keshav Dhakad, Microsoft's Asia regional director of digital crimes unit, during a media briefing Monday at the launch. It supports the software vendor's business objectives and provides another layer of authentication to enhance its overall security environment, Dhakad said.

The global digital crime unit comprises more than 100 lawyers, investigators, engineers, forensic analysts, and data scientists located across the globe, including India, China, and EMEA. It works with industry partners, internet service providers as well as law enforcement and computer emergency response teams (CERTs) in the various local markets.

The Singapore center will leverage the resources of its U.S. counterpart, which coordinates global efforts to combat cybercrime and provides real-time cyberthreat intelligence and big data analytics. Microsoft has led various initiatives to deal with specific threats such as Operation Gameover Zeus in June 2014 aimed at combating the peer-to-peer botnet, which was based on the Zeus trojan and targeted banking and financial information.

The Microsoft digital crime unit also runs a Cyber Threat Intelligence Program that processes and analyzes more than 500 million transactions a day for malware infections, and provides training for third-party partners. CERTs have free access to the program, Dhakad said.

Richard Boscovich, Microsoft's US assistant general counsel for digital crimes unit added that the team works closely with the Interpol and will continue to do so when the Interpol Global Complex for Innovation officially opens in Singapore in April.

With three of its five global satellite centers located in Asia, Microsoft is putting resources in a region where IT consumption is growing exponentially and that is increasingly a target for hackers looking for financial gains.

Boscovich said: "We look at cybercriminals as business people and they follow [emerging markets] which are economically lucrative." Many computer users in Asia also do not follow safe practices, making them prime targets for cybercriminals, he said, noting that the Singapore center will provide more visibility into malware developed specifically for the region.

S. Iswaran, Singapore's Second Minister for Home Affairs and Trade and Industry, noted that the city-state is a "natural target for cybercriminals" because it is a trusted business hub with a high presence of multinational corporations.

He noted that both government and commercial websites in the country had come under attack in recent years and could "inadvertently" become more vulnerable to cybersecurity threats as the country drives its smart nation efforts.

"The sharing of expertise and information through cross-industry and public-private partnerships is a cornerstone of any effective cybersecurity ecosystem. It is critical that we create an environment of trust where networks can share intelligence expeditiously and partner organizations can discuss measures to tackle threats or prevent similar incidents from taking place," Iswaran said.

14 February 2015

President Obama On Cybersecurity

Some highlights from President Obama’s speech on cybersecurity at Stanford University:

11 February 2015

Twitter’s Own CFO Just Had His Twitter Account Hijacked

Twitter has a bit of a security problem. Taylor Swift, Chipotle, Newsweek — it seems each day brings another hijacked account or two.


For about 20 minutes this morning, Noto’s account was blasting out a massive torrent of spam.

It looks like the account was hijacked somewhere around 11:10 a.m. PT and recovered by 11:30. In that stretch, nearly 300 spam tweets were sent to some of Noto’s 13,000 followers.

Twitter has yet to comment on how the account might have been taken over. Given that it was used for spam rather than a political message, it’s possible that this wasn’t a targeted attack, instead relying on something like an old, forgotten API key left behind on a leaky third-party service.

It’s perhaps a bit revealing, though; if the company can’t keep the account of one of its own top executives locked down, what about its other 288 million active users?

07 February 2015

Espionage app targets iOS devices

Trend Micro has discovered an interesting poisoned pawn - spyware specifically designed for espionage on iOS devices. While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.

The iOS malware found is among those advanced malware; it is believed to be installed on already compromised systems, and it is very similar to the next-stage SEDNIT malware Trend Micro found for Microsoft Windows systems. Two malicious iOS applications were found in Operation Pawn Storm. One is called XAgent and the other uses the name of a legitimate iOS game, MadCap. XAgent is designed to work specifically with iOS 7, which still runs on one in every five iPhones and iPads. Fortunately, on iOS 8 devices the user will see multiple notifications that the phone is trying to install an app, and the app cannot run unless the user launches it. Both tools have the ability to record audio, which is very intrusive and strongly suggests the targeting of offline and confidential information.

Following analysis, Trend Micro concluded that both are applications related to SEDNIT – which is a spyware that aims to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. Some of the data theft capabilities include:

  • Collect text messages
  • Get contact lists
  • Get pictures
  • Collect geo-location data
  • Start voice recording
  • Get a list of installed apps
  • Get a list of processes
  • Obtain Wi-Fi status

There may also be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.

For a more detailed analysis of the spyware, read here.

Background of Operation Pawn Storm
Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.

The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high profile targets. When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware.

The iOS malware we found is among those advanced malware. We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems.

06 February 2015

Highly critical “Ghost” allowing code execution affects most Linux systems

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.

The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the Common Vulnerabilities and Exposures designation CVE-2015-0235. Although a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core functions or the entire affected server to be restarted, a requirement that may leave some systems vulnerable for some time to come.

The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position-independent executables, and no-execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.

“A lot of collateral damage on the Internet”

glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages because they also rely on glibc. As a result, most Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update from two years ago. The specter of so many systems being susceptible to an exploit with such severe consequences is prompting concern among many security professionals.

Besides Exim, other Linux components or apps that are potentially vulnerable to Ghost include MySQL servers, Secure Shell servers, form submission apps, and other types of mail servers.

It was reported that Qualys researchers enumerated apps they believed were not vulnerable. The list included Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.

"If [researchers] were able to remotely exploit a pretty modern version of Exim with full exploit mitigations, that's pretty severe," said Jon Oberheide, a Linux security expert and the CTO of two-factor authentication service Duo Security. "There could be a lot of collateral damage on the Internet if this exploit gets published publicly, which it looks like they plan to do, and if other people start to write exploits for other targets."

The bug affects virtually all Linux-based software that performs domain name resolution. As a result, it most likely can be exploited not only against servers but also against client applications. Word of the vulnerability appears to have caught developers of the Ubuntu, Debian, and Red Hat distributions of Linux off guard. At the time this post was being prepared they appeared to be aware of the bug but had not yet distributed a ready-made fix. People who administer Linux systems should closely monitor official channels for information about how specific distributions are affected and whether a patch is available. Admins should also prepare for the inevitable reboots that will be required after installing the patch.

Update: Red Hat Enterprise Linux 5 has an update here, and readers are reporting that a fix is also available for Ubuntu 12.04.

In the meantime, readers can find more technical details about Ghost in the previously mentioned Qualys blog post, as well as here and here.


05 February 2015

Serious bug in fully patched Internet Explorer puts user credentials at risk

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users' browsing sessions. Microsoft officials said they're working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.

The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.

To demonstrate the attack, the demo injects the words "Hacked by Deusen" into the website of the Daily Mail. But it could also have stolen HTML-based data that the news site, or any other website, stores on visitors' computers. That means it would be trivial for attackers to use it to steal the authentication cookies many websites use to grant access to user accounts once a visitor has entered a user name and password. Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.

The exploit appears to use iframes to tamper with IE's support of the same origin policy. The exploit code looks like this:

function go()
{
w=window.frames[0];
w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1);
}
setTimeout("go()",1000);

A Microsoft spokesperson issued the following statement:

We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.

The statement is correct in pointing out that to succeed, an attacker would first have to lure a target to a malicious site. In an age of social networking and shortened links, that's not a difficult burden to meet. And while SmartScreen could be an effective remedy, it would take some time for it to be put in place. And even then, SmartScreen would work only against attacks that are spammed to large numbers of people. SmartScreen would likely do nothing to prevent targeted attacks.

04 February 2015

Hacked Hotel Phones Fueled Bank Phishing Scams

A recent phishing campaign targeting customers of several major U.S. banks was powered by text messages directing recipients to call hacked phone lines at Holiday Inn locations in the south. Such attacks are not new, but this one is a timely reminder that phishers increasingly are using lures blasted out via SMS as more banks turn to text messaging to communicate with customers about account activity.

The above-mentioned phishing attacks were actually a mix of scams known as “SMiShing” — phishing lures sent via SMS text message — and voice phishing or “vishing,” where consumers are directed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date.

Over the past two weeks, fraudsters have been blasting out SMS messages to hundreds of thousands of mobile users in the Houston, Texas area. The messages alerted recipients about supposed problems with their bank account, urging them to call a supplied number and follow the automated voice prompts to validate or verify their credit card account information.

On Saturday, Jan. 30, I called one of the numbers that was sent out in the smishing/vishing scam — 281-866-0500 — which is the main phone line for a Holiday Inn Express in Houston. At the time, calls to the number went straight to an automated voice prompt targeting Bank of America customers:

“Thank you for calling Bank of America. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press one now.” After pressing one, the caller is prompted to enter the last four digits of their Social Security number, and then the full card number and expiration date.

My recording of the call was garbled, but here’s a copy of a very similar voice prompt targeting Key Bank customers earlier in January that also was run off the fax line tied to a different Holiday Inn a few miles away in Houston [number: 832-237-8999], according to Numbercop, a telephony threat intelligence firm.

Holiday Inn’s corporate office did not return calls seeking comment, but the company apparently got the message because the phone lines were answering normally on Monday. A front desk clerk who answered the line on Tuesday said the hotel received over 100 complaints from people who got text messages prompting them to call the hotel’s main number during the time it was hacked.

According to Jan Volzke, Numbercop’s chief executive, these scams typically start on a Saturday afternoon and run through the weekend when targeted banks are typically closed.

“Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” he said. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”

Volzke said the recipients of the phony texts in Houston were geo-targeted by area code.

“The texts were sent in bursts with varying bank affiliations, including Bank of America, Fifth Third Bank, and Susquehanna Bank,” he said. “The campaign last week was an identical case to one a week or so earlier that referenced Key Bank, Bank of America and Wells Fargo.”

Numbercop says the text message lures were sent using email-to-SMS gateways, but the company has also seen similar campaigns sent from regular in-network numbers (e.g., prepaid mobile phones), which can be harder to catch. In addition, Volzke said, phishers often target AT&T and Verizon users in furthering these schemes.
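As an added example (not code from the article, from Numbercop, or from any bank), here is a small triage script that scores SMS records for the traits this campaign shows: a bank name paired with a "card limited, call now" pretext, a callback number in the message body whose area code matches the recipient's (the geo-targeting Volzke describes), and a sender that is an email-to-SMS gateway address rather than a phone number. The records, senders and 555-01xx phone numbers are constructed for illustration; the scoring weights and threshold are assumptions, not anything the article reports.

```python
"""Triage of SMS records for the bank smishing pattern described above.

Added example for this page, not code from the article, Numbercop or any
bank. The SMS records are constructed for illustration (555-01xx numbers
are reserved for fiction). Heuristics follow the campaign traits the text
reports: a bank name plus an account-problem pretext, a callback number in
the body, a callback area code matching the recipient's (geo-targeting), and
a sender that is an email-to-SMS gateway address rather than a phone number.
Weights and threshold are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BANK_NAMES = ("bank of america", "fifth third", "susquehanna", "key bank", "wells fargo")
PRETEXT_RE = re.compile(
    r"\b(call|verify|validate|reactivate|limited|locked|suspended|security issue)\b", re.I)
PHONE_RE = re.compile(r"(?<!\d)\(?(\d{3})\)?[-.\s]?(\d{3})[-.\s]?(\d{4})(?!\d)")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

FLAG_THRESHOLD = 5  # assumed cut-off for "treat as smishing"


@dataclass
class SmsRecord:
    sender: str     # originating phone number, short code, or gateway email address
    recipient: str  # handset number in NANP format
    body: str


def area_code(number: str) -> Optional[str]:
    """NANP area code from a 10-digit (or 1+10-digit) number, else None."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits[:3] if len(digits) == 10 else None


def callback_numbers(body: str) -> List[str]:
    """All 10-digit phone numbers written into the message body."""
    return ["".join(groups) for groups in PHONE_RE.findall(body)]


def score_sms(rec: SmsRecord) -> Tuple[int, List[str]]:
    """Score one record; higher means more likely a bank smishing lure."""
    score, reasons = 0, []
    text = rec.body.lower()
    if any(bank in text for bank in BANK_NAMES):
        score += 2
        reasons.append("names a bank")
    if PRETEXT_RE.search(rec.body):
        score += 1
        reasons.append("account-problem / call-now pretext")
    numbers = callback_numbers(rec.body)
    if numbers:
        score += 2
        reasons.append("asks recipient to call " + ", ".join(numbers))
        if area_code(rec.recipient) in {area_code(n) for n in numbers}:
            score += 1
            reasons.append("callback area code matches recipient (geo-targeted)")
    if EMAIL_RE.match(rec.sender):
        # Email-to-SMS gateways show the sender as an address. In-network
        # senders (e.g. prepaid handsets) get no bonus; the article notes
        # those campaigns are harder to catch.
        score += 1
        reasons.append("sent via email-to-SMS gateway")
    return score, reasons


def flagged(records: List[SmsRecord]) -> List[int]:
    """Indexes of records scoring at or above FLAG_THRESHOLD."""
    return [i for i, rec in enumerate(records) if score_sms(rec)[0] >= FLAG_THRESHOLD]


# Constructed sample records: two lures (gateway-sent and in-network), one
# genuine bank alert that points at the app, and one personal message.
SAMPLE_RECORDS = [
    SmsRecord("alerts-4821@sms-gateway.example", "2815550147",
              "Bank of America: your debit card has been limited due to a "
              "security issue. Call 281-555-0142 to reactivate."),
    SmsRecord("32665", "2815550147",
              "Bank of America: your January statement is ready. View it in the mobile app."),
    SmsRecord("7135550199", "2815550147",
              "Hey, still on for dinner tonight? Call me at 713-555-0101."),
    SmsRecord("8325550177", "2815550147",
              "Fifth Third Bank alert: card locked. Call 281-555-0173 to validate."),
]

if __name__ == "__main__":
    for i in flagged(SAMPLE_RECORDS):
        score, reasons = score_sms(SAMPLE_RECORDS[i])
        print(f"record {i}: score {score}: " + "; ".join(reasons))
```

Note that the in-network lure (last record) still clears the threshold on the content signals alone; the gateway-sender signal only raises confidence, which matches Numbercop's point that in-network sends are harder, not impossible, to catch.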


Many banks now offer their customers the ability to receive text message alerts about activity on their credit card accounts — such as recent transactions — so it’s not surprising that crooks are exploiting this medium. While vishing and SMiShing attacks are not new (see this story from 2010), they are on the rise: According to Cloudmark, the incidence of SMS bank account phishing in the U.S. more than tripled in September 2014. Cloudmark’s recently released Annual Threat Report found more than one in four unsolicited SMS messages reported in 2014 attempted to steal the victim’s personal or financial information.

Volzke says it’s unfortunate that more financial institutions aren’t communicating with their customers via mobile banking apps.

“Banking apps are among the most frequently downloaded and used apps,” Volzke said. “If the user has an app from the bank installed, then if the bank really has something to say they should use the in-app messaging method, not text messages which can be spoofed and are not secure. And yet we see almost no bank making use of this.”

Regardless of whether you communicate with your bank via text message, avoid calling phone numbers or clicking links that appear to have been sent via text message from your bank. Also, be extremely wary of any incoming calls from someone calling from your bank. If you think there may be an issue with your account, your best bet is to simply call the number on the back of your credit or debit card.

03 February 2015

Hackers target third new zero-day for Adobe Flash


Security researchers have advised Adobe Flash Player users to disable the software temporarily, as yet another remotely exploitable vulnerability is being actively attacked in the wild.

The bug allows an attacker to take full control of a user's computer without any interaction from the user beyond loading a page that serves the exploit.

Flash Player 16.0.0.296 and earlier for Microsoft Windows and Apple OS X are vulnerable to CVE-2015-0313, which Adobe rates as critical. Versions 13.0.0.264 and earlier are also vulnerable, as is Flash Player 11.2.202.440 and earlier for Linux.
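For anyone checking an estate against these ranges, the following is an added example (not Adobe's or Trend Micro's code) that maps an installed version and platform to the affected ranges above and returns the hosts that need patching. One assumption, taken from Adobe's advisory rather than from this page: the 13.0.0.264 threshold applies to the 13.x extended-support branch, so 13.x builds are compared with it and every other Windows and OS X build with 16.0.0.296. The host inventory and the builds marked "hypothetical" are constructed.

```python
"""Inventory check for CVE-2015-0313 against the affected Flash Player
versions listed above.

Added example for this page, not Adobe's or Trend Micro's code. Affected
ranges, from the text: 16.0.0.296 and earlier on Windows and OS X,
13.0.0.264 and earlier, and 11.2.202.440 and earlier on Linux.
Assumption (from Adobe's advisory, not from this page): the 13.0.0.264
threshold is for the 13.x extended-support branch, so a 13.x build is
judged against it instead of against 16.0.0.296. The inventory is constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Highest affected build per platform family and major branch; a build that
# compares equal or lower is vulnerable. "default" covers any major version
# without its own entry (so 14.x and 15.x on desktop fall under 16.0.0.296).
LAST_AFFECTED: Dict[str, Dict[str, Version]] = {
    "desktop": {"13": (13, 0, 0, 264), "default": (16, 0, 0, 296)},  # Windows, OS X
    "linux": {"default": (11, 2, 202, 440)},  # only the 11.2 branch is listed for Linux
}
PLATFORM_ALIASES = {
    "windows": "desktop", "win": "desktop",
    "osx": "desktop", "macos": "desktop", "mac": "desktop",
    "linux": "linux",
}


def parse_version(text: str) -> Version:
    """Turn 'a.b.c.d' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


def is_vulnerable(version: str, platform: str) -> bool:
    """True if this build falls inside an affected range for the platform."""
    family = PLATFORM_ALIASES.get(platform.lower())
    if family is None:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(version)
    branches = LAST_AFFECTED[family]
    ceiling = branches.get(str(v[0]), branches["default"])
    return v <= ceiling


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Host names, from (host, platform, version) tuples, that need the update."""
    return [host for host, platform, version in inventory
            if is_vulnerable(version, platform)]


INVENTORY = [  # constructed sample; "hypothetical" builds are not real releases
    ("ws-101", "windows", "16.0.0.296"),
    ("ws-102", "windows", "16.0.0.300"),   # hypothetical build above the 16.x threshold
    ("ws-103", "windows", "15.0.0.239"),   # older branch, covered by "16.0.0.296 and earlier"
    ("kiosk-1", "windows", "13.0.0.264"),
    ("kiosk-2", "windows", "13.0.0.270"),  # hypothetical 13.x build above its own threshold
    ("mac-07", "osx", "16.0.0.235"),
    ("lnx-3", "linux", "11.2.202.440"),
    ("lnx-4", "linux", "11.2.202.442"),    # hypothetical build above the Linux threshold
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(host, "needs the CVE-2015-0313 update")
```

The branch-aware comparison is the point: a naive "anything at or below 16.0.0.296 is vulnerable" check would also flag every 13.x build that is newer than 13.0.0.264, which is exactly the case the extended-support threshold exists for.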

Security vendor Trend Micro is credited with discovering the new zero-day vulnerability alongside two Microsoft researchers.

The company said CVE-2015-0313 is being actively exploited in drive-by attacks delivered via malicious advertisements, believed to have been executed through the Angler Exploit Kit.

"Malvertisements" on popular websites redirect visitors to a series of other sites, finally landing at a Russian-registered domain that attempts to deliver the payload that executes the exploit.

Trend Micro said it has already counted over 3000 hits related to CVE-2015-0313, suggesting the vulnerability is being widely used by attackers.

Neither Trend Micro nor Adobe has yet published a full analysis of the new zero-day, which is the third to strike Flash Player in a month.