Internet Services Provider Web.com Compromised

This week we hear about Web.com being compromised and malware operators profiting from Bitcoin ransoms.

Breach

INTERNET SERVICES PROVIDER WEB.COM COMPROMISED

On August 13, 2015, Web.com discovered a security breach that compromised credit card information for about 93,000 of its 3.3 million accounts. The breach was discovered during routine security monitoring; the exposed information included names and addresses as well as credit card numbers.

Credit card or identity fraud may occur if the hackers decide to sell the database of users to people who specialize in committing such crimes. Additionally, this data may be used for phishing emails and can be cross-checked with data from other breaches.

This story underlines the case for continuous network monitoring. Monitoring networks for suspicious activity should allow anomalies to be detected, traced and remedied before attackers have time to fully infiltrate networks and steal data.

References: Web.com

Mitigation Strategies:

  • Daily review of system logs for signs of malicious activity
  • 24×7 security monitoring to provide anomaly detection
  • Vulnerability scanning to find and correct vulnerabilities before attackers exploit them

Malware

MALWARE OPERATORS PROFIT FROM BITCOIN RANSOMS

Security researchers have uncovered a large-scale malvertising campaign that attempts to infect hosts with malware. Malicious ads are distributed by ad networks and appear on many popular websites. When users visit these sites, the Angler Exploit Kit attempts to exploit vulnerabilities in Adobe Flash Player and web browsers. If an exploit is successful, a malicious adware package or the CryptoWall ransomware Trojan is installed.

Both the adware package and the ransomware infections are designed to bring revenue to the malware operators. CryptoWall becomes profitable when users become infected with the Trojan and their locally stored files are encrypted. To decrypt the files, the operators demand a $500.00 ransom payable in Bitcoin. Once the Bitcoin is received, the private key needed to decrypt the files is provided.

Recent techniques involve innocuous-looking email attachments: .rar archives that in turn contain .scr and .jpg files. These files appear harmless but initiate hidden activity, installing backdoor and downloader malware in the background. The group seems to be targeting new victims in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique, Germany, and, within certain industry sectors, the United States.
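The attachment pattern described above (a .rar archive carrying .scr and .jpg files) is something a mail gateway can screen for before delivery. The following is an added example written for this brief, not code from Malwarebytes or from the original article. It checks each attachment's declared name against its leading bytes, and then applies the same checks to a listing of archive members; that listing is assumed to come from a separate extraction step, and the sample message and member list are constructed here for illustration.

```python
import os
from email.message import EmailMessage

# Extensions Windows runs directly. A .scr screen saver is an ordinary PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
DOCUMENT_EXTS = {".jpg", ".jpeg", ".pdf", ".doc", ".txt"}

# File signatures used below: RAR 4.x archive header, PE executable, JPEG start-of-image.
RAR_MAGIC = b"Rar!\x1a\x07\x00"
PE_MAGIC = b"MZ"
JPEG_MAGIC = b"\xff\xd8\xff"


def attachment_findings(msg: EmailMessage):
    """Return (filename, reason) pairs for attachments that need a closer look."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in ARCHIVE_EXTS:
            findings.append((name, "archive attachment: inspect members before delivery"))
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
        if ext == ".rar" and not data.startswith(RAR_MAGIC):
            findings.append((name, "named .rar but RAR signature missing"))
    return findings


def member_findings(members):
    """members: list of (filename, first_bytes) for each file inside an archive.
    Producing that list is assumed to be done by a separate extraction step.
    Flags executables, double extensions, and image names whose bytes are not an image."""
    findings = []
    for name, head in members:
        root, ext = os.path.splitext(name.lower())
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable inside archive"))
            # "photo.jpg.scr": the inner extension is what a user sees with extensions hidden
            if os.path.splitext(root)[1] in DOCUMENT_EXTS:
                findings.append((name, "double extension hides executable"))
        if ext in {".jpg", ".jpeg"} and not head.startswith(JPEG_MAGIC):
            kind = "PE executable" if head.startswith(PE_MAGIC) else "unknown content"
            findings.append((name, f"named as image but content is {kind}"))
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed message: a body plus one .rar attachment with a valid RAR signature."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Photos"
    msg.set_content("See attached.")
    msg.add_attachment(RAR_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="vnd.rar", filename="photos.rar")
    return msg


# Constructed member listing, as if extracted from the attachment above.
SAMPLE_MEMBERS = [
    ("beach.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF"),        # genuine JPEG header
    ("family.jpg", PE_MAGIC + b"\x90\x00\x03\x00"),         # PE bytes behind an image name
    ("photo_viewer.jpg.scr", PE_MAGIC + b"\x90\x00\x03\x00"),  # double extension + .scr
]

if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample_message()):
        print(f"attachment {name}: {reason}")
    for name, reason in member_findings(SAMPLE_MEMBERS):
        print(f"member {name}: {reason}")
```

Screening on the declared extension alone misses the "family.jpg" case; comparing the leading bytes with the claimed type is what catches an executable renamed as an image.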

It is imperative that a layered security approach, along with a proper backup procedure, be used to protect the corporate enterprise. This approach will increase the chances of blocking or quickly catching this kind of activity.

References: Malwarebytes

Mitigation Strategies:

Top 20 IP Addresses

  • 113.142.134.133 – NEW
  • 115.231.217.153 – NEW
  • 208.109.252.167 – NEW
  • 119.147.137.34 – NEW
  • 122.224.54.104 – NEW
  • 54.154.175.26 – NEW
  • 61.160.223.78 – NEW
  • 113.106.106.131 – NEW
  • 98.124.174.202 – NEW
  • 54.217.247.24 – NEW
  • 110.93.14.68 – NEW
  • 43.255.188.146 – NEW
  • 61.160.194.183 – NEW
  • 82.221.128.206
  • 216.66.0.113 – NEW
  • 54.207.8.195 – NEW
  • 46.4.94.230 – NEW
  • 62.149.145.89 – NEW
  • 61.160.213.108 – NEW
  • 43.255.188.138
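The daily log review recommended in the Web.com mitigation list is where a published indicator list like the Top 20 above earns its keep. The following is an added example, not code from the brief's authors: it parses the list exactly as printed (keeping the "NEW" markers), scans firewall log lines for those addresses, and ranks each hit by direction and firewall action. The log lines are constructed in a generic iptables-style format and are not from any real device.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator list copied from the "Top 20 IP Addresses" section of this brief.
TOP20_TEXT = """
113.142.134.133 – NEW   115.231.217.153 – NEW
208.109.252.167 – NEW   119.147.137.34 – NEW
122.224.54.104 – NEW    54.154.175.26 – NEW
61.160.223.78 – NEW     113.106.106.131 – NEW
98.124.174.202 – NEW    54.217.247.24 – NEW
110.93.14.68 – NEW      43.255.188.146 – NEW
61.160.194.183 – NEW    82.221.128.206
216.66.0.113 – NEW      54.207.8.195 – NEW
46.4.94.230 – NEW       62.149.145.89 – NEW
61.160.213.108 – NEW    43.255.188.138
"""

# An IPv4 address optionally followed by "– NEW" (en dash or hyphen).
INDICATOR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})([ \t]*[–-][ \t]*NEW)?")
FIELD_RE = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")
ACTION_RE = re.compile(r"\b(ACCEPT|DROP|REJECT)\b")


def parse_indicators(text):
    """Return {ip: is_new}; tokens that are not valid IPv4 addresses are skipped."""
    indicators = {}
    for m in INDICATOR_RE.finditer(text):
        ip, new_flag = m.group(1), m.group(2)
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        indicators[ip] = new_flag is not None
    return indicators


@dataclass
class Hit:
    line_no: int
    ip: str
    field: str    # SRC (inbound from the address) or DST (outbound to it)
    is_new: bool
    action: str


def scan_logs(lines, indicators):
    """Match every SRC=/DST= address in each line against the indicator set."""
    hits = []
    for n, line in enumerate(lines, 1):
        action_m = ACTION_RE.search(line)
        action = action_m.group(1) if action_m else "UNKNOWN"
        for field, ip in FIELD_RE.findall(line):
            if ip in indicators:
                hits.append(Hit(n, ip, field, indicators[ip], action))
    return hits


def triage(hit):
    """Outbound connections that the firewall allowed rank highest: an internal host
    reaching a listed address suggests an infection rather than background scanning."""
    if hit.action == "DROP":
        return "low"       # blocked at the perimeter; record it and move on
    if hit.field == "DST":
        return "high"      # internal host reached out to a listed address
    return "medium"        # inbound connection accepted from a listed address


# Constructed firewall log lines (not from any real device).
SAMPLE_LOGS = [
    "Aug 14 02:11:07 fw1 kernel: ACCEPT IN=eth0 SRC=61.160.223.78 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Aug 14 02:11:09 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Aug 14 02:12:30 fw1 kernel: DROP IN=eth0 SRC=82.221.128.206 DST=10.0.0.9 PROTO=TCP DPT=3389",
    "Aug 14 02:13:01 fw1 kernel: ACCEPT OUT=eth0 SRC=10.0.0.5 DST=43.255.188.146 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    indicators = parse_indicators(TOP20_TEXT)
    for hit in scan_logs(SAMPLE_LOGS, indicators):
        tag = "NEW" if hit.is_new else "known"
        print(f"[{triage(hit):6}] line {hit.line_no}: {hit.field}={hit.ip} ({tag}) {hit.action}")
```

Running it against a day's worth of firewall exports, the "high" line (an internal host connecting out to a listed address) is the one to chase first; a single inbound DROP from a listed address is expected noise.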