
The Internal Revenue Service (IRS) issued a warning today to alert taxpayers and tax professionals to an active IRS impersonation scam campaign that sends spam emails to deliver malicious payloads. The warning was issued after the IRS received several reports from taxpayers this week about unsolicited messages with the subjects "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder", sent by scammers impersonating the U.S. revenue service from spoofed email addresses. "The emails have links that show an IRS.gov-like website with details pretending to be about the taxpayer's refund, electronic return or tax account," says the IRS warning. "The emails contain a 'temporary password' or 'one-time password' to 'access' the files to submit the refund. But when taxpayers try to access these, it turns out to be a malicious file." Specifically, after entering the password supplied in the spam message, the targets unintentionally download malware that could allow the attackers either to harvest sensitive information or to take control of the compromised systems. "The IRS does not send emails about your tax refund or sensitive financial information," stated IRS Commissioner Chuck Rettig. "This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on guard at all times." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urges users and administrators to review the CISA Tip on how to avoid phishing and social engineering attacks. This warning comes after the IRS issued a joint news release with the US tax industry and state tax agencies in late July to remind professional tax preparers that they are required by federal law to have a data security plan in place. Learn more on OUR FORUM.

A vulnerability in the free version of Bitdefender Antivirus could be exploited by an attacker to obtain SYSTEM-level permissions, reserved for the most privileged account on a Windows machine. Privilege escalation vulnerabilities are used in a later stage of an attack, after the threat actor has already compromised the target host and needs elevated permissions to establish persistence or execute code with the privileges of the most powerful user. Identified as CVE-2019-15295, the vulnerability is due to a lack of verification that loaded binaries are signed and come from a trusted location. Peleg Hadar of SafeBreach Labs says that Bitdefender's security service (vsserv.exe) and the updater service (updatesrv.exe) launched processes running with SYSTEM authority. However, those processes tried to load a missing DLL file ('RestartWatchDog.dll') from the various locations listed in the PATH environment variable. One of these locations is 'c:/python27', which comes with an access control list (ACL) open to any authenticated user. This makes privilege escalation trivial, because a user with normal permissions can write the missing DLL there and have it loaded by Bitdefender's signed processes. Hadar tested the theory with an unsigned DLL that wrote to a text file the name of the process loading it, the name of the user executing it, and the name of the DLL file. His assumption was confirmed: his 'RestartWatchDog.dll' file was loaded without a hitch. The root of the issue is the ServiceInstance.dll library, which attempts to load the missing DLL. SafeBreach disclosed the vulnerability responsibly to Bitdefender on July 17 and received validation from the antivirus maker on August 14. On Monday, Bitdefender rolled out a patch for its Antivirus Free 2020 product. Users with an internet connection received the update automatically. Get better informed by stopping by OUR FORUM.
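The weak link described above is a directory on the machine-wide PATH whose ACL lets any local user create files in it, combined with a SYSTEM service that probes PATH for a DLL it cannot find. The vendor-side fix is the one Bitdefender shipped (verify signatures and load only from a trusted, fully qualified location), but administrators can also audit their own hosts for the PATH half of the problem. The PowerShell audit below is an added example written for this page; it is not code from the article, from SafeBreach, or from Bitdefender. It assumes only built-in cmdlets (`Get-Acl`) and the standard .NET `FileSystemRights` flags, and it reports every PATH directory where a broad principal such as Everyone, Authenticated Users or BUILTIN\Users holds an Allow ACE granting file-creation or write rights.

```powershell
# Added example (not from the article, SafeBreach, or Bitdefender): list
# directories on the machine PATH that broad local groups can write to.
# Services inherit the machine PATH, so a writable entry here is exactly the
# condition the article describes for the missing 'RestartWatchDog.dll'.

# Principals that effectively mean "any local user". Extend for your estate
# (for example domain-wide groups) if your baseline treats them the same way.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that allow creating or replacing a file inside the directory.
# WriteData is the same bit as CreateFiles; AppendData is CreateDirectories.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WritablePathDirectory {
    [CmdletBinding()]
    param(
        # Defaults to the machine PATH; pass your own list to audit a service's
        # effective search path instead.
        [string[]]$Directories = (
            [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
                Where-Object { $_ -and $_.Trim() }
        )
    )

    foreach ($raw in $Directories) {
        $dir = $raw.Trim()

        # A PATH entry that does not exist cannot be written into directly;
        # it still deserves a look (its parent may be writable), so flag it.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{
                Directory = $dir
                Principal = '(missing directory)'
                Rights    = ''
                Inherited = $false
            }
            continue
        }

        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            Write-Warning "Could not read ACL for $dir : $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }

            # One row per offending ACE so the output shows exactly which
            # principal and which right need to be removed.
            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: run on the host and review the table; an empty result means no
# broad-principal write access was found on the machine PATH.
Get-WritablePathDirectory | Format-Table -AutoSize
```

Run it from any account that can read directory ACLs; elevation is only needed if some PATH directories deny read access to standard users. Treat a non-empty result as a hardening task rather than a finding on its own: remove the broad write ACE (for example with `icacls` or `Set-Acl`) or move the directory off the machine PATH, then re-run the audit. The check only covers the search-path side of the issue; a service that loads a DLL by bare name still needs the loader-side fix (trusted, fully qualified path plus signature verification) that the article says Bitdefender applied.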

Contractors working for Microsoft have listened to the audio of Xbox users speaking in their homes in order to improve the console’s voice command features, Motherboard has learned. The audio was supposed to be captured following a voice command like “Xbox” or “Hey Cortana,” but contractors said that recordings were sometimes triggered and recorded by mistake. The news is the latest in a string of revelations that show contractors working on behalf of Microsoft listen to audio captured by several of its products. Motherboard previously reported that human contractors were listening to some Skype calls as well as audio recorded by Cortana, Microsoft’s Siri-like virtual assistant. "Xbox commands came up first as a bit of an outlier and then became about half of what we did before becoming most of what we did," one former contractor who worked on behalf of Microsoft told Motherboard. Motherboard granted multiple sources in this story anonymity as they had signed non-disclosure agreements. The former contractor said they worked on Xbox audio data from 2014 to 2015 before Cortana was implemented into the console in 2016. When it launched in November 2013, the Xbox One had the capability to be controlled via voice commands with the Kinect system. Straight away, some users and commentators were concerned with the idea of Kinect listening to Xbox users, waiting for commands such as "Xbox on." Microsoft said in a statement at the time "Kinect for Xbox 360 was designed and built with strong privacy protections in place and the new Kinect will continue this commitment." For further details please visit OUR FORUM.

The attackers who previously breached and abused the website of the free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched tactics. Whereas they previously hacked legitimate websites and hijacked their download links to serve malware-infected files, the hackers are now creating clones of websites to deliver banking Trojans onto unsuspecting victims' computers. This lets them focus on adding capabilities to their malicious tools instead of spending time trying to infiltrate the servers and websites of legitimate businesses. Specifically, they are actively distributing the Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official nordvpn.com site used by the popular NordVPN VPN service. The cloned website also has a valid SSL certificate issued by the open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1. "Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus," state the Doctor Web researchers who spotted the campaign. "Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems." The operators behind this malicious campaign launched their attacks on August 8. They are focusing on English-speaking targets and, according to the researchers, thousands of people have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client. "The actor is interested in English speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable," Doctor Web malware analyst Ivan Korolev told BleepingComputer. To learn more please visit OUR FORUM.

Ubisoft continues to build upon Tom Clancy's Rainbow Six Siege, with its next major expansion close at hand. Following Operation Phantom Sight, the update heads to the Latin American underworld, landing midway through the game's fourth year of content. Two new resourceful Operators are on the horizon in Operation Ember Rise, set to shake up how defenders lock down the objective. We've wrapped up everything we know so far about Rainbow Six Siege's next season, ahead of its August 18 unveiling. Ubisoft has dropped its first teaser image for Year 4 Season 3, confirming the coming update's title, Operation Ember Rise. While Ubisoft is yet to outline its Operation Ember Rise release plans, a late-summer launch is expected for Xbox One, PlayStation 4, and PC. As with prior Rainbow Six Siege updates, the third season of 2019 drops two new playable Operators, expanding the ever-growing roster to 50 recruits. As outlined in Ubisoft's Year 4 roadmap, the latest members span independent counterterrorism units (CTUs), hailing from Mexican and Peruvian specialist forces. Expect new attacking and defending talent, sticking to a familiar seasonal template. While Ubisoft hasn't formally unveiled its upcoming Latin duo, brief teasers have surfaced throughout Year 4. Promotional assets for ringleader Harry "Six" Pandey made reference to narcotics crackdowns, singling out cartel activity in each Operator's home turf. Addressing a "Crosscheck w/ Capitao anti-drug operations for common ground" and "Antiquities trafficking," it establishes a clear future expansion beyond existing lore. The same pinboard also teased Operation Phantom Sight's Nøkk and Warden, alongside remaining threads still to uncover. For more complete details along with dates, more images and a video clip visit OUR FORUM.

Head for the hills, folks! It’s not often that we cover security here, but serious times call for serious talk. There is a trojan called Trickbot, and it is one of the stealthiest malware threats in recent memory. It doesn’t help that it goes after anything and everything that crosses its path. And to make matters worse, this is a rapidly evolving threat. The latest twist in its tale is that it is targeting Windows 10 users specifically, via new methods that not only evade but actually disable Windows Defender on these systems. Trickbot may be in the news for all the wrong reasons these days, but this malware is not new. It has been causing trouble since 2016, and since then this banking trojan is estimated to have compromised no less than 250 million email accounts, so much so that many in the cybersecurity world consider Trickbot the top threat targeting the computing landscape. This malware is designed with a laser focus on stealing the private data of users. Whether it be harvesting emails or stealing logins and passwords, hijacking web browsers or altering displayed websites, stealing banking details or transferring money out of crypto wallets, Trickbot does it all. The developers behind Trickbot have updated this malware numerous times over the years, adding advanced new traits every time. One of these features is screen locking: the more recent versions of Trickbot are capable of locking the victims' computer screens. An even worse, and extremely dangerous, addition is the capability to hijack several different kinds of applications and then steal credentials, record information relating to web browsing, and collect details about the system itself, such as the CPU, operating system and running processes. Complete details can be found on OUR FORUM.
