September brought news of yet another insurance breach as it was revealed that the details of over 10 million people were compromised in an attack on Excellus Blue Cross Blue Shield. September wasn’t a good month for Apple either: just after the KeyRaider attack on jailbroken iPhones was announced, developers showed they were able to sneak weaponized apps into the App Store, affecting all kinds of iPhones, jailbroken or not.
The attacks just kept on coming in September: Imgur suffered a DDoS attack on their 4chan and 8chan servers, the Kardashians unwillingly exposed the details of more than 800,000 of their fans and news reports exposed many hacks on the U.S. government originating from China around the same time China’s President Xi Jinping was visiting the U.S.
Count down with us the top hacks, attacks and vulnerabilities of September 2015.
Over 10 million insurance accounts compromised
The first week of September brought with it news of a hack on New York health insurer Excellus BlueCross BlueShield. On September 9, it was revealed that over 10 million members were possibly affected by the breach (3.5 million of whom are served by Excellus’ affiliate, Lifetime Healthcare Companies). According to Reuters, further investigation showed that the initial intrusion occurred back in December 2013.
Personal data stolen from Lloyds Bank
On September 10, it was reported that thousands of Lloyds Bank customers had their personal details compromised after a data box was stolen. The incident happened back on July 30, when the data box was stolen from a Royal Sun Alliance Insurance data room. According to reports, only those who opened their accounts between 2006 and 2012, and who subsequently made a claim on an insurance policy, were affected.
10 days, 11 million passwords
The Ashley Madison hack is still making the news, and in September a cracking team, Cynosure Prime, managed to decipher over 11.2 million passwords – in just 10 days! This was possible because of what was dubbed a programming blunder on Ashley Madison’s part. The cracked passwords show that many people still use simple, easy-to-guess passwords; here are the top 5 passwords used, as reported by The Hacker News:
- 123456 by 120511 users
- 12345 by 48452 users
- password by 39448 users
- DEFAULT by 34275 users
- 123456789 by 26620 users
DDoS attack on UK Police
The UK’s National Crime Agency website was taken down on September 1, with Lizard Squad claiming responsibility. The attack was likely a reaction to the arrest of six teenagers who used Lizard Stresser, a DDoS attack tool developed by the Lizard Squad. The group announced the attack through their Twitter account but the tweet has since been removed.
200 million WhatsApp web app users at risk
Security firm Check Point revealed a bug in WhatsApp’s web extension that could give hackers remote control of a user’s computer, and all the attacker would need is the user’s phone number. The software vulnerability puts at risk the 200 million users of the web app, who may be tricked into downloading malware onto their PCs.
XcodeGhost erodes Apple’s security clout
When it comes to security, September was not a good month for Apple. At the start of the month, Palo Alto Networks released a report detailing a new form of iOS malware that seems to affect only jailbroken iPhones. However, a few weeks later there was yet another dent in Apple’s security ecosystem when the same security specialists, Palo Alto Networks, revealed XcodeGhost, a trojanized version of Xcode, Apple’s application development software. XcodeGhost modifies Xcode so that apps built with it are infected, and these apps were then uploaded to the App Store. A total of 39 iOS apps were infected, including WeChat, possibly affecting hundreds of millions of users.
The Android Stagefright vulnerabilities were disclosed only a few months ago. Since then, patches have been released by Google and other vendors, while Zimperium, the firm that documented the vulnerabilities, also created an app to help users establish whether their devices were at risk. In September, Zimperium published an exploit for one of the most critical vulnerabilities and said it had been tested on a Nexus device running Android 4.0.4. Now recent reports say Stagefright is back, but this time around it mostly affects Android 5.0 Lollipop and later.
Card breach at Hilton Hotel franchise in the US
Several banks noticed patterns in credit card fraud suggesting that hackers might have compromised point-of-sale registers in Hilton Hotel shops and restaurants. Brian Krebs wrote on his security blog that “in August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015.” Hilton said it is currently investigating the claims.
More ransomware, this time on Android
A new type of ransomware is locking victims out of their Android devices by changing the lock-screen PIN. Lockerpin.A overlays a bogus patch-install prompt, and when the user clicks Continue, the app is granted device administrator privileges. From there, it resets the PIN and locks the user out of the device. A note then appears on the lock screen urging the user to pay the ransom in order to regain access to the phone.
Losing at poker? There might be a reason for that
Odlanor is malware that targeted users of Full Tilt Poker and PokerStars by taking screenshots of their games, giving an unfair advantage to the hacker, who then joins the same session knowing what cards the victim’s hand contains. The spyware is installed alongside a variety of poker-related software and, according to ESET, has been in the wild since March of this year.