List of Cyber Attacks and Data Breaches in September

Although this month’s list may not be as long as August’s, it’s by far the most shocking of the year so far. The number of payment card breaches in the US appears to be going up and up and an end isn’t in sight. This list will continue to be updated until the very end of September, and as there’s a high chance of more breaches due to the revelation of Shellshock, I suggest you come back for updates.

Payment card breaches

880,000 Affected by Viator Payment Card Breach

Hundreds of US Stores Affected as POS Provider is Hacked

Biggest ever data breach? Home Depot hack attack could involve 60 million payment cards

800k Payment Cards Compromised in Goodwill Industries Breach

Payment card data stolen in Jimmy John’s data breach

Hotel Chain Suffers Payment Card Breach

Personal data breaches

Florida medical center hit with breach for third time in two years

Data breach at Tampa General Hospital

Central Utah Clinic notifies over 30K patients of potential HIPAA breach

Computer hardware containing patient data stolen from Ohio plastic surgery office

5 Million Leaked Gmail Passwords Sounds Pretty Scary, But Was It?

Other attacks and breaches
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT

Biggest attack on RT.com: Website hit by 10 Gbps DDoS

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

Naked pictures of Jennifer Lawrence and other celebrity starlets leak online

eBay XSS vulnerability used iPhones as bait, redirected users to phishing page

Hackers attack Namecheap accounts

Healthcare information compromised at Temple University, Philadelphia

ObamaCare Website Hacked

New ‘Shellshock’ bash bug affects 500 million computers, servers and devices.

Keyless Smart Cars are now target for hackers

Now it is the turn of smart keyless car becoming target for hackers, that high-tech keyless car security system is pretty sweet for hackers. According to a new report in Wired, thieves can use off-the-shelf hardware and software to impersonate a vehicle's security fob and break into a car in no more than a few minutes.

This vulnerability in keyless vehicles illustrates what is practically an axiom in technology: Convenience often reduces security. And in a corollary truth, hackers are usually at least one step ahead of the technologies intended to thwart them.

Australian security researcher Silvio Cesare plans to review his findings about this new approach to keyless break-ins at this week's Black Hat Internet security conference in Las Vegas. The annual event is a place where people from law enforcement, security experts, military intelligence and even the shady side of the street come together.

People have previously found weaknesses in keyless entries. In 2012, for instance, a rash of Chicago car break-ins were linked to someone using some kind of electronic tool.

Meanwhile, Swiss researchers have found a way to get someone's key fob to broadcast an open command so it can be duplicated, potentially allowing thieves to break into and operate a car.

However, Cesare thinks that he may be the first to actually crack the encryption intended to guard they keyless systems. He built a device that would keep pressing the buttons on his own fob. After collecting thousands of samples of the codes intended to be picked up by the car, he found patters that reduced the number of possible codes to unlock a vehicle from 43 million to less than 13,000.

That's still a big number for humans, but computers can try that many sequences without getting bored, wasting time or needing a bathroom break.

Other auto threats are also a topic of discussion at the Black Hat conference. According to InformationWeek, as cars increasingly feature on-vehicle wireless networks that connect with satellite services and smartphones, they become more vulnerable to remote attacks. By breaking into a car's Bluetooth network or a phone app, for instance, someone could in theory control a car's steering, braking or automated parking.

Last year, researchers showed how they could take control of many basic functions in a 2010 Toyota Prius and 2010 Ford Escape. Among new vehicles, the 2014 Jeep Cherokee, 2014 Infiniti Q50 and 2015 Escalade are the most vulnerable to attack, according to security researchers. A 2014 Audi A8 was deemed the least vulnerable model to electronic attack because the car's networked systems are separate from its physical operational systems.

The automobile industry has begun to take such threats more seriously. Last month it announced a mechanism to share security vulnerabilities.

One million Android devices infected in China

One million Android devices in China were infected with an Xshqi SMS worm on August 2, the day the country celebrated Valentine’s Day.

Experts at Kaspersky Lab revealed that a malware, dubbedTrojan.AndroidOS.Xshqi.a, infected neatly 500,000 Android devices in just six hours last week in China, but Chinese media provided a more pessimistic estimate declaring that the number of infected mobile is over 1 million smartphones.

The attackers operated in conjunction of the day the country celebrated Valentine’s Day as explained by Kaspersky team.

“The fact that this Trojan combination appeared on the Chinese Valentine’s Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as much as possible and infect more devices. This Trojan is a good example of why it’s always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.,” reported researcher Vigi Zhang in a blog post.

The malware has been classified as a mobile SMS worm, but it includes also two malicious modules, the XXshenqi.apk and its asset Trogoogle.apk, the first one is used to spread the malicious code meanwhile the other component is a backdoor.

Once a mobile device is infected by Trojan.AndroidOS.Xshqi.a, the malware sends malicious SMSs to all the contacts in the victim’s address book. The link is used by malware authors to get victims to install the Trojan as well, Trojan.AndroidOS.Xshqi.a that verify the presence of the Trogoogle.apk, if it isn’t installed it displays a dialog window to prompt the user to install Trogoogle.apk. detected by Kaspersky as Backdoor.AndroidOS.Trogle.a.

The backdoor is used by cybercriminals to perform numerous operations, for example in order to steal victim’s personal information it asks user to register the app. The backdoor also enables the attackers to control victim’s device and send different commands to perform several operations, for example to create and send text messages.

Chinese law enforcement has already identified the author of the malicious campaign, he is a 19-year-old college student that admitted creating the malicious code, but he claimed that he only did it for fun. The young man was detained in the city of Shenzhen while visiting his parents.