Tag Archives: Phishing

Avast revisits the biggest threats of 2014

2014 has been an active year for cybercrime. Let’s start with the most recent and then take a look at some of the other important security events of the year.

shutterstock_134221643

State-sponsored espionage

We are ending the year with the most publicized and destructive hack of a major global company by another country – now identified as North Korea. The Sony Entertainment attack, still being investigated by the FBI, resulted in the theft of 100 terabytes of confidential employee data, business documents, and unreleased films. It was an attack on privacy due to the theft of a massive amount of personal records, but also essentially blackmail; aiming to silence something that the North Korean government didn’t like – namely the release of The Interview, a movie depicting an assassination attempt on Kim Jong-Un.

Most of the blame for state-sponsored cybercrime in 2014 has been with Russian or Chinese hackers. Whether private or state-sponsored, these hackers have attempted to access secret information from the United States government, military, or large American companies. Recently, Chinese hackers sponsored by the military were indicted for economic espionage by the U.S. Department of Justice.

Home-Depot-ApronLarge data breaches

Along with the Sony breach, other notable companies that suffered from cybercrime include Home Depot, eBay, Michaels, Staples, Sally Beauty Supply, and others. A significant number of these breaches were begun months or years ago, but were revealed or discovered in 2014.

Nearly 110 million records were stolen from Home Depot; the largest ever breach of a U.S retailer. The cyber-heist included 56 million payment card numbers and 53 million email addresses.

JPMorgan Chase’s data breach impacted nearly 80 million households in the U.S., as well as 7 million small- and medium-sized businesses. Cybercriminals were able to gain access after stealing an employee’s password, reminiscent of the Target breach from 2013. This breach is said to be one of the largest breaches of a financial institution. The FBI is still investigating.

Financial and data stealing malware

GameOver Zeus, called the most infamous malware ever created, infected millions of Internet users around the world and has stolen millions of dollars by retrieving online banking credentials from the infected systems.

Tinba Trojan banking malware uses a social engineering technique called spearfishing to target its victims. The spam campaign targeted Bank of America, ING Direct, and HSBC customers using scare tactics to get customers to download a Trojan which gathered personal information.

Chinese hackers were at it again, and again, targeting South Korean banking customers with banking malware using a VPN connection. The customers were sent to a look-alike webpage where they were unknowingly handing cybercrooks their banking passwords and login information.

Software vulnerabilities

Many of the breaches that occurred in 2014 were because of unpatched security holes in software that hackers took advantage of. The names we heard most often were Adobe Flash Player/Plugin, Apple Quicktime, Oracle Java Runtime, and Adobe Acrobat Reader.

Avast’s selection of security products have a feature called Software Updater which shows you an overview of all your outdated software applications, so you can keep them up to date and eliminate any security vulnerabilities.

ShellshockNumerous new exploits

Flaws in software led to Shellshock and Heartbleed, two names that struck terror in IT administrator’s hearts.

Heartbleed takes advantage of a serious vulnerability in OpenSSL. It allows cybercrooks to steal encryption keys, usernames and passwords, financial data and other sensitive data they have no right to, and leaves no trace of the operation.

Shellshock ended up affecting more than half of the websites on the Internet. Hackers deployed malware on legitimate websites in order to retrieve confidential data from compromised computers.

Ransomware

Another name that made headlines was a group of malware dubbed ransomware, such as CryptoLocker, and its variants Cryptowall, Prison Locker, PowerLocker, and Zerolocker. The most widespread is Cryptolocker, which encrypts data on a computer and demands money from the victim in order to provide the decryption key.

Avast detects and protects its users from CryptoLocker and GameoverZeus.  Make sure you back up important files on a regular basis to avoid losing them to ransomware.

Ransomware made its way from desktop to Android during the year, and Avast created a Ransomware Removal app to eliminate Android ransomware and unlocks encrypted files for free.

Privacy attacks

Mac users were shocked, celebrities mortified, and fans titillated by news of the iCloud hack which lead to the online publication of numerous private photos of Hollywood famous celebrities. The serious cloud breach was launched using brute force methods on targeted iCloud accounts.

Social engineering

The art of deception is a highly successful method for cybercrooks. The weakest link in security is the end-user, and hackers take advantage of us all the time using social engineering schemes.

shutterstock_204144223 (2)Phishing

In a phishing or spearphishing attack, hackers use email messages to trick people into providing sensitive information, click on links, or download malware. One of the most famous instances was the Target breach, in which hackers got a network password from a third party vendor that worked for Target, to get into the network and compromise their point-of-sale machines in November 2013.

Social media scams

Social channels, like Facebook, offer a perfect environment for social engineers. They can create buzz, grab users’ interest with shocking content, and encourage people to share the scams themselves. Scams often come in the form of fake video links which lead to surveys and rogue webpages.

Exploit kits for sale

The Avast Virus Lab observed increased activity of malware distributed through exploit kits this year. These kits, often for sale on the deep web, allow cybercrooks to develop customized malware threats in order to attack specific targets. Zeus source code was used to develop Gameover, and the Zeus Gameover network was used to download and install Cryptolocker.

Avast Software’s security applications for PC, Mac, and Android are trusted by more than 200-million people and businesses. Please follow us on FacebookTwitter and Google+.

South Korea hit with banking malware using VPN connection

South Korean banks have been attacked by hackers again!

This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.

The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses.  Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!

XP Debugging2

The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.

hosts

As you can see in the figure above (shortened screenshot of hosts file), the malware redirects many websites of South Korean banks to the IP address 10.0.0.7. If you try to enter this address into your web browser, you probably won’t get any response, because this is the private IP address. The other websites which belong to South Korean search engines, like Naver, are redirected to the publicly accessible IP address. When visiting any of these search engines on the infected machine, the following banner is displayed on the top of the regular website.

popThe image says:

Do you have a security software or program in your PC or Do you have a security card? Due to hacking incidents and potential of compromising users’ information if you want to use internet banking you need to do identification procedure.

We found one very interesting technical detail about the malware behavior – it uses a VPN connection! When a user clicks on one of the bank’s logos below, he is connected to a VPN and the fake banking website is displayed. At first, the malware connects to the C&C server and obtains configuration by GET request on 69.30.240.106/index.txt. The C&C answer includes a link to an executable modifying the hosts file and VPN server IP address.

900
test.exe
vpn=204.12.226.98

The executable is responsible for properly rewriting %windows%system32driversetchost file, which is queried for address translation before querying DNS on Windows machines. For example, if you want to go to www.naver.com the system first accesses the host file, and if there is a match it uses the specified IP address (104.203.169.221) for that site which differs from the original DNS records – 202.131.30.12 for our geographical location.

The malware targets Korean bank customers who access the following bank websites:

www.nonghyup.com, nonghyup.com, banking.nonghyup.com, www.nonghyup.co.kr, nonghyup.co.kr, banking.nonghyup.co.kr, www.shinhan.com, shinhan.com, www.shinhanbank.com, shinhanbank.com, www.shinhanbank.co.kr, shinhanbank.co.kr, banking.shinhanbank.com, banking.shinhan.com, banking.shinhanbank.co.kr, www.hanabank.com, hanabank.com, www.hanabank.co.kr, hanabank.co.kr, www.wooribank.com, wooribank.com, www.wooribank.kr, wooribank.kr, www.wooribank.co.kr, wooribank.co.kr, www.kbstar.com, kbstar.com, www.kbstar.co.kr, kbstar.co.kr, www.keb.co.kr, keb.co.kr, ebank.keb.co.kr, online.keb.co.kr, www.ibk.co.kr, ibk.co.kr, www.ibk.kr, ibk.kr, mybank.ibk.co.kr, banking.ibk.co.kr, www.kfcc.co.kr, kfcc.co.kr, www.kfcc.com, kfcc.com, www.epostbank.co.kr, epostbank.co.kr, www.epost.kr, epost.kr, www.epostbank.kr, epostbank.kr

The bank domain names are translated into a private network address range (10.0.0.7) and the search engines are translated to webserver running IIS. Webserver runs a Chinese version of IIS, as shown from the error message displayed when supplying incorrect header information.

iis
The malware, however, is not connected to the VPN all the time. The malware searches for the active Internet Explorer windows and if found, depending on Internet Explorer version, it locates browser’s address bar and extracts the currently entered url address. If URL belonging to any of the banks is found, VPN connection is established.

At first, malware drops a file %USERPROFILE%profiles.pbk, which includes the basic configuration. The credentials for VPN (name and password) are hard coded in the binary. The connection is made with help of Windows RAS API interface.

rasdial

If we want to verify the VPN connection in Windows, we can simply locate the dropped PBK file and double click on it. In properties, we will choose “Prompt for name and passwords, certificate, etc.” We enter the username and password, which we previously extracted from the malicious binary. After pressing the “Connect” button, we are connected to the VPN, and if hosts file is properly modified, we can access the fake bank websites. After pressing “Hang Up”, we can disconnect from VPN.

pbk01

pbk02

pbk03

pbk04

 

After a successful connection, “ipconfig /all” command lists PPP connection to VPN, with the current machine’s assigned private IP address. At this moment, the infected machine is connected into the private network and it can access contents hosted on 10.0.0.7.

vpn

Example of visiting bank’s website on a compromised computer

When a customer visits nate, daum or naver on an infected machine, he is presented with the following banner.
XP Debugging1

After clicking on the logo of a bank, the customer is presented with the following modified website (the example below was taken for epostbank.kr, however this attack works the same way for the other banks). If the customer clicks on any link on the fake bank website, he is presented with an error message. The message says that the additional security measures are available. After clicking OK, the fake verification process starts.
epostbank_errormsg
The customer is asked to fill in some personal details.
epostbank01
Then he is asked for a phone number and numbers in his security card.
epostbank02
Lastly, he is presented with a link to download a malicious Android application. At the writing of this blog post, the link to the malicious Android app is not working anymore.
epostbank03

SHAs:

Original dropper

1C22460BAFDDBFDC5521DC1838E2B0719E34F258C2860282CD48DF1FBAF76E79

Dropped DLL, C&C communication

FDF4CAA13129BCEF76B9E18D713C3829CF3E76F14FAE019C2C91810A84E2D878

Hosts file modifier

1D1AE6340D9FAB3A93864B1A74D9980A8287423AAAE47D086CA002EA0DFA4FD4

 

Acknowledgements:

This analysis was jointly accomplished by Jaromir Horejsi, David Fiser and Honza Zika.

German phishing scam spreading globally

In recent weeks, we detected another wave of phishing emails, written in German, pretending to be a billing invoice sent from various well-known companies such as Vodafone. Instead of a real invoice, they contain a link to an archive with a malicious code that can infect users’ PCs. The original wave of this malware campaign was already observed earlier this year primarily targeting Germany. This time, it is spreading worldwide. However, they are still in German, which helps identify them as a scam.

In this post, we give a brief technical description of this threat and provide several tips how to not get caught by similar phishing threats.

 

Phishing Emails

We have found several different versions of these emails that claim to be sent from Vodafone, Telekom Deutschland GmbH, Volksbank, and other companies with a faked sender name (e.g. [email protected]) including the official logos. As we can see in Vodafone’s official statement, these companies are aware of this scam and have already warned their customers. Each version of such email is slightly different and contains the current date, a random customer number and payment amount.

Phishing email - Vodafone

If we look more carefully at the sender’s email address, we can see that the true author did not bother with faking the sender’s email address. This should immediately alert the recipient as an email from German Vodafone would hardly be sent from an unrelated Romanian domain.

In the latest scam, the emails do not contain any attachment, which is different to the other recent phishing campaigns. The proclaimed bill (a PDF file) is available online via a given link (also unique for each version) that actually leads to a ZIP archive stored on one of the hacked sites. These archives contain an exploited/unsecured WordPress instance and they serve as a mule for the distribution of malware to users.

Once again, a user targeted by such an attack should be alerted via a simple inspection of the target location of the link by hovering the cursor over it (but remember to not click on the link). This feature is supported by most browsers and email clients. As we can see from the following figure, the target domain of the link is also very suspicious:

beachmountainXXX.net/AYowCJbK

.

Link to a hacked domain

Malicious Content

The downloaded file (e.g.

2014_11rechnung_K4768955881.zip

) is a ZIP archive containing an executable file. The user is fooled by the application’s icon (similar to Adobe Reader) to think that it is a PDF file, which is yet another well-known trick used by malware authors.

Icon of the executable file

If you are not sure about the real file type, you can see the file properties.

For the following analysis of the malicious content, we use a sample with the MD5 checksum

b0a152fe885a13a6ffb0057f6f21912f

. It is an executable file downloaded from one of these links, likely originally written in C++ by using MFC.

First Stage

The (unwanted) execution of this file starts the first phase of the malicious behavior.

The file itself is 160 kB large, but most of its size is stored within the resource file masked as the following GIF image (109 kB).

The author of this sample used steganography because 99% bytes of the image content represents an encrypted code. This code is decrypted first and the control is passed to this decrypted code.

Furthermore, WinAPI functions are called indirectly (via functions

LoadModule()

and

GetProcAddress()

) and names of these functions are obfuscated and decoded during run-time on the application’s stack in order to make analysis more difficult.

Afterwards, it creates a new process with the same name and fills its sections with the decrypted code from the GIF image (via the

WriteProcessMemory()

function).

This new process copies the original file into 

C:Users%USERNAME%AppDataRoamingIdentitiesqwrhwyyy.exe

(as a read-only system file), registers itself to be run at system startup (registry key

HKCUSoftwareMicrosoftWindowsCurrentVersionRun

), and deletes the original file by using a generated batch file.

Once the file is executed from this new location, it behaves differently:

It checks whether it is analyzed or virtualized via the following techniques.

  • Detection of a loaded Sandboxie module 
    SbieDll.dll

    and detection of running processes 

    VboxService.exe

    (VirtualBox) and

    vmtoolsd.exe

    (VMware).

  • It also uses the
    GetTickCount()

    function to detect whether it has really started during the startup and also to detect debuggers.

  • If any of these is detected, the executable file stops its malicious activity.

Afterwards, it extracts and decrypts another executable file on stack from the aforementioned GIF image and injects it into other processes, such as

explorer.exe

,

firefox.exe

. This starts the second stage of infection. Note: some versions of this malware try also to check a working Internet connection via a DnsQuery of www.microsoft.com before starting the second stage.

Second Stage

This extracted file is relatively small (52 kB) because it is packed by the UPX packer (version 3.08).

After its run-time unpacking, it uses the same anti-debugging tricks as the previous sample.

The main body of this file can be described by the following decompiled code:

CreateMutexA(0, 1, mutexName); // "qazwsxedc"
Sleep(1800000);                // wait for 30 minutes
WSAStartup(0x202, &WSAData);   // initiate Winsock
seconds = getLocalTimeInSeconds(0);
if (GetTickCount() < 1920000 /* 32 minutes after startup */ &&
	GetTickCount() > 1000) {
	while (1) {
		malicious();           // the main functionality
		gStateInactive = 1;
		Sleep(300000);         // wait for 5 minutes
	}
}

  • For synchronization between the first and second stage, the mutex 
    qazwsxedc

    is used (e.g. another variation of classical

    qwert

    or

    asdfg

    names).

  • Afterwards, the malware waits for 30 minutes to remain stealthy. After that, it also checks whether no more than 32 minutes have passed since the system startup (i.e. whether it was started during the first two minutes after startup).
  • In its main loop, it follows the malicious behavior described in the remaining paragraphs (function
    malicious()

    ). After each iteration, it makes a 5 minutes break before the next action.

In this function, the string

DC85CCC4C4CCC7CED385C6CE919F9F98

is decrypted at first by using the fixed XOR key

0xAB

. The resulting string

w.googlex.me:443

represents a remote address of the command-and-control (C&C) host and its port. The second one is

m.googlex.me:53

. At first, the sample tries to check connection with these servers by using the Winsock functions. The other samples contain different lists of C&C servers:

ahokcjidanptacyu.eu
gctrbwqyxxyamcnn.eu
ggcrguelfhvtuxdb.eu
gkkelsrkypraqhto.eu
gunvpvqhnwxxgjsn.eu
gvlmoefoqapvrvec.eu
mcfpeqbotiwxfxqu.eu
...

Afterwards, it obtains information about the local computer, such as:

  • computer name;
  • version of operating system;
  • processor information and number of cores;
  • memory information.
English (United States) // local settings
TEST-PC                 // PC name
Windows 7 Professional  // Windows version
4096 MB                 // memory      
Intel(R) Xeon(R) CPU E5-1620 v2 @ 3.70GHz | CORE 8 // CPU
2014-10                 // malware version

Afterwards, this information is encrypted and send as a registration to a C&C server from the aforementioned list. The reply from the server is encrypted by the same algorithm. The very first byte of the reply message specifies an action (i.e. a control code) to be performed. To date, we have identified the following codes:

  • 18, 19, and 20 – open a specified page in Internet Explorer (with minor differences).
  • 16 and 17 – download and execute a file specified within the message. The file is downloaded via the
    URLDownloadToFile()

    function, stored with a random name, e.g.

    %TMP%mibww.exe

    and executed via the 

    WinExec()

    function.

  • 6 – terminate the process (itself).
  • 5 – inactivate itself for a specified time.
  • 2, 3, and 4 – these codes imply different types of online communication with other systems (e.g. for downloading other malware modules, communication with other infected systems, attacking specified targets). The communication is executed via a server-specified number of threads running the following built-in functions. Arguments to these functions are also sent within the messages from a C&C server. All of these functions are based on Winsock functions.
    • Sending a message to a given IP address (or host name) and port.
    • Communication with a remote server on ports 21 and 22.
    • Sending multiple types of HTTP GET requests to specified servers.
GET %FILE% HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE %VERSION%.0; Windows NT %VERSION%.1; SV1)
Host: %HOST%:%PORT%
Connection: Keep-Alive

GET %FILE% HTTP/1.1
Content-Type: text/html
Host: %HOST%
Accept: text/html, */*
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%VERSION%.0

GET %FILE% HTTP/1.1
Referer: http://%ADDR%:80/http://%ADDR%
Host: %HOST%
Connection: Close
Cache-Control : no-cache

GET %FILE% HTTP/1.1
Content-Type: text/html
Host: %HOST%
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

Those actions are constantly executed until the process is terminated by the C&C server (unlikely) or by user (e.g. system shutdown). However, this process is started once again during the system startup.

As we can see, it is up to the attacker to download and execute other malicious modules, such as password stealers, bankers, or to include the infected PC into a botnet.

Conclusion

Although, the analyzed phishing emails are far from perfect (download links and sender addresses are suspicious, the text of email is only available in German, etc.), it is still possible to fool a user into executing the malicious file. This file is powerful enough to infect the user’s machine and turn it into an unsafe place.

Here are some basic tips, that we’ve previously shared about how to detect a phishing email:

  • Check the spelling and grammar – it is unlikely that your bank or service provider will send you an email with such mistakes.
  • Sender’s name and email address can be spoofed, do not rely on them.
  • Look at the target address of the link – different domains than the official ones are highly suspicious.
  • Do not panic and do not do any action in haste. The attacker often tries to threaten you and make a time pressure on you.
  • Do not open suspicious attachments or links. If you really need to open a file, check its file type before double-clicking it. The file name and icon can be easily crafted to look like a picture or document.
  • If you are not sure about the email’s origin, try to contact that company directly (e.g. call official customer care), but do not respond to such email and never ever send your credentials in this way.
  • And as always: use AVG to stay protected.

Fake confirmation emails from Walmart, Home Depot, others in circulation

Cybercrooks target busy holiday shoppers with phishing scheme.

After all that shopping on Black Friday and Cyber Monday, consumers are reporting a bunch of phishing emails that look like authentic communications from poular stores. Malware-infected emails are reportedly coming from Walmart, Home Depot, Target, and Costco. The catch is these are not from the authentic merchants, but rather cybercrooks are using a phishing scheme to send fake emails with the intent to gather personal information from harried shoppers.

Walmart scam email

Millions of these emails are being sent each day, originating from more than 600 hacked websites that act as intermediaries, according to security analysts from Malcovery monitoring the attacks. This method prevented detection by causing the spammed links to point to websites that had been safe until the morning of the attack.

The messages have subject lines like this:

  • Thank you for your order
  • Order Confirmation
  • Thank you for buying from Best Buy
  • Acknowledgment of Order
  • Order Status

If you receive one of these emails, don’t click on any links. Instead, visit the merchant’s website or call their customer service. Don’t give any personal information out unless you know for sure with whom you are speaking.

Home Depot scam email

costco scam email

 

Signs of a fake email

Unfortunately, cybercrooks are becoming more professional with their scams, but here are a few things you can look for to tell a fake email from an authentic one.

  • Poor grammar usage
  • The Sender (the “from” line) may not match the merchant name
  • Links in the email do not go to the real website
  • There is no order confirmation number or details about the order. A real order confirmation email contains the details of your order without clicking on any links, as well as where it is being shipped and the payment method.

target scam email

How to protect yourself

Walmart acknowledged that the fraudulent emails were in circulation and suggested these steps if you receive a suspicious email.

  • If you actually placed an order and are suspicious about the email you received, log onto your Walmart.com order to check your order status.
  • Keep your virus software updated on all your computers.

If you were a victim of fraud via the Internet, you should file a report with your local law enforcement agency along with the Internet Crime Complaint Center (ICCC). The ICCC is a partnership between the FBI and the National White Collar Crime Center. You can make a report with the ICCC.

Avast Software’s security applications for PC, Mac, and Android are trusted by more than 200-million people and businesses. Please follow us on FacebookTwitter and Google+.

 

Donate generously on Giving Tuesday, but watch out for scams

#GivingTuesday is a day dedicated to give from the bounty we have received.

GivingTuesday2014

After the shopping free-for-all of Black Friday, the local discoveries of Small Business Saturday, and the online click frenzy of Cyber Monday, people the world over have a day for giving thanks.

On Tuesday, December 2, 2014, charities, families, businesses, community centers, and students around the world will come together for one common purpose: to celebrate generosity and to give. ~www.givingtuesday.org

From supporting women’s microfranchises selling solar products in Nicaragua to supplying feed and services to a ranch in Arizona that helps save horses from abuse and neglect to constructing toilets in a school in West Bengal, there are a myriad of opportunities to spread your goodwill and your cash. It’s also an opportunity for cybercrooks to scam those with a generous heart.

What you need to know about charity scams

Charities and fundraising groups use all methods to solicit funds, so you could receive a phone call, a knock at your door, an email, a message via social networking sites, and even a text message on your mobile phone. Before giving your donation, carefully review a charity and ensure it is a trustworthy organization.

The Better Business Bureau (BBB) and the Federal Trade Commission (FTC) offers some valuable tips.

    • Watch out for copycats. There may be hundreds of charities seeking support in the same category, and some may use a name that is similar to a better-known, reputable organization. Don’t fall for a case of mistaken identity.
    • Avoid being pressured. Don’t succumb to high-pressure tactics that try to get you to donate immediately. Responsible organizations will welcome your gift tomorrow just as much as today.
    • Give through a reputable, secure service. If a charity asks for donations in cash, by money wire, or offers to send a courier or overnight delivery service to collect the donation immediately, then beware. A genuine charity will give you time and a secure method to make your donation.
    • When in doubt, check them out. The results of a Google or Yahoo search have been known to include bogus phishing sites designed to look like a legitimate charity’s website. Just look up scams around Hurricane Katrina, and you’ll see what I mean. Charity Navigator says,
      • Carefully examine the web address. Most non-profit web addresses end with .org and not .com. Avoid web addresses that end in a series of numbers.
      • Bogus sites often ask for detailed personal information such as your social security number, date of birth, or your bank account and pin information. Be extremely skeptical of these sites as providing this information makes it easy for them to steal your identity.

Avast Software’s security applications for PC, Mac, and Android are trusted by more than 200-million people and businesses. Please follow us on FacebookTwitter and Google+.

 

 

Home Depot discloses that 53 million customer email addresses were stolen

Home-Depot-ApronThe Home Depot security breach last spring has gotten worse. In addition to the 56 million credit-card accounts that were compromised, around 53 million customer email addresses were also taken, according to a statement from Home Depot about the breach investigation. Home Depot assures its customers that no passwords, payment card information like debit card PIN numbers, or other “sensitive” information was stolen.

The breach occurred when cybercrooks stole a third-party vendor’s user name and password to enter their network in April 2014. The hackers then deployed unique, custom-built malware on Home Depot’s self-checkout registers in the United States and Canada.

The company said that as of September 18, the malware had been eliminated from the network.

Request your free identity protection

The Home Depot is notifying affected customers and still offering free identity protection services, including credit monitoring, to any customer who used a credit or debit card at one of its 2,266 retail stores beginning in April. Customers who wish to take advantage of these services should visit homedepot.allclearid.com or call 1-800-HOMEDEPOT (466-3337).

The Fallout

Home Depot said that customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.

  • Review your credit card statements carefully and call your bank if you see any suspicious transactions.
  • Be aware of phone calls or emails that appear to offer you identity theft protection but are truly phishing schemes designed to steal your information. Always go directly to The Home Depot’s website or to the AllClear ID website, or call Equifax for information rather than clicking on links in emails.

Get more information from Home Depot’s Facebook page.

// <![CDATA[
(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = “//connect.facebook.net/en_US/all.js#xfbml=1”; fjs.parentNode.insertBefore(js, fjs); }(document, ‘script’, ‘facebook-jssdk’));
// ]]>

 

Avast Software’s security applications for PC, Mac, and Android are trusted by more than 200-million people and businesses. Please follow us on Facebook, Twitter and Google+.