Foursys - specialists in network threat protection
Company News

Websense to be acquired by private equity firm for $1 billion

Websense is to be acquired by private equity firm Vista Equity Partners for around $1 billion.

At a price of $24.75 per share, the deal will make Websense a privately owned business. It is expected that its current senior management team will remain in place and its headquarters will be based in San Diego.

John Carrington, chairman of the Websense board of directors, said that after detailed discussions with several potential acquirers, the board of directors was pleased to approve this agreement.

“Vista shares a similar vision for the company, including a dedication to developing and delivering best-in-class cyber security to our customers,” said John McCormack, Websense CEO.

“Vista brings an operational discipline that will enable us to continue to invest in the business and technology innovation.”

Robert F. Smith, CEO and founder of Vista Equity Partners, said: “We are long-term investors in enterprise software and data companies that are committed to being leaders in their markets.

“We are impressed with Websense's market-leading product suite and the compelling value proposition it offers to its customers. We look forward to working with the company to enable it to reach its full potential.”

 

Hackers hit LivingSocial and threaten 50 million users

Hackers have hit the daily deals site LivingSocial, gaining access to credentials and encrypted passwords of its 50 million registered users.

Although the passwords were hashed and salted, the company said in a memo to employees that data for its 50 million users might have been compromised and it was contacting customers.

The memo said: “We recently experienced a cyber attack on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

“The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed' and ‘salted' passwords. We never store passwords in plain text.”

It also confirmed that neither the database that stores customer credit card information nor the database that stores merchants' financial and banking information was affected or accessed.

The memo, signed by CEO Tim O'Shaughnessy and featured by allthingsd, said that it was "redoubling efforts to prevent any issues in the future" and in anticipation of a high call volume, it was likely to temporarily suspend consumer phone-based servicing and devote all of its resources to web-based servicing.

O'Shaughnessy said: “I apologise for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we're taking the steps described and going above and beyond what's required. We'll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.”

Paul Ducklin, head of technology for Sophos Asia Pacific, said that rather than storing an actual password, sites should consider storing a random string of characters instead: combine the password with this random string (the salt) and pass the salted password through a non-reversible cryptographic function to get a message digest code.

“A crook can check to see if your password is, say ‘s3cr3cy' by salting-and-hashing himself, but he has to start with a guess, because he can't go back from the hash to your password,” he said.

“That's why easy-to-guess passwords are bad: the crooks crack them first.”
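The salt-and-hash scheme Ducklin describes, and why guessable passwords fall first, as an added example that is not from the original article or from LivingSocial. The choice of PBKDF2-HMAC-SHA256 as the one-way function, the iteration count, the user names and the guess list are all assumptions made for illustration; the article does not say which function the site used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-run salt-and-hash on the candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def audit_weak_passwords(records, guesses):
    """Defensive audit: which stored accounts fall to a list of common guesses?

    Each guess must be re-hashed with each user's own salt, so the work grows
    as users x guesses and one precomputed table cannot cover every account.
    """
    cracked = {}
    for user, (salt, digest) in records.items():
        for guess in guesses:
            if verify_password(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked


# Constructed sample data: two users share a weak password, one uses a long passphrase.
RECORDS = {
    "alice": hash_password("s3cr3cy"),
    "bob": hash_password("s3cr3cy"),
    "carol": hash_password("correct horse battery staple 9!"),
}
COMMON_GUESSES = ["password", "123456", "s3cr3cy", "letmein"]

if __name__ == "__main__":
    # Same password, different salts: the stored digests do not match each other.
    print(RECORDS["alice"][1] != RECORDS["bob"][1])
    # Only the accounts with a guessable password are recovered.
    print(audit_weak_passwords(RECORDS, COMMON_GUESSES))
```

Running the same audit against your own credential store before an incident shows which accounts would be the first to fall if the digests were stolen.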

Terry Greer-King, managing director of Check Point UK, said: “LivingSocial users should change their passwords quickly, even though the stolen passwords were encrypted: this protection can be cracked using easily-available programs.

“They should also be cautious about clicking on links in emails they receive purporting to be from LivingSocial. There's a real risk that the stolen email addresses will be used to send phishing emails to users, to try and harvest more data such as credit card details.

“In 2012, businesses globally were reporting an average of nearly 70 attempted security attacks on their networks every week. For the attackers, this is just a numbers game.”

 

Margaret Thatcher's Death Used in Cyber Attacks

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re: Fwd:" notation. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.

When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes and you can see this trojan in action on our previous blog here.

Server-side polymorphic technology has been applied to evade traditional AV detection.

It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains one of the following subjects:

Fwd: Dollar Bank bankruptcy

Re: Shedding light on 'dark matter'

Re: Why Washington is corrupt

Re: Kissinger: Thatcher's strong beliefs

Re: Tax havens busted

Fwd: Re: First Citizens Bank bankruptcy

Fwd: Re: Living large in Don Draper's New York

Fwd: Re: Kissinger: Thatcher's strong beliefs

Re: Fwd: California Bank & Trust bankruptcy

Fwd: Re: Bank of America bankruptcy

Fwd: Allowing knives on planes is 'insane'

Fwd: Re: War with N. Korea

Fwd: Air Canada goes 'Gangnam style'

Fwd: Re: NASA plans to catch an asteroid

Re: Fwd: Dollar Bank bankruptcy

Fwd: Why Washington is corrupt

Fwd: Blast kills 29 on bus in New-York

Fwd: Shedding light on 'dark matter'

Fwd: Re: Marikana massacre aftermath

Re: Fwd: Kissinger: Thatcher's strong beliefs

Fwd: Re: PNC Bank bankruptcy

Re: Fwd: Bank Of The West bankruptcy

Re: Fwd: M&I Bank bankruptcy

Re: Bank Of The West bankruptcy

Fwd: Bank Of The West bankruptcy

Re: Fwd: PNC Bank bankruptcy

Re: Bank of America bankruptcy

Re: Fwd: War with N. Korea

Re: California Bank & Trust bankruptcy

Re: Blast kills 29 on bus in New-York

Re: Fwd: Blast kills 29 on bus in New-York

Re: Sending out SOS for 'America's flagship'

Re: Fwd: Marikana massacre aftermath

Re: Living large in Don Draper's New York

Re: War with N. Korea

Fwd: Re: Death penalty 'harms Bali's reputation'

Re: Fwd: Death penalty 'harms Bali's reputation'

Re: PNC Bank bankruptcy

Re: NASA plans to catch an asteroid

Re: Northern Trust Bank bankruptcy

Fwd: Tax havens busted

Re: Fwd: Why Washington is corrupt

Re: Fwd: Tax havens busted

Fwd: M&I Bank bankruptcy

Re: Fwd: Fashion designer Lilly Pulitzer dies

Re: First Citizens Bank bankruptcy

Re: Fwd: Shedding light on 'dark matter'

Re: Fwd: Living large in Don Draper's New York

Re: Fwd: Northern Trust Bank bankruptcy

Fwd: Re: California Bank & Trust bankruptcy

Re: Air Canada goes 'Gangnam style'

Re: Fashion designer Lilly Pulitzer dies

Re: Dollar Bank bankruptcy

Fwd: Sending out SOS for 'America's flagship'
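The list above repeats a small set of topics behind different "Re:" / "Fwd:" chains, so a mail filter can match on the topic after stripping the chain. The following is an added example of that triage check, not Websense code: the topic set is a subset copied from the list, the test subjects with altered case or spacing are constructed, and requiring at least one prefix is an assumption based on every listed subject carrying one.

```python
import re

# Lure topics taken from the subject list above (a subset, prefixes removed).
LURE_TOPICS = {
    "kissinger: thatcher's strong beliefs",
    "war with n. korea",
    "dollar bank bankruptcy",
    "tax havens busted",
    "nasa plans to catch an asteroid",
}

# One or more leading "Re:" / "Fwd:" / "Fw:" markers, in any order and case.
PREFIX_CHAIN = re.compile(r"^(?:\s*(?:re|fwd?)\s*:\s*)+", re.IGNORECASE)
PREFIX_ITEM = re.compile(r"(?:re|fwd?)\s*:", re.IGNORECASE)


def normalize_subject(subject):
    """Strip the reply/forward chain and normalise quotes, case and spacing."""
    subject = subject.replace("\u2019", "'").replace("\u2018", "'")
    topic = PREFIX_CHAIN.sub("", subject)
    return " ".join(topic.split()).lower()


def classify(subject):
    """Return (is_lure, topic, prefix_depth) for one Subject header value."""
    match = PREFIX_CHAIN.match(subject)
    depth = len(PREFIX_ITEM.findall(match.group(0))) if match else 0
    topic = normalize_subject(subject)
    # Assumption: only flag subjects that fake a reply/forward chain.
    return (depth > 0 and topic in LURE_TOPICS, topic, depth)


def flag_subjects(subjects):
    """Return the subjects that match a known lure topic, in input order."""
    return [s for s in subjects if classify(s)[0]]


# Constructed inbox sample: two lures (one with altered case), two benign mails.
SAMPLE_SUBJECTS = [
    "Re: Fwd: Kissinger: Thatcher's strong beliefs",
    "FWD:  RE: War with N. Korea",
    "Re: lunch on Friday?",
    "Tax havens busted",
]

if __name__ == "__main__":
    for subject in flag_subjects(SAMPLE_SUBJECTS):
        print("quarantine for review:", subject)
```

Because the campaign rotates through whatever topic is current, a subject match is a triage signal to pair with URL and attachment inspection, not a verdict on its own.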

 

Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Vulnerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).

VSkimmer Trojan steals card data on point-of-sale systems

Researchers have discovered a new Trojan capable of stealing credit card data from point-of-sale (POS) systems, and it appears to be an updated version of Dexter, similar malware targeting card-swiping devices.

On Thursday, Chintan Shah, a security researcher for McAfee Labs, blogged about VSkimmer, which is capable of grabbing data – account numbers, expiration dates and service code numbers – stored on the magnetic strip of credit cards.

In the post, Shah also said the Trojan targets Windows machines.

“The malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server,” Shah said.

McAfee researchers noticed participants on an online Russian forum discussing a potential sale, and began to analyse the Trojan.

“The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, but with additional functions,” Shah said.

Dexter was originally detected in December 2012 by researchers at Seculert, an Israel-based security firm. It too targeted POS terminals, devices swiped during purchases.

Shah wrote that the fact that VSkimmer was targeting terminals running Windows showed how “financial fraud is actively evolving and how Trojans are developed and passed around in the underground community.”

In an interview with SCMagazine.com on Friday, Adam Wosotowsky, messaging data architect at McAfee Labs, said that attackers likely started infecting machines with VSkimmer via USB devices.

“A USB [infection vector] would require an inside job or confidence scam – talking people into allowing you to [access] these machines,” Wosotowsky said.

McAfee has yet to confirm the number of infections. Its oldest sample of the malware dates back to 13th February. Wosotowsky said, however, that efforts to leverage the Trojan have been very 'targeted', so VSkimmer cases are likely not widespread.

“This is specialised malware, and it's a trend we are seeing more of – [attackers] going directly after point-of-sale systems,” he said. "There's a lot of activity moving in this direction."

 

Hackers launch DDoS attack on security blogger's site, send SWAT team to his home

Thankfully, award-winning US computer security reporter Brian Krebs is safe.

Nobody was harmed. But they could have been.

Given a DOSed website, a fake and libelous FBI letter sent to his website host, and a dinner party delayed by a SWAT team training guns on him and ordering him to "Put your hands in the air!", Krebs last week surely endured the most dramatic retribution ever meted out to a security blogger.

Krebs has a good idea of the specific criminal element behind the trio of attacks. Since the dramatic events of Thursday, he's traced the denial-of-service attack to a common operator who apparently launched a similar attack on Ars Technica following its coverage of Krebs's victimization.

As described by his fellow security scribe Dan Goodin at Ars Technica, Krebs is known for work that includes:

In short, Krebs has enemies.

Last week, one or more of those enemies targeted him, likely in retaliation for his most recent investigation.

On Friday, Krebs detailed in a post how the ordeal started the day before, when his site was targeted with "a fairly massive denial of service attack."

That same afternoon, a technician from Prolexic called. Prolexic is a company that Krebs hired to protect his site, KrebsOnSecurity.com, from DOS attacks.

Prolexic forwarded a letter they'd received earlier that day, purporting to come from the US Federal Bureau of Investigation.

The letter, which Krebs reprinted here, falsely claimed that Krebs's site was "hosting illegal content, profiting from cybercriminal activity, and that it should be shut down," Krebs writes.

Both Prolexic and Krebs dubbed it a hoax - an assumption Krebs confirmed with a quick call to the FBI.

As Prolexic tidied up his DOSed site, Krebs got to work tidying up his home in anticipation of dinner guests. His office phone rang while he was vacuuming, but he ignored it.

That, it turns out, was an unfortunate choice, given that the call came from law enforcement who were trying to verify what would turn out to be a spoofed emergency call showing Krebs's number on caller ID.

As he was vacuuming, Krebs noticed plastic tape on the front-door threshold, left over from securing an extension cord. He opened the door to unpeel it.

He tells of what happened next:

"When I opened the door to peel the rest of the tape off, I heard someone yell, 'Don't move! Put your hands in the air.' Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.

"I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline."

Krebs had filed a police report last year on the suspicion that he would be SWATted.

SWATting is the practice of falsely reporting an emergency, as a prank or as revenge against a victim upon whom descends emergency services - or, in Krebs's case, armed law enforcement.

Krebs's persecutors had, in fact, spoofed an emergency call to make it appear that it had come from his phone.

As Sophos's Chester Wisniewski noted last April when he wrote about fraudulent calls targeting US banks, caller ID spoofing can be particularly convincing in the US, given that the call display service used by most phone companies here does a reverse lookup for the name information based on the caller ID number provided by the call.

Once a criminal determines the phone number he wants to have fraudulently show up as his caller ID number - Krebs's phone number, in this case - it's trivial to display that number on the call recipient's display.

Caller ID spoofing has been around for years through various technologies: ISDN PRI circuits used by collection agencies, law enforcement, and private investigators, all of whom have used it with varying degrees of legality; spoofing services such as Star38.com; and through Voice over IP (VoIP) technology.

Given how trivial it is to spoof caller ID, it's surprising that people put any faith at all in the technology - most particularly that law enforcement do.

In fact, the police who took Krebs's report warning that he might be targeted by SWATting hadn't even heard of the practice.

All too readily, we tend to put faith in appearances. We believe caller ID identifies the true identity of a caller.

Or somebody flashes a piece of silver and we obediently hand over our licenses or wallets, or we open a door and allow strangers inside our home or our cars, without verifying whether what we've seen was an authentic emblem or a plastic toy badge.

We - the police included - trust in the technology we use. Criminals will always exploit that trust.

Krebs's work, like that of other security reporters and researchers, is to poke sticks into hornets' nests, to borrow a friend's analogy.

In this case, the sting from angry hornets could have had fatal consequences, as Krebs points out:

"I have seen many young hackers discussing SWATing attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts peoples’ lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.

"The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on another will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATing of those responsible."

Well said, Brian. We all hope so too, for your sake and for the sake of all security researchers, law enforcement personnel and victims of attacks like the one you experienced.

 