Krebs on Security: First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

Krebs on Security: First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records. “The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.”

Krebs on Security: Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

Krebs on Security: Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions. “A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions.”

Black Hats & White Collars: SEC EDGAR Database Hackers Revealed (Splunk)

Splunk: Black Hats & White Collars: SEC EDGAR Database Hackers Revealed. “Over the past year, I’ve been presenting research at security conferences regarding the increasingly cozy relationship between black hat hackers and white collar criminals. One of the cases I researched was a group of hackers targeting PR firms for non-public insider information that could be monetized by trading stock based on the results of a company’s earnings and other factors. This past week it was revealed that this same group of criminal hackers and traders had become much more brazen and were also involved in the hacking of SEC’s EDGAR system targeting similar information.”

The Hindu: A new bank scam using Google Maps loophole

The Hindu: A new bank scam using Google Maps loophole. “Scamsters seem to have stumbled upon a gold mine in the form of a loophole in the Google Maps interface. Taking advantage of the fact that on Google Maps, an establishment’s contact details can be edited by anyone, a group of Thane-based con artists have been putting up their own contact numbers and getting customers who call them into revealing sensitive account details.”

Krebs on Security: SMS Phishing + Cardless ATM = Profit

Krebs on Security: SMS Phishing + Cardless ATM = Profit. “A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.”

ZDNet: Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks

ZDNet: Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks. “Over 100,000 routers have had their DNS settings modified to redirect users to phishing pages. The redirection occurs only when users are trying to access e-banking pages for Brazilian banks. Around 88% of these routers are located in Brazil, and the campaign has been raging since at least mid-August when security firm Radware first spotted something strange.”

New York Times: Banks and Retailers Are Tracking How You Type, Swipe and Tap

New York Times: Banks and Retailers Are Tracking How You Type, Swipe and Tap. “The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps. Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.”