IRS

IRS Reports 700,000 U.S. Taxpayers Hacked And 47 Million ‘Get Transcripts’ Ordered

Another 390,000 taxpayer accounts have been identified as potentially accessed by thieves that hacked into the IRS’s “Get Transcript” online application, the IRS said Friday, bringing the total number of accounts affected to approximately 724,000.

The breach was discovered last May, when the IRS initially identified possible unauthorized access of about 114,000 taxpayer accounts. Then, last August, the IRS revised that figure to 334,000. The application on the IRS website, launched in January 2014, was intended to allow taxpayers to more easily obtain records of their prior tax filings. It has remained suspended since the data breach was first discovered.

See more at: http://www.journalofaccountancy.com/news/2016/feb/irs-get-transcript-data-breach-worse-201613967.html


WordPress hack plugin GroupDocs

One of my WordPress blogs got hacked. I was notified by Google.

I was apprehensive about accessing the site from my computer, so I checked it out from my smartphone. I figured most current malware attempts to download and install on Windows systems, but is usually not smart enough to infect two different platforms (Windows AND Android). The site seemed fine, but I am sure there is something wrong. So I logged into the server. The dates look a little suspicious, but the actual PHP files looked fine.

I noticed a pattern with the dates that the files were accessed. I am seeing scores of files/folders that have been “touched” and have the same date/time stamp, Nov 22, 2015 12:00. You only see that many files changed at once when a script does it. I focused on those files and I can see that MOST of the Nov 22 12:00 date/time stamps are on ONE plugin: GroupDocs. I look at the error log:

INFO Started brute forcing.


I look up the plugin GroupDocs. It has had a MAJOR compromise:

https://wordpress.org/support/topic/beaware-this-plugin-attracts-hackers

It is being used as a backdoor into WordPress. Honestly, I don’t remember even installing it. I am not sure if it came with the theme I installed or what. I start checking all my other blogs’ plugins. I don’t see it anywhere else. Upon further inspection of the plugin, I can clearly see the PHP backdoor code:

sending: {
  "type" : "WPBF_RESPONSE",
  "linkPasses" : [
    {
      "site" : "farmofpeace.com",
      "user" : "salima",
      "pass" : "salima"
    },

    {
      "site" : "i-entertainment.co.uk",
      "user" : "nicolai2014",
      "pass" : "nicolai2014"
    },

    {
      "site" : "020haopai.com",
      "user" : "siteadmin",
      "pass" : "siteadmin"
    },

    {
      "site" : "zargarcarpet.com",
      "user" : "akeel",
      "pass" : "akeel"
    },

    {
      "site" : "haubstadtsommerfest.com",
      "user" : "joeyconti",
      "pass" : "joeyconti"
    }
  ]
}

Starting brute forcing WordPress
CURRENT TIME: 2015-11-20 15:47:06
CURRENT TIME: 2015-11-20 15:47:37
CURRENT TIME: 2015-11-20 15:48:08
CURRENT TIME: 2015-11-20 15:48:39
Child dead. Reading response: 
Done. read: 0 bytes
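The timestamp-cluster check described above, as an added example that is not part of the original post: it lists the minutes in which unusually many files under a WordPress install were modified (the “scores of files touched at Nov 22, 2015 12:00” pattern) and names the plugin directory a cluster sits in. It assumes GNU find (for -printf); the plugin name and install path in the comments are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: flag minutes in which unusually
# many files under a WordPress install were modified and name the plugin
# directory they live in. Assumes GNU find for -printf; paths are placeholders.

# mtime_clusters ROOT [MIN]
# Prints "<count> <YYYY-MM-DD HH:MM>" for every minute in which at least MIN
# files (default 20) were modified, most populated minute first.
mtime_clusters() {
    root=$1
    min=${2:-20}
    find "$root" -type f -printf '%TY-%Tm-%Td %TH:%TM\n' \
        | sort | uniq -c | sort -rn \
        | awk -v min="$min" '$1 >= min { print $1, $2, $3 }'
}

# files_in_minute ROOT "YYYY-MM-DD HH:MM"
# Prints "<count> <plugin-dir>" for files modified in that minute, grouped by
# the directory under wp-content/plugins they live in. Files outside the
# plugins tree (themes, uploads, core) are not counted.
files_in_minute() {
    root=$1
    stamp=$2
    find "$root" -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' \
        | awk -v s="$stamp" '($1 " " $2) == s { sub(/^[^ ]+ [^ ]+ /, ""); print }' \
        | sed -n 's#.*/wp-content/plugins/\([^/]*\).*#\1#p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Usage on a server (placeholder install path):
#   sh mtime_clusters.sh /var/www/html
if [ $# -ge 1 ]; then
    mtime_clusters "$1" 20
    top=$(mtime_clusters "$1" 20 | head -n 1 | cut -d' ' -f2-)
    if [ -n "$top" ]; then
        echo "--- files modified at $top, by plugin directory:"
        files_in_minute "$1" "$top"
    fi
fi
```

A cluster that lands almost entirely in one plugin directory is the signal the post describes; a cluster spread evenly across core, themes and plugins is more likely a legitimate update.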


The Fix Action:

Al Qaeda Sites getting Hacked

This was an article that really cheered me up today. Al Qaeda websites are still getting hacked constantly. Sometimes it seems that the free world is WAY off on the “War on Terror”. With most resources going to Iraq, political rhetoric and pandering, and the almost complete absence of anyone talking about capturing and/or killing Osama bin Laden, it’s easy to get discouraged. It’s good to see that the cyberwar is still being waged on those who promote and/or support terrorism.

Octavia Nasr
CNN senior editor for Arab affairs

A hacking war is raging on Jihadi websites. Radical Islamist sites have been attacking and getting attacked for quite some time. The website hacking practice was common in 2001 and 2002… Following the 9/11 attacks when al Qaeda used only one website to communicate its messages to supporters and foes alike. That website was called alneda.com. It was getting constantly hacked… sometimes several hackings a day. After every hacking the site managed to resurface on the net until it disappeared from the scene in 2004 to be replaced by other websites — What started as one al Qaeda-linked site mushroomed into dozens which branched out into hundreds of supporting sites that serve as dissemination centers over the internet.



GMail Security Hole Allowed Malicious Hacker to Invade the Life of a Blogger

Mr. David Airey, a blogger and designer from the UK, had his site hacked by some useless bastard. This Gmail hacker set up a malicious site that exploited a security flaw in Gmail to set up an email filter that auto-forwarded all of David’s emails to another malicious email account. Although Google has apparently fixed the problem, if you have been affected by one of these malicious web pages the filter may still be in your Gmail account. David explains how to find it and get rid of it:

IMPORTANT: If you use GMail, it’s absolutely vital that you check your account settings now.

Here’s what to do:

When logged into GMail, click on the ‘Settings’ tab in the upper right of the screen. Then check both the ‘Filters’ and the ‘Forwarding and POP’ sections.

Get more information from David Airey.

Right now David is fighting to get his domain back legally after refusing to be manipulated by the gmail hacker.

To David,
Good on you, man! And as bad as it is, I’ve been emailed by a couple of people who have lost thousands from hackers. I’ve been on the receiving end of these desperate criminals too… and like you I choose to use my blog like a gun.
