Adobe Systems this week rushed out an emergency patch to plug a security hole in its widely-installed Flash Player software, warning that the vulnerability is already being exploited in active attacks.

Adobe said a “critical” bug exists in all versions of Flash including Flash versions 21.0.0.197 and lower (older) across a broad range of systems, including Windows, Mac, Linux and Chrome OS. Find out if you have Flash and if so what version by visiting this link.

In a security advisory, the software maker said it is aware of reports that the vulnerability is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier. 

Adobe said additional security protections built into all versions of Flash including 21.0.0.182 and newer should block this flaw from being exploited. But even if you’re running one of the newer versions of Flash with the additional protections, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

By the way, I’m not the only one trying to make it easier for people to put a lasso on Flash: In a blog post today, Microsoft said Microsoft Edge users on Windows 10 will auto-pause Flash content that is not central to the Web page. The new feature will be available in Windows 10 build 14316.

“Peripheral content like animations or advertisements built with Flash will be displayed in a paused state unless the user explicitly clicks to play that content,” wrote the Microsoft Edge team. “This significantly reduces power consumption and improves performance while preserving the full fidelity of the page. Flash content that is central to the page, like video and games, will not be paused. We are planning for and look forward to a future where Flash is no longer necessary as a default experience in Microsoft Edge.”

Additional reading on this vulnerability:

Kafeine‘s Malware Don’t Need Coffee Blog on active exploitation of the bug.

Trend Micro’s take on evidence that thieves have been using this flaw in automated attacks since at least March 31, 2016.

The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.

Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.

They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with key words like “invoice,” “deposit” and “president.”

On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, CEO fraud is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the CEO scam the crooks trick the victim into doing that for them.

The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. 

Last month, the Associated Press wrote that toy maker Mattel lost $3 million in 2015 thanks to a CEO fraud phishing scam. In 2015, tech firm Ubiquiti disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a CEO fraud scam. In February 2015, email con artists made off with $17.2 million from The Scoular Co., an employee-owned commodities trader. More recently, I wrote about a slightly more complex CEO fraud scheme that incorporated a phony phone call from a phisher posing as an accountant at KPMG.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

For an example of what some of these CEO fraud scams look like, check out this post from security education and awareness firm Phishme about scam artists trying to target the company’s leadership.

I’m always amazed when I hear security professionals I know and respect make comments suggesting that phishing and spam are solved problems. The right mix of blacklisting and email validation regimes like DKIM and SPF can block the vast majority of this junk, these experts argue.

But CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping some very basic security precautions. Educating employees so that they are less likely to fall for these scams won’t block all social engineering attacks, but it should help. Remember, the attackers are constantly testing users’ security awareness. Organizations might as well be doing the same, using periodic tests to identify problematic users and to place additional security controls on those individuals.

Online payroll management firm Greenshades.com is an object lesson in how not to do authentication. Until very recently, the company allowed corporate payroll administrators to access employee payroll data online using nothing more than an employee’s date of birth and Social Security number. That is, until criminals discovered this and began mass-filing fraudulent tax refund requests with the IRS on large swaths of employees at firms that use the company’s services.

Jacksonville, Fla.-based Greenshades posted an alert on its homepage stating that the company “has seen an abnormal increase in identity thieves using personal information to fraudulently log into the company’s system to access personal tax information.”

Many online services blame these sorts of attacks on customers re-using the same password at multiple sites, but Greenshades set customers up for this by allowing access to payroll records just by supplying the employee’s Social Security number and date of birth.

As this author has sought repeatedly to demonstrate, SSN/DOB information is extremely easy and cheap to obtain via multiple criminal-run Web sites: SSN/DOB data is reliably available for purchase from underground online crime shops for less than $4 per person (payable in Bitcoin only).

The spike in tax fraud against employees of companies that use Greenshades came to light earlier this month in various media stories. A number of employees at public high schools in Chicago discovered that crooks beat them to the punch on filing tax returns. An investigation into that incident suggested security weaknesses at Greenshades were to blame.

The Milwaukee Journal Sentinel wrote last month about tax fraud perpetrated against local county workers, fraud that also was linked to compromised Greenshades accounts. In Nebraska, the Lower Platte North Natural Resources District and Fremont Health hospital had a number of employees with tax fraud linked to compromised Greenshades accounts, according to a report in the Fremont Tribune.

Greenshades co-CEO Matthew Kane said the company allowed payroll administrators to access W2 information with nothing more than SSN and DOB for one simple reason: Many customers demanded it.

“There’s a valid reason to have what I call weak login credentials,” Kane told KrebsOnSecurity. “Some of our clients clamor for weaker login credentials, such as companies that have a large staff of temporary workers.”

Kane said customers have a “wide range of options” to select from in choosing how they will authenticate to Greenshades.com, but that the most secure option currently offered is a simple username and password.

When asked whether the company offers any sort of two-step or two-factor authentication, Kane argued that corporate email addresses assigned to company employees serve as a kind of second factor.

“In this case, the second factor would be having access to that corporate inbox,” Kane reasoned. He added that Greenshades is working on rolling out a 2-factor authentication feature that may not be optional going forward.

Kane said that although Greenshades heard from a “significant number” of its customers about unauthorized access to employee records, the company believes the overall percentage of affected employees at individual customer organizations was low.

However, in at least some of the reported incidents tied to this mess at Greenshades, the overall percentage has been quite high. In the case of the Lower Platt North NRD, for example, 90 percent of employees had their taxes filed fraudulently this year.

It’s remarkable that a company which specializes in helping firms manage sensitive tax and payroll data could be so lax with authentication. Unfortunately, shoddy authentication is still quite common — even among banks. In February, Pittsburgh, Pa.-based First National Bank alerted customers gained through a recent merger with Metro Bank that they could access the company’s bill pay and electronic banking portal by supplying their Metro Bank username and the last four digits of their Social Security number.

Relying on static data elements like SSNs and birthdays for authentication is a horrible idea all around. These data points are no longer secret because they are broadly available for sale on most Americans, and companies have no business using them for authentication.

Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

A representative from Trump Hotels said the organization was investigating the claims.

“We are in the midst of a thorough investigation on this matter,” the company said in a written statement. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties.

On July 1, 2015, this publication was the first to report that banks suspected a breach at Trump properties. After that story ran, Trump Hotel Collection acknowledged being alerted about suspicious activity tied to accounts that were recently used at its hotels. But it didn’t officially confirm that its payment systems had been infected with card-stealing malware until October 2015.

The Trump Hotel Collection includes more than a dozen properties globally. Sources said they noticed a pattern of fraud on cards that were all used at multiple Trump hotel locations in the past two to three months, including at Trump International Hotel New York, Trump Hotel Waikiki in Honolulu, and the Trump International Hotel & Tower in Toronto.

The hospitality industry has been hit hard by card breaches over the past two years. In April 2014, hotel franchising firm White Lodging confirmed its second card breach in a year. Card thieves also have hit Hilton, Hyatt, and Starwood properties. In many of those breaches, the hacked systems were located inside of hotel restaurants and gift shops.

Like most other current presidential candidates, Mr. Trump has offered little in the way of a policy playbook on cybersecurity. But in statements last month, Trump bashed the United States as “obsolete” on cybersecurity, and suggested the country is being “toyed with” by adversaries from China, Russia and elsewhere.

“We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.” Trump was critical of the US military’s cyber prowess, charging the Defense Department and the military are “going backwards” in cyber while “other countries are moving forward at a much more rapid pace.”

“We are frankly not being led very well in terms of the protection of this country,” Trump said.

Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned.

Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.

The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site.

Contacted about the posting, Verizon Enterprise told KrebsOnSecurity that the company recently identified a security  flaw in its site that permitted hackers to steal customer contact information, and that it is in the process of alerting affected customers.

“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”

The seller of the Verizon Enterprise data offers the database in multiple formats, including the database platform MongoDB, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents. Verizon has not yet responded to questions about how the breach occurred, or exactly how many customers were being notified.

The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place.  I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).

According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.

It’s a fair bet that if cyber thieves buy all or some of the Verizon Enterprise customer database, some of those customers may be easy marks for phishing and other targeted attacks. Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be target-rich list: According to Verizon’s page at Wikipedia, some 99 percent of Fortune 500 companies are using Verizon Enterprise Solutions.