BreachExchange mailing list archives

(wtop.com) Fwd: NOTICE OF HACKING INCIDENT AND POSSIBLE MALWARE ATTACK (fwd)


From: security curmudgeon <jericho () attrition org>
Date: Tue, 14 May 2013 17:49:50 -0500 (CDT)



-------- Original Message --------
Subject:        NOTICE OF HACKING INCIDENT AND POSSIBLE MALWARE ATTACK
Date:   Sun, 12 May 2013 11:02:41 -0600
From:   WTOP <website () community wtop com>
Reply-To:       Hubbard Radio, DC
<reply-fecc167275600d7f-28697_HTML-79048353-1066862-0 () community wtop com>
To:



WTOP

*WTOP SPECIAL MESSAGE*

Dear WTOP.com User,

You are receiving this notification because you registered on WTOP.com 
sometime since 2006 (most likely to receive an email alert or to make 
comments on our website). _Please read this entire message. It contains 
important security information._

We recently learned that WTOP.com was the victim of a cyber attack. Upon 
discovery, we immediately launched an investigation, removed malicious 
code and notified federal law enforcement officials of the incident.

_If you accessed the WTOP.com website approximately between May 5 and May 
7, 2013_, your computer may have been infected with malware. If you 
accessed the site recently, you should run your security software and 
perform a malware scan on your computer. For more information, see our 
Frequently Asked Questions which are posted below.

In addition, during the cyber attack, our database of WTOP.com emails and 
passwords may have been compromised. We have no evidence yet that your 
WTOP.com username and password were taken. We do not have any social 
security numbers or credit card numbers in our database. The only 
information we have is the WTOP.com username and password and possibly 
your address and phone number if you provided it. However, the security of 
our listeners' information is of utmost importance to us and, out of an 
abundance of caution, we want to provide you with the following 
information on steps we have taken to keep your information secure.

_The following applies to all WTOP.com community members._

As a precaution, we have reset your password. You will be asked to reset 
your password the next time you log in. You may also reset your WTOP.com 
password here: https://www.wtop.com/public/member/password_send 
We also recommend that you immediately change other accounts that you have 
established using the same username and/or password to keep secure any 
information you have placed on those sites. This is particularly important 
if you use your email address as your username.

More information on best practices for online privacy and security, and
the use of passwords can be found here.
(http://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/passwords-and-securing-your-accounts)

We take your privacy very seriously and are taking steps to prevent 
similar occurrences. We apologize for any inconvenience that this has 
caused. If you have questions or need additional information, please 
contact us at moreinfo () wtop com.

Regards,
Joel Oxley
Senior Regional Vice President
WTOP and Federal News Radio


------------------------------------------------------------------------


       Frequently Asked Questions

  1. How do I know if my computer was infected?

     The malware attack targeted the Internet Explorer browser. If you
     accessed WTOP.com or FederalNewsRadio.com from Internet Explorer
     recently, you may have been infected. While other browsers may not
     have been directly infected, the malware may have still installed a
     cookie on your browser. We urge everyone to clear their cookies and
     browser cache no matter what browser they have been using to access
     FederalNewsRadio.com and WTOP.com, and to do a full virus scan on
     their machine (see instructions below).

     An infected machine may exhibit some or all of the following behavior:
      1. Active programs will be shut down.
      2. Fake virus scanner, often labeled "Internet Security," will
         automatically open and run.
      3. Inability to open or access any programs or applications.
         Attempting to do so may result in a fake virus warning.
      4. Periodic pop-ups displaying a fake warning and/or prompting the
         user to purchase the full product.
      5. The malware (often called amsecure.exe) resides in memory and
         adds itself to the list of startup programs.


     An infected machine will likely open numerous windows with error
     messages such as:
      1. "Amsecure.exe warning! Application cannot be executed. The file
         cmd.exe is infected. Please activate your antivirus software."
      2. "Warning! Running Trial version!! The security of your computer
         has been compromised! Now running trial version of the software!
         Click here to purchase the full version of the software and get
         full protection for your PC!"
      3. "Attention. Suspicious software activity is detected by
         Amsecure.exe on your computer. Please start system files
         scanning for details."
      4. "Amsecure.exe detects application that seems to be a key-logger.
         System information security is at risk. It is recommended to
         enable the security mode and run total System scanning."
      5. "Warning! Name: taskmgr.exe.  Name: C:\WINDOWS\taskmgr.exe"


     You may also see error messages when trying to access the Internet,
     such as the ones below:
      1. Iexplore caused an Invalid Page Fault in module3 (the number at
         the end can vary)
      2. The web page you requested is not available offline
      3. Explorer caused an exception C06D007EH in module Sens.dll



  2. What do I do if I was infected with malware?

     If you don't already have an anti-virus program on your machine,
     download one. Some free possibilities are AVG or Avast. A removal
     tool, which may help, can be found here
     <http://click.community.wtop.com/?qs=[..]>.
     The best practice for removing malware is to download the anti-virus
     program to a trusted, non-infected computer instead of the computer
     which you believe has the virus.

     If you have access to a trusted, non-infected computer:
      1. Download the anti-virus program and save it to a CD or flash
         drive.
      2. Reboot the infected computer.
      3. As soon as you see the screen come on, begin tapping the F8 key.
      4. You should soon see a menu of options. Use the arrow keys to
         move up and down the options list (your mouse won't work) until
         the "Safe Mode" option is highlighted.
      5. Press "Enter" to choose "Safe Mode".
      6. After the computer is done booting into safe mode, insert the CD
         or flash drive that contains the anti-virus program you
         downloaded earlier. Navigate to the drive that contains the
         program. Run the anti-virus program by double clicking on it.
      7. Run a full scan on the computer and have it remove any infected
         files.
      8. Restart the computer into its regular state.


     If you do not have access to a trusted, non-infected computer:
      1. Reboot the infected computer.
      2. As soon as you see the screen come on, begin tapping the F8 key.
      3. You should soon see a menu of options. Use the arrow keys to
         move up and down the options list (your mouse won't work) until
         the "Safe Mode with Networking" option is highlighted.
      4. Press "Enter" to choose "Safe Mode with Networking".
      5. After the computer is done booting into safe mode, open a
         browser and download the removal tool from:
         http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~FakeAV-GOJ.aspx

      6. Run a full scan on the computer and have it remove any infected
         files.
      7. Restart the computer into its regular state.



For more information visit WTOP.com or tune to 103.5 FM.

------------------------------------------------------------------------

Please do not reply to this email, as the reply will not be read. To
contact WTOP Radio, please click here
<http://click.community.wtop.com/?qs=[..]>
WTOP Radio is located at 3400 Idaho Avenue, NW, Washington DC, 20016.

This email was sent to: *[redacted]*

This email was sent by: Hubbard Radio DC
3400 Idaho Avenue, NW Washington, DC 20016 United States





_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
