March, 2011


11
Mar 11

Rogue Antivirus Via Skype Phone Call?

A few readers have written, saying that they recently received Skype phone calls urging them to download and install a system update for Microsoft Windows. Users who visit the recommended site are bombarded with the same old scareware prompts that try to frighten them into purchasing worthless security software.

Scareware scams are nothing new to Skype: They have spread for some time now over the instant message client built into Skype, but this is the first I’ve heard of rogue anti-virus peddlers resorting to robocalls via Skype to spread their junk software.

One quick-thinking reader managed to record the tail end of the call, which is available by clicking here. It says, “To download the patch update, request professional maintenance at www.sosgt.com.” It seems from this thread on the Skype.com user forum that a great many others are getting these rogue AV calls.

Continue reading →


11
Mar 11

Green Skimmers Skimming Green

To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.

Earlier this year, authorities in Ireland began dealing with a rash of ATM skimmers like the one picture directly below. The green anti-skimming device is backlit and oddly-shaped, a design intended to confound skimmer makers. But as can been seen from the first picture here, the only obvious difference between a compromised ATM and an unadulterated one in this case is a small plastic lip at the top, which the crooks in this attack used to house the electronic brains for their skimmer.


The second picture below shows the underside of the skimming device, removed from a compromised machine in the background.

A representative from the Garda (Irish Police) declined to discuss the skimming photos, saying that for legal reasons they were unable to comment on ongoing court cases. But a source close to the investigation said identical skimmers have been found attached to ATMs across the country. The source said a 33-year-old Moldovan man has been arrested in Limerick in connection with the attacks, which authorities have called part of a global ATM fraud operation.

Continue reading →


9
Mar 11

SpyEye, ZeuS Users Target Tracker Sites

Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result.

The creations of Swiss security expert Roman Hüssy, ZeusTracker and its sister service SpyEye Tracker have endured countless distributed denial-of-service (DDoS) attacks from botmasters apparently retaliating for having their network infrastructure listed by these services. At one point, someone wrote a fake suicide in Hüssy’s name and distributed it to his family and friends, prompting local police to rouse him from slumber to investigate his well-being. But, those attacks haven’t deterred Hüssy or sidelined his services.

Now, the attackers are beginning to consider stealthier and more diabolical ways to strike back. A  series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution that puts Hüssy and/or his tracking services out of commission once and for all (click the images in this post twice to read along).

“DDoSing doesn’t bring satisfactory results. We’re now working on mapping his entire infrastructure, flag his scripts,” writes a user named Sal, who claims to specialize in providing bulletproof servers. “Now we will engage in a pinpointed assault. This should be cheaper + should bring results at least temporarily….Let’s brainstorm here.”

Other members join the discussion. One suggests pooling funds to hire a hitman. “It’s easier and more productive to just use a joint fund to hire a killer, and story’s over,” writes user “Femar.” Another forum member named “Deviant” recommends dosing Hüssy with organic mercury. “Dimethylmercury – the fluid has no color. One drop on your hand will penetrate thick latex gloves. Lethal result is guaranteed within one month.”

But forum members seemed to coalesce around an idea for seeding the ZeuS and SpyEye configuration files (those that list the location of key parts of the botnet, such as the place to deposit stolen data) with legitimate Web sites. Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers.

I caught up with Hüssy via instant message yesterday, and asked whether he’d seen any SpyEye or ZeuS configuration files seeded with legitimate sites. He just laughed.

“ZeusTracker checks if a command and control server is really up before adding it to the blocklist,” Hüssy said. “These guys have no clue how ZeusTracker works.”

Continue reading →


8
Mar 11

Patch Tuesday, Etc.

Microsoft has issued security updates to fix at least four security holes in its Windows operating system and other software. Not exactly a fat Patch Tuesday from Microsoft, but depending on how agile you are in updating third-party applications like Flash, iTunes and Shockwave, you may have some additional patching to do.

One of the updates from Microsoft earned a “critical” rating, meaning Redmond believes it could be exploited to break into vulnerable systems with little to no help from users. That flaw, a bug in the way Windows Media Player and Media Center process certain types of media files, could be leveraged by convincing a user to open a tainted video file. This flaw affects Windows XP, Vista and Windows 7.

Continue reading →


8
Mar 11

WHOIS Problem Reporting System to Gain Privacy Option

A system that allows anti-spam activists to report entities that bulk-register domain names using false or misleading identity data is about to gain a much-needed new privacy feature: The option for activists not to expose their identities to the very spammers they’re trying to report.

The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s domain name system, runs a program called the WHOIS Data Problem Reporting System (WDPRS). It’s designed to allow Internet community members to alert registrars about customers that list incomplete or inaccurate contact records for domain registrations.

The policy of requiring registrars to make WHOIS data publicly searchable is no doubt a contentious one, but the reality is that spammers and scammers frequently bulk register large numbers of domains in one go, and tend to take their business to registrars that don’t ask too many questions. Indeed, some domain registrars have built a business out of catering to spammers and scammers.

In many cases, spammers will mass-register domains using completely bogus contact information, or — as appears to have been the case with hundreds of domains that were used recently in an attack against KrebsOnSecurity.com — with the contact information belonging to people whose stolen credit cards were used to fraudulently register the spammy domains.

Some anti-spam activists have pursued bulk registrants with false WHOIS data because, under ICANN’s rules, registrars are supposed to investigate and eventually suspend domains whose owners fail to respond to requests to verify or correct false WHOIS data. And in direct response to a massive influx of reporting on these domains by such activists, ICANN built the WPDRS.

But at some point, ICANN began sharing the names and email addresses of people who were reporting the erroneous WHOIS information with the registrars for each offending domain, exposing the identities of any anti-spam activists who used their real contact information in reporting the issues to ICANN.

Continue reading →


3
Mar 11

ChronoPay’s Scareware Diaries

If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.

Click image for PDF version of timeline. Each entry is clickable and links to supporting documents.

ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has  refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings; and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian Rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.

Continue reading →


2
Mar 11

Renewal Buddy: Comparison Shopping for Anti-Virus Software

The anti-virus industry has long drawn its biggest share of profits from loyal customers, extracting full-price for the software from existing customers seeking license renewals while steeply discounting their products for new users. But a new comparison shopping site makes it simple for renewing customers to take advantage of these introductory deals, or to switch to a competing product for a hefty price reduction.

Launched a month ago, renewalbuddy.com is intended to streamline the process of searching for deals to renew your existing anti-virus product without paying the full renewal price. For example, I have Norton Internet Security installed on one of my Windows 7 machines; I selected that product from the pull-down menu, told it I wanted a 3-user license, and instantly saw an offer for NIS 2011 for $29.99. Had I simply waited until the product was about to expire and followed the prompt from the currently-installed software to renew my license, that renewal would have cost me $62.99, according to Symantec’s site.

True, you can find these deals on your own just by spending a few minutes searching the Web (the $29.99 link offered by this service brought me to an offer on Amazon.com). But my sense is that very few people who pay for anti-virus software ever do this.

“People assume that a renewal license key is somehow different from a new license key, and that’s why most people click on the expiration pop-up and go through the process and end up paying full price for renewals,” said  Graham O’Reilly, renewalbuddy.com’s chief executive and a former sales director of the U.K. division of anti-virus maker AVG Technologies. “What people don’t understand is that a license key is a license key, and that they can just pop it in to the program without having to reinstall it, and it will extend a license in the same way.”

Continue reading →