Subscribe to RSS
Follow me on Twitter
Join me on Facebook
When it’s time to book a vacation or a quick getaway, many of us turn to travel reservation sites like Expedia, Travelocity and other comparison services. But there’s a cybercrime-friendly booking service that is not well-known. When cyber crooks want to get away — with a crime — increasingly they are turning to underground online booking services that make it easy for crooks to rent hacked PCs that can help them ply their trade anonymously.
We often hear about hacked, remote-controlled PCs or “bots” being used to send spam or to host malicious Web sites, but seldom do security researchers delve into the mechanics behind one of the most basic uses for a bot: To serve as a node in an anonymization service that allows paying customers to proxy their Internet connections through one or more compromised systems.
As I noted in a Washington Post column in 2008, “this type of service is especially appealing to criminals looking to fleece bank accounts at institutions that conduct rudimentary Internet address checks to ensure that the person accessing an account is indeed logged on from the legitimate customer’s geographic region, as opposed to say, Odessa, Ukraine.” Scammers have been using proxies forever it seems, but it’s interesting that it is so easy to find victims, once you are a user of the anonymization service.
Here’s an overview of one of the more advanced anonymity networks on the market, an invite-only subscription service marketed on several key underground cyber crime forums.
When I tested this service, it had more than 4,100 bot proxies available in 75 countries, although the bulk of the hacked PCs being sold or rented were in the United States and the United Kingdom. Also, the number of available proxies fluctuates daily, peaking during normal business hours in the United States. Drilling down into the U.S. map (see image above), users can select proxies by state, or use the “advanced search” box, which allows customers to select bots based on city, IP range, Internet provider, and connection speed. This service also includes a fairly active Russian-language customer support forum. Customers can use the service after paying a one-time $150 registration fee (security deposit?) via a virtual currency such as WebMoney or Liberty Reserve. After that, individual botted systems can be rented for about a dollar a day, or “purchased” for exclusive use for slightly more.
I tried to locate some owners of the hacked machines being rented via this service. Initially this presented a challenge because the majority of the proxies listed are compromised PCs hooked up to home or small business cable modem or DSL connections. As you can see from the screenshot below, the only identifying information for these systems was the IP address and host name. And although so-called “geo-location” services can plot the approximate location of an Internet address, these services are not exact and are sometimes way off.
I started poking through the listings for proxies that had meaningful host names, such as the domain name of a business. It wasn’t long before I stumbled upon the Web site for The Securities Group LLC, a Memphis, Tenn. based privately held broker/dealer firm specializing in healthcare partnerships with physicians. According to the company’s site, “TSG has raised over $100,000,000 having syndicated over 200 healthcare projects including whole hospital exemptions, ambulatory surgery centers, surgical hospitals, PET Imaging facilities, CATH labs and a prostate cancer supplement LLC with up to 400 physician investors.” The proxy being sold by the anonymization service was tied to the Internet address of TSG’s email server, and to the Web site for the Kirby Pines Retirement Community, also in Memphis.
Michelle Trammell, associate director of Kirby Pines and president of TSG, said she was unaware that her computer systems were being sold to cyber crooks when I first contacted her this week. I later heard from Steve Cunningham from ProTech Talent & Technology, an IT services firm in Memphis that was recently called in to help secure the network.
Cunningham said an anti-virus scan of the TSG and retirement community machines showed that one of the machines was hijacked by a spam bot that was removed about two weeks before I contacted him, but he said he had no idea the network was still being exploited by cyber crooks. “Some malware was found that was sending out spam,” Cunningham said, “It looks like they didn’t have a very comprehensive security system in place, but we’re going to be updating [PCs] and installing some anti-virus software on all of the servers over the next week or so.”
Other organizations whose IP addresses and host names showed up in the anonymization service include apparel chain The Limited; Santiam Memorial Hospital in Stayton, Ore.; Salem, Mass. based North Shore Medical Center; marketing communications firm McCann-Erickson Worldwide; and the Greater Reno-Tahoe Economic Development Authority.
Anonymization services add another obstacle on the increasingly complex paths of botnets. As I have often reported, tracing botnets to their masters is difficult at best and can be a Sisyphean task. And as TSG’s experience shows, it’s far easier to keep a PC up to date with the latest security protections than it is to sanitize a computer once a bot takes over.
Have you seen:
Reintroducing Scanlab (a.k.a Scamlab)…Many sites and services require customers to present “proof” of their identity online by producing scanned copies of important documents, such as passports, utility bills, or diplomas. But these requests don’t really prove much, as there are a number of online services that will happily forge these documents quite convincingly for a small fee.
Related posts:
- Call Centers for Computer Criminals
- Computer Crooks Steal $100,000 from Ill. Town
- NSA on Computer Network Attack & Defense
Tags: Kirby Pines Retirement Community, McCann-Erickson, Michelle Trammell, North Shore Medical Center, Santiam Memorial Hospital, The Limited, The Securities Group LLC
Hidden due to low comment rating. Click here to see.
Using a picture to verify the bank’s website has been discussed in this forum:
“Sitekey is better than nothing, I suppose (just barely), but it doesn’t address the issue of having your credentials stolen.
Consider the following scenario: Crooks get a keystroke logger or form grabber on your system, something like ZeuS. They now have your online banking user name and password, right? Well, what’s to stop them from using that to log in as you? A picture of a blue vase? I don’t think so.”
http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/comment-page-1/#comment-10401
http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/comment-page-1/#comment-10405
Hidden due to low comment rating. Click here to see.
You just don’t get it, do you, Deborah? Ed isn’t expressing his opinion, he’s quoting Brian’s post from last September, and pointing to another of Brian’s security advisories. If you weren’t so quick to post – and had looked at the links, you would have seen this. Ed is trying to do damage control, as are many other commenters here, including me, who are concerned that some nonprofessional reader of this blog may believe that you are well-versed in the current state of computer security. You aren’t!
I’m pretty sure I’ll get flamed for this comment and I’ll appologise up front to any who are offended by the analgoy.
@DeborahS
With an attitude like that you must believe an abortion is a better form of birth control than a condom – correct?
Hidden due to low comment rating. Click here to see.
No comment on prairie_sailor’s comment to you, that one is all him.
I will say that the vast majority of people that responded to your comments used both reasoned discourse and facts and logic which you continue to ignore. You’ve ignored the advice of industry experts, and you fail to logically take a step back from your almighty approach to consider the facts presented.
I agree with JBV’s comment above. Your approach is wrong for anyone but yourself, and your continued ignorance should NOT serve as an example from anyone trying to learn here.
Hidden due to low comment rating. Click here to see.
Hidden due to low comment rating. Click here to see.
INDIA’s first NGO that is fighting against cyber threats. Join us to make world cyber crime.
http://indianhans.org
recover your any online accounts at
http://www.indianhans.org/recovery/
Thank you I just pissed myself. update 21 Had a good laugh.
LMAO, you are an idiot my friend. Just shut it. Sorry to get nasty but you called me Gump first. What internet browser you using, please say a version of internet explorer in the 6 range. Lmao. Keep reading Brian’s column maybe you will learn something. But stop commenting you are a moron.
Hidden due to low comment rating. Click here to see.
@ Deborah
Let me some this up for you. Two motorcycle riders. One wears a helmet and one doesn’t. Just cause the one without the helmet is a good driver does not mean that he/she should recommend riding bikes without helmets because he/she likes the breeze on his/her hair.
What you are doing talking about your “security” is a disservice to those that truly want to learn how to be better protected.
Sorry “Sum” before that band wagon starts.
Debra — I maintain a very light touch in moderating comments, and I haven’t pushed a single one of your comments one thumb up or down. But I find that people who come on here and start antagonizing other readers quickly find themselves voted down.
There aren’t any official “rules” to this site, other than to avoid from engaging in gratuitous personal attacks against other readers. Maybe you feel like you didn’t start the argument. And yes, some of the others here have responded in less than a hospitable fashion, but now you seem to be egging people on.
So to everyone: Please try to be civil with others. I don’t like moderating comments, but I also don’t like reading the constant bickering back and forth, and I’m sure others don’t appreciate it either.
Thanks.
Brian,
Love your reporting on the hacking economy and how the underground services are being sold. I am curious what precautions do you take to make sure you are not infected with malware when you visit these locations. Do you have a crash and burn system which you re-image after each visit?
Thanks, Mark. Yes, that’s exactly it. I wouldn’t visit most of these carding forums with any computer I cared about. Virtual machines are the way to go!
Bk
Brian,
Thanks for the reply. One last question do you set up any kind of monitoring tools when you visit those sites to determine if they are trying to infect your machine with any type of malicious spyware or other programs that would be really interesting if they were infecting their own source of income but I wouldn’t be shocked.
Hi,
What the heck is that proxy thing…how can we know our system is not included in the list.
@radha please check the proxy site
what is the address of the proxy site?