April 8, 2011

When it’s time to book a vacation or a quick getaway, many of us turn to travel reservation sites like Expedia, Travelocity and other comparison services. But there’s a cybercrime-friendly booking service that is not well-known. When cyber crooks want to get away — with a crime — increasingly they are turning to underground online booking services that make it easy for crooks to rent hacked PCs that can help them ply their trade anonymously.

We often hear about hacked, remote-controlled PCs or “bots” being used to send spam or to host malicious Web sites, but seldom do security researchers delve into the mechanics behind one of the most basic uses for a bot: To serve as a node in an anonymization service that allows paying customers to proxy their Internet connections through one or more compromised systems.

As I noted in a Washington Post column in 2008, “this type of service is especially appealing to criminals looking to fleece bank accounts at institutions that conduct rudimentary Internet address checks to ensure that the person accessing an account is indeed logged on from the legitimate customer’s geographic region, as opposed to say, Odessa, Ukraine.” Scammers have been using proxies seemingly forever, but it’s interesting how easy it is to find the victims once you are a user of the anonymization service.

Here’s an overview of one of the more advanced anonymity networks on the market, an invite-only subscription service marketed on several key underground cyber crime forums.

When I tested this service, it had more than 4,100 bot proxies available in 75 countries, although the bulk of the hacked PCs being sold or rented were in the United States and the United Kingdom. Also, the number of available proxies fluctuates daily, peaking during normal business hours in the United States. Drilling down into the U.S. map (see image above), users can select proxies by state, or use the “advanced search” box, which allows customers to select bots based on city, IP range, Internet provider, and connection speed. This service also includes a fairly active Russian-language customer support forum. Customers can use the service after paying a one-time $150 registration fee (security deposit?) via a virtual currency such as WebMoney or Liberty Reserve. After that, individual botted systems can be rented for about a dollar a day, or “purchased” for exclusive use for slightly more.

I tried to locate some owners of the hacked machines being rented via this service. Initially this presented a challenge because the majority of the proxies listed are compromised PCs hooked up to home or small business cable modem or DSL connections. As you can see from the screenshot below, the only identifying information for these systems was the IP address and host name. And although so-called “geo-location” services can plot the approximate location of an Internet address, these services are not exact and are sometimes way off.

I started poking through the listings for proxies that had meaningful host names, such as the domain name of a business. It wasn’t long before I stumbled upon the Web site for The Securities Group LLC, a Memphis, Tenn. based privately held broker/dealer firm specializing in healthcare partnerships with physicians. According to the company’s site, “TSG has raised over $100,000,000 having syndicated over 200 healthcare projects including whole hospital exemptions, ambulatory surgery centers, surgical hospitals, PET Imaging facilities, CATH labs and a prostate cancer supplement LLC with up to 400 physician investors.” The proxy being sold by the anonymization service was tied to the Internet address of TSG’s email server, and to the Web site for the Kirby Pines Retirement Community, also in Memphis.

Michelle Trammell, associate director of Kirby Pines and president of TSG, said she was unaware that her computer systems were being sold to cyber crooks when I first contacted her this week. I later heard from Steve Cunningham from ProTech Talent & Technology, an IT services firm in Memphis that was recently called in to help secure the network.

Cunningham said an anti-virus scan of the TSG and retirement community machines showed that one of the machines was hijacked by a spam bot that was removed about two weeks before I contacted him, but he said he had no idea the network was still being exploited by cyber crooks. “Some malware was found that was sending out spam,” Cunningham said, “It looks like they didn’t have a very comprehensive security system in place, but we’re going to be updating [PCs] and installing some anti-virus software on all of the servers over the next week or so.”

Other organizations whose IP addresses and host names showed up in the anonymization service include apparel chain The Limited; Santiam Memorial Hospital in Stayton, Ore.; Salem, Mass. based North Shore Medical Center; marketing communications firm McCann-Erickson Worldwide; and the Greater Reno-Tahoe Economic Development Authority.

Anonymization services add another obstacle on the increasingly complex paths of botnets. As I have often reported, tracing botnets to their masters is difficult at best and can be a Sisyphean task. And as TSG’s experience shows, it’s far easier to keep a PC up to date with the latest security protections than it is to sanitize a computer once a bot takes over.



130 thoughts on “Is Your Computer Listed ‘For Rent’?”

  1. DeborahS

    @Chad

    “God help you if you do any banking on your computer! ”

    Well, I bank with a credit union from my hometown (100 miles from where I live today), and they are surprisingly hip to a lot of the tricks that the bad guys try to pull. Like they ask you to make up your own graphic sign that they will display whenever you log in, so you know that if you don’t see that you aren’t logging in to their website. And the login verification questions can be completely made up by the user, with answers that only the user would know. The answers don’t even have to make sense with the questions, just so long as the recorded answers match with the recorded questions. So, between belonging to a 2-bit credit union based in nowhere, with no branches beyond nowhere, and their particularly savvy security provisions, I bank online in relative confidence.

    Oh, ok. You want to know my Flash and Java versions. Lemme see what I can find for you. I have Adobe Flash Player 10.1.82.76 (through no fault of my own – I didn’t manually update it), and Java(TM) 6, Update 21, 6.0.210 (same story). I mainly watch my processes and my internet connections. If nothing bad is happening in those places, I don’t worry about it. I’m sure this must curl the teeth of some security experts, but I’ve been doing perfectly fine this way for nigh unto a decade now.

    1. EdJ

      Using a picture to verify the bank’s website has been discussed in this forum:

      “Sitekey is better than nothing, I suppose (just barely), but it doesn’t address the issue of having your credentials stolen.

      Consider the following scenario: Crooks get a keystroke logger or form grabber on your system, something like ZeuS. They now have your online banking user name and password, right? Well, what’s to stop them from using that to log in as you? A picture of a blue vase? I don’t think so.”

      http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/comment-page-1/#comment-10401

      http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/comment-page-1/#comment-10405

      1. DeborahS

        @EdJ
        “Sitekey is better than nothing, I suppose (just barely), but it doesn’t address the issue of having your credentials stolen.”

        I agree, it’s just barely better than nothing, but you are correct that the big issue is whether your credentials are stolen or not.

        “Consider the following scenario: Crooks get a keystroke logger or form grabber on your system, something like ZeuS. They now have your online banking user name and password, right? Well, what’s to stop them from using that to log in as you? A picture of a blue vase? I don’t think so.”

        Absolutely true. They would see the picture of the blue vase and say oh my, isn’t that cute, but then what do they do when the next page asks them which book was the 3rd book on the 2nd shelf on the first set of bookcases my Dad gave me? I bet they couldn’t ever guess or Google it, particularly since my recorded answer is the name of my most beloved pet.

        No, the purpose of the user-designed image is not to fool the bad guy, but to tip off the user that they’ve been redirected to a phishing site if they don’t see it. The phishing site is unlikely to know that they’re supposed to reproduce it, and just as unlikely to know what they are supposed to reproduce. In principle it could be done, but really. How many bad guys would go to that much trouble for an unknown number of pennies?

        1. JBV

          You just don’t get it, do you, Deborah? Ed isn’t expressing his opinion, he’s quoting Brian’s post from last September, and pointing to another of Brian’s security advisories. If you weren’t so quick to post – and had looked at the links, you would have seen this. Ed is trying to do damage control, as are many other commenters here, including me, who are concerned that some nonprofessional reader of this blog may believe that you are well-versed in the current state of computer security. You aren’t!

    2. prairie_sailor

      I’m pretty sure I’ll get flamed for this comment and I’ll apologise up front to any who are offended by the analogy.

      @DeborahS

      With an attitude like that you must believe an abortion is a better form of birth control than a condom – correct?

      1. DeborahS

        @prairie_sailor

        “With an attitude like that you must believe an abortion is a better form of birth control than a condom – correct?”

        No, that is not correct. And I’m getting a little tired of trying to deal with you idiots who think that the “experts” know all the answers and that anybody who doesn’t kowtow to them is an idiot. The simple fact is that we’re all in this together. Either we stand up and own up to that, or we fall. I’m sure Fate could hardly give a damn.

        Whatever happened to reasoned discourse, and proving things with facts and logic? No matter, apparently now the game is whoever can sling the most mud the fastest is the one who “wins”. Rotsaruck with that strategy. We humans developed a trust in the concepts of facts and logic for a reason.

        As for me, I’ll continue to know what I know and do what I do. It’s been working pretty good so far, and I haven’t seen anything else that looks like it would work better, or I would try it. So show me. I’m an open minded person.

        1. Helly

          No comment on prairie_sailor’s comment to you, that one is all him.

          I will say that the vast majority of people that responded to your comments used both reasoned discourse and facts and logic which you continue to ignore. You’ve ignored the advice of industry experts, and you fail to logically take a step back from your almighty approach to consider the facts presented.

          I agree with JBV’s comment above. Your approach is wrong for anyone but yourself, and your continued ignorance should NOT serve as an example from anyone trying to learn here.

          1. DeborahS

            @Helly & others who agree with him/her,

            “I will say that the vast majority of people that responded to your comments used both reasoned discourse and facts and logic which you continue to ignore.”

            And I believe I have responded to logical comments with logic. But I don’t think that calling me a moron, suggesting that I have really stupid views, and massively disliking me resembles any form of facts and logic. That sort of response is smearing, not logic. I really don’t like being smeared, and that’s pretty much a guaranteed way to make me lose my temper.

            However, the simple act of you presenting a logical argument does not guarantee that I will agree with you, nor does the fact that you have a logical argument make you right. (Nor does it make me right, if the shoe is on the other foot.) At least, I’m in agreement with the Cartesian principle that if two reasonable “men” disagree, there may not be a definitive answer. The topics that come up on this blog are not theorems in mathematics or hard science, which can be categorically proven true or false. They are opinions, and as such can only be judged subjectively, by each person.

            “You’ve ignored the advice of industry experts, and you fail to logically take a step back from your almighty approach to consider the facts presented.”

            I don’t think I’m ignoring the advice of industry experts, but I frequently do disagree with the logic, or find that the picture painted is incomplete, and/or find that the advice does not apply to me. I am however fairly scrupulous about recognizing a superior argument when I see one, and I’m quick to admit that I am wrong, if I am persuaded that I am in fact wrong. Please don’t confuse the concept of ignoring with the concept of not being persuaded.

            “I agree with JBV’s comment above. Your approach is wrong for anyone but yourself, and your continued ignorance should NOT serve as an example from anyone trying to learn here.”

            It is not my intention to serve as an example, nor to preach any sort of gospel, and frankly it astonishes me that so many of you assume that this is what I’m about. Apparently the commenters to this blog have some sort of unwritten creed about who may post here and what they may and may not say. If this is what Brian intends for his blog, these requirements really should be stated in very bold terms, so that new visitors can plainly see them and know whether they will be welcome or not. And again please, don’t confuse ignorance with disagreement. I can recognize what you are saying and the logic behind what you say, but I don’t know of any requirement on me whatsoever that I must agree that you are right.

          2. DeborahS

            @whoever just posted the “dislike” against me.

            Who are you, and just what exactly makes you think that you are so superior to the Classic Masters of Logic?

            Nah, but you don’t have to say. You’re just an invisible button clicker, and probably a stupid one at that. How do I know that? Well a person who wasn’t stupid and who genuinely (ie, had a logical argument) disagreed with me would have the balls to stand up and say why.

            So what gives? Are those “dislike” button clickers just a bunch of mindless ninnies, or do they have a point? I’d be willing to consider their point, but I can’t if they can’t express it.

  2. Chad

    Thank you, I just pissed myself. Update 21. Had a good laugh.

  3. Chad

    LMAO, you are an idiot my friend. Just shut it. Sorry to get nasty but you called me Gump first. What internet browser are you using? Please say a version of Internet Explorer in the 6 range. Lmao. Keep reading Brian’s column, maybe you will learn something. But stop commenting, you are a moron.

    1. DeborahS

      @Chad
      “But stop commenting you are a moron.”

      Oh, insults are cheap, but results count. You can rely on the “experts” and the marketing buzz if you want to, I’ll not stand in your way. But that doesn’t mean that you are better than me.

  4. Chad

    @ Deborah

    Let me sum this up for you. Two motorcycle riders. One wears a helmet and one doesn’t. Just cause the one without the helmet is a good driver does not mean that he/she should recommend riding bikes without helmets because he/she likes the breeze on his/her hair.

    What you are doing talking about your “security” is a disservice to those that truly want to learn how to be better protected.

  5. BrianKrebs Post author

    Debra — I maintain a very light touch in moderating comments, and I haven’t pushed a single one of your comments one thumb up or down. But I find that people who come on here and start antagonizing other readers quickly find themselves voted down.

    There aren’t any official “rules” to this site, other than to avoid engaging in gratuitous personal attacks against other readers. Maybe you feel like you didn’t start the argument. And yes, some of the others here have responded in less than a hospitable fashion, but now you seem to be egging people on.

    So to everyone: Please try to be civil with others. I don’t like moderating comments, but I also don’t like reading the constant bickering back and forth, and I’m sure others don’t appreciate it either.

    Thanks.

  6. Mark Kelly

    Brian,
    Love your reporting on the hacking economy and how the underground services are being sold. I am curious: what precautions do you take to make sure you are not infected with malware when you visit these locations? Do you have a crash and burn system which you re-image after each visit?

    1. BrianKrebs Post author

      Thanks, Mark. Yes, that’s exactly it. I wouldn’t visit most of these carding forums with any computer I cared about. Virtual machines are the way to go!

      Bk

      1. Mark Kelly

        Brian,
        Thanks for the reply. One last question: do you set up any kind of monitoring tools when you visit those sites to determine if they are trying to infect your machine with any type of malicious spyware or other programs? That would be really interesting if they were infecting their own source of income, but I wouldn’t be shocked.

  7. radha

    Hi,
    What the heck is that proxy thing… how can we know our system is not included in the list?

  8. Marie

    @radha please check the proxy site

    what is the address of the proxy site?
