July, 2011


28
Jul 11

Trojan Tricks Victims Into Transferring Funds

It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.

The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

Continue reading →


26
Jul 11

Spam & Fake AV: Like Ham & Eggs

An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years.

I recently highlighted the financial links among the organizations responsible for promoting fake antivirus products and spam-advertised pharmacies; all were relying on a few banks in Azerbaijan to process credit card payments.

In this segment, I’ll look at the personnel overlap between the fake AV and pharma industries. The data is drawn from two places: a study done by researchers at the University of California, Santa Barbara (UCSB) that examined three of the most popular fake AV affiliate services which pay hackers to foist worthless software on clueless Internet users; and the leaked Glavmed/Spamit affiliate database, which includes the financial and contact information for many of the world’s top spammers and hackers.

UCSB researcher Brett Stone-Gross and I compared the ICQ instant message numbers belonging to affiliates from Glavmed/Spamit with the ICQ numbers used by affiliates of the largest of the fake AV programs measured by his research team. The result? 417 out of 998 affiliates who were registered with the fake AV distribution service — a whopping 42.2 percent — also were registered pharma spammers with Glavmed/Spamit.

Continue reading →


25
Jul 11

Calif. Co. Sues Bank Over $465k eBanking Heist

A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

The plight of Redondo Beach, Calif. based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.

The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.

Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that its systems used “multi-factor,” and “state-0f-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.

Continue reading →


21
Jul 11

Comcast Hijacks Firefox Homepage: “We’ll Fix”

Comcast says it is revamping the software that new customers need to install to start service with the ISP. The software is unfriendly to Mac users running Firefox: It changes the browser’s homepage to comcast.net, and blocks users from changing it to anything else.

I heard this from a friend who’d just signed up for Comcast’s Xfinity high-speed Internet service and soon discovered some behavior on his Mac that is akin to Windows malware  — something had hijacked his Internet settings. The technician who arrived to turn on the service said that a software package from Comcast was necessary to complete the installation. My friend later discovered that his homepage had been changed to comcast.net, and that Comcast software had modified his Firefox profile so that there was no way to change the homepage setting.

I contacted Comcast; they initially blamed the problem on a bug in Firefox. Mozilla denies this, and says it’s Comcast’s doing.

Continue reading →


19
Jul 11

Google: Your Computer Appears to Be Infected

Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Screenshot of the image Google is displaying to notify users of infected PCs.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

Continue reading →


19
Jul 11

eBanking Theft Costs Town of Eliot, Me. $28k

Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts.

On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a “money mule,” an individual who was recruited through a work-at-home job scam to help the thieves launder money. He had misgivings about a job he had just completed for his employer. The job involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine. The receipt his employer emailed to him along with the money transfer said the client was “Town of Eliot, Ma.”

Norma Jean Spinney, the town controller, said she immediately alerted the town’s financial institution, TD Bank, but the bank couldn’t find any unusual transactions. Spinney said that three days later she received a call from TD Bank, notifying the town of a suspicious batch of payroll direct deposits totaling more than $28,000. TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball.

Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.

TD Bank spokeswoman Jennifer Morneau declined to discuss the incident, citing customer confidentiality policies.

Continue reading →


18
Jul 11

Microsoft Offers $250K Bounty for Rustock Author

Microsoft said today that it is offering a $250,000 reward for new information leading to the arrest and conviction of the individual(s) responsible for the Rustock botnet, a now-defunct crime machine that was once responsible for sending 40 percent of all junk email.

The bounty is the software giant’s latest salvo in its war on Rustock; Microsoft secured a major victory in March, when it worked with ISPs and security firms to launch a successful sneak attack against the botnet, knocking out its support infrastructure. Richard Boscovich, senior attorney for Microsoft’s digital crimes unit, said that although spam from Rustock-infected PCs has ceased, there are still hundreds of thousands of infected computers around the world to be cleaned of the botnet malware.

Microsoft's Rustock notice in The Moscow News, June 14

“This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it,” Boscovich wrote in a post on the official Microsoft blog. “While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.”

Microsoft recently ran advertisements in major newspapers in Moscow and St. Petersburg, as part of a deal the company struck with a U.S. court to help dismantle Rustock; the court granted Microsoft dominion over the Rustock control servers and domains as long as the company made a “good faith” effort to notify the unidentified owners.

Continue reading →


18
Jul 11

Apple’s i-Patches Fix Critical iOS Flaws

Apple has issued a software update that fixes at least three serious security holes in supported versions of its iPhone, iPad, iPod and iPod Touch devices.

The patch targets security weaknesses in the way iOS devices render PDF files. Experts have been warning that attackers could leverage the flaws to install software without warning or permission if users were to merely browse to a malicious site. The update fixes the same vulnerabilities that jailbreakme.com has been using to help people jailbreak Apple’s i-devices.

The Apple update — iOS 4.2.9 or iOS 4.3.4, depending on your device — can be downloaded only from within iTunes. If you are planning to jailbreak your device, visit jailbreakme.com, and then apply the unofficial patch that the Dev-Team released to help jailbreakers protect their phones from further abuse of the vulnerabilities.


18
Jul 11

Is Your Voicemail Wide Open?

The “phone-hacking” scandal that has gripped the U.K. is now making waves on this side of the pond. It stems from an alleged series of intrusions into the wireless voicemail boxes of high profile celebrities and 9/11 victims. The news stories about this scandal make it sound as if the attacks were sophisticated — an investigation into exactly what happened is still pending — but many people would be surprised to learn just how easy it is to “hack” into someone’s voicemail.

For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that if you haven’t set up your voicemail account to require a PIN for access, your messages may be vulnerable to snooping by anyone who has access to caller ID “spoofing” technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.

I wanted to check whether this is possible with my AT&T account — so I chose my wife’s new iPhone as the target; I was reasonably sure she hadn’t set a PIN on her voicemail. I surfed over to spooftel.com and found that I still had $10 in credits in my account. I instructed Spooftel to call her number, and to use that same number as the caller ID information that gets transmitted to my wife’s phone. Her phone rang 4 times before going to voicemail; I pressed the # sign on my iPhone and was immediately presented with her saved messages. Continue reading →


15
Jul 11

More Than 100 Arrested in Fake Internet Sales

Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.

According to a statement from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as “arrows” to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.

Continue reading →