July, 2011


15
Jul 11

How to Buy Friends and Deceive People

Want more friends and followers? Emerging enterprises will create them for you — for a price. An abundance of low-cost, freelance labor online is posing huge challenges for Internet companies trying to combat the growing abuse of their services, and has created a virtual testbed for emerging industries built to assist a range of cybercrime activities, new research shows.

Free services like Craigslist, Facebook, Gmail and Twitter have long sought to deter scammers and spammers by deploying technical countermeasures designed to prevent automated activity, such as the use of botnets to create new accounts en masse. These defenses typically require users to perform tasks that are difficult to automate, at least in theory, such as requiring that new accounts be verified by phone before activation.

But researchers from the University of California, San Diego found that these fraud controls increasingly are being defeated by freelance work arrangements: buyers “crowdsource” work by posting jobs they need done, and globally distributed workers bid on projects that they are willing to take on.

“The availability of this on-demand, for-hire contract market to do just about anything you can think of means it’s very easy for people to innovate around new scams,” said Stefan Savage, a UCSD computer science professor and co-author of the study.

The UCSD team examined almost seven years worth of data from freelancer.com, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such online content creation and Web programming. The remainder centered around four classes of what they termed “dirty” jobs, such as account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.

“Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,’” the researchers wrote. “In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook ‘friends’ for $26 – all provided using extensive manual labor.”

Continue reading →


13
Jul 11

Azeri Banks Corner Fake AV, Pharma Market

Banks in Azerbaijan that have courted the shadowy trade in spam-advertised pharmaceuticals now have cornered the market for processing credit card payments for fake antivirus software, new data reveals.

In June, KrebsOnSecurity highlighted research from the University of California, San Diego (UCSD) showing that Azerigazbank, a financial institution in Azerbaijan, was the primary merchant bank for most major online-fraud pharmacy affiliate programs. By the time that research was published, those programs had moved their business to another bank in Azerbaijan, JSCB Bank Standard.

Earlier this month, researchers from the University of California, Santa Barbara (UCSB) revealed that three of the most popular fake AV affiliate services — which pay hackers to foist worthless software on clueless Internet users — processed tens of millions of dollars in payments through Bank Standard and the International Bank of Azerbaijan.

UCSD researcher Damon McCoy has been making targeted “buys” at dozens of fake AV sites, trying to identify their partner banks. The fake AV operations that McCoy follows are distinct from those in the UCSB research; the UCSB team asked that the names of the rogue AV programs they infiltrated not be published, citing ongoing law enforcement investigations.

A popular fraud forum features a banner ad recruiting affiliates for BestAV

In late 2010, McCoy began buying rogue antivirus software from fake AV affiliate businesses BestAV and Gagarincash — the latter named after Yuri Gagarin, the Russian cosmonaut who was the first man launched into space. McCoy said both fake AV operations previously used Bank Standard, but within the past month have switched to the International Bank of Azerbaijan.

McCoy also tracked a more elusive fake AV affiliate program that he calls Win7Security, after the program’s most profitable brand of fake AV. McCoy said that for the past several months he’d lost track of Win7Security, and hadn’t seen any of its sites being pimped in the usual places, such as malware-laced banner ads and booby-trapped Web sites that redirect users to fake AV sites.

Recently, I heard from a source that stumbled upon a portion of the customer database for a payment processing firm  idpay.com. It’s not clear where this company is based; it claims to have offices in Russia, New York and the United Kingdom, but neither NY nor the UK has any record of that company, and the company did not respond to requests for comment. The idpay.com database indicates that a large number of fake AV Web sites were using idpay.com to process payments (a partial list is here).

Continue reading →


12
Jul 11

Microsoft Fixes Scary Bluetooth Flaw, 21 Others

Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is between 30 to 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.

But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user.  The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.

Joshua Talbot
, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.

“An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”

Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.

Continue reading →


11
Jul 11

Spammers Sell More Non-Lifestyle Drugs in U.S.

Spam may be synonymous with male enhancement drugs, but new research shows that Americans are far more likely than buyers in other countries to turn to spam-advertised pharmacies to obtain pills to treat serious ailments–a trend that reflects differences in government health care and prescription drug policies.

Researchers at the University of California, San Diego, have collected the first data showing which drugs consumers most often buy from spam advertisements, and how much they spend at shadowy online apothecaries.

“People are going to them when they’re either too embarrassed to talk to a doctor, or when it would be far too expensive to buy these drugs otherwise,” said Chris Kanich, a PhD candidate at UCSD’s computer science department, and lead researcher of the study.

Previous estimates of monthly revenue from spam have varied dramatically, from $300,000 to more than $58 million. The UCSD researchers found that the largest rogue Internet pharmacies generate between $1 million and $2.5 million in sales each month, although they caution that their estimates are conservative.

Kanich says the figures show that although the spam-advertised market is substantial, it is not nearly as big as some have claimed, and falls short of annual expenditures on technical anti-spam solutions by corporations and ISPs.

This is an excerpt from a piece I wrote that was published today in MIT Technology Review. Read the full story here. The UCSD paper is available at this link (PDF).


11
Jul 11

ZeuS Trojan for Google Android Spotted

Criminals have developed a component of the ZeuS Trojan designed to run on Google Android phones. The new strain of malware comes as security experts are warning about the threat from mobile malware that may use tainted ads and drive-by downloads.

Image courtesy Fortinet.

Researchers at Fortinet said the malicious file is a new version of “Zitmo,” a family of mobile malware first spotted last year that stands for “ZeuS in the mobile.” The Zitmo variant, disguised as a security application, is designed to intercept the one-time passcodes that banks send to mobile users as an added security feature. It masquerades as a component of Rapport, a banking activation application from Trusteer. Once installed, the malware lies in wait for incoming text messages, and forwards them to a remote Web server.

Trusteer published a lengthy blog post today that mentions an attack by this threat “that was used in conjunction with Zeus 2.1.0.10. The user was first infected with Zeus on their PC and then Zeus showed the message requesting the user to download the Android malware component.” In a phone interview, Trusteer CEO Mickey Boodaei said crooks used the Trojan in live attacks against several online banking users during the first week of June, but that the infrastructure that supported the attacks was taken offline about a month ago.

Boodaei offers a bold and grim forecast for the development of mobile malware, predicting that within 12 to 24 months more than 1 in 20 (5.6%) of Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.

The last bit about exploit kits is key, because almost all mobile malware developed so far uses some type of social engineering to install itself on a device. Boodaei predicts a future time when crooks begin incorporating mobile phone vulnerabilities into automated exploit kits like BlackHole and Eleonore, which use security flaws to install malicious software when the user visits a booby-trapped site with a vulnerable device.

Continue reading →


6
Jul 11

Which Banks Are Enabling Fake AV Scams?

Fake antivirus scams and rogue Internet pharmacies relentlessly seek customers who are willing to trade their credit card numbers for a remedy. Banks and financial institutions become partners in crime when they process payments to fraudsters.

Published research has shown that rogue Internet pharmacies and spam would be much less prevalent and profitable if a few top U.S. financial institutions stopped processing payments for dodgy overseas banks. This is also true for fake antivirus scams, which use misleading security alerts to frighten people into purchasing worthless security software.

Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake antivirus (fake AV) “affiliate” networks, organized criminal operations that pay hackers to deploy the bunk software. The researchers uncovered a peculiar credit card processing pattern that was common to these scams; a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors.

The pattern reflects each fake AV program’s desire to minimize the threat from “chargebacks,” which occur when consumers dispute a charge. The fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat. When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge.

Excessive chargebacks (more than 2-3 percent of sales) generally raise red flags at Visa and MasterCard, which employ a sliding scale of financial penalties for firms that generate too many chargebacks. But the fake AV companies also don’t want to issue refunds voluntarily if they think a customer won’t take the next step of requesting a chargeback.

The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor’s chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds. Consider the following diagram, from the researchers’ report, which shows a direct and very close correlation between increased chargebacks and heightened refund rates.

The researchers found that fraudsters offered more refunds (dotted line) as chargebacks (red) spiked.

Continue reading →


5
Jul 11

A Futures Market for Computer Security

Information security researchers from academia, industry, and the U.S. intelligence community are collaborating to build a pilot “prediction market” capable of anticipating major information security events before they occur.

A prediction market is similar to a regular stock exchange, except the “stocks” are simple statements that the exchange’s members are encouraged to evaluate. Traders will buy and sell “shares” of a stock based on the strength of their confidence about the future outcome—with an overall goal of increasing the value of their portfolios, which will in turn earn them some sort of financial reward. Traders may choose to buy or sell additional shares of a stock, and that buying and selling activity pushes the stock price up or down, just as in a real market.

This is an excerpt from a story I wrote for MIT Technology Review. Read the rest of the piece here.


1
Jul 11

Where Have All the Spambots Gone?

First, the good news: The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge crime machines are fighting back — devising new approaches designed to resist even the most energetic takedown efforts.

The volume of junk email flooding inboxes each day is way down from a year ago, as much as a 90 percent decrease according to some estimates. Symantec reports that spam volumes hit their high mark in July 2010, when junk email purveyors were blasting in excess of 225 billion spam messages per day. The company says daily spam volumes now hover between 25 and 50 billion missives daily. Anti-spam experts from Cisco Systems are tracking a similarly precipitous decline, from 300 billion per day in June 2010 to just 40 billion in June 2011.

Spam messages per day, July 2010 - July 2011. Image courtesy Symantec.

There may be many reasons for the drop in junk email volumes, but it would be a mistake to downplay efforts by law enforcement officials and security experts.  In the past year, authorities have taken down some of the biggest botnets and apprehended several top botmasters. Most recently, the FBI worked with dozens of ISPs to kneecap the Coreflood botnet. In April, Microsoft launched an apparently successful sneak attack against Rustock, a botnet once responsible for sending 40 percent of all junk email.

Daily spam volume July 2010 - July 2011. Image courtesy Spamcop.net

In December 2010, the FBI arrested a Russian accused of running the Mega-D botnet. In October 2010, authorities in the Netherlands arrested the alleged creator of the Bredolab botnet and dismantled huge chunks of the botnet. A month earlier, Spamit.com, one of the biggest spammer affiliate programs ever created, was shut down when its creator, Igor Gusev, was named the world’s number one spammer and went into hiding. In August 2010, researchers clobbered the Pushdo botnet, causing spam from that botnet to slow to a trickle.

But botmasters are not idly standing by while their industry is dismantled. Analysts from Kaspersky Lab this week published research on a new version of the TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove. The latest version of TDSS — dubbed TDL-4 has already infected 4.5 million PCs; it uses a custom encryption scheme that makes it difficult for security experts to analyze traffic between hijacked PCs and botnet controllers. TDL-4 control networks also send out instructions to infected PCs using a peer-to-peer network that includes multiple failsafe mechanisms.

Continue reading →