December, 2011


7
Dec 11

Pro Grade (3D Printer-Made?) ATM Skimmer

In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

Below is a front view image of the device. It is an all-in-one skimmer designed to fit over the card acceptance slot and to record the data from the magnetic stripe of any card dipped into the reader. The fraud device is shown sideways in this picture; attached to an actual ATM, it would appear rotated 90 degrees to the right, so that the word “CHASE” is pointing down.

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here.


6
Dec 11

Attackers Hit New Adobe Reader, Acrobat Flaw

Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.

Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.”


6
Dec 11

Download.com Bundling Toolbars, Trojans?

It wasn’t long ago that I felt comfortable recommending CNET’s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft’s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

The CNET download installer that I got for Nmap from download.com was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at Virustotal.com. When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.



5
Dec 11

Chats With Accused ‘Mega-D’ Botnet Owner?

Recently leaked online chat records may provide the closest look yet at a Russian man awaiting trial in Wisconsin on charges of running a cybercrime machine once responsible for sending between 30 and 40 percent of the world’s junk email.


Oleg Y. Nikolaenko, a 24-year-old who’s been dubbed “The King of Spam,” was arrested by authorities in November 2010 as he visited a car show in Las Vegas. The U.S. Justice Department alleges that Nikolaenko, using the online nickname “Docent,” earned hundreds of thousands of dollars using his “Mega-D” botnet, which authorities say infected more than half a million PCs and could send over 10 billion spam messages a day. Nikolaenko has pleaded not guilty to the charges, and is slated to appear in court this week for a status conference (PDF) on his case.

The Justice Department alleges that Nikolaenko spammed on behalf of Lance Atkinson and other members of Affking, an affiliate program that marketed fly-by-night online pharmacies and knockoff designer goods. Atkinson told prosecutors that one of his two largest Russian spamming affiliates used the online moniker Docent. He also said that Docent received payment via an ePassporte account under the name “Genbucks_dcent.” FBI agents later learned that the account was registered in Nikolaenko’s name and address in Russia, and that the email address attached to the account was 4docent@gmail.com.

According to my research, Docent also spammed for other rogue pharmacy programs. In fact, it’s hard to find one that didn’t pay him to send spam. In my Pharma Wars series, I’ve detailed how Russian cybercrime investigators probing the operations of the massive GlavMed/SpamIt rogue pharmacy operation seized thousands of chat logs from one of its principal organizers. The chats were later leaked online and to select journalists. Within those records are hundreds of hours of chats between the owners of the pharmacy program and many of the world’s biggest spammers, including dozens with one of its top earners — Docent.

According to the SpamIt records, Docent earned commissions totaling more than $325,000 promoting SpamIt pharmacy sites through spam between 2007 and 2010. The Docent in the SpamIt database also had his earnings sent to the same ePassporte account identified by the FBI. The Docent in the leaked chats never references himself as Nikolaenko, but in several cases he asks SpamIt coordinators to send documents to him at the 4docent@gmail.com address.

The chats between Docent and Stupin show a young man who is ultra-confident in the value and sheer spam-blasting power of his botnet. Below are the first in a series of conversation snippets between Docent and SpamIt co-administrator Dmitry Stupin. Before each is a brief note providing some context.

In the transcript that follows, Stupin tries to woo Docent to join SpamIt. Docent negotiates a much higher commission rate than is usually given to new spamming partners. The typical rate is 30 percent of each sale, but Docent is a known figure in the spamming underground, and argues that his botnet will bring such massive traffic to the SpamIt pharmacies that he deserves a higher 45 or 50 percent cut of the sales. This conversation was recorded on Feb. 1, 2007.

Stupin: Hello! You have communicated with ICQ 397061228, I am writing regarding your case, Docent.

Docent: Which case?

Stupin: Do you want to send spam regarding our partnerka [“partnerka” is Russian slang for a mix of private and semi-public affiliate groups that form to facilitate cybercrime activities].

Docent: Which exactly do you mean? I have not yet communicated with this 397061228.

Stupin: Here is the letter which recently came from you: “It is usual spam, GI bases, not opt-in. Big volume of emails. I mail a lot of [competing pharmacy] programs, Bulker, Mailien, SRX. I’m a member of most bulk forums. So if you need references, i can provide them. Usual traffic is 2k+ uniques. Also i need bulk-host.”

Docent: Yes, I got it. It’s just nobody IM’d me.

Stupin: OK) What kind of volumes of spam can you deliver? We are soon deploying our own “partnerka” for spam, we just do not have it right now.

Docent: Volumes are huge, 500 million + / day.

Stupin: Wow! Are you not accidentally on [Spamhaus] ROKSO List?

Docent: Yes, it’s a list of idiots :), with the exception of a couple of people.

Stupin: We do contract people for our spam campaigns, but only verified people. We are not publicly opened yet.



2
Dec 11

Loopholes in Verified by Visa & SecureCode

Trend Micro’s Rik Ferguson posted a good piece on Thursday about a major shortcoming in credit card security programs maintained by MasterCard and Visa. Although the loophole that Ferguson highlighted may be unsettling to some, fraudsters who specialize in stealing and using stolen credit cards online have been exploiting it for years.

At issue is a security protocol called “3 Domain Secure” (3DS), a program designed to reduce card fraud and shift liability for fraud from online merchants to the card issuing banks. Visa introduced the program in 2001, branding it “Verified by Visa,” and MasterCard has a similar program in place called “SecureCode.”

Cardholders who choose to participate in the programs can register their card by entering the card number, filling in their ZIP code and birth date, and picking a passcode. When a cardholder makes a purchase at a site that uses 3DS, he enters the code, which is verified by the issuing bank and is never shared with the merchant site.

But as Ferguson notes, people are human and tend to forget things, especially passcodes and passwords, and it is the password reset function that eliminates any security provided by Verified by Visa or SecureCode. From his blog:

“What would a criminal do if they had access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.”

“The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitimate account holder, let’s have a look at that “Identification” phase.”

“Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.”

“Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.”

This would all be very shocking if it wasn’t already painfully obvious to today’s cyber crooks. When I read the Trend blog post, I began searching for several screen shots I had taken of a discussion on an underground carding forum more than two years ago, which explained very clearly how to get around this added level of card security. The tutorial in the screen shot below was posted by an administrator from the carding forum carder.pro on Halloween, 2009:
