December, 2012


10
Dec 12

Espionage Attacks Against Ruskies?

Hardly a week goes by without news of a cyber espionage attack emanating from China that is focused on extracting sensitive data from corporations and research centers in the United States. But analysis of a recent malware campaign suggests that cyberspies in that region may be just as interested in siphoning secrets from Russian targets.

The Cyrillic text used in the decoy document.

Researchers at Milpitas, Calif. based security firm FireEye say they spotted an email attack of apparent Chinese origin that used Russian language lures to steal data from mostly Russian victims. The email malware campaign embedded a Microsoft Word exploit that displayed a decoy document containing news about a meeting of ASEAN, the Association of Southeast Asian Nations.

According to FireEye’s Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation. The malicious Word document sample that kicked this off was authored from a Microsoft Windows system that was set to use the language pack “Windows Simplified Chinese (PRC, Singapore). The researchers also say they were able to gain access to the control server used in the attack, which revealed systems logging in from China to check on new victims.

Update, 1:05 p.m. ET: FireEye just published a blog post about this research, which indicates they now believe the likely source of this attack was Korea, not China. The headline to this story has been modified..

Continue reading →


4
Dec 12

ATM Thieves Swap Security Camera for Keyboard

This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.

Photo: TV Bahia

The story comes from O Estado de S. Paulo (“The State of São Paulo“), a daily newspaper in Brazil’s largest city. According to the paper, late last month a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, because the thief then was able to insert his own USB stick into the slot previously occupied by the camera. As you can imagine, a scene straight out of Terminator 2 ensued.

The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. The newspaper story isn’t crystal clear on the role of the USB device — whether it served as a replacement operating system or merely served to connect the keyboard to the machine (it’s not hard to imagine why this would be so easy, since most ATMs run on some version of Microsoft Windows, which automatically installs drivers for most USB-based input devices).

At any rate, after the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. According to the story, the thief started by removing all of the R $100 bills, and then moved on to the R $50 notes, and so on.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

As clever as this hack was, the crook didn’t get away: The police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the guy they apprehended refused to give up the identity of his accomplice. My guess is the one coaching the thief had inside knowledge about how these machines operated, and perhaps even worked at a financial institution at one point.

These kinds of attacks make traditional ATM skimmer scams look positively prehistoric by comparison. But the sad part is that even really crude skimming devices can be very lucrative and go undetected for months. I was reminded of this last week, when, for the third time in as many months, authorities discovered ATM skimmers at hospitals within a few miles of here. Local police believe the same thieves are responsible for planting all of the fraud devices, which are relatively unsophisticated but nonetheless enabled the theft of thousands of dollars over a period of several weeks.

Continue reading →


3
Dec 12

Vrublevsky Sues Kaspersky

The co-founder and owner of ChronoPay, one of Russia’s largest e-payment providers, is suing Russian security firm Kaspersky Lab, alleging that the latter published defamatory blog posts about him in connection with his ongoing cybercrime trial.

ChronoPay founder Pavel Vrublevsky, at his office in Moscow

Pavel O. Vrublevsky, is on trial in Moscow for allegedly hiring the curator of the Festi spam botnet to attack one of ChronoPay’s rival payment processors. He spent six months in prison last year after admitting to his part in the attack on Assist, a company that processed payments for Russian airline Aeroflot.

The events leading up to that crime are the subject of my Pharma Wars series, which documents an expensive and labyrinthine grudge match between Vrublevsky and the other co-founder of ChronoPay: Igor Gusevthe alleged proprietor of GlavMed and SpamIt, sister organizations that until recently were the largest sources of spam touting rogue Internet pharmacies. For his part, Vrublevsky has been identified as the co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion. 

Kaspersky blogger Tatyana Nikitina has covered Vrublevsky’s trial, which has been marked by prosecutorial miscues, allegations of official corruption, and the passage of new Russian laws that actually reduce the penalties for some of Vrublevsky’s alleged offenses. In her latest blog post, “The Vrublevsky Case is Ruined,” Nikitina laments yet another regressive milestone in the trial: The dismissal of claims by Aeroflot that it suffered almost $5 million losses as a result of the cyberattack.

Late last month, Vrublevsky’s lawyers fired back, filing a $5 million defamation lawsuit against Kaspersky Lab, charging that its publications contained untrue and defamatory information. In the suit, Vrublevsky argues that Kaspersky is not only trying to discredit him and influence the judicial process, but that Kaspersky is hardly a disinterested party. He noted that Assist was using Kaspersky’s DDoS protection services at the time of the attack, which Assist said took its services offline for a week.

Continue reading →