Breadcrumbs


31
May 15

Malware Evolution Calls for Actor Attribution?

What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it’s important to consider attribution insofar as it is knowable, but it’s remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.

mysteryman

Perhaps with some new malware samples, the associated actor attribution data is too inconclusive to publish —particularly when corporate lawyers are involved and such findings are juxtaposed to facts about a new code sample that can be demonstrated empirically. Maybe in other cases, the company publishing the research privately has concerns that airing their findings on attribution will somehow cause people to take them or the newfound threat less seriously?

I doubt many who are familiar with my reporting will have trouble telling where I come down on this subject, which explains why I’m fascinated by a bit of digging done into the actor behind a new malware sample that recently received quite a bit of media attention. That threat, known variously as “Rombertik” and “Carbon Grabber,” is financial crimeware that gained media attention because of a curious feature: it was apparently designed to overwrite key sections of the hard drive, rendering the host system unbootable.

News about Rombertik’s destructive ways was first published by Cisco, which posited that the feature was a defense mechanism built into the malware to frustrate security researchers who might be trying to unlock its secrets. Other security firms published competing theories about the purpose of the destructive component of the malware. Some argued it was the malware author’s way of enforcing licensing agreements with his customers: Those who tried to use the malware on Web addresses or domains that were not authorized as part of the original sale would be considered in violation of the software agreement — their malware infrastructure thus exposed to (criminal) a copyright enforcement regime of the most unforgiving kind.

Incredibly, none of these companies bothered to look more closely at the clues rather clumsily left behind by the person apparently responsible for spreading the malware sample that prompted Cisco to blog about Rombertik in the first place. Had they done so, they might have discovered that this ultra-sophisticated new malware strain was unearthed precisely because it was being wielded by a relatively unsophisticated actor who seems to pose more of a threat to himself than to others.

AFRICAN PERSISTENT THREAT

As much as I would love to take credit for this research, that glory belongs to the community which has sprung up around ThreatConnect, a company that specializes in threat attribution with a special focus on crowdsourcing raw actor data across a large community of users.

In this case, ThreatConnect dug deeper into centozos[dot]org[dot]in, the control server used in the Rombertik sample featured in the original Cisco report. The Web site registration records for that domain lists an individual in Lagos, Nigeria who used the email address genhostkay@dispostable.com. For those unfamiliar with Dispostable, it is a free, throwaway email service that allows anyone to send and receive email without supplying a password for the account. While this kind of service relieves the user of having to remember their password, it also allows anyone who knows the username to read all of the mail associated with that account.

KallySky's inbox at Dispostable.

KallySky’s inbox at Dispostable.

Continue reading →


26
Mar 15

Who Is the Antidetect Author?

Earlier this month I wrote about Antidetect, a commercial tool designed to help thieves evade fraud detection schemes employed by many e-commerce companies. That piece walked readers through a sales video for Antidetect showing the software being used to buy products online with stolen credit cards. Today, we’ll take a closer look at clues to a possible real-life identity of this tool’s creator.

The author of Antidetect uses the nickname “Byte Catcher,” and advertises on several crime forums that he can be reached at the ICQ address 737084, and at the jabber instant messaging handles “byte.catcher@xmpp.ru” and “byte.catcher@0nl1ne.at”. His software is for sale at antidetect[dot]net and antidetect[dot]org.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Searching on that ICQ number turns up a post on a Russian forum from 2006, wherein a fifth-year computer science student posting under the name “pavelvladimirovich” says he is looking for a job and that he can be reached at the following contact points:

ICQ: 737084

Skype name: pavelvladimirovich1

email: gpvx@yandex.ru

According to a reverse WHOIS lookup ordered from Domaintools.com, that email address is the same one used to register the aforementioned antidetect[dot]org, as well as antifraud[dot]biz and hwidspoofer[dot]com (HWID is short for hardware identification, a common method that software makers use to ensure a given program license can only be used on one computer).

These were quite recent registrations (mid-2014), but that gpvx@yandex.ru email also was used to register domains in 2007, including allfreelance[dot]org and a domain called casinohackers[dot]com. Interestingly, one of the main uses that Byte Catcher advertises for his Antidetect software is to help beat fraud detection mechanisms used by online casinos. As we can see from this page at archive.org, a subsection of casinohackers.com was at one time dedicated to advertising Antidetect Patch — a version that comes with its own virtual machine.

That ICQ number is tied to a user named “collisionsoftware” at the Russian cybercrime forum antichat[dot]ru, in which the seller is advertising software that routes the user’s Internet connection through hacked PCs. He directs interested buyers to the web site cn[dot]viamk[dot]com, which is no longer online. But an archived version of that page at archive.org shows the same “collision” name and the words “freelance team.” The contact form on this site also lists the above-referenced ICQ number and email gpvx@yandex.ru, and even includes a résumé of the site’s owner.

Another domain connected to that antichat profile is cnsoft[dot]ru, the now defunct domain for Collision Software, which bills itself as a firm that can be hired to write software. The homepage lists the same ICQ number (737084).

The ICQ.com profile page for that number includes links to accounts on Russian fraud forums that are all named “Mysterious Killer.” In one of those accounts, on the fraud forum exploit[dot]in, Mysterious Killer lists the same Jabber and ICQ addresses, and offers a variety of services, including a tool to mass-check PayPal account credentials, as well as a full instructional course on click-fraud.

Antidetect retails for between $399 and $999, and includes live support.

Antidetect retails for between $399 and $999, and includes (somewhat unreliable) live support.

Both antifraud[dot]biz and allfreelance[dot]org were originally registered by an individual in Kaliningrad, Russia named Pavel V. Golub. Note that this name matches the initials in the email address gpvx@yandex.ru. KrebsOnSecurity has yet to receive a response to inquiries sent to that email and to the above-referenced Skype profile. Update, 1:05 p.m.: Pavel replied to my email, denying that he produced the video selling his software. “My software was cracked few years ago and then it as spreaded, selled by other people,” he wrote. Meanwhile, someone has started deleting photos and other items linked in this story.

Original story:

A little searching turns up this profile on Russian social networking giant Odnoklassniki.ru for one Pavel Golub, a 29-year-old male from Koenig, Russia. Written in Russian as “Кениг,” this is Russian slang for Kaliningrad and refers to the city’s previous German name.

One of Pavel’s five friends on Odnoklassniki is 27-year-old Vera Golub, also of Kaliningrad. A search of “Vera Golub, Kaliningrad” on vkontakte.com — Russia’s version of Facebook — reveals a vk.com group in Kaliningrad about artificial fingernails that has two contacts: Vera Ivanova (referred to as “master” in this group), and Pavel Vladimirovich (listed as “husband”). Continue reading →


31
Dec 14

Lizard Kids: A Long Trail of Fail

The Lizard Squad, a band of young hooligans that recently became Internet famous for launching crippling distributed denial-of-service (DDoS) attacks against the largest online gaming networks, is now advertising its own Lizard-branded DDoS-for-hire service. Read on for a decidedly different take on this offering than what’s being portrayed in the mainstream media.

Lizard Stresser login page taunts this author.

Lizard Stresser login page taunts this author.

The new service, lizardstresser[dot]su, seems a natural evolution for a group of misguided youngsters that has sought to profit from its attention-seeking activities. The Lizard kids only ceased their attack against Sony’s Playstation and Microsoft’s Xbox Live networks last week after MegaUpload founder Kim Dotcom offered the group $300,000 worth of vouchers for his service in exchange for ending the assault. And in a development probably that shocks no one, the gang’s members cynically told Dailydot that both attacks were just elaborate commercials for and a run-up to this DDoS-for-hire offering.

The group is advertising the new “booter service” via its Twitter account, which has some 132,000+ followers. Subscriptions range from $5.99 per month for the ability to knock a target offline for 100 seconds at a time, to $129.99 monthly for DDoS attacks lasting more than eight hours.

In any case, I’m not terribly interested in turning this post into a commercial for the Lizard kids; rather, it’s a brain dump of related information I’ve gathered from various sources in the past 24 hours about the individuals and infrastructure that support the site.

In a show of just how little this group knows about actual hacking and coding, the source code for the service appears to have been lifted in its entirety from titaniumstresser, another, more established DDoS-for-hire booter service. In fact, these Lizard geniuses are so inexperienced at coding that they inadvertently exposed information about all of their 1,700+ registered users (more on this in a moment).

These two services, like most booters, are hidden behind CloudFlare, a content distribution service that lets sites obscure their true Internet address. In case anyone cares, Lizardstresser’s real Internet address currently is 217.71.50.57, at a hosting facility in Bosnia.

In any database of leaked forum or service usernames, it is usually safe to say that the usernames which show up first in the list are the administrators and/or creators of the site. The usernames exposed by the coding and authentication weaknesses in LizardStresser show that the first few registered users are “anti” and “antichrist.” As far as I can tell, these two users are the same guy: A ne’er-do-well who has previously sold access to his personal DDoS-for-hire service on Darkode — a notorious English-language cybercrime forum that I have profiled extensively on this blog.

As detailed in a recent, highly entertaining post on the blog Malwaretech, LizardSquad and Darkode are practically synonymous and indistinguishable now. Anyone curious about why the Lizard kids have picked on Yours Truly can probably find the answer in that Malwaretech story. As that post notes, the main online chat room for the Lizard kids (at lizardpatrol[dot]com) also is hidden behind CloudFlare, but careful research shows that it is actually hosted at the same Internet address as Darkode (5,38,89,132).

A suggested new banner for this blog from the jokers at black hat forum Darkode, which shares a server with the main chat forum for the Lizard kids.

A suggested new banner for this blog from the jokers at black hat forum Darkode, which shares a server with the main chat forum for the Lizard kids.

In a show of just how desperate these kids are for attention, consider that the login page for LizardStresser currently says “Hosted somewhere on Brian Krebs’ forehead: Donate to the forehead reduction foundation, simply send money to krebsonsecurity@gmail.com on PayPal.” Many of you have done that in the past couple of days, although I doubt as a result of visiting the Lizard kids’ silly site. Anyway, for those generous donors, a hearty “thank you.” Continue reading →


29
Dec 14

Who’s in the Lizard Squad?

The core members of a group calling itself “Lizard Squad” — which took responsibility for attacking Sony’s Playstation and Microsoft‘s Xbox networks and knocking them offline for Christmas Day — want very much to be recognized for their actions. So, here’s a closer look at two young men who appear to be anxious to let the world know they are closely connected to the attacks.

Kim Dotcom offers Lizard Squad members vouchers to stop the attack.

Kim Dotcom offers Lizard Squad members vouchers to stop the attack.

The LizardSquad reportedly only called off their attacks after MegaUpload founder Kim Dotcom offered the group some 3,000 vouchers for his content hosting service. The vouchers sell for $99 apiece, meaning that Dotcom effectively offered the group the equivalent of $300,000 to stop their seige.

On Dec. 26, BBC Radio aired an interview with two young men who claimed to have been involved in the attacks. The two were referred to in the interview only as “Member 1″ and “Member 2,” but both have each given on-camera interviews previously (more on that in a bit).

The BBC’s Stephen Nolan asks Member 2, “It was nothing really to do with exposing a company for the greater good? You took the money and you ran, didn’t you, like a petty criminal?”

M2: “Well, we didn’t really expect money from it in the first place. If we really cared about money we could have used the twitter accounts that we generated over 50,000 followers within 24-48 hours we could have used that for monetization, you know? We could have easily sent out a couple of linked….profiles or whatever where each click could gain us three to six cents.”

Vinnie Omari, speaking to Sky News on Dec. 27.

Vinnie Omari, speaking to Sky News on Dec. 27.

Nolan: “So why did you take the vouchers, then?

M2: “It was just an offer. It’s hard to say. It was just a one-time thing. It’s $300,000 worth of vouchers.”

Nolan: “Dirty, grubby, greed?”

M2: “Well, that’s what happens, I’m afraid. That’s what it is like in the security business.”

Member2, the guy that does most of the talking in the BBC interview, appears to be a 22-year-old from the United Kingdom named Vinnie Omari. Sky News ran an on-camera interview with Omari on Dec. 27, quoting him as a “computer security analyst” as he talks about the attacks by LizardSquad and their supposed feud with a rival hacker gang.

The same voice can be heard on this video from Vinnie’s Youtube channel, in which he enthuses about hackforums[dot]net, a forum that is overrun with teenage wannabe hackers who spend most of their time trying to impress, attack or steal from one another.

In a thread on Hackforums that Omari began on Dec. 26 using the Hackforums username “Vinnie” Omari says he’s been given vouchers from Kim Dotcom’s Mega, and wonders if the Hackforums rules allow him to sell the vouchers on the forum.

Hackforums user "Vinnie" asks about selling MegaUpload vouchers.

Hackforums user “Vinnie” asks about selling MegaUpload vouchers.

vinnie-profit

Continue reading →


13
Dec 14

SpamHaus, CloudFlare Attacker Pleads Guilty

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

narko-stophausIn late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”

In April 2013, an unnamed then-16-year-old male from London identified only by his hacker alias “Narko,” was arrested and charged with computer misuse and money laundering in connection with the attack.

Sources close to the investigation now tell KrebsOnSecurity that Narko has pleaded guilty to those charges, and that Narko’s real name is Sean Nolan McDonough. A spokesman for the U.K. National Crime Agency confirmed that a 17-year-old male from London had pleaded guilty to those charges on Dec. 10, but noted that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

During the assault on SpamHaus, Narko was listed as one of several moderators of the forum Stophaus[dot]com, a motley crew of hacktivists, spammers and bulletproof hosting providers who took credit for organizing the attack on SpamHaus and CloudFlare.

WHO RUNS STOPHAUS?

It is likely that McDonough/Narko was hired by someone else to conduct the attack. So, this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.

cocg-fbNot long after McDonough’s arrest, a new Facebook page went online called “Freenarko,” which listed itself as “a solidarity support group to help in the legal defense and media stability for ‘Narko,’ a 16-yr old brother in London who faces charges concerning the Spamhaus DDoS attack in March.”

Multiple posts on that page link to Stophaus propaganda, to the Facebook page for the Church of the Common Good, and to a now-defunct Web site called “WeAreHomogeneous.org” (an eye-opening and archived copy of the site as it existed in early 2013 is available at archive.org; for better or worse, the group’s Facebook page lives on).

The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).

Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”

More recent entries in Andrew’s LinkedIn profile show that he now sees his current job as a “social engineer.” From his page:

“I am a what you may call a “Social Engineer” and have done work for several information security teams. My most recent operation was with a research team doing propaganda analysis for a media firm. I have a unique ability to access data that is typically inaccessible through social engineering and use this ability to gather data for research purposes. I have a knack for data mining and analysis, but was not formally trained so am able to think outside the box and accomplish goals traditional infosec students could not. I am proficient at strategic planning and vulnerability analysis and am often busy dissecting malware and tracking the criminals behind such software. There’s no real title for what I do, but I do it well I am told.”

Turns out, Andrew J. Stephens used to have his own Web site — andrewstephens.org. Here, the indispensable archive.org helps out again with a cache of his site from back when it launched in 2011 (oddly enough, the same year that Stophaus claims to have been born). On his page, Mr. Stephens lists himself as an “internet entrepreneur” and his business as “IBT.” Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”

Stephens did not return requests for comment sent to his various contact addresses, although a combative individual who uses the Twitter handle @Stophaus and has been promoting the group’s campaign refused to answer direct questions about whether he was in fact Andrew J. Stephens.

Continue reading →


5
Nov 14

Still Spamming After All These Years

A long trail of spam, dodgy domains and hijacked Internet addresses leads back to a 37-year-old junk email purveyor in San Diego who was the first alleged spammer to have been criminally prosecuted 13 years ago for blasting unsolicited commercial email.

atballLast month, security experts at Cisco blogged about spam samples caught by the company’s SpamCop service, which maintains a blacklist of known spam sources. When companies or Internet service providers learn that their address ranges are listed on spam blacklists, they generally get in touch with the blacklister to determine and remediate the cause for the listing (because usually at that point legitimate customers of the blacklisted company or ISP are having trouble sending email).

In this case, a hosting firm in Ireland reached out to Cisco to dispute being listed by SpamCop, insisting that it had no spammers on its networks. Upon investigating further, the hosting company discovered that the spam had indeed come from its Internet addresses, but that the addresses in question weren’t actually being hosted on its network. Rather, the addresses had been hijacked by a spam gang.

Spammers sometimes hijack Internet address ranges that go unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker (for another example of IP address hijacking, also known as “network identity theft,” check out this story I wrote for The Washington Post back in 2008).

So who’s benefitting from the Internet addresses wrested from the Irish hosting company? According to Cisco, the addresses were hijacked by Mega-Spred and Visnet, hosting providers in Bulgaria and Romania, respectively. But what of the spammers using this infrastructure?

One of the domains promoted in the spam that caused this ruckus — unmetegulzoo[dot]com — leads to some interesting clues. It was registered recently by a Mike Prescott in San Diego, to the email address mikeprescott7777@gmail.com. That email was used to register more than 1,100 similarly spammy domains that were recently seen in junk email campaigns (for the complete list, see this CSV file compiled by DomainTools.com).

Enter Ron Guilmette, an avid anti-spam researcher who tracks spammer activity not by following clues in the junk email itself but by looking for patterns in the way spammers use the domains they’re advertising in their spam campaigns. Guilmette stumbled on the domains registered to the Mike Prescott address while digging through the registration records on more than 14,000 spam-advertised domains that were all using the same method (Guilmette asked to keep that telltale pattern out of this story so as not to tip off the spammers, but I have seen his research and it is solid).

persaud-fbOf the 5,000 or so domains in that bunch that have accessible WHOIS registration records, hundreds of them were registered to variations on the Mike Prescott email address and to locations in San Diego. Interestingly, one email address found in the registration records for hundreds of domains advertised in this spam campaign was registered to a “michaelp77x@gmail.com” in San Diego, which also happens to be the email address tied to the Facebook account for one Michael Persaud in San Diego.

Persaud is an unabashed bulk emailer who’s been sued by AOL, the San Diego District Attorney’s office and by anti-spam activists multiple times over the last 15 years. Reached via email, Persaud doesn’t deny registering the domains in question, and admits to sending unsolicited bulk email for a variety of “clients.” But Persaud claims that all of his spam campaigns adhere to the CAN-SPAM Act, the main anti-spam law in the United States — which prohibits the sending of spam that spoofs that sender’s address and which does not give recipients an easy way to opt out of receiving future such emails from that sender.

As for why his spam was observed coming from multiple hijacked Internet address ranges, Persaud said he had no idea. Continue reading →


24
Jun 14

The ‘Fly’ Has Been Swatted

A Ukrainian man who claimed responsibility for organizing a campaign to send heroin to my home last summer has been arrested in Italy on suspicion of trafficking in stolen credit card accounts, among other things, KrebsOnSecurity.com has learned.

Sergei "Fly" Vovnenko was arrested in Naples, Italy.

Passport photo for Sergei “Fly” Vovnenko. He was arrested in Naples, Italy earlier this month.

Last summer, appropos of nothing, an infamous cybercrook known as “Fly,” “Flycracker” and “Muxacc” began sending me profane and taunting tweets. On top of this, he posted my credit report on his blog and changed his Twitter profile picture to an image of an action figure holding up my severed head.

The only thing I knew about Fly then was that he was the founder and administrator of a closely-guarded Russian-language crime forum called thecc.bz (the “cc” part referring to credit cards). Fly also was a trusted moderator on Mazafaka, one of the most exclusive and venerable Russian carding forums online today.

Shortly after Fly began sending those nasty tweets, I secretly gained access to his forum, where I learned that he had hatched a plot to buy heroin on the Silk Road, have it shipped to my home, and then spoof a call from one of my neighbors to the local police when the drugs arrived (see Mail from the Velvet Cybercrime Underground).

Thankfully, I was able to warn the cops in advance, even track the package along with the rest of the forum members thanks to a USPS tracking link that Fly had posted into a discussion thread on his forum.

Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

Irina Gumenyuk-Vovnenko lists her hometown as Naples in her Odnoklassniki.ru profile.

Irina Gumenyuk-Vovnenko’s lists her hometown as Naples in her Odnoklassniki.ru profile.

After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Russian computer forensics firm Group-IB provided a key piece of the puzzle (they also were quite helpful on the heroin sleuthing as well). Group-IB found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it (.it is the country code for Italy).

According to a trusted source in the security community, that email account was somehow compromised last year. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).

Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his wife Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.

Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy. Continue reading →


15
Jan 14

A First Look at the Target Intrusion, Malware

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

The seller of the point-of-sale "memory dump" malware used in the Target attack.

The seller of the point-of-sale “memory dump” malware allegedly used in the Target attack.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.

This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

‘BLACK POS’

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache (Update, Jan. 16, 9:29 a.m.: Sometime after this story ran, Google removed the cached ThreatExpert report; I’ve uploaded a PDF version of it here).

According to sources, "ttcopscli3acs" is the name of the Windows share point used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r"

According to sources, “ttcopscli3acs” is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the malware used to upload stolen data data was “Best1_user”; the password was “BackupU$r”

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis –“POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.

pos-fbiThat source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

Continue reading →


6
Jan 14

Deconstructing the $9.84 Credit Card Hustle

Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.

homecsOne reader said the $9.84 charge on her card  came with a notation stating the site responsible was eetsac.com. I soon discovered that there are dozens of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.

I did a bit of digging into that eetsac.com domain, ordering a historic WHOIS report from domaintools.com. The report shows that the domain eetsac.com was originally registered using the email address walter.kosevo@ymail.com. Domaintools also reports that this email address was used to register more than 230 other sites; a full list is available here (CSV).

A closer look at some of those domains reveals a few interesting facts. Callscs.in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs.in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075.

iwepThe next site like that one on the list — cewcs.com — references the domain insiderwebeducationpro.com, another domain on the list of sites registered to that ymail.com email address. The homepage of insiderwebeducationpro.com lists the following contact information:

Copyright © 2014. All Rights Reserved – Lasorea Ltd

Lasorea Ltd.
Site and billing supported by:cewcs.com cs@cewcs.com
Premier Business Centre 47-49 Park Royal Road
London UK NW107LQ
8555311090

A search at companieshouse.gov.uk, a government site which maintains records about companies based in the United Kingdom, turned up incorporation records (PDF) showing that Lasorea Ltd. was founded in January 2013 by Emil Darbinian, a 28-year-old self-described accountant from Nicosia, Cyprus. Other records searches on Mr. Darbinian indicate he owns at least two other companies at the same address, including Testohealth Labs. Ltd — which appears to be a software company — and a firm called Levantos Venture Ltd. Mr. Darbinian did not return messages seeking comment.

Another domain on the list — etosac.com — is listed as the support and billing site for webtutorialpro.com, a site which bills itself as an “affiliate learning system.” In fact, of the 235 domains registered to walter.kosevo@ymail.com, all seem to be either affiliate programs of one kind (diet pills, work-at-home) or support/call center sites.

Dozens of sites like this one are the source of the $9.84 charges.

Dozens of sites like this one are the apparent source of the $9.84 charges.

Webtutorialpro.com lists on its homepage a company named Lukria, Ltd., and an address at the same London business park as Mr. Darbinian’s companies. If we step through the signup process to become an affiliate at Webtutorialpro.com, we can see that everything — from the “online store in a box” to “pay per click extreme” and the tutorial on “how to get FREE web traffic — all retail for….wait for it….$9.84!

Lukria, according to incorporation documents (PDF) purchased from companieshouse.co.uk, was created on the same day as Lasorea Ltd., and lists as its director a Sergey Babayan, also from Cyprus. According to the Facebook pages of both Mr. Darbinian and Mr. Babayan, the two men are friends. Mr. Babayan has not responded to requests for comment.

Mr. Babayan’s Facebook profile says he works at a company called Prospectacy Limited, which LinkedIn says is an accounting firm in Nicosia, Cyprus. According to Prospectacy’s Web site, this company specializes in “corporate services,” including “company formation,” “banking,” and “virtual office” services. The company seems to be in the business of establishing offshore firms; according to a reverse WHOIS record lookup from domaintools.com, the email address used to register Prospectacy’s domain also was used to register at least ten other domains, including registerincyprus.com, registerinuk.com, setupincyprus.com and setupineu.com.

A number of these affiliate sites include on their home page links to credorax.com, a Southborough, Mass. based acquiring bank Malta-based acquiring bank that is in the business of processing credit and debit card payments for merchants. It’s not clear whether either cewcs.com or insiderwebeducationpro.com use Credorax Inc. for payment processing, but it seems to suggest that by association. I reached out to Credorax to learn whether this site (and perhaps others that are the subject of this story) are customers, and will update this story if I hear back from them.

Update, 12:43 p.m. ET: I heard from Michael Burtscher, vice president of acquiring risk and fraud management at Credorax. Burtscher clarified that his company has offices in the U.S. but is based in Malta. Burtscher confirmed that Credorax had until recently helped to process cards for the network of sites named in this story, but that the company has severed that relationship. He declined to say when exactly the relationship ended, or indeed whether my information about the client’s identities was accurate. Burtscher would only say that Credorax terminated its relationship with the client in response to consumer complaints about the fraudulent charges. “This was one of those cases where when we onboarded them it looked like a legitimate account, but when we saw there were issues we decided to take action.”

Continue reading →


24
Dec 13

Who’s Selling Credit Cards from Target?

The previous two posts on this blog have featured stories about banks buying back credit and debit card accounts stolen in the Target hack and that ended up for sale on rescator[dot]la, a popular underground store. Today’s post looks a bit closer at open-source information on a possible real-life identity for the proprietor of that online fraud shop.

Rescator[dot]la is run by a miscreant who uses the nickname Rescator, and who is a top member of the Russian and English language crime forum Lampeduza[dot]la. He operates multiple online stores that sell stolen card data, including rescator[dot]la, kaddafi[dot]hk, octavian[dot]su and cheapdumps[dot]org. Rescator also maintains a presence on several other carding forums, most notably cpro[dot]su and vor[dot]cc.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator's email flood service at the bottom.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom; this will become important as you read on.

In an Aug. 2011 thread that has since been deleted, Rescator introduced himself to the existing members of vor[dot]cc, a fairly exclusive Russian carding forum. When new members join a carding community, it is customary for them to explain their expertise and list previous nicknames and forums on which they have established reputations.

Rescator, a.k.a. "Hel" a.k.a. "Helkern" the onetime administrator of the Darklife forum, introduces himself to vor[dot]cc crime forum members.

Rescator, a.k.a. “Hel” a.k.a. “Helkern” the onetime administrator of the Darklife forum, introduces himself to vor[dot]cc crime forum members.

In the thread pictured above, we can see Rescator listing his bona fides and telling others he was “Hel,” one of three founders of darklife[dot]ws, a now-defunct hacker forum. In the screen shot below, Rescator clarifies that “Hel, in fact, is me.”

Rescator says his former nickname was "Hel," short for Helkern, the administrator of Darklife.

Rescator says his former nickname was “Hel,” short for Helkern, the administrator of Darklife.

The only darklife member who matched that nickname was “Helkern,” one of darklife’s three founders. Darklife administrators were all young men who fancied themselves skilled hackers, and at one point the group hacked into the venerable and closely-guarded Russian hacking forum cih[dot]ms after guessing the password of an administrator there.

Darklife admin "Helkern" brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.

Darklife admin “Helkern” brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.

In a counterattack documented in the entertaining thread that is still posted as a trophy of sorts at cih[dot]ms/old/epicfail, hackers from cih[dot]ms hacked into the Darklife forum, and posted personal photos of Helkern and fellow Darklife leaders, including these two of Helkern:

helkern1

And a self-portrait of Helkern:

helkern-self

So if Helkern is Rescator, who is Helkern? If we check at some of the other Russian forums that Helkern was active in at the time that Darklife was online in 2008, we can see he was a fairly frequent contributor to the now-defunct Grabberz[dot]com; in this cached post, Helkern can be seen pasting an exploit he developed for a remote SQL injection vulnerability. In it, he claims ownership of the ICQ instant messenger address 261333.

Continue reading →