I’m taking a short break from some year-end downtime to observe that KrebsOnSecurity.com turns two years old today!

This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site.

My research and reporting involved more than a dozen public speaking events around the globe in 2011. The highlights of my work-related travel included trips to Austria, Canada, Poland, Russia, and The Netherlands. 2012 promises more interesting destinations.

When I founded Krebs On Security LLC in late 2009, I had no idea if it would work out. This past year, I’ve respectfully turned down some very flattering offers to work at important publications. The money and (apparent) stability those opportunities held out were certainly enticing, but I’m having way too much fun on my own, and today I can scarcely imagine doing anything else.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you.

In case you missed them, here are some of the most-read investigative stories on KrebsOnsecurity.com from 2011:

Russian Cops Crash Pill Pusher Party

SpamIt, Glavmed Pharmacy Networks Exposed

Is Your Computer Listed “For Rent”?

Rent-a-Bot Networks Tied to TDSS Botnet

Who’s Behind the TDSS Botnet?

Gang Used 3D Printers for ATM Skimmers

Digital Hit Men for Hire

Beware of Juice-Jacking

Coordinated ATM Heists Net Thieves $13 Million

Rustock Botnet Suspect Sought Job at Google

Apple Took 3+ Years to Fix FinFisher Trojan Hole

Advanced Persistent Tweets: Zero-Day in 140 Characters

Pro-Grade (3D-Printer Made?) ATM Skimmer

How Much is Your Identity Worth?

Authorities in Manhattan today unsealed indictments against 55 people suspected of operating an identity theft and financial fraud ring, including a number of insiders at banks and companies throughout New York who allegedly helped to steal more than $2 million from hundreds of customers and clients.

Prosecutors say the 18-month-long investigation is notable because it underscores the ways in which traditional street crooks are moving their activity online: New York authorities maintain that more than a dozen of the defendants have violent criminal records and belong to different street gangs in Brooklyn.

At the center of the alleged conspiracy are employees at New York institutions that had access to large amounts of sensitive consumer and business data. Among those being arraigned today in a New York state court are JP Morgan Chase employees Karen Chance, Mercy Adebandjo and Joanna Gierczack; Tracey Nelson, an employee of the United Jewish Appeal-Federation; Roberto “Robbie” Millar, a car salesman for Open Road-Audi in Brooklyn; and Nicola Bennett, a compliance officer employed by AKAM Associates Inc., a residential property management company.

“These insiders used their positions to gain access to client data, and then sold that data to make money for themselves and their accomplices,” District Attorney Vance said in a written statement. “We will continue to work with our partners to build significant cases to disrupt identity theft and dismantle these criminal organizations.”

The indictments allege that middlemen named in the conspiracy purchased personal information on customers and donors from Nelson and Millar, and then either re-sold the data or used it themselves to commit fraudulent financial transactions.

Prosecutors also charge that the Chase employees abused their access to steal personal data on account holders, and sold the information to counterfeit check makers and to individuals who specialized in setting up and executing fraudulent bank transfers.

Some of the defendants are alleged to have recruited other indicted members for the purpose of using their bank accounts to conduct fraudulent transactions. Prosecutors say the recruiters played a dual role: trafficking in stolen personal information bought from others, and recruiting people to provide bank accounts through which they could commit fraud.

These so-called “collusive account holders” — effectively complicit money mules — make up the bulk of the individuals named in the indictments. New York authorities charge that when defendants wanted to withdraw money quickly from collusive accounts, they purchased US Postal Service money orders with the debit cards linked to the accounts.

The indictments state that some the defendants arraigned today used automated systems set up by Citibank and TD Bank to change the personal information on ID theft victims’ bank records, including the victims’ contact address, phone numbers and email addresses.

For example, prosecutor alleged that one of the defendants,  Josiah “Pespi” Boatwains, would request that stolen credit cards be mailed to an address where a co-conspirator Richard Ramos, an employee at United Parcel Service (UPS) would intercept the cards on Boatwain’s behalf in exchange for money.

Boatwains and two other defendants allegedly then used those stolen cards to purchase luxury items that other defendants sold to co-conspirators named in the indictments. Other defendants allegedly used hijacked credit card account numbers to make online purchases buying airline tickets, movie ticket, credit reports, pizza and iTunes products.

A statement of facts filed with the New York State Supreme Court notes that there is a large amount of violent activity that surrounds the defendants in this case. The statement reads:

“During the course of our investigation 2 targets of the investigation were murdered. One of the deceased was brutally murdered. When his body was found by the police, they recovered personal identifying information of victims linked to our case. Specifically, on his person, a copy of a check was found that was from one of our identity theft victims that had donated to the United Jewish Appeal.”

“In addition, we are informed by the police department that many of these defendants are members of the Brooklyn Gang called “The Outlaws,” and others are Bloods and Crypts [sic]. Many of our defendants have violent criminal convictions.”

New York authorities say they expect the dollar losses to increase as the investigation continues.

A decorated Ukrainian general was arrested last week in Romania along with two other men suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms.

Gen. Valeriu Gaichuck, far right.

Apprehended in Iasi, Romania last week were Matei Vitalie, 37, of Moldova; Konstantin Ossipov, a 42-year-old Israeli citizen; and 54-year-old Valeriu Gaichuk, a Ukrainian general who, according to his Facebook page, once studied at Florida International University in Miami.

Romanian prosecutors allege that the men created fake companies and business contracts to help to launder funds that were stolen from at least two firms, including $952,800 from the Society of Corporate Compliance and Ethics, an organization based in Minneapolis. Roy Snell, the society’s chief executive, declined to comment for this story.

Romanian authorities, working with the FBI and Italian special forces, were tipped off by banks in Italy, which denied a request allegedly by the accused to transfer $400,000 from a victim company there to a fictitious firm. According to documents released by prosecutors, the men were caught red handed on Dec. 9 trying to withdrawn nearly $1 million stolen from the American company.

A U.S. law enforcement investigator familiar with the case who spoke on condition of anonymity said keystroke logging Trojans were used to steal the online banking credentials of the victim organizations, and that the case is connected to at least one other cyber fraud investigation that is still pending. 

The judge overseeing the case approved the prosecutor’s request to have the men detained for at least 29 days pending further investigation, saying that authorities have information that the defendants belong to much larger organized criminal group.

Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.

Facebook's Bug Bounty debit card for security researchers who report security flaws in its site and applications.

I first read about this card on the Polish IT security portal Niebezpiecznik.pl, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.

Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.

“I regularly report Web app vulnerabilities to various companies [that don't offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.

The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.

As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.

“My rule #1 as participant of bug bounties: Don’t tell details about reported bugs,” he replied, when asked about the details behind his most recent Facebug find. “This is my personal decision, but perhaps in the future I change my mind. So I prefer to fix the bugs silently, but it’s nice that they can mention about me by putting my name on their White Hat list.”

Gurszecki said that as cool as the White Hat card is, he has asked Facebook to send his earnings another way, saying that using the card carried too many fees in his country.

“I have found the card is too expensive to use in Poland, and chose another way to get my reward,” he said. “The Facebook team sent me the card only as a souvenir.”

Neal Poole, a junior at Brown University, has reported close to a dozen flaws to Facebook, and also recently received a White Hat card. Poole has earned cash reporting flaws to Google and Mozilla, but unlike Gruszecki he blogs about each vulnerability he finds after they are fixed, detailing every step of his discovery and interaction with the affected vendor.

Poole’s research and diligent write-ups eventually caught the attention of Facebook’s recruiters: Next summer, he’ll be interning at Facebook, working directly with the company’s security team.

The New York native welcomed the bug bounty card, which makes it a bit easier to get paid. Initially, he’d asked to be paid via Western Union, but he ended up having the payment sent via PayPal. Now he just takes the card into JP Morgan Chase (the issuer of the card) and has them dump the cash into his bank account. “It was a little confusing at first for the people at my bank. They’d never seen one of these cards before.”

The young researcher said although the White Hat card definitely carries some geek cred, he won’t be flashing it at security conferences to buy drinks for his contemporaries anytime soon.

“I don’t think I’d want to use card like that at [hacker conventions like] Black Hat or DefCon,” Poole said. “It’d probably get cloned, or I’d feel like if you pulled out the card it you would immediately become a target.”

Trend Micro’s Rik Ferguson posted a good piece on Thursday about a major shortcoming in credit card security programs maintained by MasterCard and Visa. Although the loophole that Ferguson highlighted may be unsettling to some, fraudsters who specialize in stealing and using stolen credit cards online have been exploiting it for years.

At issue is a security protocol called “3 Domain Secure,” (3DS), a program designed to reduce card fraud and shift liability for fraud from online merchants to the card issuing banks. Visa introduced the program in 2001, branding it “Verified by Visa,” and MasterCard has a similar program in place called “SecureCode.”

Cardholders who chose to participate in the programs can register their card by entering the card number, filling in their ZIP code and birth date, and picking a passcode. When a cardholder makes a purchase at a site that uses 3DS, he enters the code, which is verified by the issuing bank and is never shared with the merchant site.

But as Ferguson notes, people are human and tend to forget things, especially passcodes and passwords, and it is the password reset function that eliminates any security provided by Verified by Visa or SecureCode. From his blog:

“What would a criminal do if they access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.”

The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitimate account holder, let’s have a look at that “Identification” phase.”

“Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.”

“Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.”

This would all be very shocking if it wasn’t already painfully obvious to today’s cyber crooks. When I read the Trend blog post, I began searching for several screen shots I had taken of a discussion on an underground carding forum more than two years ago, which explained very clearly how to get around this added level of card security. The tutorial in the screen shot below was posted by an administrator from the carding forum carder.pro on Halloween, 2009:

Programs like these are a good example of security that is designed to make people feel more secure but that add little in the way of real security, or merely shift the risk to another party. Supporters of 3DS would do well to adopt the password reset advice offered in the Trend post, and to absorb the main points in a paper released last year by researchers at the University of Cambridge, “Verified by Visa and MasterCard SecureCode: How Not to Design Authentication” (PDF).

Compromised PayPal accounts are a valuable commodity in the criminal underground, and crooks frequently trade them in shadowy online forums. But it wasn’t until recently that I finally encountered a proper Web site dedicated to selling hacked PayPal accounts.

Compromised PayPal accounts for sale at iProfit.su

Many of the PayPal accounts for sale at iProfit.su have a zero balance, but according to the proprietor of this shop these are all “verified.” PayPal “verifies” an account when a customer agrees to attach a bank account to it; PayPal then sends a micropayment the bank account, and asks the user the value of that mini deposit. A bonus feature: all the hacked PayPal profiles currently for sale at iProfit.su are advertised as having a credit card attached to them, which is another way PayPal accounts can be verified.

The creator of iProfit.su also advertises private, bulk sales of unverified PayPal accounts; currently he is selling these at $50 per 100 accounts – a bargain at only 50 cents apiece.

Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.

It’s not clear how this guy prices the verified PayPal accounts. In the accounts I saw advertised (see screenshot above), the prices started at $2.50 for verified accounts with a balance from $0 to $10. Higher-balance verified accounts appear to be priced at between 8 to 12 percent of their total balance. For example, one account — apparently taken from a hapless victim named Abigail — has a current balance of $121.07, and is being sold for $15.

Another account, from Gwynn in Tallmadge (Ohio?) has a hefty balance of $1,102.37; its sale price was set at $45. Taking a look at the domain name in Gwynn’s email address, I decided she must work at or for Gambit Systems, a software development firm in Akron, Ohio. I  sent an email to the administrator at that company, who passed on the information and confirmed that PayPal had since locked down Gwynn’s account.

The proprietors of iProfit.su also run blackservice.su, a “carding” forum where members can sell all kinds of stolen goods and illegal services, from stolen credit cards to services that will look up Social Security numbers and birthdays. Readers may have noticed that both of the Web sites mentioned in this story end with the “.su” top-level domain (TLD): This TLD identifies the Soviet Union; it’s a holdover from the country-code TLD that was created for the Soviet Union in 1990. It was long considered dead, but .su is now quite popular, particularly among sites catering to Russian-language cybercrime forums.

Microsoft today released 13 software updates to fix at least 22 security flaws in its Windows operating systems and other software. Two of the flaws addressed in the August patch batch earned Microsoft’s most dire “critical” rating, meaning that attackers can exploit them to break into systems without any help from users.

Among the critical updates is a cumulative patch for Internet Explorer that plugs at least five security holes in the browser. The update is considered critical for IE versions 7, 8 and 9 (oddly enough, it earned an overall “important” rating on the insecure IE6).

The other critical patch fixes a serious problem with the DNS server built into Windows Server 2003 and Windows Server 2008 systems (consumer systems such as Windows XP, Vista and Windows 7 are not affected by the flaw). Although the DNS bug is rated critical, Microsoft considers it unlikely that attackers will develop functioning code to exploit the flaw.

Nine other flaws earned Microsoft’s important rating, and six of those ranked high on Microsoft’s exploitability index, meaning the company believes it is likely that attackers will develop code designed to exploit them to break into Windows PC

As always, if you experience any issues during or after applying the updates, please leave a note in the comment section about it. A summary of all patches released today is available at this link.

A new approach to overcoming state-level Internet censorship relies, ironically enough, on a technique that security experts have frequently associated with government surveillance.

Current anti-censorship technologies, including the services Tor and Dynaweb, direct connections to restricted websites through a network of encrypted proxy servers, with the aim of hiding who’s visiting such sites from censors. But the censors are constantly searching for and blocking these proxies. A new scheme, called Telex, makes it harder for censors to block communications by disguising traffic destined for restricted sites as traffic meant for popular, uncensored websites. It does this by employing the same method of analyzing packets of data that censors often use.

“To route around state-level Internet censorship, people have relied on proxy servers outside of the country doing the censorship,” says J. Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan. “The difficulty there is, you have to communicate to those people where the proxies are, and it’s very hard to do that without also letting the government censors figure out where the proxies are.”

The Telex system has two major components: “stations” at dozens of Internet service providers (ISPs)—the stations connect traffic from inside nations that censor to the rest of the Internet—and the Telex client software program that runs on the computers of people who want to avoid censorship.

This is an excerpt from a piece I wrote that was published today in MIT Technology Review. Read the full story here.

Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.

According to a statement from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as “arrows” to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.

The arrows in the United States would then visit wire transfer services such as Western Union or MoneyGram, provide false documents including passports and drivers’ licenses in the name of the recipient of the wire transfer, and grab the cash. They would subsequently wire the funds overseas, typically to individuals in Romania, minus a percentage kept for commissions. The victims would not receive the items they believed they were purchasing. In some cases, co-conspirators in Romania also directed arrows to provide bank accounts in the United States where larger amounts of funds could be wired by victims of the fraud.

Since February 2011, FBI agents and U.S. Justice Department authorities in Florida, Pennsylvania and Texas have arrested or charged at least 21 Romanians and Moldovans in the U.S. who were allegedly members of the ring. Thirteen of those charged have pleaded guilty, and three remain at large.

The Bucharest news agency Adevarul.ro has more details on the 90 Romanians arrested by authorities there in nine different cities. The Romanian authorities say the group stole almost $20 million, about twice as much as the Justice Department estimates.

Some of the Romanians arrested were from the town of Râmnicu Vâlcea, a location that has become synonymous with online auction fraud. In January, Wired published a fascinating and readable article on how this remote town of 120,000 residents has become cybercrime central, earning the town the nickname “hackerville.”

Spam may be synonymous with male enhancement drugs, but new research shows that Americans are far more likely than buyers in other countries to turn to spam-advertised pharmacies to obtain pills to treat serious ailments–a trend that reflects differences in government health care and prescription drug policies.

Researchers at the University of California, San Diego, have collected the first data showing which drugs consumers most often buy from spam advertisements, and how much they spend at shadowy online apothecaries.

“People are going to them when they’re either too embarrassed to talk to a doctor, or when it would be far too expensive to buy these drugs otherwise,” said Chris Kanich, a PhD candidate at UCSD’s computer science department, and lead researcher of the study.

Previous estimates of monthly revenue from spam have varied dramatically, from $300,000 to more than $58 million. The UCSD researchers found that the largest rogue Internet pharmacies generate between $1 million and $2.5 million in sales each month, although they caution that their estimates are conservative.

Kanich says the figures show that although the spam-advertised market is substantial, it is not nearly as big as some have claimed, and falls short of annual expenditures on technical anti-spam solutions by corporations and ISPs.

This is an excerpt from a piece I wrote that was published today in MIT Technology Review. Read the full story here. The UCSD paper is available at this link (PDF).