The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions designed to run across multiple Web browsers and operating systems.

An ad served by IWantThis! browser extension. Source: Wikimedia

In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware,” reads a blog post co-written by Philippe Beaudette, director of community advocacy at the Wikimedia Foundation.

The blog post named one example of a browser extension called “IWantThis!,” which is essentially spyware masquerading as adware. The description at the IWantThis! Web site makes it sound like a harmless plugin that occasionally overlays ads on third-party Web sites and helps users share product or online shopping wish lists with others. As I was researching this extension, I came across this helpful description of it at the DeleteMalware Blog, which points to the broad privacy policy that ships with this extension:

Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us.

The author of that DeleteMalware post said he found a copy of the IWantThis browser extension bundled with freeware from software download sites (the author doesn’t mention which download site, but it’s worth mentioning again that sites like Download.com have recently begun bundling adware, toolbars and other potentially invasive software with otherwise “free” titles).

The Wikimedia blog post specifically mentions that this extension affects Google Chrome users, but the extension appears to be equally capable of installing across multiple browsers, including Mozilla Firefox and Internet Explorer. Last week, I wrote about LilyJade, a new computer worm that was spreading across Facebook accounts by abusing the free services offered by Crossrider, a platform that makes it simple to develop browser extensions that work seamlessly across browsers and operating systems.

In researching IWantThis, I spoke with Sergey Golovanov, a malware expert at Russian antivirus maker Kaspersky Lab, who pointed out that the IWantThis extension has been delivered via Crossrider since at least February of this year. This may or may not be linked to an affiliate program that rewards people with commissions for convincing people to install the software.This writeup from Symantec’s ThreatExpert malware scanning engine steps through some of the registry changes that the IWantThis extension executes on a host system.

It’s also worth noting that few — if any — antivirus firms are likely to alert users about malicious or invasive browser extensions. For example, none of the 43 antivirus and security applications used to conduct this scan of the IWantThis! extension at Virustotal.com flagged it as malicious, or even a potentially unwanted application.

Broken record alert: If you didn’t go looking for it, don’t install it!

iYogi Refers to Incident as ‘Tylenol Moment’

Avast, an antivirus maker that claims more than 150 million customers, is suspending its relationship with iYogi, a company that it has relied upon for the past two years to provide live customer support for its products. The move comes just one day after an investigation into iYogi by KrebsOnSecurity.com indicating that the company was using the relationship to push expensive and unnecessary support contracts onto Avast users.

In a blog post published today, Avast said it came to the decision after reports on this blog that “iYogi’s representatives appear to have attempted to increase sales of iYogi’s premium support packages by representing that user computers had issues that they did not have.”

“Avast is a very non-traditional company in that positive referrals and recommendations from our user base drive our product usage,” Avast CEO Vince Steckler wrote. “We do not distribute our products in retail, via computer manufacturers, or other similar channels. This model has served us well and has made us the most popular antivirus product in the world. Last year we added over 30M new users on top of almost 30M new users in the previous year. As such, any behavior that erodes the confidence our users have with Avast is unacceptable. In particular, we find the behavior that Mr. Krebs describes as unacceptable.”

Steckler said Avast had initial reports of the unnecessary upselling a few weeks ago and met with iYogi’s senior executives to ensure the behavior was being corrected.

“Thus, we were shocked to find out about Mr. Krebs’ experience. As a consequence, we have removed the iYogi support service from our website and shortly it will be removed from our products,” Steckler said. “We believe that this type of service, when performed in a correct manner, provides immense value to users. As such, over the next weeks, we will work with iYogi to determine whether the service can be re-launched.”

Steckler added that Avast will also work to ensure that any users who feel they have been misled into purchasing a premium support receive a full refund. The company asked that users send any complaints or concerns to support@avast.com or even to the CEO himself, at vince.steckler@avast.com.

iYogi executives posted several comments to this blog yesterday and today in response to my reporting. After Avast announced its decision to drop iYogi, Larry Gordon, iYogi’s president of global channel sales, sent me a formal letter that was unapologetic, but which promised that the company would endeavor to do better. Gordon called the incident, a “Tylenol moment for iYogi and the leadership team.” His letter is reprinted in its entirety below.

Hi Brian:

I have enjoyed reading your blog, except for the last post; for obvious reasons. But even all the latest comments provide iYogi with opportunity.

I’m the president of global channel sales for iYogi, and I am writing to communicate our model for providing freemium services. As you probably know, remote tech support is still a new service category and creating a market and meeting consumer demand for subscription-based services required an innovative marketing approach. So we invented a “Serve to Sell” model for ourselves. Similar to antivirus products, and now mobile games, we want as many people to try our service as possible, and then we use that service-experience to upsell our subscription-based all-you-can-eat tech support, which many think is a pretty good deal at $169/year. We call it “try it before you buy it.” It works well. The trick, of course, is not to turn anyone off in the sales process.

For this reason, we have focused on creating a terrific service experience; we audit 30% of our agent engagements through KPMG and have CSAT rates that our amongst the highest in the world for any type of CE service or product, not just tech support. But this is the new world of total transparency. Any type of flaw or snafu can be broadcast and amplified. It’s thumbs up or thumbs down. That is why we need to be perfect. And need to get better.

In the last five years we have grown rapidly and now have close to two million subscribers, across four geographies and deploy over 5,000 tech experts. At this scale of operations, it is likely that given all the variables of a services business, a customer could experience an over enthusiastic or an erroneous sales pitch from a tech agent, as described in your post.

We market to consumers through the Internet and partner with high-growth technology companies like Avast. While technology in some respects is becoming simpler and easier to use, in some cases and for some people it has become more complex. It requires assistance with setup, installation, integration or application support. We have worked with Avast for almost two years and assisted 363,605 of their customers. They can also seek support through the Avast forum, but these customers choose voice and remote support as well. Despite the recent turn of events, we believe that this model is a perfect complement for the major freemium AV player and has enhanced their brand’s engagement with this group of consumers. This view is endorsed by the customer satisfaction scores for Avast customers over the last nine months that show over 95% of the respondents are satisfied, with a large majority being extremely satisfied (84%). 4% are not satisfied and we need to do a better job with them, and will figure out how to fine tune the agent sales process even further. The technical process has not been a question.

Which brings us to the opportunity we face. This is a Tylenol moment for iYogi and the leadership team. We have a great offering, our guys do great work, and we have helped millions of people for free. We have kept them safe. We have saved them time and aggravation. We are the only guys doing this. We have also made a mistake and will improve to keep it from happening again. We know how to do it. It will cost us some time and money, but it will be well spent. Like the makers of Tylenol we think that we can improve even more. Keep an eye on us, just like our partners and customers do. Tell us again how we are doing a few weeks from now.

Larry Gordon

President, Global Channel Sales

iYogi

NY, NY

A Web site that bills itself as a place where independent and open source software developers can hire each other has secured promises to award at least $1,435 to the first person who can develop a working exploit that takes advantage of newly disclosed and dangerous security hole in all supported versions of Microsoft Windows.

That reward, which is sure to only increase with each passing day, is offered to any developer who can devise an exploit for one of two critical vulnerabilities that Microsoft patched on Tuesday in its Remote Desktop Protocol (RDP is designed as a way to let administrators control and configure machines remotely over a network).

Update, 8:47 a.m.: The RDP exploit may already be available. There are unconfirmed reports that a working exploit for the RDP bug has been posted to Chinese-language forums.

Original post:

The bounty comes courtesy of contributors to gun.io (pronounced gun-yo), a site that advances free and open software. The current bounty offered for the exploit is almost certainly far less than the price such a weapon could command the underground market, or even what a legitimate vulnerability research company like TippingPoint might pay for such research. But the site shows promise for organizing a grassroots effort at crafting exploits that can be used by attackers and defenders alike to test the security of desktops and the networks in which they run.

“We’re trying to advance the culture of independent software development – so we’ve made a place where indie developers can find other devs to help work on their projects and find gigs to work on when they need cash,” gun.io explains on the About section of the site.

In fact, the RDP exploit is hardly the most lucrative coding project up for bid on the site. A project posted by user “Sushee” to develop a Flash game social network is offering $4,000. Another promises $2,000 for an open source Android Youtube application in support of individuals who are blind.

It’s not clear yet whether the open-source bounty model has a future for encouraging the development of software exploits. Most of the money for the RDP project was put up by Rapid7′s HD Moore. The  Gun.io reward is for an exploit that can run as a module in Metasploit, an open source penetration testing platform that Moore created.

Jones said Moore’s donation brought with it a suggestion about a new nickname for Gun.io: “KiddieStarter.”

“If GitHub and oDesk had a baby, and then that baby had a baby with KickStarter, that baby would be Gun.io,” Jones joked. “Kickstarter for coders isn’t far off, but it’s not quite on the mark either. KickStarter is a person saying ‘Hey, give me money!,’ but Gun.io is a group of people saying ‘Hey! Somebody do this and take our money!’”

KrebsOnSecurity.com earned two honors this week at the RSA Security Conference. For the second year running, it was voted the blog that best represents the security industry by judges at the 2012 Social Security Blogger Awards. I was also recognized for a “Security Bloggers Hall of Fame award,” alongside noted security expert Bruce Schneier.

Many thanks to the judges and to the organizers of the Security Bloggers Meetup at RSA. I would like to have been there to accept the awards in person, but I was headed to Halifax, Nova Scotia, for the Atlantic Security Conference (AtlSec), where I delivered the opening keynote last week.

Others honored with awards at RSA this year include (in no particular order):

Most educational security blog: Richard Bejtlich‘s Taosecurity.
Best blog post of the year: Moxie Marlinspike‘s Thoughtcrime Labs post on broken SSL.
Best security podcast: exoticliability.com
Most entertaining blog: @jack_daniel‘s Uncommon Sense Security
Best corporate security blog: @SophosLabs‘s Naked Security.

Many readers have reported site slowness or availability issues over the past several days. My site has been receiving some extra love in the form of automated junk traffic. Apologies for the inconvenience, and thanks for your patience while we work things out.

Computers running Microsoft‘s antivirus and security software may be flagging google.com — the world’s most-visited Web site — as malicious, apparently due to a faulty Valentine’s Day security update shipped by Microsoft.

Microsoft's antivirus software flagged google.com as bad.

Not long after Microsoft released software security updates on Tuesday, the company’s Technet support forums lit up with complaints about Internet Explorer sounding the malware alarm when users visited google.com.

The alerts appear to be the result of a “false positive” detection shipped to users of Microsoft’s antivirus and security products, most notably its Forefront technology and free “Security Essentials” antivirus software.

I first learned of this bug from a reader, and promptly updated a Windows XP system I have that runs Microsoft Security Essentials. Upon reboot, Internet Explorer told me that my homepage — google.com — was serving up a “severe” threat –  Exploit:JS/Blacole.BW. For whatever reason, Microsoft’s security software thought Google’s homepage was infected with a Blackhole Exploit Kit.

I could be wrong, but it doesn’t appear that Google is in fact infected or serving up exploits. Fortunately, clicking the default “remove” action prompted by Microsoft’s antivirus technology did virtually nothing that I could tell; the program reported that it was unable to find the threat (psst, Microsoft…that’s because there isn’t one). Judging from the responses in the Microsoft forum, the company appears to be aware of and responding to the bogus alerts.

False positives happen to every antivirus vendor, and this one was fairly innocuous as these things go: It’s not like it deleted or quarantined essential operating system files, rendering host computers useless, as faulty updates from other vendors have in the past. But Microsoft is probably smarting from this episode: The company is expected to ship a version of its antivirus technology with Windows 8, the next version of Windows due to be released later this year.

I’m taking a short break from some year-end downtime to observe that KrebsOnSecurity.com turns two years old today!

This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site.

My research and reporting involved more than a dozen public speaking events around the globe in 2011. The highlights of my work-related travel included trips to Austria, Canada, Poland, Russia, and The Netherlands. 2012 promises more interesting destinations.

When I founded Krebs On Security LLC in late 2009, I had no idea if it would work out. This past year, I’ve respectfully turned down some very flattering offers to work at important publications. The money and (apparent) stability those opportunities held out were certainly enticing, but I’m having way too much fun on my own, and today I can scarcely imagine doing anything else.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you.

In case you missed them, here are some of the most-read investigative stories on KrebsOnsecurity.com from 2011:

Russian Cops Crash Pill Pusher Party

SpamIt, Glavmed Pharmacy Networks Exposed

Is Your Computer Listed “For Rent”?

Rent-a-Bot Networks Tied to TDSS Botnet

Who’s Behind the TDSS Botnet?

Gang Used 3D Printers for ATM Skimmers

Digital Hit Men for Hire

Beware of Juice-Jacking

Coordinated ATM Heists Net Thieves $13 Million

Rustock Botnet Suspect Sought Job at Google

Apple Took 3+ Years to Fix FinFisher Trojan Hole

Advanced Persistent Tweets: Zero-Day in 140 Characters

Pro-Grade (3D-Printer Made?) ATM Skimmer

How Much is Your Identity Worth?

Authorities in Manhattan today unsealed indictments against 55 people suspected of operating an identity theft and financial fraud ring, including a number of insiders at banks and companies throughout New York who allegedly helped to steal more than $2 million from hundreds of customers and clients.

Prosecutors say the 18-month-long investigation is notable because it underscores the ways in which traditional street crooks are moving their activity online: New York authorities maintain that more than a dozen of the defendants have violent criminal records and belong to different street gangs in Brooklyn.

At the center of the alleged conspiracy are employees at New York institutions that had access to large amounts of sensitive consumer and business data. Among those being arraigned today in a New York state court are JP Morgan Chase employees Karen Chance, Mercy Adebandjo and Joanna Gierczack; Tracey Nelson, an employee of the United Jewish Appeal-Federation; Roberto “Robbie” Millar, a car salesman for Open Road-Audi in Brooklyn; and Nicola Bennett, a compliance officer employed by AKAM Associates Inc., a residential property management company.

“These insiders used their positions to gain access to client data, and then sold that data to make money for themselves and their accomplices,” District Attorney Cyrus Vance Jr. said in a written statement. “We will continue to work with our partners to build significant cases to disrupt identity theft and dismantle these criminal organizations.”

The indictments allege that middlemen named in the conspiracy purchased personal information on customers and donors from Nelson and Millar, and then either re-sold the data or used it themselves to commit fraudulent financial transactions.

Prosecutors also charge that the Chase employees abused their access to steal personal data on account holders, and sold the information to counterfeit check makers and to individuals who specialized in setting up and executing fraudulent bank transfers.

Some of the defendants are alleged to have recruited other indicted members for the purpose of using their bank accounts to conduct fraudulent transactions. Prosecutors say the recruiters played a dual role: trafficking in stolen personal information bought from others, and recruiting people to provide bank accounts through which they could commit fraud.

These so-called “collusive account holders” — effectively complicit money mules — make up the bulk of the individuals named in the indictments. New York authorities charge that when defendants wanted to withdraw money quickly from collusive accounts, they purchased US Postal Service money orders with the debit cards linked to the accounts.

The indictments state that some the defendants arraigned today used automated systems set up by Citibank and TD Bank to change the personal information on ID theft victims’ bank records, including the victims’ contact address, phone numbers and email addresses.

For example, prosecutor alleged that one of the defendants,  Josiah “Pespi” Boatwains, would request that stolen credit cards be mailed to an address where a co-conspirator Richard Ramos, an employee at United Parcel Service (UPS) would intercept the cards on Boatwain’s behalf in exchange for money.

Boatwains and two other defendants allegedly then used those stolen cards to purchase luxury items that other defendants sold to co-conspirators named in the indictments. Other defendants allegedly used hijacked credit card account numbers to make online purchases buying airline tickets, movie ticket, credit reports, pizza and iTunes products.

A statement of facts filed with the New York State Supreme Court notes that there is a large amount of violent activity that surrounds the defendants in this case. The statement reads:

“During the course of our investigation 2 targets of the investigation were murdered. One of the deceased was brutally murdered. When his body was found by the police, they recovered personal identifying information of victims linked to our case. Specifically, on his person, a copy of a check was found that was from one of our identity theft victims that had donated to the United Jewish Appeal.”

“In addition, we are informed by the police department that many of these defendants are members of the Brooklyn Gang called “The Outlaws,” and others are Bloods and Crypts [sic]. Many of our defendants have violent criminal convictions.”

New York authorities say they expect the dollar losses to increase as the investigation continues.

A decorated Ukrainian general was arrested last week in Romania along with two other men suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms.

Gen. Valeriu Gaichuck, far right.

Apprehended in Iasi, Romania last week were Matei Vitalie, 37, of Moldova; Konstantin Ossipov, a 42-year-old Israeli citizen; and 54-year-old Valeriu Gaichuk, a Ukrainian general who, according to his Facebook page, once studied at Florida International University in Miami.

Romanian prosecutors allege that the men created fake companies and business contracts to help to launder funds that were stolen from at least two firms, including $952,800 from the Society of Corporate Compliance and Ethics, an organization based in Minneapolis. Roy Snell, the society’s chief executive, declined to comment for this story.

Romanian authorities, working with the FBI and Italian special forces, were tipped off by banks in Italy, which denied a request allegedly by the accused to transfer $400,000 from a victim company there to a fictitious firm. According to documents released by prosecutors, the men were caught red handed on Dec. 9 trying to withdrawn nearly $1 million stolen from the American company.

A U.S. law enforcement investigator familiar with the case who spoke on condition of anonymity said keystroke logging Trojans were used to steal the online banking credentials of the victim organizations, and that the case is connected to at least one other cyber fraud investigation that is still pending. 

The judge overseeing the case approved the prosecutor’s request to have the men detained for at least 29 days pending further investigation, saying that authorities have information that the defendants belong to much larger organized criminal group.

Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.

Facebook's Bug Bounty debit card for security researchers who report security flaws in its site and applications.

I first read about this card on the Polish IT security portal Niebezpiecznik.pl, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.

Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.

“I regularly report Web app vulnerabilities to various companies [that don't offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.

The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.

As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.

“My rule #1 as participant of bug bounties: Don’t tell details about reported bugs,” he replied, when asked about the details behind his most recent Facebug find. “This is my personal decision, but perhaps in the future I change my mind. So I prefer to fix the bugs silently, but it’s nice that they can mention about me by putting my name on their White Hat list.”

Gurszecki said that as cool as the White Hat card is, he has asked Facebook to send his earnings another way, saying that using the card carried too many fees in his country.

“I have found the card is too expensive to use in Poland, and chose another way to get my reward,” he said. “The Facebook team sent me the card only as a souvenir.”

Neal Poole, a junior at Brown University, has reported close to a dozen flaws to Facebook, and also recently received a White Hat card. Poole has earned cash reporting flaws to Google and Mozilla, but unlike Gruszecki he blogs about each vulnerability he finds after they are fixed, detailing every step of his discovery and interaction with the affected vendor.

Poole’s research and diligent write-ups eventually caught the attention of Facebook’s recruiters: Next summer, he’ll be interning at Facebook, working directly with the company’s security team.

The New York native welcomed the bug bounty card, which makes it a bit easier to get paid. Initially, he’d asked to be paid via Western Union, but he ended up having the payment sent via PayPal. Now he just takes the card into JP Morgan Chase (the issuer of the card) and has them dump the cash into his bank account. “It was a little confusing at first for the people at my bank. They’d never seen one of these cards before.”

The young researcher said although the White Hat card definitely carries some geek cred, he won’t be flashing it at security conferences to buy drinks for his contemporaries anytime soon.

“I don’t think I’d want to use card like that at [hacker conventions like] Black Hat or DefCon,” Poole said. “It’d probably get cloned, or I’d feel like if you pulled out the card it you would immediately become a target.”

Trend Micro’s Rik Ferguson posted a good piece on Thursday about a major shortcoming in credit card security programs maintained by MasterCard and Visa. Although the loophole that Ferguson highlighted may be unsettling to some, fraudsters who specialize in stealing and using stolen credit cards online have been exploiting it for years.

At issue is a security protocol called “3 Domain Secure,” (3DS), a program designed to reduce card fraud and shift liability for fraud from online merchants to the card issuing banks. Visa introduced the program in 2001, branding it “Verified by Visa,” and MasterCard has a similar program in place called “SecureCode.”

Cardholders who chose to participate in the programs can register their card by entering the card number, filling in their ZIP code and birth date, and picking a passcode. When a cardholder makes a purchase at a site that uses 3DS, he enters the code, which is verified by the issuing bank and is never shared with the merchant site.

But as Ferguson notes, people are human and tend to forget things, especially passcodes and passwords, and it is the password reset function that eliminates any security provided by Verified by Visa or SecureCode. From his blog:

“What would a criminal do if they access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.”

The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitimate account holder, let’s have a look at that “Identification” phase.”

“Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.”

“Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.”

This would all be very shocking if it wasn’t already painfully obvious to today’s cyber crooks. When I read the Trend blog post, I began searching for several screen shots I had taken of a discussion on an underground carding forum more than two years ago, which explained very clearly how to get around this added level of card security. The tutorial in the screen shot below was posted by an administrator from the carding forum carder.pro on Halloween, 2009:

Programs like these are a good example of security that is designed to make people feel more secure but that add little in the way of real security, or merely shift the risk to another party. Supporters of 3DS would do well to adopt the password reset advice offered in the Trend post, and to absorb the main points in a paper released last year by researchers at the University of Cambridge, “Verified by Visa and MasterCard SecureCode: How Not to Design Authentication” (PDF).