A Little Sunshine

Skimmers Siphoning Card Data at the Pump

Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.

Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.

Mark Gallick, a Secret Service agent with the Denver field office, confirmed that a bulletin on skimmers was circulating among gas stations in the area, but refused to comment further.

Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.

Bluetooth-enabled gas pump skimmer. Photo: Alachua County, Fla. Sheriff's Office

Bluetooth based wireless skimmers have been found attached to a slew of gas station pumps throughout the Southeast, particularly in Florida. Wireless skimmers allow thieves to pull up to the compromised station and download stolen card data with a laptop while sitting in their car. Many wireless skimmers run on rechargeable batteries, but skimmers attached to the insides of a gas pump can easily be made to draw on the pump’s power source in order to continue stealing card data indefinitely.

“Our device is not the traditional skimmer but rather a Bluetooth enabled equivalent of a thumb drive programmed to capture the data as it was transmitted from point A to point B inside the gas pump itself,” said Lt. Stephen Maynard, the public information officer for the Alachua County, Fla. Sheriff’s Office, which dealt with skimmer compromised pumps earlier this year.

The gas pumps compromised in the Denver-area attacks showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.

Continue reading →

Experts Warn of New Windows Shortcut Flaw

Researchers have discovered a sophisticated new strain of malicious software that piggybacks on USB storage devices and leverages what appears to be a previously unknown security vulnerability in the way Microsoft Windows processes shortcut files.

Update, July 16, 7:49 p.m. ET: Microsoft just released an advisory about this flaw, available here. Microsoft said it stems from a vulnerability in the “Windows shell” (Windows Explorer, e.g.) that is present in every supported version of Windows. The advisory includes steps that can mitigate the threat from this flaw.

Original post:

VirusBlokAda, an anti-virus company based in Belarus, said that on June 17 its specialists found two new malware samples that were capable of infecting a fully-patched Windows 7 system if a user were to view the contents of an infected USB drive with a common file manager such as Windows Explorer.

USB-borne malware is extremely common, and most malware that propagates via USB and other removable drives traditionally has taken advantage of the Windows Autorun or Autoplay feature. But according to VirusBlokAda, this strain of malware leverages a vulnerability in the method Windows uses for handling shortcut files.

Shortcut files — or those ending in the “.lnk” extension — are Windows files that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. Ideally, a shortcut doesn’t do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.

Continue reading →

A Little Sunshine — 74 Comments
7
Jul 10

Pirate Bay Hack Exposes User Booty

Security weaknesses in the hugely popular file-sharing Web site thepiratebay.org have exposed the user names, e-mail and Internet addresses of more than 4 million Pirate Bay users, according to information obtained by KrebsOnSecurity.com.

A screen shot of the Pirate Bay admin panel showing newly registered users.

An Argentinian hacker named Ch Russo said he and two of his associates discovered multiple SQL injection vulnerabilities that let them into the user database for the site. Armed with this access, the hackers had the ability to create, delete, modify or view all user information, including the number and name of file trackers or torrents uploaded by users.

Russo maintains that at no time did he or his associates alter or delete information in The Pirate Bay database. But he acknowledges that they did briefly consider how much this access and information would be worth to anti-piracy companies employed by entertainment industry lobbying groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), each of which has assiduously sought to sink The Pirate Bay on grounds that the network facilitates copyright infringement.

That effort has largely failed, but both industries have been busy suing individual music and movie downloaders for alleged copyright violations, often obtaining substantial monetary damages when defendants settled the charges out of court. In almost every case, the entertainment industry learned the identities of file-sharing users by subpoenaing subscriber information from Internet service providers based on the user’s Internet address.

“Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told KrebsOnSecurity.com in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”

Continue reading →

A Little Sunshine — 36 Comments
1
Jul 10

Top Apps Largely Forgo Windows Security Protections

Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operation system. But according to a new analysis by software vulnerability management firm Secunia, half of the third party apps they looked at fail to leverage either feature.

As indicated by the chart to the right, Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.

“If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly,” wrote Alin Rad Pop, a senior security specialist at Secunia. “While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attackers choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.”

Continue reading →

A Little Sunshine — 62 Comments
25
Jun 10

Anti-virus is a Poor Substitute for Common Sense

-“Common sense always speaks too late.” — Raymond Chandler

A new study about the (in)efficacy of anti-virus software in detecting the latest malware threats is a much-needed reminder that staying safe online is more about using your head than finding the right mix or brand of security software.

Last week, security software testing firm NSS Labs completed another controversial test of how the major anti-virus products fared in detecting malware pushed by malicious Web sites: Most of the products took an average of more than 45 hours — nearly two days — to detect the latest threats.

The two graphs below show the performance of the commercial versions of 10 top anti-virus products. NSS permitted the publication of these graphics without the legend showing how to track the performance of each product, in part because they are selling this information, but also because — as NSS President Rick Moy told me — they don’t want to become an advertisement for any one anti-virus company.

That’s fine with me because my feeling is that while products that come out on top in these tests may change from month to month, the basic takeaway for users should not: If you’re depending on your anti-virus product to save you from an ill-advised decision — such as opening an attachment in an e-mail you weren’t expecting, installing random video codecs from third-party sites, or downloading executable files from peer-to-peer file sharing networks — you’re playing Russian Roulette with your computer.

Continue reading →

A Little Sunshine — 17 Comments
17
Jun 10

Drug Charges Against Accused AT&T/iPad Hacker

A hacker in a group that discovered the AT&T iPad-related flaw was arrested on drug charges following the execution of an FBI search warrant of his home in Arkansas on Tuesday, according to published reports.

CNET’s Elinor Mills writes that the FBI found a broad selection of narcotics at the home of a man tied to “Goatse Security,” the group that recently claimed responsibility for extracting contact information on more than 114,000 iPad customers from AT&T’s Web site.

From the CNET story:

Andrew Auernheimer, 24, was being held in Washington County Detention Center in Fayetteville, Ark., according to Lt. Anthony Foster of the Washington County Sheriff’s office in that state. The drugs were found during the execution of the warrant, said Lt. Mike Perryman, of the Fayetteville Police Department. However, Perryman could not say what prompted the warrant.
Auernheimer, who goes by the name “Escher” and the hacker handle “Weev,” faces four felony charges of possession of a controlled substance and one misdemeanor possession charge, Foster said. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals, he said.

Spiegelmock and Auernheimer speaking at Toorcon 2006

Auernheimer is quite a colorful character. I met him in 2006 at the Toorcon security conference in San Diego, where he and Mischa Spiegelmock – an employee for blogging service LiveJournal – were delivering a talk on what they claimed was an unpatched security flaw in Mozilla’s Firefox browser that hackers were supposedly attacking to compromise Web surfers. At the time, Auernheimer introduced himself as Andrew “Weev” Wbeelsoi.

That presentation — which called on security researchers everywhere to stop publicizing and fixing software security vulnerabilities — was at times hilarious and bizarre. Weev started out by informing the audience that he was delivering his speech while tripping on acid. When I followed up with Weev after that talk to get more details on their claims, it was fairly plain that he wasn’t kidding about the acid trip. However, the two hackers would later admit to me that they didn’t really have the zero day exploits that they claimed, and that they were just trying to have a little fun with the security industry.

A Little Sunshine / The Wire — 11 Comments
15
Jun 10

Police Arrest 178 in U.S.-Europe Raid on Credit Card ‘Cloning Labs’

Equipment seized from a 'cloning lab'. Photo courtesy Spanish Ministry of Interior.

Police have arrested 178 people in Europe and the United States suspected of cloning credit and debit cards in an international scam worth over 20 million euro ($24.52 million), according to a report from Reuters and authorities in Spain.

The stories so far are all light on details or whether this bust was connected to specific fraud forums that facilitate the trade in stolen credit card data, but the wire reports include the following information:

Police in fourteen countries participated a two-year investigation, initiated in Spain where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, arrested 76 people and dismantled six cloning labs.
The raids were made primarily in Romania, France, Italy, Germany, Ireland and the United States, with arrests also made in Australia, Sweden, Greece, Finland and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation and money-laundering, the police said.

Source here. There is also quite a bit more juicy information in the press release from Spanish Ministry of Interior, a Google translated version of which is available here. For all you Spanish speakers, the original version is here.

Criminals can clone debit cards if they have access to the cardholder’s PIN as well as the data stored on the magnetic strip on the back of these payment cards. In some cases, crooks obtain these “dumps” by stealing the data (either in person or via hacking) online or main street merchants.

Another popular method of obtaining dumps and PINs is through the use of ATM skimmers, which I have written about extensively. According to Spanish police, as part of the raids Germany has arrested 16 people involved in skimming bank cards (look for another KrebsOnSecurity post on ATM skimmers sometime in the next week or so).

In related news, MasterCard announced it is trialing a new debit card that includes not only a computer chip but also a tiny digital display that produces a one-time password for each online transaction. But don’t expect to see these replacing regular, low tech credit and debit cards here in the U.S., at least not for a while. Slashgear.com reports that the devices are being trialed with Turkish bank for now.

Read more about the specs of this device, at this data sheet (PDF) from the manufacturer’s Web site.

A Little Sunshine / Web Fraud 2.0 — 5 Comments
14
Jun 10

Cloud Keyloggers?

Keystroke-logging computer viruses let crooks steal your passwords, and sometimes even read your e-mails and online chats. Recently, however, anonymous criminals have added insult to injury, releasing a keylogger strain that publishes stolen information for all the world to see at online notepad sharing sites such as pastebin.com.

Last week, security experts at BitDefender discovered a continuing stream of new entries at pastebin.com and pastebin.ca that included text files laid out in the format typically used by keystroke-logging malware. For example, each keypress in the log posted to pastebin.com is preceded by a listing of the program currently in focus on the victim’s screen, and each function key pressed is spelled out, so that when the victim hits the backspace or down arrow key, for instance, the keystroke log will show a “[back]” or “[down]” entry in place of each corresponding keypress (see the screenshot to the right).

Typically, keystroke logging malware will submit stolen data to a Web server specified in the malware that the attacker controls. BitDefender theorizes that those responsible for creating this keylogger variant may have chosen pastebin.com because it is unlikely to be blocked by Web filters or malware blacklists.

I kept the pastebin.com home page open most of the weekend and refreshed it periodically, and confirmed that a relatively large number of keylogger records were being uploaded in real time to the free service. To the right is one of many screenshots I took of the files I found on Pastebin.com.

Pastebin owner Jeroen said Pastebin is aware of the problem and is working on a new version of the site that should block these automated keyloggers from posting their content there.

Continue reading →

A Little Sunshine / Latest Warnings — 62 Comments
11
Jun 10

Don’t Need Java? Junk It.

I am often asked to recommend security software, but it’s important to remember that staying secure is just as much about removing little-used software that increases your exposure to online threats. At the very top of my nix-it-now list is Java, a powerful application that most users have on their systems but that probably few actually need.

Not only do most users have some version of Java on their systems, most Windows users likely have multiple copies of this program on their PCs, because older installers failed to remove previous, insecure versions of the software.

Worse still, Java is now among the most frequently-attacked programs, and appears to be fast replacing Adobe as the target of choice for automated exploit tools used by criminals.

Readers of the blog are no doubt familiar with my previous stories on the Eleonore Exploit Pack, a commercial software package sold by and to criminals that is used to booby trap Web sites with exploits for the most common Web browser vulnerabilities. Check out past posts on Eleonore, and it’s clear Java flaws are a key target of this increasingly common exploit pack.

Below are a few screen shots taken from the administration page of yet another working Eleonore Exploit Pack: The first image shows the exploits used by this pack, along with the number of times each exploit (“sploit”) was successful in delivering malicious software payloads (or “loads”) to the visitor. As we can see, the “java2e” and “javae0″ are by far the most successful of the exploits.

Continue reading →

A Little Sunshine / Latest Warnings — 41 Comments
9
Jun 10

ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube

Criminals have launched an major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.

According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May.

The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement.

All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)…

Continue reading →

Krebs on Security

In-depth security news and investigation