Advertisement
  • About the Author
  • About this Blog

    • Web Fraud 2.0

    Target: Small Businesses / Web Fraud 2.076 Comments
    28
    Jun 10

    e-Banking Bandits Stole $465,000 From Calif. Escrow Firm

    A California escrow firm has been forced to take out a pricey loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year.

    In March, computer criminals broke into the network of Redondo Beach based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

    Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.

    The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco’s computer and the PC belonging to her assistant, the second person needed to approve transfers.

    As a guarantor of payment for residential real estate transactions, Village View Escrow holds other peoples’ money until the sale of a property is complete. Failure to come up with the funds when a real estate deal is finalized can spell bankruptcy and possibly worse for an escrow provider. Since the incident, Marisco has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

    “I’m working for nothing right now, and can’t afford to pay myself,” Marisco said in a phone interview.

    Officials from Professional Business Bank did not immediately return calls seeking comment.

    Continue reading →

    Time to Patch / Web Fraud 2.016 Comments
    23
    Jun 10

    Exploiting the Exploiters

    Most computer users understand the concept of security flaws in common desktop software such as media players and instant message clients, but the same users often are surprised to learn that the very software tools attackers use to break into networks and computers typically are riddled with their own hidden security holes. Indeed, bugs that reside in attack software of the sort sold to criminals are extremely valuable to law enforcement officials and so-called “white hat” hackers, who can leverage these weaknesses to spy on the attackers or interfere with their day-to-day operations.

    Administrative page from a live Crimepack exploit kit.

    Last week, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software.

    Speaking at the Syscan security conference in Singapore, Laurent Oudot, founder of Paris-based TEHTRI Security, released security advisories broadly outlining more than a dozen remotely exploitable flaws in Eleonore and other exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs.

    “It’s time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues,” Oudot wrote in a posting to the Bugtraq security mailing list.

    Continue reading →

    A Little Sunshine / Web Fraud 2.05 Comments
    14
    Jun 10

    Cloud Keyloggers?

    Keystroke-logging computer viruses let crooks steal your passwords, and sometimes even read your e-mails and online chats. Recently, however, anonymous criminals have added insult to injury, releasing a keylogger strain that publishes stolen information for all the world to see at online notepad sharing sites such as pastebin.com.

    Last week, security experts at BitDefender discovered a continuing stream of new entries at pastebin.com and pastebin.ca that included text files laid out in the format typically used by keystroke-logging malware. For example, each keypress in the log posted to pastebin.com is preceded by a listing of the program currently in focus on the victim’s screen, and each function key pressed is spelled out, so that when the victim hits the backspace or down arrow key, for instance, the keystroke log will show a “[back]” or “[down]” entry in place of each corresponding keypress (see the screenshot to the right).

    Typically, keystroke logging malware will submit stolen data to a Web server specified in the malware that the attacker controls. BitDefender theorizes that those responsible for creating this keylogger variant may have chosen pastebin.com because it is unlikely to be blocked by Web filters or malware blacklists.

    I kept the pastebin.com home page open most of the weekend and refreshed it periodically, and confirmed that a relatively large number of keylogger records were being uploaded in real time to the free service. To the right is one of many screenshots I took of the files I found on Pastebin.com.

    Pastebin owner Jeroen said Pastebin is aware of the problem and is working on a new version of the site that should block these automated keyloggers from posting their content there.

    Continue reading →

    A Little Sunshine / Web Fraud 2.035 Comments
    3
    Jun 10

    ATM Skimmers: Separating Cruft from Craft

    ATM skimmers –or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.

    Both the fake PIN pad (bottom) and bogus card skimmer overlay (right).

    The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

    Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web. Take these pictures, for instance, which were obtained directly from an ATM skimmer maker in Russia. This custom-made skimmer kit is designed to fit on an NCR ATM model 5886, and it is sold on a few criminal forums for about 8,000 Euro — shipping included. It consists of two main parts: The upper portion is a carefully molded device that fits over the card entry slot and is able to read and record the information stored on the card’s magnetic stripe (I apologize for the poor quality of the pictures: According to the Exif data included in these images, they were taken earlier this year with a Nokia 3250 phone).

    The second component is a PIN capture device that is essentially a dummy metal plate with a look-alike PIN entry pad designed to rest direct on top of the actual PIN pad, so that any keypresses will be both sent to the real ATM PIN pad and recorded by the fraudulent PIN pad overlay.

    Both the card skimmer and the PIN pad overlay device relay the data they’ve stolen via text message, and each has its own miniature GSM device that relays SMS messages (buyers of these kits are responsible for supplying their own SIM cards). According to the vendor of this skimmer set, the devices are powered by lithium ion batteries, and can run for 3-5 days on a charge, assuming the skimmers transmit on average about 200-300 SMS messages per day.

    Continue reading →

    Target: Small Businesses / Web Fraud 2.0203 Comments
    2
    Jun 10

    Using Windows for a Day Cost Mac User $100,000

    David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.

    Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

    A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub- $10,000 and sub-$5,000 chunks to 14 individuals across the United States.

    Now, Green’s firm — DKG Enterprises, a party supplies firm based in Oklahoma City — is wrangling with its bank over who should pay for the loss, said Joe Dunn, the company’s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.

    Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

    But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.029 Comments
    24
    May 10

    Revisiting the Eleonore Exploit Kit

    Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software. That post generated tremendous public interest because it offered a peek at the statistics page that normally only the criminals operating these kits get to see. I’m revisiting this topic again because I managed to have a look at another live Eleonore exploit pack panel, and the data seem to reinforce a previous observation: Today’s attackers care less about the browser you use and more about whether your third-party browser add-ons and plugins are out-of-date and exploitable.

    Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

    Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

    This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly every one in ten visitors.

    As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

    Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because of they were running an outdated version of Java.

    Continue reading →

    A Little Sunshine / Web Fraud 2.033 Comments
    18
    May 10

    Fraud Bazaar Carders.cc Hacked

    Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

    The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carder.cc forum users.

    A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

    Continue reading →

    A Little Sunshine / Web Fraud 2.015 Comments
    18
    May 10

    Following the Money, Part II

    A leading Russian politician has accused a prominent Moscow businessman of running an international spam and online pharmacy operation while serving as an anti-spam adviser to the Russian government. Russian investigators now say they plan to create a special task force to look into the allegations.

    In an open letter to investigators at the Ministry of Internal Affairs (MVD) of the Russian Federation, Ilya V. Ponomarev, a deputy of the Russian State Duma’s Hi-Tech Development Subcommittee, in March called for a criminal inquiry into the activities of one Pavel Vrublevsky, an individual I interviewed last year in an investigative report on rogue security software (a translated PDF version of Ponomarev’s letter is here).

    Vrublevsky is founder and general director of ChronoPay, an online payment processor widely accepted in Russia to handle a number of domestic transactions, including payment for Russian airline and lottery tickets. ChronoPay also specializes in handling “high risk” online merchants, such as pharmacy, adult and Internet gaming sites. Last year, The Washington Post published a story I wrote that showed Chronopay was processing payments for a large number of sites pushing rogue anti-virus products, or “scareware.”

    According to Ponomarev, Vrublevsky also is known online as “Redeye,” and is the creator of Crutop.nu, a large adult Webmaster forum that the U.S. Federal Trade Commission last year said was a place “where criminals share techniques and strategies with one another,” and a Russian language Web site “that features a variety of discussion forums that focus on making money from spam.”

    In his letter to A.V. Anichin, the deputy minister and chief of the Russian MVD Investigations Committee, Ponomarev said the primary analysis of Vrublevsky’s activities shows the extent of the problem which escapes attention of law-enforcement bodies.

    “They include trade in pornography on the Internet that contains scenes of cruel violence, real rape, zoophilia, etc. (etu-cash.com, cash.pornocruto.es), unlawful banking business focused on laundering of money generated by a range of criminal activities in order to escape taxes using fethard.biz and acceptance of payments for illegal sale of music files mp3 which violates author’s rights of performers and illegal trade in drug-containing and controlled prescribed drastic preparations via on-line chemistry networks (rx-promotion.com, spampromo.com), and illegal mass spam distribution all over the world, as well as sale of malicious software under the guise of anti-virus software.”

    Ponomarev notes that Vrublevsky is a key member of the anti-spam working group of the Ministry of Telecom and Mass Communication. Ponomarev also said that the MVD had instituted a criminal investigation into Vrublevsky in 2007, only to abandon the case when the chief investigator quit and reportedly went to work for Vrublevsky.

    “We have here a merger between a criminal element and the government power which is unacceptable and inadmissible in any civilized society,” Ponomarev wrote.

    Continue reading →

    A Little Sunshine / Web Fraud 2.013 Comments
    17
    May 10

    Teach a Man to Phish…

    Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over  18 months suggests that criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.

    Phishers often set up their fraudulent sites using ready-made “phish kits” — collections of HTML, text and images that mimic the content found at major banks and e-commerce sites. Typically, phishers stitch the kits into the fabric of hacked, legitimate sites, which they then outfit with a “backdoor” that allows them to get back into the site at any time.

    About a year and a half ago, investigators at Charleston, S.C. based PhishLabs found that one particular backdoor that showed up time and again in phishing attacks referenced an image at a domain name that was about to expire. When that domain finally came up for grabs, PhishLabs registered it, hoping that they could use it to keep tabs on new phishing sites being set up with the same kit.

    The trick worked: PhishLabs collected data on visits to the site for roughly 15 months, and tracked some 1,767 Web sites that were hacked and seeded with the phishing kit that tried to pull content from the domain that PhishLabs had scooped up.

    PhishLabs  determined that most of the phishing sites were likely set up by a single person — a man in Lagos, Nigeria that PhishLabs estimates was responsible for about 1,100 of the phishing sites the company tracked over the 15 month experiment.

    Continue reading →

    Target: Small Businesses / Web Fraud 2.032 Comments
    10
    May 10

    A Stroll Down Victim Lane

    Last week I traveled to Cooperstown, N.Y. to deliver a keynote address about the scourge of online banking fraud that I’ve written about so frequently this past year. I flew into Albany, and in the short, 60 minute drive west to Cooperstown, I passed through tiny Duanesburg, a town whose middle school district is still out a half million dollars from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims — including a wrecking firm based on Schenectady that lost $70,000 last month when organized thieves raided its online bank account.

    Alexander “Sandy” Jackson‘s world started crashing down on Apr. 20, the day he learned that more than $70,000 of company’s cash had been transferred to 10 complete strangers scattered about the United States. Since then, the owner of Jackson Demolition Service has spent a good deal of time trying to retrieve that money. So far, he and his bank have recovered about one-third of the amount stolen.

    Oddly enough, Jackson first learned of the fraud after being contacted by an individual who received close to $5,000 of the firm’s money.

    That individual was Montgomery, Ala. resident April Overton. In March, Overton responded to an e-mail from a company that said it found her resume on Careerbuilder.com, and would she be interested in a work-at-home job entering tax information on behalf of American tax filers? Overton said she accepted the job, and for more than a month worked several hours each day completing various tax forms with personal tax information sent to her via e-mail, forms that she then had to fax back to her employers, who claimed to be Tax World LLC, at www.taxreturnsworld.com.

    “I was basically processing tax returns, and they’d have me log in to a site every morning between the hours of 8:30 a.m. and 11:30 a.m., and would send me information, have me filing out [IRS Form] 1040 tax returns,” Overton said.

    Continue reading →

    ← Older Entries