Advertisement
  • About the Author
  • About this Blog

    • Web Fraud 2.0

    A Little Sunshine / Latest Warnings / The Coming Storm / Web Fraud 2.010 Comments
    2
    May 12

    OpenX Promises Fix for Rogue Ads Bug

    Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.

    Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software.

    OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.08 Comments
    1
    May 12

    Service Automates Boobytrapping of Hacked Sites

    Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware. Media coverage of these mass hacks usually centers on the security flaw that allowed the intrusions, but one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites.

    Google-translated version of iFrameservice's homepage

    Regular readers of this blog may be unsurprised to learn that this is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits.

    At the very least, a decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing those lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set.

    A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.011 Comments
    28
    Mar 12

    Researchers Clobber Khelios Spam Botnet

    Experts from across the security industry collaborated this week to quarantine more than 110,000 Microsoft Windows PCs that were infected with the Khelios worm, a contagion that forces infected PCs to blast out junk email advertising rogue Internet pharmacies.

    Most botnets are relatively fragile: If security experts or law enforcement agencies seize the Internet servers used to control the zombie network, the crime machine eventually implodes. But Khelios (a.k.a. “Kelihos”) was built to withstand such attacks, employing a peer-to-peer structure not unlike that used by popular music and file-sharing sites to avoid takedown by the entertainment industry.

    Update, 11:07 a.m. ET: Multiple sources are now reporting that within hours of the Khelios.B takedown, Khelios.C was compiled and launched. It appears to be spreading via Facebook.

    Original post: The distributed nature of a P2P botnet allows the botmaster to orchestrate its activities by seeding a few machines in the network with encrypted instructions. Those systems then act as a catalyst, relaying the commands from one infected machine to another in rapid succession.

    P2P botnets can be extremely resilient, but they typically posses a central weakness: They are only as strong as the encryption that scrambles the directives that the botmaster sends to infected machines. In other words,  anyone who manages to decipher the computer language needed to talk to the compromised systems can send them new instructions, such as commands to connect to a control server that is beyond the reach of the miscreant(s) who constructed the botnet.

    That’s precisely the approach that security researchers used to seize control of Khelios. The caper was pulled off by a motley band of security experts from the Honeynet Project, Kaspersky, SecureWorks, and startup security firm CrowdStrike. The group figured out how to crack the encryption used to control systems infected with Khelios, and then sent a handful of machines new instructions to connect to a Web server that the researchers controlled.

    That feat allowed the research team to wrest the botnet from the miscreants who created it, said Adam Meyers, director of intelligence for CrowdStrike. The hijacking of the botnet took only a few minutes, and when it was complete, the team had more than 110,000 PCs reporting to its surrogate control server.

    “Once we injected that information in the P2P node, it was essentially propagating everything else for us,” Meyers said. “By taking advantage of the intricacies of the protocol, we were providing the most up-to-date information that all of hosts were spreading.”

    The group is now working to notify ISPs where the infected hosts reside, in hopes of cleaning up the bot infestations. Meyers said that, for some unknown reason, the largest single geographic grouping of Khelios-infected systems – 25 percent — were located in Poland. U.S.-based ISPs were home to the second largest contingent of Khelios bots. Meyers said about 80 percent of the Khelios-infected systems they sinkholed were running Windows XP, an increasingly insecure operating system that Microsoft released more than a decade ago. Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.052 Comments
    26
    Mar 12

    Microsoft Takes Down Dozens of Zeus, SpyEye Botnets

    Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

    Microsoft, U.S. Marshals pay a surprise visit to a Scranton, Pa. hosting facility.

    In a consolidated legal filing, Microsoft received court approval to seize several servers in Scranton, Penn. and Lombard, Ill. used to control dozens of ZeuS and SpyEye botnets. The company also was granted permission to take control of 800 domains that were used by the crime machines.The company published a video showing a portion of the seizures, conducted late last week with the help of U.S. Marshals.

    This is the latest in a string of botnet takedowns executed by Microsoft’s legal team, but it appears to be the first one in which the company invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act.

    “The RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets,” wrote Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. “By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the “organization” were not necessarily part of the core enterprise.”

    It’s too soon to say how much of an impact this effort will have, or whether it will last long. Previous takedowns by Microsoft — such as its targeting of the Kelihos botnet last fall — have produced mixed results. There also are indications that this takedown may have impacted legitimate — albeit hacked — sites that crooks were using in their botnet operations. According to data recorded by Abuse.ch, a Swiss security site that tracks ZeuS and SpyEye control servers, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure. Among them is a site in Italy that sells iPhone cases, a Thai social networking forum, and a site in San Diego that teaches dance lessons.

    The effort also shines a spotlight on an elusive group of cyber thieves operating out of Ukraine who have been tagged as the brains behind a great deal of the ebanking losses over the past five years, including the authors of ZeuS (Slavik/Monstr) and SpyEye (Harderman/Gribodemon), both identities that were outed on this blog more than 18 months ago. Over the past few years, KrebsOnSecurity has amassed a virtual treasure trove of data about these and other individuals named in the complaint. Look for a follow-up piece with more details on these actors.

    A breakdown of the court documents related to this case is available at zeuslegalnotice.com.

    A Little Sunshine / The Coming Storm / Web Fraud 2.010 Comments
    20
    Mar 12

    Twitter Bots Target Tibetan Protests

    Twitter bots — zombie accounts that auto-follow and send junk tweets hawking questionable wares and services — can be an annoyance to anyone who has even a modest number of followers. But increasingly, Twitter bots are being used as a tool to suppress political dissent, as evidenced by an ongoing flood of meaningless tweets directed at hashtags popular for tracking Tibetan protesters who are taking a stand against Chinese rule.

    It’s not clear how long ago the bogus tweet campaigns began, but Tibetan sympathizers say they recently noticed that several Twitter hashtags related to the conflict — including #tibet and #freetibet — are now so constantly inundated with junk tweets from apparently automated Twitter accounts that the hashtags have ceased to become a useful way to track the conflict.

    The discovery comes amid growing international concern over the practice of self-immolation as a means of protest in Tibet. According to the Associated Press, about 30 Tibetans have set themselves on fire since last year to protest suppression of their Buddhist culture and to call for the return of the Dalai Lama — their spiritual leader who fled during a failed 1959 uprising against Chinese rule.

    I first heard about this trend from reader Erika Rand, who is co-producing a feature-length documentary about Tibet called State of Control. Rand said she noticed the tweet flood and Googled the phenomenon, only to find a story I wrote about a similar technique deployed in Russia to dilute Twitter hashtags being used by citizens protesting last year’s disputed parliamentary elections there.

    “We first discovered these tweets looking at Twitter via the web, then looked at TweetDeck to see how quickly they were coming,” Rand said in an email to KrebsOnSecurity.com late last week. “They no longer appear when searching for Tibet on Twitter via the web, but are still flooding in fast via TweetDeck. This looks like an attempt to suppress news about recent activism surrounding Tibet. We’re not sure how long it’s been going on for. We noticed it last night, and it’s still happening now.” Continue reading →

    A Little Sunshine / Web Fraud 2.0135 Comments
    14
    Mar 12

    Aghast at Avast’s iYogi Support

    The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support.

    A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support contracts.

    Adam Riley, Avast’s third party support manager, wrote in a post on the company’s blog that “during the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam.  Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from ‘Avast customer service’ reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.”

    I’d first heard about the issue when a reader wrote in to say he’d received complaints from his clients about calls from someone claiming to represent Microsoft and requesting remote access to user computers to help troubleshoot computer problems.

    I decided to investigate iYogi myself, and created a fresh installation of Windows XP on my Mac, using the free virtual machine from Virtualbox. I wanted to see whether I, too, would receive follow-up sales pitches. I also wanted to see for myself if there was anything to the claims on Avast’s user forum that iYogi was using support requests to push expensive “maintenance and support” packages.

    A call to the support number listed on Avast’s site put me through to a technician named Kishore Chinni; I told Mr. Chinni that I had just installed a copy of Avast, but that I couldn’t be certain it was updating correctly. He asked for a phone number and an email address, and then said the first thing he needed to do was take remote control over my system. He directed me to use Internet Explorer to visit a Web site that requested permission to install two ActiveX add-ons. Those add-ons installed a remote control client called Bomgar Support.

    Chinni asked if I had previously installed any antivirus software, and I said I wasn’t sure (I hadn’t). He then fired up the Windows Registry Editor (regedit), poked around some entries, and then opened up the Windows System Configuration Utility (msconfig) and the Windows Event Viewer. Chinni somberly read aloud a few of the entries in the event viewer marked with yellow exclamation points, saying they were signs that my computer could have a problem. He then switched over to the “services” panel of the system configuration tool and noted that the “manufacturer” listing next to avast! antivirus read “unknown.”

    “When it says unknown like that, these are warnings that there could be an infection running on the computer,” Chinni explained. He proceeded to install an iYogi “tune up” tool called PCDiagnostics, which took about 60 seconds to complete a scan of my system. The results showed that my brand new installation of Windows had earned a 73% score, and that it had to detected 17 registry errors and a problem with Windows Update (this was unlikely, as I had already enabled Windows Update and Automatic Updates before I made the support call, and had installed all available security patches). Chinni explained that the “antispyware” warning generated by the PCDiagnostics scan was an indication that a previously installed security software program had not been cleanly removed and was probably causing problems with my computer.

    He said another technician could help me with these problems if I wanted. When I inquired whether it would be free, Chinni told me that the company sells support packages for one- to three-year durations, and that the starting price for a support package was $169.99. Continue reading →

    Latest Warnings / Target: Small Businesses / Web Fraud 2.08 Comments
    13
    Mar 12

    Hacked Inboxes Lead to Bank Fraud

    Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

    Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

    The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.

    Good Morning,

    Can you please update me with the the available balance in my account and also the information needed to  complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

    Thanks.

    Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

    But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.018 Comments
    8
    Mar 12

    Banking on Badb in the Underweb

    Underground Web sites can be a useful barometer for the daily volume of criminal trade in goods like stolen credit card numbers and hijacked PayPal or eBay accounts. And if the current low prices at one of Underweb’s newer and more brazen card shops are indicative of a trend, the market for these commodities has never been more cutthroat.

    Visa, Amex cards for sale at Badb.su

    Badb.su is distinguishable from dozens of underground carding shops chiefly by its slick interface and tiny domain name, which borrows on the pseudonym and notoriety of the Underweb’s most recognizable carder. It’s difficult to say whether “Badb” himself would have endorsed the use of his brand for this particular venture, but it seems unlikely: The man alleged by U.S. authorities to be Badb — 29-year-old Vladislav Anatolievich Horohorin — has been in a French prison since his arrest there in 2010. Authorities believe Horohorin is one of the founding members of CarderPlanet, a site that helped move millions of stolen accounts. He remains jailed in France, fighting extradition to the United States (more about his case in an upcoming story).

    Badb.su’s price list shows that purloined American Express and Discover accounts issued to Americans cost between $2.50 and $3 apiece, with MasterCard and Visa accounts commanding slightly lower prices ($2-$3). Cards of any type issued by banks in the United Kingdom or European Union fetch between $4-$7 each, while accounts from Canadian financial institutions cost between $3 to $5 a pop.

    The site also sells verified PayPal and eBay accounts. Verified PayPal accounts with credit cards and bank accounts attached to them go for between 2-3$, while the same combination + access to the account holder’s email inbox increases the price by $2. PayPal accounts that are associated with bank and/or credit accounts and include a balance are sold for between 2 and 10 percent of the available balance. That rate is considerably lower than the last PayPal underground shop I reviewed, which charged 8 to 12 percent of the total compromised account balance.

    Verified PayPal accounts with positive balances sell for between 2-10% of the available balance.

    Ebay auction accounts are priced according to the number of positive “feedback” points that each victim account possesses (feedback is the core of eBay’s reputation system, whereby members evaluate their buying and selling experiences with other members). eBay accounts with fewer than 75 feedback history sell for $2 each, while those with higher levels of feedback command prices of $5 and higher apiece, because these accounts are more likely to be perceived as trustworthy by other eBay members.

    But don’t count on paying for any of these goods with a credit card; Badb.su accepts payment only through virtual currencies such as Liberty Reserve and WebMoney.

    Badb.su, like many other card shops, offers an a-la-carte, card-checking service that allows buyers to gauge the validity of stolen cards before or after purchasing them. Typically, these services will test stolen card numbers using a hijacked merchant account that initiates tiny charges or so-called pre-authorization checks against the card; if the charge or pre-auth clears, the card-checking service issues a “valid” response for the checked card number.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.012 Comments
    9
    Feb 12

    Collaboration Fuels Rapid Growth of Citadel Trojan

    Late last month I wrote about Citadel, an “open source” version of the ZeuS Trojan whose defining feature is a social networking platform where users can report and fix programming bugs, suggest and vote on new features, and generally guide future development of the botnet malware. Since then, I’ve been given a peek inside that community, and the view so far suggests that Citadel’s collaborative approach is fueling rapid growth of this new malware strain.

    The CRM page shows democracy in action among Citadel botnet users.

    A customer who bought a license to the Citadel Trojan extended an invitation to drop in on that community of hackers. Those who have purchased the software can interact with the developers and other buyers via comments submitted to the Citadel Store, a front-end interface that is made available after users successfully navigate through a two-step authentication process.

    Upon logging into the Citadel Store, users see the main “customer resource management” page, which shows the latest breakdown of votes cast by all users regarding the desirability of proposed new features in the botnet code.

    In the screen shot to the right, we can see democracy in action among miscreants: The image shows the outcome of voting on several newly proposed modules for Citadel, including a plugin that searches for specific files on the victim’s PC, and a “mini-antivirus” program that can clean up a variety of malware, adware and other parasites already on the victim’s computer that may prevent Citadel from operating cleanly or stealthily. Currently, there are nine separate modules that can be voted and commented on by the Citadel community.

    Drilling down into the details page for each suggested botnet plugin reveals comments from various users about the suggested feature (screenshot below). Overall, users seem enthusiastic about most suggested new features, although several customers used the comments section to warn about potential pitfalls in implementing the proposed changes. Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.02 Comments
    8
    Feb 12

    Crimevertising: Selling Into the Malware Channel

    Anyone who’s run a Web site is probably familiar with the term “malvertising,” which occurs when crooks hide exploits and malware inside of legitimate-looking ads that are submitted to major online advertising networks. But there’s a relatively new form of malware-based advertising that’s gaining ground — otherwise harmless ads for illicit services that are embedded inside the malware itself.

    At its most basic, this form of advertising — which I’m calling “crimevertising” for want of a better term — has been around for many years. Most often it takes the form of banner ads on underground forums that hawk everything from cybercriminal employment opportunities to banking Trojans and crooked cashout services. More recently, malware authors have started offering the ability to place paid ads in the Web-based administrative panels that customers use to control their botnets. Such placements afford advertisers an unprecedented opportunity to keep their brand name in front of the eyeballs of their target audience for hours on end.

    The author of the Blackhole exploit pack is selling ad space on his kit's administration page, as seen in this screenshot.

    A perfect example of crimevertising 2.0 is the interface for the Blackhole Exploit Kit, crimeware that makes it simple for just about anyone to build a botnet. The business end of this kit is stitched into hacked or malicious Web sites, and visitors with outdated browser plugins get redirected to sites that serve malware of the miscreant’s choosing. Blackhole users can monitor new victims and the success rates of the compromised sites using a browser-based administrative panel.

    In the screen shot above, the administration panel of a working Blackhole exploit kit shows two different ads; both promote the purchase and sale of Internet traffic. And here is a prime example of just how targeted this advertising can be: The most common reason miscreants purchase Internet traffic is to redirect it to sites they’ve retrofitted with exploit kits like Blackhole.

    Continue reading →

    ← Older Entries