Krebs on Security (http://krebsonsecurity.com): In-depth security news and investigation. Feed retrieved Sun, 19 May 2013 05:01:01 +0000.

Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?
http://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fed-backdoor/
Thu, 16 May 2013 13:00:02 +0000, by BrianKrebs
On Monday, I profiled asylumbooter.com, one of several increasingly public DDoS-for-hire services posing as Web site “stress testing” services. Today, we’ll look at ragebooter.net, yet another attack service except for one secret feature which sets it apart from the competition: According the site’s proprietor, ragebooter.net includes a hidden backdoor that lets the FBI monitor customer activity.

DDoS-for-hire site ragebooter.net

This bizarre story began about a week ago, when I first started trying to learn who was responsible for running RageBooter. In late March, someone hacked and leaked the users table for ragebooter.net. The database showed that the very first user registered on the site picked the username “Justin,” and signed up with the email address “primalpoland@gmail.com.”

That email address is tied to a now-defunct Facebook account for 22-year-old Justin Poland from Memphis, Tenn. Poland’s personal Facebook account used the alias “PRIMALRAGE,” and was connected to a Facebook page for an entity called Rage Productions. Shortly after an interview with KrebsOnSecurity, Poland’s personal Facebook page was deleted, and his name was removed from the Rage Productions page.

Ragebooter.net’s registration records are hidden behind WHOIS privacy protection services. But according to a historic WHOIS lookup at domaintools.com, that veil of secrecy briefly fell away when the site was moved behind Cloudflare.com, a content distribution network that also protects sites against DDoS attacks like the ones Ragebooter and its ilk help to create (as I noted in Monday’s story, some of the biggest targets of booter services are in fact other booter services). For a brief period in Oct. 2012, the WHOIS records showed that ragebooter.net was registered by a Justin Poland in Memphis.

I “friended” Poland on Facebook and said I wanted to interview him. He accepted my request and sent me a chat to ask why I wanted to speak with him. I said I was eager to learn more about his business, and in particular why he thought it was okay to run a DDoS-for-hire service. While we were chatting, I took the liberty of perusing his profile pictures, which included several of a large tattoo he’d had inked across the top of his back — “Primal Rage” in a typeface fashioned after the text used in the Transformers movie series.

Poland is serious about his business.

“Since it is a public service on a public connection to other public servers this is not illegal,” Poland explained, saying that he’d even consulted with an attorney about the legality of his business. When I asked whether launching reflected DNS attacks was okay, Poland said his service merely took advantage of the default settings of some DNS servers.

“Nor is spoofing the sender address [illegal],” he wrote. “If the root user of the server does not want that used they can simple disable recursive DNS. My service is a legal testing service. How individuals use it is at there [sic] own risk and responsibilitys [sic].  I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product. How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days.”

The conversation got interesting when I asked the logical follow-up question: Had the police or federal authorities ever asked for information about his customers?

That was when Poland dropped the bomb, informing me that he was actually working for the FBI.

“I also work for the FBI on Tuesdays at 1pm in memphis, tn,” Poland wrote. “They allow me to continue this business and have full access. The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.”

When I asked Poland to provide more information that I might use to verify his claims that he was working for the FBI, the conversation turned combative, and he informed me that I wasn’t allowed to use any of the information he’d already shared with me. I replied that I hadn’t and wouldn’t agree that any of our discussion was to be off the record, and he in turn promised to sue me if I ran this story. That was more or less the end of that conversation.

As to the relative legality of booter services, I consulted Mark Rasch, a security expert and former attorney for the U.S. Department of Justice. Rasch said companies hire stress testing services all the time, but usually as part of a more inclusive penetration testing engagement. In such engagements, Rasch said, it is common for the parties conducting the tests to insist upon and obtain beforehand a “get out of jail free card,” essentially a notarized letter from the customer stating that the testing firm was hired to break into and otherwise probe the security and stability of the targeted Web site.

“This is also why locksmiths generally force you to show ID that proves your address before they’ll break into a house for you,” Rasch said. “The standard in the security industry is not only to require proof that you own the sites that are going to be shut down or attacked, but also an indemnification provision.”

On Monday, I pinged Mr. Poland once more, again using Facebook’s chat function. I wanted to hear more about his claim that he was working for the feds. To my surprise, he gave me the number of a Memphis man he referred to as his FBI contact, a man Poland said he knew only as “Agent Lies.”

The man who answered at the phone number supplied by Poland declined to verify his name, seemed peeved that I’d called, and demanded to know who gave me his phone number. When I told him that I was referred to him by Mr. Poland, the person on the other end of the line informed me that he was not authorized to speak with the press directly. He rattled off the name and number of the press officer in the FBI’s Memphis field office, and hung up.

Just minutes after I spoke with “Agent Lies,” Justin dropped me a line to say that he could not be my ‘friend’ any longer. “I have been asked to block you. Have a nice day,” Poland wrote in a Facebook chat, without elaborating. His personal Facebook page disappeared moments later.

Not long after that, I heard back from Joel Siskovic, spokesman for the Memphis FBI field office, who said he could neither confirm nor deny Poland’s claims. Siskovic also declined to verify whether the FBI had an Agent Lies.

“People come forward all the time and make claims they are working with us, and sometimes it’s true and sometimes it’s not,” Siskovic said. “But it wouldn’t be prudent for us to confirm that we have individuals helping us or assisting us, either because they’re being good citizens or because they’re somehow compelled to.”

I tried to imagine a scenario in which someone in Poland’s situation would make up a story like that, or — if the story were true — might be bold enough to brag about it. I went back over some of the screen shots I’d taken from Poland’s Facebook account before it was deleted, and discovered a saddening discussion where Poland says he is depressed because he can’t quit his habit of smoking marijuana incessantly. In one post he admits to spending more than $1,200 a week on pot. I’m not sure if $1,200 worth of weed is even humanly possible for one man to consume on his own in a week and still function, but it would certainly explain his erratic behavior. Anyway, apparently business is good.

I had a lot of help on this research from Brandon Levene and Allison Nixon, two security consultants who have been digging into the booter scene for some time now. Levene and Nixon said they happened on ragebooter.net after a generic search for other booters indicated it was one of the top three results.

“What made things interesting, however, were the top advertisements for this service from a forum poster using the name ‘Primal Rage,’” Levene said. “The contact information across multiple forums included the email Velocitypro@live.com, which tied to a [now-defunct] Facebook page for Velocity Production, and from this page we identified the private Facebook account of the owner, Justin Poland. Further research revealed more forum profiles using the name Primal Rage and another domain, Hybrid-host.com, registered to Justin Poland (polandjd@gmail.com).”

Levene said the biggest break in their research came from a fawning post on a slightly less public site – leakforums.org – a forum dedicated to sharing information on, well, leaked forum databases for one thing. In a twist that makes this already odd story even weirder, Primal Rage/Justin says in his application for membership on leakforums.org that he is starting a new company called “Booter Be Gone,” which he said would be all about “leaking booters online and there [sic] databases.”

The short CV he posted to the leakforums application said he had experience as a computer repair technician and “Ddos mitigation specialist.” Translation: Eliminate the competition by leaking their databases, and then sell DDoS mitigation services to businesses besieged by attacks of the sort launched by his booter services. What could go wrong?

“Justin’s cross-contamination of online personas led me to dig deeper,” Levene said. “Simply by drawing focus he made himself a target. The whole thing with his service being for ‘legitimate stressing’ is silly. Even the news updates from the login panel are discussing ways to target users.”

Nixon said her research on ragebooter.net showed it to be a booter under active development and one that seems to average more than 400 attacks per day.

Ragebooter’s network structure. Image: Allison Nixon.

Oh, and that backdoor Poland claims he added for the FBI? Nixon may have found at least one of them:

“The booter has some information leakage problems too,” Nixon said. “The victims can see the ragebooter.net username of the logged in attacker because that info is, bizarrely, sent within attack traffic.”

The real irony of all this? Poland admitted in one of our Facebook chats that his own site was recently breached, leading to the leak of ragebooter’s user database; the attackers broke into his Skype account, and then rifled through his Skype chats until they found login credentials to his servers. Was it the work of hackers allied with competing booter services? A spurned FBI agent? Or Justin himself? One thing’s for sure: If Poland’s “booter be gone” soon, it is nobody’s fault but his own.

One final note: Services like ragebooter.net would not be nearly as usable or profitable if they were unable to accept payment via PayPal. A Paypal spokesperson declined to comment on this particular booter service, but said the use of its service for DDoS-for-hire sites would violate its terms of use agreement.

“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”

Microsoft, Adobe Push Critical Security Updates
http://krebsonsecurity.com/2013/05/microsoft-adobe-push-critical-security-updates-2/
Tue, 14 May 2013 19:23:40 +0000, by BrianKrebs
Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Microsoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>

Silverlight required? C’mon, Microsoft!

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, e.g.).

In addition, Adobe AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.7.0.1860. Also, Adobe has released new versions of Adobe Reader and Acrobat that fix at least 27 security holes in these products. See this link for more detail on those patches. Adobe said it is not aware of any active exploits or attacks in the wild targeting any of the issues addressed in these updates.


As always, please drop a note in the comments section if you experience problems applying any of these updates.

DDoS Services Advertise Openly, Take PayPal
http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/
Mon, 13 May 2013 04:13:00 +0000, by BrianKrebs
The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today’s so-called “booter” or “stresser” services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on Paypal to receive payments.

Asylum’s attack options.

Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.

Today we’ll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn’t designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can and are used to sideline medium-sized sites, although their most common targets are online gaming servers.

Asylum says it deletes records of attacked sites after one month, and the leaked database confirms that. But the database also shows the sheer volume of online attacks that are channeled through these services: Between the week of Mar. 17, 2013 and Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks.

According to the leaked database for Asylum, the administrator and first registrant on the site uses the address chandlerdowns1995@gmail.com. That same email address was the beneficiary of more than $35,000 in Paypal payments made by customers of the service. Overall, more than 33,000 user accounts were created on the site.

That chandlerdowns1995@gmail.com address also is tied to a Facebook account for a 17-year-old honor roll student named Chandler Downs from suburban Chicago. A reverse WHOIS report (PDF) ordered from domaintools.com shows other interesting sites registered with that same email address.

In a brief interview conducted over Gmail chat, Downs maintained that the service is intended only for “stress testing” one’s own site, not for attacking others. And yet, asylumstresser.com includes a Skype resolver service that lets users locate the Internet address of anyone using Skype. Asylum’s resolver wouldn’t let me look up Downs’ own Skype address — “hugocub1.” But another Skype resolver service shows that that Skype username traces back to a Comcast Internet address outside of Chicago.

Asylumstresser.com also features a youtube.com ad that highlights the service’s ability to “take down your competitors’ servers or Web site.”

“Do you get annoyed all the time because of skids on xBox Live? Do you want to take down your competitors’ servers or Web site?,” reads the site’s ad, apparently recorded by this paid actor at Fiverr.com. “Well, boy, do we have the product for you! Now, with asylumstresser, you can take your enemies offline for just 30 cents for a 10 minute time period. Sounds awesome, right? Well, it gets even better: For only $18 per month, you can have an unlimited number of attacks with an increased boot time. We also offer Skype and tiny chat IP resolvers.”

Downs said he was not the owner of the site – just the administrator. He shrugged off the ad’s message, and said Asylum wasn’t responsible for what customers did with the service.

“You are able to block any of the ‘attacks’ as you say with rather basic networking knowledge,” Downs said. “If you’re unable to do such a thing you probably shouldn’t be running a website in the first place. No one would spend money to stress a site without a reason. If you’re giving someone a reason, that’s your own fault.”

Not so fast, said Mark Rasch, a computer security expert and former U.S. Justice Department attorney.

“If they’ve got their fingers on the trigger and they launch the attacks when they’re paid to, then I would say they’re criminally and civilly liable for it,” Rasch said.

Allison Nixon, a security consultant who recently left a job analyzing attack traffic at Dell SecureWorks, looked at all of the attack methods offered by Asylum. Nixon said she was disappointed to discover a glitch in the site’s code: No matter which attack method she chose, the booter ran the same attack: A reflected DNS attack, and some weeks later, a UDP flood.

“They promise all these attacks – like Layer 7 attacks, SYN floods, Apache memory exhaustion, and all I ever got was reflected DNS attacks and UDP floods,” Nixon said. “Booters are written and modified by amateur coders who often don’t know what they are doing, so these sort of bugs are unsurprising.”

Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28. She noted that a booter service that appears to be a clone of Asylum – vastresser.ru – is hosted on the same network — at 93.114.41.94.

Asylum, like most other booter services, is hidden behind Cloudflare, a content distribution network that helps sites block attacks that services like Asylum are designed to launch. Apparently, getting attacked is something of an occupational hazard for those running a booter service. Behind the Cloudflare proxy, Nixon found that the secret IP for the Asylum stresser Web frontend was 93.114.42.205.

Both IP addresses map back to Voxility, a hosting facility in Romania that has a solid reputation in the cybercrime underground for providing so-called “bulletproof hosting” services, or those that generally turn a deaf ear to abuse complaints and requests from law enforcement officials. In January 2013, I profiled one data center at this ISP called Powerhost.ro that was being used as the home base of operations for the organized cybercrime gang that is currently facing charges of developing and distributing the Gozi Banking Trojan.

“I think it is outrageous that Paypal processes money for these people,” Nixon said of Asylum. “If law enforcement cared at all, every booter uses Paypal and the owners’ real financial info will be tied up in it. It would be super easy for the cops to find them and round all of them up. And if the info is fake, Paypal should be freezing those accounts.”

Update, 8:24 p.m. ET: A Paypal spokesperson sent the following statement in response to this story:

“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”

Update, May 16, 12:07 p.m. ET: Downs took rather strong exception to several statements in this story. Principally, he maintains the site is owned by someone else, but he has not supplied any information about that individual other than a commonly-used hacker handle. I thought it made sense to share a few more details about my reporting that led me to believe Downs was running the site, if not also profiting directly from it. Check out this thread from Hackforums.net, where this service is primarily advertised. It shows that the user “Asylum” states that his contact nickname on Skype is “hugocub1,” which as mentioned in the story above traces back to a user in Chicago. But a more important and interesting find comes from Downs’ youtube.com channel (referred to by his gaming profile XBLvirus — one of the nicks listed in the Domaintools report linked above), which features mostly videos of his xBox Live gaming and hacking prowess. In one video, the narrator can be heard stating, “Hey youtube, what’s up, it’s Chandler from darklitstudios.” At around 4:01 in this video, if you pause it just right, you can see Lastpass listing his available stored passwords, including several different accounts using the nickname “hugocub”. Hat tip to Allison Nixon for digging up this additional information.

A Stopgap Fix for the IE8 Zero-Day Flaw
http://krebsonsecurity.com/2013/05/a-stopgap-fix-for-the-ie8-zero-day-flaw/
Thu, 09 May 2013 01:28:37 +0000, by BrianKrebs
Microsoft has released a stopgap solution to help Internet Explorer 8 users blunt the threat from attacks against a zero-day flaw in the browser that is actively being exploited in the wild.

Microsoft is working on an official fix for the IE8 bug. In the meantime affected users should take advantage of the interim fix that the company released today. It is a one-click fix-it tool that does not require a system restart to take effect.

To do that, visit this link with IE8 and click the fix-it icon under the “Enable” heading. If you need to remove this workaround for any reason, just head back to that page and click the fix-it image beneath the “Disable” heading.

Trade Sanctions Cited in Hundreds of Syrian Domain Seizures
http://krebsonsecurity.com/2013/05/trade-sanctions-cited-in-hundreds-of-syrian-domain-seizures/
Wed, 08 May 2013 17:50:41 +0000, by BrianKrebs
In apparent observation of international trade sanctions against Syria, a U.S. firm that ranks as the world’s fourth-largest domain name registrar has seized hundreds of domains belonging to various Syrian entities, including a prominent Syrian hacker group and sites associated with the regime of Syrian President Bashar al-Assad.

The Syrian Electronic Army complains about its domain seizures, saying Network Solutions cited trade sanctions against Syria. Source: HP

Network Solutions LLC. and its parent firm — Jacksonville, Fla. based Web.com — have assumed control over more than 700 domains that were being used mostly for sites hosted in Damascus. The seizures all occurred within a three- to four-day period in mid-April.

The apparently coordinated action ended with each of the site’s registration records being changed to include Web.com’s Florida address, as well as the notation “OFAC Holding.”

OFAC is short for the Office of Foreign Assets Control, an office of the U.S. Treasury Department‘s Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces U.S. economic trade sanctions against targeted foreign countries, including Syria.

Web.com declined to say whether it had coordinated the seizures or why it may have done so. “We do not comment publicly about specific accounts so we cannot provide details about the websites or domains mentioned in your inquiry,” the company said in an emailed statement. “However, you should know that we cooperate with law enforcement and regulators in order to prevent illegal activity online and take the necessary steps to be in compliance with applicable laws and regulations.”

Under a series of executive orders, U.S. businesses are prohibited from selling goods and services into Syria. While there are a number of exceptions — referred to as “general licenses” in OFAC-speak — domain hosting and registration services are not among them. Although the general licenses permit services that are designed for personal communications, the provision of Web hosting and domain name registration is specifically called out in Treasury regulations (PDF) as not authorized under general licenses.

A spokesman for the Treasury Department said OFAC had not contacted either Web.com or Network Solutions regarding these Web sites.

“OFAC has offered a general license authorizing the  export of certain services for the exchange of personal communications over the Internet, such as instant messaging, chat and email, so that these sanctions don’t have the inadvertent effect of cutting the Syrian people off from the rest of the world,” said John Sullivan, spokesman for the Treasury Department’s Terrorism and Financial Intelligence division. “But the [general license] that allows for that does not authorize the exportation of Web hosting or registration services, so those could be subject to enforcement actions under our Syrian sanctions program.”

The domain seizures came to my attention after reading a report produced last month by HP‘s security and research team, which noted that individuals associated with a pro-Assad hacker group known as Syrian Electronic Army were complaining that NetworkSolutions had seized their domains, including syrian-es.com, syrian-es.net and syrian-es.org.

A reverse WHOIS report ordered from domaintools.com produced this list (PDF) of some 708 Syrian domains recently shuttered and assigned an “OFAC” designation by Web.com. According to historic Web hosting records also maintained by domaintools.com, the vast majority of the 700+ domains were hosted at Internet addresses assigned to the Syrian Computer Society (SCS). Interestingly, prior to assuming the presidency, Syria’s Assad was president of the SCS, a group now widely believed to have been a precursor to the Syrian Electronic Army.

Image: HP

Probably best known for hijacking the Associated Press’s Twitter account and sending the stock markets swooning after posting a fake tweet about a bomb going off at the White House last month, the Syrian Electronic Army uses distributed denial-of-service attacks, phishing scams and other tricks to target dissidents within Syria as well as sympathizers outside the country.

The hacking of the AP’s Twitter account may have been the first widespread exposure for the Syrian Electronic Army, but it has been targeting and successfully compromising other high-profile media outfits for the past two years. As the HP report notes, the SEA took credit for hacking Reuters’ Twitter account in Aug. 2012, and for hijacking various social media accounts belonging to NPR, BBC, CBS, and even organizations that might be more sympathetic to the pro-Assad activists, such as Al-Jazeera, Sky News Arabia and the Qatar Foundation.

WHAC-A-MOLE MARTYRDOM?

According to HP, the SEA is somewhat unique because of the combination of the tactics used in support of their pro-Assad agenda. Past actions by the SEA have involved setting up fake Facebook and Youtube sites in a bid to collect login credentials and spread malware. “When an account has been compromised, it is used to collect information on the user and to distribute pro-Assad messages,” the HP researchers wrote. “For Syrians participating in anti-Assad protest movements this can be dangerous, as it has been alleged that the SEA turns information on these individuals over to the government.”

The HP report details how the SEA’s other social media and propaganda arms on Twitter and Facebook are constantly being shuttered, often for unspecified violations of those sites’ terms of service. Undeterred, the group simply registers another Facebook account with the same name, tacking on successive digits to the end of their Facebook account names (its latest account name ends in 207).

Ted Ross, executive technologist at HP’s Office of Advanced Technology, said he worries that all of this Whac-a-Mole activity targeting the Syrian Electronic Army’s various social media properties is creating a digital martyrdom effect.

Syria went offline on the evening of May 7. Image: Arbor.

“We feel like there is this unfortunate side effect of this whac-a-mole game played by Facebook and Twitter,” Ross said. “It impacts SEA’s ability to propagate their propaganda, but you can’t help but wonder what the impact is to the people who are following them and who agree with their motives. This whac-a-mole game almost gives people who are doing this the type of [activity] the legitimacy they seek. When their Facebook page gets disabled, the community rallies behind that.”

It’s not clear how much hacking the Syrian Electronic Army is going to be doing for the time being. In an abrupt move, Internet access in Syria was taken completely offline by the Syrian government last night. At roughly 18:45 UTC on May 7, nearly all of the Internet paths from Syria were withdrawn from the global routing table, according to Renesys. OpenDNS and Arbor Networks also have more information on this outage.

In the meantime, U.S. hosting providers and domain name registrars should be aware that supporting Syrian businesses and other entities associated with the Syrian government or regime could result in civil enforcement actions from the Treasury Department and potentially hefty fines.

“US companies need to be aware of our sanctions program,”  Treasury’s Sullivan said. “A very important part of doing business is that they do not enter into financial transactions with sanctioned parties. And OFAC is very active about pursuing enforcement cases where they need to happen.”

Zero-Day Exploit Published for IE8
http://krebsonsecurity.com/2013/05/zero-day-exploit-published-for-ie8/ (Mon, 06 May 2013 18:32:59 +0000, BrianKrebs)

Security experts are warning that a newly discovered vulnerability in Internet Explorer 8 is being actively exploited to break into Microsoft Windows systems. Complicating matters further, computer code that can be used to reliably exploit the flaw is now publicly available online.

In an advisory released May 3, Microsoft said it was investigating reports of a vulnerability in IE8, and that it was aware of attacks that attempt to exploit this bug. The company stresses that other versions of IE (IE6, 7, 9 and 10) are not affected by the vulnerability. However, all versions of IE8 are vulnerable, including copies running on Windows XP, Vista and Windows 7.

Meanwhile, a new module that exploits this IE8 bug is now available for the Metasploit Framework, a free penetration testing tool. I would expect this exploit or some version of it will soon be rolled into commercial exploit kits that are sold in the cybercrime underground (assuming this has not already happened).

Update, May 9, 9:00 a.m. ET: Microsoft has released a fix-it tool to blunt attacks on this bug. See this story for more information.

Original post:

The security hole has already been leveraged in at least one high-profile attack. Over the weekend, several security vendors reported that the U.S. Department of Labor Web site had been hacked and seeded with code designed to exploit the flaw and download malicious software.

The attack on the Labor Department site is seen as a watering hole attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate. Previous watering hole attacks have targeted the Web site for the Council on Foreign Relations, the Association of Southeast Asian Nations, and the National Democratic Institute.

According to CrowdStrike, the server used to control this latest attack on the Labor Department site was microsoftupdate.ns1.name. The company said analysis of the logs from the attacker’s infrastructure revealed that visitors from 37 different countries browsed the site during the time it was compromised with the malicious code. AlienVault, Invincea and Cisco Systems have published additional details on this attack. AlienVault also said it has since spotted the same exploit used on at least nine other hacked Web sites, including several non-profit groups and a large European company.

The application page of EMET.

Microsoft is working on an official patch for this bug. What can you do in the meantime to mitigate the threat from this flaw? For now, browsing the Web with another browser is one answer, of course, and how practical that is depends on which version of Windows you run. Windows XP users can use another browser; the only other option is rolling back to Internet Explorer 7 until Microsoft fixes this issue (not a great alternative). Windows Vista and Windows 7 users can run Internet Explorer 9, and Windows 7 users can upgrade to IE 10, but should verify compatibility with their applications, as some custom settings may be necessary.

Also, if you use Windows and haven’t taken advantage of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), now would be an excellent time to check that out. EMET is a free tool from Microsoft that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Read more about this program at my Tools for a Safer PC primer.
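As an added illustration (this is not code from the original post or from Microsoft): Windows applies DEP and ASLR to each executable image according to two flags the linker writes into the PE optional header, IMAGE_DLLCHARACTERISTICS_NX_COMPAT (set by /NXCOMPAT) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (set by /DYNAMICBASE). Applications built without those flags are exactly the ones EMET is used to force the protections onto, so a useful first step is to see which of your everyday applications actually opt in. The script below reads the flags straight from the PE headers of any EXE or DLL; the two header-only test images it builds when run without arguments are constructed for the example and are not real binaries.

```python
"""Report whether a Windows PE image opts in to DEP and ASLR.

Added example; not code from the original post or from Microsoft. Windows
applies DEP and ASLR per image according to flags the linker writes into the
PE optional header (/NXCOMPAT -> IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
/DYNAMICBASE -> IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE); images built without
them are the ones EMET is used to cover. Only the headers are parsed, so no
third-party PE library is needed.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# Fixed offsets from the PE/COFF specification.
COFF_CHARACTERISTICS_OFF = 18   # within the 20-byte COFF file header
OPTIONAL_HEADER_OFF = 20        # optional header follows the COFF header
DLL_CHARACTERISTICS_OFF = 70    # same offset for PE32 and PE32+


def mitigation_flags(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report DEP/ASLR opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    coff_chars = struct.unpack_from("<H", data, coff + COFF_CHARACTERISTICS_OFF)[0]
    opt = coff + OPTIONAL_HEADER_OFF
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + DLL_CHARACTERISTICS_OFF)[0]

    aslr_requested = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "dep_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_opt_in": aslr_requested,
        # DYNAMIC_BASE is meaningless if the relocation table was stripped:
        # the loader cannot move an image it cannot fix up.
        "aslr_effective": aslr_requested and not relocs_stripped,
    }


def build_test_image(dll_chars: int, coff_chars: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (constructed test data, not a real binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLL_CHARACTERISTICS_OFF, dll_chars)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


def main(argv: list) -> None:
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            print(argv[1], mitigation_flags(f.read()))
        return
    # No path given: show the two cases an EMET user cares about.
    hardened = build_test_image(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
        IMAGE_FILE_EXECUTABLE_IMAGE)
    legacy = build_test_image(0, IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE)
    print("hardened image:", mitigation_flags(hardened))
    print("legacy image:  ", mitigation_flags(legacy))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to an EXE or DLL to see what that binary asked the loader for. Note the distinction the output makes: a DYNAMIC_BASE flag on an image whose relocations were stripped is reported as requested but not effective, because the loader cannot move an image it cannot fix up. The flags tell you what the binary requested, not what the running process actually got; EMET and the system-wide DEP policy can override either, which is the whole point of the tool.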

Alleged SpyEye Seller ‘Bx1’ Extradited to U.S.
http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/ (Fri, 03 May 2013 20:49:45 +0000, BrianKrebs)

A 24-year-old Algerian man arrested in Thailand earlier this year on suspicion of co-developing and selling the infamous SpyEye banking trojan was extradited this week to the United States, where he faces criminal charges for allegedly hijacking bank accounts at more than 200 financial institutions.

Bx1's profile page on darkode.com

Hamza Bendelladj, who authorities say used the nickname “Bx1” online, is accused of operating a botnet powered by SpyEye, a complex banking trojan that he also allegedly sold and helped develop. Bendelladj was arraigned on May 2, 2013 in Atlanta, where he is accused of leasing a server from a local Internet company to help manage his SpyEye botnet.

A redacted copy of the indictment (PDF) against Bendelladj was unsealed this week; the document says Bendelladj developed and customized components of SpyEye that helped customers steal online banking credentials and funds from specific banks.

The government alleges that as Bx1, Bendelladj was an active member of darkode.com, an underground fraud forum that I’ve covered in numerous posts on this blog. Bx1’s core focus in the community was selling “web injects” — custom add-ons for SpyEye that can change the appearance and function of banking Web sites as displayed in a victim’s Web browser. More specifically, Bx1 sold a type of web inject called an automated transfer system or ATS; this type of malware component was used extensively with SpyEye — and with its close cousin the ZeuS Trojan — to silently and invisibly automate the execution of bank transfers just seconds after the owners of infected PCs logged into their bank accounts.

“Zeus/SpyEYE/Ice9 ATS for Sale,” Bx1 announced in a darkode.com thread dated Jan. 16, 2012:

“Hey all. I’m selling private ATS’s. Working and Tested.

We got IT / DE / AT / UK / US / CO / NL / FR / AU

Contact me for bank.

can develop bank ATS from your choice.”

The government alleges that Bx1/Bendelladj made millions selling SpyEye, SpyEye components and harvesting financial data from victims in his own SpyEye botnet. But Bx1 customers and associates on darkode.com expressed strong doubts about this claim, noting that someone who was making that kind of money would not blab or be as open about his activities as Bx1 apparently was.

Darkode discusses Symlink’s arrest

In my previous post on Bx1, I noted that he reached out to me on several occasions to brag about his botnet and to share information about his illicit activities. In one case, he even related a story about breaking into the networks of a rival ATS/web inject developer named Symlink. Bx1 said he told Symlink to expect a visit from the local cops if he didn’t pay Bx1 to keep his mouth shut. It’s not clear whether that story is true or if Symlink ever paid the money; in any case, Symlink was arrested on cybercrime charges in Oct. 2012 by authorities in Moldova.

The redacted portions of the government indictment of Bendelladj are all references to Bx1’s partner — the author of the SpyEye Trojan and a malware developer known in the underground alternatively as “Gribodemon” and “Harderman.” In a conference call with reporters today, U.S. Attorney Sally Quillian Yates said the real name of the principal author of SpyEye was redacted from the indictment because he had not yet been arrested.

Interestingly, several lengthy discussion threads on darkode.com show that Bx1 himself tried to warn fellow forum members that he had been approached by individuals either working for the FBI or acting as intermediaries for U.S. federal law enforcement.

In another thread posted Jan. 21, 2011 and titled “Feds, Feds, Feds,” Bx1 pastes an excerpt from an online chat with an interloper who describes himself as an information broker who is seeking clues about the identities of Gribodemon and a hacker who went by the screen name “jam3s,” and who is suspected of leaking the source code to the ZeuS Trojan. In that thread, Bx1 urges fellow forum members to “double encrypt” their computer hard drives and to “make a contact with a good lawyer.” Most of the forum members simply dismiss Bx1 as paranoid.

On Nov. 29, Bx1 posted an urgent thread on darkode.com titled, “FBI are after some members.”

“I spoke today with a friend working on FBI. he said there is an operation to find some hackers, we spoke deeply and he mention darkode. so guys, please be careful.” [see screen shot below]

If convicted, Bendelladj faces a maximum sentence of up to 30 years in prison on charges of conspiracy to commit wire and bank fraud, as well as sentences of five to 20 years for related charges. He also faces fines of up to $14 million.

Less than a month before his arrest, Bx1 tries to warn fellow darkode.com members of the FBI's interest.

DHS: ‘OpUSA’ May Be More Bark Than Bite
http://krebsonsecurity.com/2013/05/dhs-opusa-may-be-more-bark-than-bite/ (Fri, 03 May 2013 02:16:05 +0000, BrianKrebs)

The U.S. Department of Homeland Security is warning that a group of mostly Middle East- and North Africa-based criminal hackers are preparing to launch a cyber attack campaign next week known as “OpUSA” against websites of high-profile US government agencies, financial institutions, and commercial entities. But security experts remain undecided on whether this latest round of promised attacks will amount to anything more than a public nuisance.

A confidential alert, produced by DHS on May 1 and obtained by KrebsOnSecurity, predicts that the attacks “likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation. Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate an anti-US message.”

The DHS alert is in response to chest-thumping declarations from anonymous hackers who have promised to team up and launch a volley of online attacks against a range of U.S. targets beginning May 7. “Anonymous will make sure that’s this May 7th will be a day to remember,” reads a rambling, profane manifesto posted Apr. 21 to Pastebin by a group calling itself N4M3LE55 CR3W.

“On that day anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country,” the hackers wrote. “We will now wipe you off the cyber map. Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs.”

Ronen Kenig, director of security solutions at Tel Aviv-based network security firm Radware, said the impact of the attack campaign will be entirely dependent on which hacking groups join the fray. He noted that a recent campaign called “OpIsrael” that similarly promised to wipe Israel off the cyber map fizzled spectacularly.

“There were some Web site defacements, but OpIsrael was not successful from the attackers’ point of view,” Kenig said. “The main reason was the fact that the groups that initiated the attack were not able to recruit a massive botnet. Lacking that, they depended on human supporters, and those attacks from individuals were not very massive.”

But Rodney Joffe, senior vice president at Sterling, Va.-based security and intelligence firm Neustar, said all bets are off if the campaign is joined by the likes of the Izz ad-Din al-Qassam Cyber Fighters, a hacker group that has been disrupting consumer-facing Web sites for U.S. financial institutions since last fall. The hacker group has said its attacks will continue until copies of the controversial film Innocence of Muslims are removed from Youtube.

Joffe said it’s easy to dismiss a hacker manifesto full of swear words and leetspeak as the ramblings of script kiddies and impressionable, wannabe hackers who are just begging for attention. But when that talk is backed by real firepower, the attacks tend to speak for themselves.

“I think we learned our lesson with the al-Qassam Cyber Fighters,” Joffe said. “The damage they’re capable of doing may be out of proportion with their skills, but that’s been going on for seven months and it’s been brutally damaging.”

According to the DHS alert, 46 U.S. financial institutions have been targeted with DDoS attacks since September 2012 — with various degrees of impact — in over 200 separate DDoS attacks.

“These attacks have utilized high bandwidth webservers with vulnerable content management systems,” the agency alert states. “Typically a customer account is compromised and attack scripts are then uploaded to a hidden directory on the customer website. To date the botnets have been identified as ‘Brobot’ and ‘Kamikaze/Toxin.’”

In an interview with Softpedia, representatives of Izz ad-Din al-Qassam said they do indeed plan to lend their firepower to the OpUSA attack campaign.

Source: Bankinfosecurity.com

What’s more, the DHS warning comes just days after the FBI issued a flash alert on Brobot (PDF) warning that hackers have been modifying the attack scripts to ensure they can evade their targets’ mitigation efforts.

“Because the attacks have been ongoing for seven months, the actors are changing their attack methodology to circumvent mitigation efforts of the financial institutions,” reads an FBI alert obtained by BankInfoSecurity.com. “The latest version of the ‘Brobot’ attack scripts that have been utilized to attack the login capabilities of a financial institution’s website spoofs a fraudulent access cookie, user-agent string and referrer. The login script includes several random strings, but does contain one hard-coded string, ‘63.83.61.17-1365521883478351’, in the script,” it continues.

The FBI alert notes that the hard-coded string has no effect on how the new attack script functions, but that it can be used as a signature for intrusion detection and intrusion prevention devices to detect and block attacks from the Brobot botnet.
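As an added example (not from the original post or the FBI alert): the quickest use of a hard-coded string like that is a retrospective sweep of existing web server logs, which tells a bank’s security team whether the modified Brobot script has already been hitting the login page, before any IDS rule is written. The alert does not say which request field the string appears in, so the scanner below, which assumes a constructed log format that records the request line, Referer, User-Agent and Cookie for each request, percent-decodes and checks all four fields. The sample log lines are constructed for the example.

```python
"""Scan web server logs for the hard-coded Brobot marker cited in the FBI alert.

Added example, not from the original post or the FBI alert. The alert says the
Brobot login-attack script spoofs cookie, User-Agent and Referer and contains
one hard-coded string; it does not say which request field carries the string,
so every logged field is checked. The log format and sample lines are
constructed for this example (assumption: the marker surfaces in a header or
query string that the server logs).
"""
import re
import urllib.parse
from collections import Counter

BROBOT_MARKER = "63.83.61.17-1365521883478351"   # hard-coded string per the FBI alert

# Constructed log format: client ip, ident, user, timestamp, request line,
# status, bytes, Referer, User-Agent, Cookie (the last three as quoted fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines; RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2013:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "https://bank.example/" "Mozilla/5.0 (Windows NT 6.1)" "session=abc123"
198.51.100.23 - - [01/May/2013:10:00:02 +0000] "POST /login HTTP/1.1" 200 512 "https://bank.example/?r=63.83.61.17-1365521883478351" "Mozilla/5.0 (X11)" "session=q8s7d"
198.51.100.23 - - [01/May/2013:10:00:02 +0000] "POST /login HTTP/1.1" 200 512 "https://bank.example/" "Mozilla/5.0 (X11)" "auth=63.83.61.17-1365521883478351; path=/"
192.0.2.44 - - [01/May/2013:10:00:03 +0000] "GET /login?t=63%2E83%2E61%2E17-1365521883478351 HTTP/1.1" 200 512 "-" "curl/7.29" "-"
203.0.113.7 - - [01/May/2013:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)" "session=abc123"
"""


def line_matches(line: str) -> bool:
    """True if the marker appears in any logged request field after percent-decoding."""
    m = LOG_RE.match(line)
    if not m:
        return False
    for field in ("request", "referer", "agent", "cookie"):
        # Decode so a percent-encoded copy of the marker is not missed.
        if BROBOT_MARKER in urllib.parse.unquote(m.group(field)):
            return True
    return False


def scan_log(text: str) -> Counter:
    """Return the number of marker hits per client IP across a log file's text."""
    hits = Counter()
    for line in text.splitlines():
        if line_matches(line):
            hits[LOG_RE.match(line).group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in scan_log(SAMPLE_LOG).most_common():
        print("%-16s %d request(s) carrying the Brobot marker" % (ip, count))
```

Point `scan_log` at a real access log and the per-IP counts give you both the compromised hosts to report upstream and a scope for the incident. A static marker is good triage evidence but a weak long-term signature: the alert itself says the actors have already rewritten the script to get around mitigation, and a string constant can be changed in seconds, so treat hits as confirmation and keep rate-based and behavioural detection on the login endpoint alongside the string match.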

A copy of the full DHS alert on this topic is available here (PDF).

Wash. Hospital Hit By $1.03 Million Cyberheist
http://krebsonsecurity.com/2013/04/wash-hospital-hit-by-1-03-million-cyberheist/ (Tue, 30 Apr 2013 14:41:05 +0000, BrianKrebs)

Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.

Last Friday, The Wenatchee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.

On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.

Jesus Contreras, a 31-year-old from San Bernardino, Calif., had been out of work for more than two months when he received an email from a company calling itself Best Inc. and supposedly located in Melbourne, Australia. Best Inc. presented itself as a software development firm, and told Contreras it’d found his resume on Careerbuilders.com. Contreras said the firm told him that he’d qualified for a work-at-home job that involved forwarding payments to software developers who worked for the company’s overseas partners.

Could he start right away? All he needed was a home computer. He could keep eight percent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since he got laid off in February from his previous job, which was doing inventory for an airplane parts company.

Best Inc. Website

His boss at Best Inc., a woman with a European accent who went by the name Erin Foster, called Contreras and conducted a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired. His first assignment: To produce a report on the commercial real estate market in Southern California. Contreras said Ms. Foster told him that their employer was thinking of opening up an office in the area.

On Monday, Apr. 22 — shortly after he turned in his research assignment — Contreras received his first (and last) task from his employer: Take the $9,180 just deposited into his account and send nearly equal parts via Western Union and Moneygram to four individuals, two of whom were located in Russia and the other pair in Ukraine. After the wire fees — which were to come out of his commission — Contreras said he had about $100 left over.

“I’m asking myself how I fell for this because the money seemed too good to be true,” Contreras said. “But we’ve got bills piling up, and my dad has hospital bills. I didn’t have much money in my account, so I figured what did I have to lose? I had no idea I would be a part of something like this.”

A small, but significant part, as it happens. Contreras never got to use any of his meager earnings: His financial institution, Bank of America, froze his account and seized what little funds he had in it.

Meanwhile, the Chelan County treasurer’s office is struggling to claw back the fraudulent transfers. According to press reports, roughly $133,000 of the lost funds have been recovered so far, and it may take at least 30 days to learn how much was actually lost.

Some observations about this crime:

-The loss could have been far worse. The Chelan County bank accounts that were hacked also are used to administer 54 other junior taxing districts in the county. My guess is that the attack would have gone further had the fraudsters not simply exhausted their supply of money mules.

-Just as real-life bank robbers are restricted in what they can steal by the amount of loot that they can physically haul away from the scene of the crime, the crooks behind these cyberheists are limited in how much they can steal to how many money mules they can recruit to help launder the fraudulent transfers. That’s because unless the mules have access to business accounts that can receive and forward much larger wire transfers, the amounts sent to mules typically range from just below $5,000 to slightly less than $10,000. Edwin Walker of Alpharetta, Ga. – another mule who unwittingly helped launder money for Best Inc. — received and processed a $4,970 transfer on April 20. And while available mules may be a bottleneck for this type of crime, this group appears to have a well-oiled mule-recruitment machine going 24/7.

-Mr. Contreras’ erstwhile employer, Best Inc., is part of a transnational organized cybercriminal gang operating in Russia and Ukraine. Its distinguishing feature is that it operates its own money mule recruitment division. This eliminates the middle man and increases the gang’s overall haul from any cyberheist. “Cashing out” hacked accounts is a complex, time-consuming process that is normally contracted out to third party criminal operations, which can take anywhere from 40-60 percent of the haul for their trouble.

-This gang uses several telltale signatures in its operations, and has been hitting small to mid-sized organizations for the past five years at least. They’ve stolen many, many times more than the millions taken from Chelan County, from hundreds of victim organizations. In fact, this gang appears to have been involved in nearly every cyberheist I have written about for the past four years.

-Mr. Contreras is something of an oddity: a West Coast money mule. The mule recruitment gangs generally prefer to hire mules on the East Coast or in the Midwest, because the banks and businesses they victimize open several hours before banks on the West Coast do, and a mule whose own bank is still closed cannot withdraw and forward the money. Time is money in this business: the more time that elapses before the mules can withdraw and move the stolen funds, the more likely the victim and its bank will be able to claw back the fraudulent transfers.

-The reporting so far includes no information about the victim’s bank, or what kinds of security procedures they may have required of Chelan County for moving large sums of money. But my guess is it was a small to regional bank, and there were few security hurdles for the bad guys to overcome, aside from maybe a one-time token and a password. But that is just speculation based on lots of experience reporting on these crimes.

Broken record alert: If you are running a small business and managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of out-of-band authentication (a text message sent to a mobile device, for example). These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.

But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.

Dutchman Arrested in Spamhaus DDoS
http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/ (Fri, 26 Apr 2013 16:38:40 +0000, BrianKrebs)

A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as “SK,” was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization.

Facebook profile picture of Sven Olaf Kamphuis

According to a press release issued by the Public Prosecutor Service in The Netherlands, the National Prosecutor in Barcelona ordered SK’s arrest and the seizure of computers and mobile phones from the accused’s residence there. The arrest is being billed as a collaboration coordinated through Eurojust, the European Union’s Judicial Cooperation Unit.

The dispute began late last year, when Spamhaus added to its blacklist several Internet address ranges in the Netherlands. Those addresses belong to a Dutch company called “Cyberbunker,” so named because the organization is housed in a five-story NATO bunker, and has advertised its services as a bulletproof hosting provider.

“A year ago, we started seeing pharma and botnet controllers at Cyberbunker’s address ranges, so we started to list them,” said a Spamhaus member who asked to remain anonymous. “We got a rude reply back, and he made claims about being his own independent country in the Republic of Cyberbunker, and said he was not bound by any laws and whatnot. He also would sign his emails ‘Prince of Cyberbunker Republic.’ On Facebook, he even claimed that he had diplomatic immunity.”

Cyberbunker’s IP ranges. Its WHOIS records put the organization in Antarctica.

Spamhaus took its complaint to the upstream Internet providers that connected Cyberbunker to the larger Internet. According to Spamhaus, those providers one by one severed their connections with Cyberbunker’s Internet addresses. Just hours after the last ISP dropped Cyberbunker, Spamhaus found itself the target of an enormous amount of attack traffic designed to knock its operations offline.

It is not clear who SK is, but according to multiple sources, the man identified as SK is likely one Sven Olaf Kamphuis. The attack on Spamhaus was the subject of a New York Times article on Mar. 26, 2013, which quoted Mr. Kamphuis, identified as a representative of Cyberbunker, as saying, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Kamphuis also reportedly told The Times that Cyberbunker was retaliating against Spamhaus for “abusing their influence.”

Also, a Facebook profile under that same name identifies its account holder as a native of Amsterdam now living in Barcelona, and as affiliated with “Republic Cyberbunker.”

Mr. Kamphuis could not be immediately reached for comment.
