Posts Tagged: Facebook


2
Apr 14

Android Botnet Targets Middle East Banks

I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages.

The botnet — which I’ve affectionately dubbed “Sandroid” — comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

The fake Android bank apps employed by this botnet.

The fake Android bank apps employed by the Sandroid botnet.

It’s not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. And that precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim’s phone.

Banking Trojans — particularly those targeting customers of financial institutions outside of the United States — will often throw up a browser pop-up box that mimics the bank and asks the user to download a “security application” on their mobile phones. Those apps are instead phony programs that merely intercept and then relay the victim’s incoming SMS messages to the botnet master, who can then use the code along with the victim’s banking username and password to log in as the victim.

Text messages intercepted by the Sandroid botnet malware.

Some of the 28,000+ text messages intercepted by the Sandroid botnet malware.

Continue reading →


5
Dec 13

How Many Zero-Days Hit You Today?

On any given day, nation-states and criminal hackers have access to an entire arsenal of zero-day vulnerabilities  — undocumented and unpatched software flaws that can be used to silently slip past most organizations’ digital defenses, new research suggests.  That sobering conclusion comes amid mounting evidence that thieves and cyberspies are ramping up spending to acquire and stockpile these digital armaments.

b

Security experts have long suspected that governments and cybercriminals alike are stockpiling zero-day bugs: After all, the thinking goes, if the goal is to exploit these weaknesses in future offensive online attacks, you’d better have more than a few tricks up your sleeve because it’s never clear whether or when those bugs will be independently discovered by researchers or fixed by the vendor. Those suspicions were confirmed very publicly in 2010 with the discovery of Stuxnet, a weapon apparently designed to delay Iran’s nuclear ambitions and one that relied upon at least four zero-day vulnerabilities.

Documents recently leaked by National Security Agency whistleblower Edward Snowden indicate that the NSA spent more than $25 million this year alone to acquire software vulnerabilities from vendors. But just how many software exploits does that buy, and what does that say about the number of zero-day flaws in private circulation on any given day?

These are some of the questions posed by Stefan Frei, research director for Austin, Texas-based NSS Labs. Frei pored over reports from and about some of those private vendors — including boutique exploit providers like Endgame Systems, Exodus Intelligence, Netragard, ReVuln and VUPEN — and concluded that jointly these firms alone have the capacity to sell more than 100 zero-day exploits per year.

According to Frei, if we accept that the average zero-day exploit persists for about 312 days before it is detected (an estimate made by researchers at Symantec Research Labs), this means that these firms probably provide access to at least 85 zero-day exploits on any given day of the year. These companies all say they reserve the right to restrict which organizations, individuals and nation states may purchase their products, but they all expressly do not share information about exploits and flaws with the affected software vendors.

Frei's minimum estimate of exploits offered by boutique exploit providers each year.

Frei’s minimum estimate of exploits offered by boutique exploit providers each year.

KNOWN UNKNOWNS

That approach stands apart from the likes of HP TippingPoint‘s Zero-Day Initiative (ZDI) and Verisign‘s iDefense Vulnerability Contributor Program (VCP), which pay researchers in exchange for the rights to their vulnerability research. Both ZDI and iDefense also manage the communication with the affected vendors, ship stopgap protection for the vulnerabilities to their customers, and otherwise keep mum on the flaws until the vendor ships an update to fix the bugs.

Frei also took stock of the software vulnerabilities collected by these two companies, and found that between 2010 and 2012, the ZDI and VCP programs together published 1,026 flaws, of which 425 (44 percent) targeted flaws in Microsoft, Apple, Oracle, Sun and Adobe products. The average time from purchase to publication was 187 days.

“On any given day during these three years, the VCP and ZDI programs possessed 58 unpublished vulnerabilities affecting five vendors, or 152 vulnerabilities total,” Frei wrote in a research paper released today.

vcp-zdi

Frei notes that the VCP and ZDI programs use the information they purchase only for the purpose of building better protection for their customers, and since they share the information with the software vendors in order to develop and release patches, the overall risk is comparatively low. Also, the vulnerabilities collected and reported by VCP and ZDI are not technically zero-days, since one important quality of a zero-day is that it is used in-the-wild to attack targets before the responsible vendor can ship a patch to fix the problem.

In any case, Frei says his analysis clearly demonstrates that critical vulnerability information is available in significant quantities for private groups, for extended periods and at a relatively low cost.

“So everybody knows there are zero days, but when we talk to C-Level executives, very often we find that these guys don’t have a clue, because they tell us, ‘Yeah, but we’ve never been compromised’,” Frei said in an interview.  “And we always ask them, ‘How do you know?'”

Continue reading →


25
Nov 13

Spam-Friendly Registrar ‘Dynamic Dolphin’ Shuttered

The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.

Scott Richter. Image: 4law.co.il

Scott Richter. Image: 4law.co.il

The move came almost five years after this reporter asked the Internet Corporation for Assigned Names and Numbers (ICANN) to investigate whether the man at the helm of this registrar was none other than Scottie Richter, an avowed spammer who has settled multi-million-dollar spam lawsuits with Facebook, Microsoft and MySpace over the past decade.

According to the contracts that ICANN requires all registrars to sign, registrars may not have anyone as an officer of the company who has been convicted of a criminal offense involving financial activities. While Richter’s spam offenses all involve civil matters, this reporter discovered several years ago that Richter had actually pleaded guilty in 2003 to a felony grand larceny charge.

Richter’s felony rap was detailed in a January 2004 story in the now-defunct Rocky Mountain News; a cached copy of that story is here. It explains that Denver police were investigating a suspected fencing operation involving the purchase and sale of stolen goods by Richter and his associates. Richter, then 32, was busted for conspiring to deal in stolen goods, including a Bobcat, a generator, laptop computers, cigarettes and tools. He later pleaded guilty to one count of grand larceny, and was ordered to pay nearly $38,000 in restitution to cover costs linked to the case.

After reading this story, I registered with the Colorado state courts Website and purchased a copy of the court record detailing Richter’s conviction — available at this link (PDF) — and shared it with ICANN. I also filed an official request with ICANN (PDF) to determine whether Richter was in fact listed as a principal in Dynamic Dolphin. ICANN responded in 2008 that it wasn’t clear whether he was in fact listed as an officer of the company.

But in a ruling issued last week, ICANN said that analysis changed after it had an opportunity to review information regarding Dynamic Dolphin’s voting shares.

“Prior to this review, ICANN had no knowledge that Scott Richter was the 100% beneficial owner of Dynamic Dolphin,” ICANN wrote. “In light of this review, ICANN initiates a review of the application for accreditation from 2011. Based on Section II. B. of the Statement of Registrar Accreditation Policy, Dynamic Dolphin did not disclose in its application for accreditation that Scott Richter was the 100% beneficial owner of Dynamic Dolphin or that Scott Richter was convicted in 2003 for a felony relating to financial activities.”

ICANN has ordered that Dynamic Dolphin be stripped of its accreditation as a registrar, and that all domains registered with Dynamic Dolphin be transferred to another registrar within 28 days. Neither Richter nor a representative for Dynamic Dolphin could be immediately reached for comment.

ICANN’s action is long overdue. Writing for The Washington Post in May 2008, this author called attention to statistics gathered by anti-spam outfit Knujon (“NOJUNK” spelled backwards), which found that more than three quarters of all Web sites advertised through spam at the time were clustered at just 10 domain name registrars. Near the top of that list was Dynamic Dolphin, a registrar owned by an entity called CPA Empire, which in turn is owned by Media Breakaway LLC – Richter’s company. Another story published around that same time by The Washington Post showed that Media Breakaway was behind the wholesale hijacking of some 65,586 Internet addresses from a San Francisco, Calif. organization that was among the early pioneers of the Internet.

Continue reading →


11
Nov 13

Facebook Warns Users After Adobe Breach

Facebook is mining data leaked from the recent breach at Adobe in an effort to help its users better secure their accounts. Facebook users who used the same email and password combinations at both Facebook and Adobe’s site are being asked to change their password and to answer some additional security questions.

Message that Facebook has been sending to certain users whose information was found in the stolen Adobe user data.

Message that Facebook has been sending to certain users whose information was found in the stolen Adobe data.

Facebook spokesman Jay Nancarrow said Facebook is constantly on the lookout for data leaked from other breach incidents that may endanger accounts of its own users. Nancarrow said that the social networking service has similarly acted in the wake of other high profile breaches to determine if any of its own users’ credentials may have been affected.

“We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said Nancarrow, who declined to say exactly how many Facebook users were seeing the above message. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.”

In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. Earlier this month, Adobe said it had actually notified more than 38 million users that their encrypted account data may have been compromised. But as first reported here on Oct. 29, the breach may have impacted closer to 150 million Adobe users.

What’s more, experts say Adobe appears to have used a single encryption key to scramble all of the leaked user credentials, meaning that anyone who computes, guesses or acquires the decryption key immediately gets access to all the passwords in the database. In a detailed analysis of the enormity of Adobe’s blunder, Paul Ducklin of Sophos describes how researchers managed to work out a decent chunk of the encrypted user passwords just by comparing the leaked data to other large password breaches and to password hint information included in the Adobe account cache.

Update, 2:07 p.m. ET: Looks like Diapers.com and Soap.com sent similar notices to their customers on Sunday. A hit tip to readers Arthur and Dave for sharing copies of the emails from those two sites.

Update, Nov. 12, 4:07 p.m. ET: The initial story seems to have confused a number of readers, perhaps because I left out an explanation of what exactly Facebook did. As a result, many readers seem to have hastily and erroneously concluded that Facebook doesn’t properly secure its users passwords if it can simply compare them in plain text to the Adobe passwords that have already been worked out.

As I proffered in a follow-up comment on this story, Facebook and any other company can take any of the Adobe passwords that have already been guessed or figured out and simply hash those passwords with whatever one-way hashing mechanism(s) they use internally. After that, it’s just a matter of finding any overlapping email addresses that use the same password. Facebook’s Chris Long confirmed that this is more less what the company did.


11
Sep 13

‘Yahoo Boys’ Have 419 Facebook Friends

Earlier this week, I wrote about an online data theft service that got hacked. That compromise exposed a user base of mostly young Nigerian men apparently engaged in an array of cybercrime activities — from online dating scams to 419 schemes. It turned out that many of these guys signed up for the data theft service using the same email address they used to register their Facebook accounts. Today’s post looks at the social networks between and among these individuals.

Of the nearly 3,000 BestRecovery users, about 280 of them had Facebook accounts tied to their BestRecovery email addresses. George Mason University associate professor Damon McCoy and several of his grad students volunteered to scrape those profiles that were open and map their social networks to see if there were any obvious or discernible patterns in the data.

The raw data itself — which ranked the BestRecovery users on number of connections they had to other users — was potentially useful, but difficult to parse into meaningful chunks. Oddly enough, as I was poring over that data I heard from Chris Ahlberg, the CEO of Recorded Future Inc., a Cambridge, Mass. software company that specializes in Web intelligence and predictive analytics. Ahlberg was writing to say that he enjoyed the blog — particularly the posts with data-intensive analyses — and that he’d be delighted to collaborate on a data-rich research project at some point. I told him his timing couldn’t have been more serendipitous.

Ahlberg and his team took the raw scraped data sets from the Facebook accounts and ran it through their cyber intelligence applications. In short order, they produced some very compelling and beautiful graphs, shown below.

Staffan Truvé, Recorded Future’s chief technology officer noted that — with few exceptions — the BestRecovery users largely appear to belong to one of two very separate social networks.

RecordedFuture's rendering of the Facebook profiles shows fairly two tight-knit social networks.

RecordedFuture’s rendering of the Facebook profiles shows fairly two tight-knit social networks.

“There appears to be two fairly separate, quite tightly knit networks, each with a few central leaders, and also with just a few individuals being the bridge between the two networks — and that those middlemen are themselves not connected,” said Staffan Truvé, Recorded Future’s chief technology officer.

I noted in my previous story that a majority of the BestRecovery keylog service users who had Facebook pages that reported a location listed either somewhere in Nigeria (usually Lagos), or Kuala Lumpur, Malaysia. Not surprisingly, those two geographic groups are generally represented by these two globs of Facebook users (with several exceptions of users who are from Nigeria but living in Kuala Lumpur and vice versa).

Here’s a closer look at the most influential/connected members at the center of Cluster 1 (upper in the diagram above)

cluster1

Continue reading →


22
May 13

Krebs, KrebsOnSecurity, As Malware Memes

Hardly a week goes by when I don’t hear from some malware researcher or reader who’s discovered what appears to be a new sample of malicious software or nasty link that invokes this author’s name or the name of this blog. I’ve compiled this post to document a few of these examples, some of which are quite funny.

loginbetabot1

Source: Exposedbotnets.com

Take, for example, the login panel for “Betabot“: Attempt to log in to this malware control panel with credentials that don’t work and you’ll be greeted with a picture of this author, accompanied by the following warning: “Enter the correct password or I will write a 3-part article on this failed login attempt.”

The coders behind Betabot evidently have several versions of this login panel warning: According to a threat intelligence report being released tomorrow by RSA, the latest iteration of this kit uses the mugshot from my accounts at Twtter (follow me!) and Facebook (like it!).

As first detailed by Sophos’s award-winning Naked Security blog, the code inside recent versions of the Redkit exploit kit includes what appears to be a message blaming me for…well, something. The message reads: “Crebs, its [sic] your fault.”

sophosredkit

Text string inside of the Redkit exploit kit. Source: Sophos

The one I probably hear about most from researchers is a text string that is built into Citadel (PDF), an offshoot of the ZeuS banking trojan botnet kit that includes the following reference: “Coded by BRIAN KREBS for personal use only. I love my job and my wife.”

A text string inside of the Citadel trojan. Source: AhnLab

A text string within the code of the Citadel trojan. Source: AhnLab

Those are just the most visible examples. More commonly, if Yours Truly is invoked in the name of cybercrime, it tends to show up in malicious links that lead to malware. Here are a few just from the past couple of weeks:

Continue reading →


20
Feb 13

Critical Security Updates for Adobe Reader, Java

Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java.

javaiconThe Java update comes amid revelations by Apple, Facebook and Twitter that employees at these organizations were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines. According to Bloomberg News, at least 40 companies were targeted in malware attacks linked to an Eastern European gang of hackers that has been trying to steal corporate secrets.

Oracle’s update brings Java on Windows systems to Java SE 7 Update 15, and Java 6 Update 41. Most consumers can get by without Java installed, or least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin. To find out if you have Java installed, visit java.com and click the “Do I have Java?” link below the big red button. Existing users can update Java from the Java Control Panel, clicking the Update tab and then the “Update Now” button.

Apple has issued an update that brings Java up-to-date on security patches but also disables the Java plugin from Web browsers on the system. Apple also issued a malware removal tool that it said should remove from Macs the most common variants of malware that used the most recent Java exploits. Continue reading →


9
Jan 13

Facebook, Yahoo Fix Valuable $ecurity Hole$

Both Facebook and Yahoo! recently fixed security holes that let hackers hijack user accounts. Interestingly, access to methods for exploiting both of the flaws appears to have been sold by the same miscreant in the cybercrime underground.

According to Softpedia, Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong.

Image: http://chingshiong.blogspot.ro/

Image: http://chingshiong.blogspot.ro/

“The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords. Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one. However, the expert found that cybercriminals could change a user’s password without knowing the old one by accessing the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised account recovery page.”

Information obtained by KrebsOnSecurity indicates that this “exploit” was being sold to a handful of members of an elite underground forum for $4,000 per buyer. The individual selling the exploit is the same hacker that I reported last year as selling access to a vulnerability in Yahoo!  that let attackers hijack email accounts.

In late November 2012, I wrote about a cross-site scripting (XSS) vulnerability in Yahoo! that was being sold for $700 in the underground by an Egyptian hacker named TheHell. Shortly after that story, the hacker changed his nickname, but continued selling the exploit. Earlier this week, The Wall Street Journal‘s AllThingsD blog reported that Yahoo! had fixed the flaw I pictured in the video from that blog post.

“Web giant Yahoo just confirmed that it has been dealing with a vulnerability to its email service that may be connected to a surge in breaches of email accounts that are being used to send spam and other annoying content,” wrote Arik Hesseldahl. “I just got a statement from a Yahoo spokeswoman saying that the vulnerability seen in a video has been fixed.”


31
Jul 12

Email-Based Malware Attacks, July 2012

Last month’s post examining the top email-based malware attacks received so much attention and provocative feedback that I thought it was worth revisiting. I assembled it because victims of cyberheists rarely discover or disclose how they got infected with the Trojan that helped thieves siphon their money, and I wanted to test conventional wisdom about the source of these attacks.

Top malware attacks and their antivirus detection rates, past 30 days. Source: UAB

While the data from the past month again shows why that wisdom remains conventional, I believe the subject is worth periodically revisiting because it serves as a reminder that these attacks can be stealthier than they appear at first glance.

The threat data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the number of antivirus products that detected the malware as hostile (virustotal.com scans any submitted file or link using about 40 different antivirus and security tools, and then provides a report showing each tool’s opinion).

As the chart I compiled above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include such household names as American Airlines, Ameritrade, Craigslist, Facebook, FedEx, Hewlett-Packard (HP), Kraft, UPS and Xerox. In most of the emails, the senders spoofed the brand name in the “from:” field, and used embedded images stolen from the brands being spoofed.

The one detail most readers will probably focus on most this report is the atrociously low detection rate for these spammed malware samples. On average, antivirus software detected these threats about 22 percent of the time on the first day they were sent and scanned at virustotal.com. If we take the median score, the detection rate falls to just 17 percent. That’s actually down from last month’s average and median detection rates, 24.47 percent and 19 percent, respectively.

Continue reading →