Posts Tagged: fbi


10
Jul 14

Crooks Seek Revival of ‘Gameover Zeus’ Botnet

Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it. gameover

The researchers who helped dismantle Gameover Zeus said they were surprised that the botmasters didn’t fight back. Indeed, for the past month the crooks responsible seem to have kept a low profile.

But that changed earlier this morning when researchers at Malcovery [full disclosure: Malcovery is an advertiser on this blog] began noticing spam being blasted out with phishing lures that included zip files booby-trapped with malware.

Looking closer, the company found that the malware shares roughly 90 percent of its code base with Gameover Zeus. Part of what made the original GameOver ZeuS so difficult to shut down was its reliance in part on an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.

But according to Gary Warner, Malcovery’s co-founder and chief technologist, this new Gameover variant is stripped of the P2P code, and relies instead on an approach known as fast-flux hosting. Fast-flux is a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns. Continue reading →


12
May 14

Teen Arrested for 30+ Swattings, Bomb Threats

A 16-year-old male from Ottawa, Canada has been arrested for allegedly making at least 30 fraudulent calls to emergency services across North America over the past few months. The false alarms — two of which targeted this reporter — involved calling in phony bomb threats and multiple attempts at “swatting” — a hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.

po2-swatbkOn March 9, a user on Twitter named @ProbablyOnion (possibly NSFW) started sending me rude and annoying messages. A month later (and several weeks after blocking him on Twitter), I received a phone call from the local police department. It was early in the morning on Apr. 10, and the cops wanted to know if everything was okay at our address.

Since this was not the first time someone had called in a fake hostage situation at my home, the call I received came from the police department’s non-emergency number, and they were unsurprised when I told them that the Krebs manor and all of its inhabitants were just fine.

Minutes after my local police department received that fake notification, @ProbablyOnion was bragging on Twitter about swatting me, including me on his public messages: “You have 5 hostages? And you will kill 1 hostage every 6 times and the police have 25 minutes to get you $100k in clear plastic.” Another message read: “Good morning! Just dispatched a swat team to your house, they didn’t even call you this time, hahaha.”

I told this user privately that targeting an investigative reporter maybe wasn’t the brightest idea, and that he was likely to wind up in jail soon. But @ProbablyOnion was on a roll: That same day, he hung out his for-hire sign on Twitter, with the following message: “want someone swatted? Tweet me  their name, address and I’ll make it happen.” Continue reading →


30
Apr 14

Tax Fraud Gang Targeted Healthcare Firms

Earlier this month, I wrote about an organized cybercrime gang that has been hacking into HR departments at organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms. Today, we’ll look a bit closer at the activities of this crime gang, which appears to have targeted a large number of healthcare and senior living organizations that were all using the same third-party payroll and HR services provider.

taxfraudAs I wrote in the previous story, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W-2 forms for all employees.

Among the organizations listed in that panel were Plaintree Inc. and Griffin Faculty Practice Plan. Both entities are subsidiaries of Derby, Conn.-based Griffin Health Services Corp.

Steve Mordecai, director of human resources at Griffin Hospital, confirmed that a security breach at his organization had exposed the personal and tax data on “a limited number of employees for Griffin Health Services Corp. and Griffin Hospital.” Mordecai said the attackers obtained the information after stealing the organization’s credentials at a third-party payroll and HR management provider called UltiPro.

Mordecai said that the bad guys only managed to steal data on roughly four percent of the organization’s employees, but he declined to say how many employees the healthcare system currently has. An annual report (PDF) from 2009 states that Griffin Hospital alone had more than 1,384 employees.

Griffin employee tax records, as recorded in the fraudsters' Web-based control panel.

Griffin employee tax records, as recorded in the fraudsters’ Web-based control panel.

“Fortunately for us it was a limited number of employees who may have had their information breached or stolen,” Mordecai said. “There is a criminal investigation with the FBI that is ongoing, so I can’t say much more.”

The FBI did not return calls seeking comment. But according Reuters, the FBI recently circulated a private notice to healthcare providers, warning that the “cybersecurity systems at many healthcare providers are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans’ personal medical records and health insurance data.”

According to information in their Web-based control panel, the attackers responsible for hacking into Griffin also may have infiltrated an organization called Medical Career Center Inc., but that could not be independently confirmed.

This crime gang also appears to have targeted senior living facilities, including SL Bella Terra LLC, a subsidiary of Chicago-based Senior Lifestyle Corp, an assisted living firm that operates in seven states. Senior Living did not return calls seeking comment.

In addition, the attackers hit  Swan Home Health LLC  in Menomonee Falls, Wisc., a company that recently changed its named to EnlivantMonica Lang, vice president of communications for Enlivant, said Swan Home Health is a subsidiary of Chicago-based Assisted Living Concepts Inc., an organization that owns and operates roughly 200 assisted living facilities in 20 states.

Swan Home Health employee's tax info, as recorded by the fraudsters.

Swan Home Health employee’s tax info, as recorded by the fraudsters.

ALC disclosed in March 2014 that a data breach in December 2013 had exposed the personal information on approximately 43,600 current and former employees. In its March disclosure, ALC said that its internal employee records were compromised after attackers stole login credentials to the company’s third-party payroll provider.

That disclosure didn’t name the third-party provider, but every victim organization I’ve spoken with that’s been targeted by this crime gang had outsourced their payroll and/or human resources operations to UltiPro.

Enlivant’s Lang confirmed that the company also relied on UltiPro, and that some employees have come forward to report attempts to file fraudulent tax refunds on their behalf with the IRS.

“We believe that [the attackers] accessed employee names, addresses, birthdays, Social Security numbers and pay information, which is plenty to get someone going from a tax fraud perspective,” Lang said in a telephone interview. Continue reading →


14
Apr 14

Crimeware Helps File Fraudulent Tax Returns

Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

The control panel for a tax fraud botnet involving more than a half dozen victim organizations.

An obfuscated look at the he control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The "drops" page of this tax  fraud operation lists the nicknames of the co-conspirators who agreed to "cash out" funds on the prepaid cards generated by the bogus returns -- minus a small commission.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims maybe exploited not only for 2013 tax year but also down the road,  and perhaps subject of higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.” Continue reading →


8
Apr 14

‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

Credit: Heartbleed.com

Credit: Heartbleed.com

From Heartbleed.com:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL - OpenSSL 1.0.1g — as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert). For more on what you can do you to protect yourself from this vulnerability, see this post.


17
Mar 14

The Long Tail of ColdFusion Fail

Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.

cffailLast Tuesday’s story looked at two victims; the jam and jelly maker Smucker’s, and SecurePay, a credit card processor based in Georgia. Most of the companies contacted for this story did not respond to requests for comment. The few business listed that did respond had remarkably similar stories to tell about the ordeal of trying to keep their businesses up and running in the face of such intrusions. Each of them learned important lessons that any small online business would be wise to heed going forward.

The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores.

Elightbulbs.com, a Maple Grove, Minn. based company that sells lighting products, was among those listed in the ColdFusion botnet panel. Elightbulbs.com Vice President Paul McLellan said he first learned of the breach on Nov. 7, 2013 from his company’s processor – Heartland Payment Systems.

elight

McLellan said the unpatched ColdFusion vulnerabilities on the company’s site was certainly a glaring oversight. But he said he’s frustrated that his company was paying a third-party security compliance firm upwards of $6,000 a year to test Elightbulbs.com for vulnerabilities and that the firm also missed the ColdFusion flaws.

“Shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind,” McLellan said. “Turns out this flaw had existed for two years and they never saw it. 

McLellan said the company received a visit from the FBI last year, and the agent said the group responsible for hitting Elightbulbs had compromised much more high-profile targets.

“The FBI investigator said, ‘Hey, don’t beat yourself up. We’ve got credit card processors and government institutions that run ColdFusion who were breached, this is small potatoes’,” McLellan said. “That was a small consolation.”

Continue reading →


29
Jan 14

New Clues in the Target Breach

An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

As I noted in  Jan. 15′s story – A First Look at the Target Intrusion, Malware – the attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.

According to sources, "ttcopscli3acs" is the name of the Windows share point used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r"

“ttcopscli3acs” is the name of the Windows share used by the POS malware planted at Target stores; the username that malware used to upload stolen card data was “Best1_user”; the password was “BackupU$r”

That analysis looked at a malware component used in Target breach that was uploaded to Symantec’s ThreatExpert scanning service on Dec. 18 but which was later deleted (a local PDF copy of it is here). The ThreatExpert writeup suggests that the malware was responsible for moving stolen data from the compromised cash registers to that shared central repository, which had the internal address of 10.116.240.31. The “ttcopscli3acs” bit is the Windows domain name used on Target’s network. The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the image above.

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base BMC Software — includes administrator-level user account called “Best1_user.”

This knowledge base article (PDF) published by BMC explains the Best1_user account is installed by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”

“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt. Here’s my favorite part:

Perform Technical Support does not have the password to this account and this password has not be released by Perform Development. Knowing the password to the account should not be important as you cannot log into the machine using this account. The password is known internally and used internally by the Perform agent to assume the identity of the “Best1_user” account.”

I pinged BMC to find out if perhaps the password supplied in the Target malware (BackupU$r) is in fact the secret password for the Best1_user account. The company has so far remained silent on this question.

This was the hunch put forward by the Counter Threat Unit (CTU) of Dell SecureWorks in an analysis that was privately released to some of the company’s clients this week.

Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.

Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.

“Attackers exfiltrate data by creating a mount point for a remote file share and copying the data stored by the memory-scraping component to that share,” the SecureWorks paper notes. “In the previous listing showing the data’s move to an internal server, 10.116.240.31 is the intermediate server selected by attackers, and CTU researchers believe the “ttcopscli3acs” string is the Windows domain name used on Target’s network. The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network.

According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite. BMC spokeswoman Ann Duhon said that the attackers were simply invoking BMC’s trademark to make the malicious program appear legitimate to the casual observer, but it seems likely that at least some BMC software was running inside of Target’s network, and that the attackers were well aware of it.

Update Jan. 30, 5:48 p.m.: BMC just issued the following statement:

There have been several articles in the press speculating about the Target breach.  BMC Software has received no information from Target or the investigators regarding the breach. In some of those articles, BMC products were mentioned in two different ways.

The first was a mention of a “bladelogic.exe” reference in the attack.   The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software.  McAfee has issued a security advisory stating that: “The reference to “bladelogic” is a method of obfuscation.  The malware does not compromise, or integrate with, any BMC products in any way.

The second reference was to a password that was possibly utilized as part of the attack, with the implication that it was a BMC password.  BMC has confirmed that the password mentioned in the press is not a BMC-generated password.

At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack.

Malware is a problem for all IT environments. BMC asks all of our customers to be diligent in ensuring that their environments are secure and protected.

I parse their statement to mean that the “BackupU$r” password referenced in the Target malware is not their software’s secret password. But nothing in the statement seems to rule out the possibility that the attackers leveraged a domain user account installed by BMC software to help exfiltrate card data from Target’s network.

Original story:

According to a trusted source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.

A copy of the SecureWorks report is here (PDF). It contains some fairly detailed analysis of this and other portions of the malware used in the Target intrusion. What it states up front that it does not have — and what we still have not heard from Target — is how the attackers broke in to begin with….

Continue reading →


1
Oct 13

Data Broker Hackers Also Compromised NW3C

The same miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data from the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

The bot that was resident for  almost 3 months inside of NW3C.

The bot that was resident for almost 3 months inside of NW3C.

Last week, KrebsOnSecurity reported that entrepreneurs behind the underground criminal identity theft service ssndob[dot]ms also were responsible for operating a small but powerful collection of hacked computers exclusively at top data brokers, including LexisNexis, Dun & Bradstreet and HireRight/Kroll. A closer analysis of the Web server used to control that collection of hacked PCs shows that the attackers also had at least one infected system for several months this summer inside of the NW3c.

Core to the NW3C’s mission is its Investigative Support division, which according to the organization’s site “provides timely, relevant and effective services to member agencies involved in the prevention, investigation and prosecution of economic and high-tech crimes. The section has no investigative authority but can provide analytical assistance and perform public database searches.”

The NW3C said its analysts are frequently called upon to assist in establishing financial transaction patterns, developing possible links between criminal targets and associated criminal activity and providing link charts, timelines and graphs for court presentations. “Information obtained through public database searches can assist investigations by locating suspects, establishing property ownership and finding hidden assets, just to name a few of the benefits,” the organization’s Web site explains.

The NW3C also works with the Federal Bureau of Investigation (FBI) to run the Internet Crime Complaint Center (IC3), which accepts online Internet crime complaints from victims of cybercrime.

Neither the NW3C nor the IC3 responded to requests for comment on this story. FBI Spokeswoman Lindsay Godwin would say only that the FBI was “looking into it,” but declined to elaborate further, citing the ongoing nature of the investigation.

THE CRIME MACHINE

A number of indicators suggest that the attackers first gained access to the NW3C’s internal network on or around May 28, 2013. According to records in the online communications panel that the miscreants used to control their network of hacked systems, the affected NW3C server was taken offline on or around Aug. 17, 2013, indicating that the organization’s networks were compromised for approximately 11 weeks this summer. It’s not clear at this point why the miscreants marked this organization’s listing with a “(hacker)” designation, as shown in the snapshot of their botnet control panel below.

nw3cBAP

The attackers appear to have compromised a public-facing server at NW3C that was designed to handle incoming virtual private network (VPN) communications. Organizations frequently set up VPNs so that their remote employees can create an encrypted communications tunnel back to an otherwise closed network, and these setups are an integral component of most modern business applications.

A page from the ColdFusion exploit server used by the attackers.

A page from the ColdFusion exploit server used by the attackers.

Alarmingly, the machine name of the compromised NW3C system was “data.” On May 28, 2013, the attackers uploaded a file — nbc.exe — designed to open up an encrypted tunnel of communications from the hacked VPN server to their botnet controller on the public Internet. This appears to be the same nbc.exe file that was found on the two hacked servers at LexisNexis.

Abundant evidence left behind by the attackers suggests that they broke into the NW3C using a Web-based attack tool that focuses on exploiting recently-patched weaknesses in servers powered by ColdFusion, a Web application platform owned by Adobe Systems. I managed to get hold of the multiple exploits used in the attack server, and shared them with Adobe and with Rob Brooks-Bilson, a ColdFusion expert and author of the O’Reilly books Programming ColdFusion MX and Programming ColdFusion.

Although some of the exploits were listed as “0day” in the attack tool — suggesting they were zero-day, unpatched vulnerabilities in Adobe ColdFusion — Bilson said all of the exploits appear to attack vulnerabilities that are fixed in the most recent versions of ColdFusion. For example, three of the four exploits seems to have involved CVE-2013-0632, a vulnerability that Adobe first patched in January 2013, not long after the flaw was first spotted in actual zero-day online attacks. The remaining exploit in the attack kit targets a bug that Adobe fixed in 2010.

“The big issue with ColdFusion is that so many people install and set it up without following any of Adobe’s hardening guidelines,” Brooks-Bilson said in an email to KrebsOnSecurity. “Most of the exploits that have come out in the recent past have all worked via a similar mechanism that is easily mitigated by following Adobe’s guide. Of course, so many people disregard that advice and end up with servers that are easily compromised.”

STEALING DATA ON VICTIMS AND FELLOW CROOKS ALIKE

The ColdFusion exploit server contains plenty of records indicating that the attackers in this case plundered many of the databases that they were able to access while inside of NW3C. Part of the reason for the persistence of this evidence has to do with the way that the attackers queried local databases and offloaded stolen data. It appears that once inside the NW3C’s network, the bad guys quickly scanned all of the organization’s systems for security vulnerabilities and database servers. They also uploaded a Web-based “shell” which let them gain remote access to the hacked server via a Web browser.

The attack server and shell also let the attackers execute system commands on the compromised hosts, which appear to be Microsoft IIS servers. Their method also left a detailed (if not complete) log of many of their activities inside the network. One of the first things the attackers did upon compromising the “Data” server on the network was run a query that forced the local database to dump a copy of itself to a file — including a list of the authorized users and passwords —  that the attackers could download.

A snippet of redacted complaint data stolen from IC3.

A snippet of redacted complaint data stolen from IC3.

The bad guys in this case also appear to have used their access to the NW3C to steal 10 years’ worth of consumer complaint information from the Internet Crime Complaint Center (IC3), the aforementioned partnership between the NW3C and the FBI that tracks complaints about cybercrime.

Present on the attacker’s server are some 2.659 million records apparently lifted from the IC3. The records range in date from about the time of the IC3′s inception — May 8, 2000 — to Jan. 22, 2013.

It’s not clear if the stolen IC3 data set includes all of the consumer complaints ever filed, but it seems likely that the archive is lacking just the past few months of records. In a report released earlier this year, the IC3 said it was receiving about 24,000 complaints per month, and that consumers had filed 289,874 complaints last year. The IC3′s site doesn’t maintain annual complaint numbers prior to 2003, but according to the site some 2.35 million have been filed with the system since then. To put the year-over-year growth in complaints in perspective, the IC3 said it wasn’t until 2007 — nearly seven years after its birth — that the organization received its millionth complaint.

Continue reading →


25
Sep 13

Data Broker Giants Hacked by ID Theft Service

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

ssndobhomeThe Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.

Until very recently, the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went. The young hackers used SSNDOB to collect data for exposed.su, a Web site that listed the SSNs, birthdays, phone numbers, current and previous addresses for dozens of top celebrities — such as performers Beyonce, Kanye West and Jay Z — as well as prominent public figures, including First Lady Michelle Obama, CIA Director John Brennan, and then-FBI Director Robert Mueller.

Earlier this summer, SSNDOB was compromised by multiple attackers, its own database plundered. A copy of the SSNDOB database was exhaustively reviewed by KrebsOnSecurity.com. The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Frustratingly, the SSNDOB database did not list the sources of that stolen information; it merely indicated that the data was being drawn from a number of different places designated only as “DB1,” “DB2,” and so on.

But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers. This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States.  The botnet’s Web-based interface (portions of which are shown below) indicated that the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators.

The botnet interface used by  the miscreants who own and operate ssndob[dot]ms

The botnet interface used by the miscreants who own and operate ssndob[dot]ms

DATA-BROKER BOTNET

Two of the hacked servers were inside the networks of Atlanta, Ga.-based LexisNexis Inc., a company that according to Wikipedia maintains the world’s largest electronic database for legal and public-records related information. Contacted about the findings, LexisNexis confirmed that the two systems listed in the botnet interface were public-facing LexisNexis Web servers that had been compromised.

One of two bots connected to SSNDOB that was inside of LexisNexis.

One of two bots connected to SSNDOB that was inside of LexisNexis.

The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis’s internal systems to the botnet controller on the public Internet.

Two other compromised systems were located inside the networks of Dun & Bradstreet, a Short Hills, New Jersey data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management. According to the date on the files listed in the botnet administration panel, those machines were compromised at least as far back as March 27, 2013.

The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides employment background, drug and health screening. Kroll Background America is now part of HireRight, a background-checking firm managed by the Falls Church, Va.-based holding company Altegrity, which owns both the Kroll and HireRight properties. Files left behind by intruders into the company’s internal network suggest the HireRight breach extends back to at least June 2013.

An initial analysis of the malicious bot program installed on the hacked servers reveals that it was carefully engineered to avoid detection by antivirus tools. A review of the bot malware in early September using Virustotal.com – which scrutinizes submitted files for signs of malicious behavior by scanning them with antivirus software from nearly four dozen security firms simultaneously — gave it a clean bill of health: none of the 46 top anti-malware tools on the market today detected it as malicious (as of publication, the malware is currently detected by 6 out of 46 anti-malware tools at Virustotal).

Continue reading →


9
Sep 13

Spy Service Exposes Nigerian ‘Yahoo Boys’

A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.

The login page for the BestRecovery online keylog service.

The login page for the BestRecovery online keylog service.

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right).

But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

Initially, I assumed my source had unearthed the data via an SQL injection attack or some other  database weakness. As it happens, the entire list of users is recoverable from the site using little more than a Web browser.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails (dittoswiss@yahoo.com, for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

The seriously ghetto options page for BestRecovery web-based keylogger service.

The seriously ghetto options page for BestRecovery web-based keylogger service.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances. “While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

Oddly enough, a large percentage of the keylog data stored at BestRecovery indicates that many of those keylog victims are in fact Nigerian 419 scammers themselves. One explanation is that this is the result of scammer-on-scammer attacks. According to a study of 419ers published in the Dec. 2011 edition of Cyberpsychology, Behavior, and Social Networking (available from the Library of Congress here or via this site for a fee), much of the 419 activity takes place in cybercafes, where “bulk tickets are sold for sending spam emails and some systems are dedicated to fraudsters for hacking and spamming.”

The keylog records available for the entries marked "Yahoo Boys" show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

The keylog records available for the entries marked “Yahoo Boys” show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

Perhaps some enterprising Nigerian spammers simply infected a bunch of these cybercafe machines to save themselves some work. It is also possible that vigilante groups which target 419 scammers — such as Artists Against 419 and 419eater.com – were involved, although it’s difficult to believe those guys would bother with such a rudimentary service.

BestRecovery gives customers instructions on how to use a provided tool to create a custom Windows-based keylogger and then disguise it as a legitimate screensaver application. New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the “note” field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used). Interestingly, many of the victim PCs have a curious notation: “Yahoo Boys”.

Keylog data apparently collected from a Yahoo Boy.

Keylog data [partially redacted] that was apparently collected from a Yahoo Boy.

BLACK HAT OR BLACK MAGIC?

As noted in the above-mentioned academic paper (“Understanding Cybercrime Perpetrators and the Strategies They Employ in Nigeria”), the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime.  According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

Continue reading →