<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; fbi</title>
	<atom:link href="http://krebsonsecurity.com/tag/fbi/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Wed, 23 May 2012 14:03:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>FBI: Updates Over Public &#8216;Net Access = Bad Idea</title>
		<link>http://krebsonsecurity.com/2012/05/fbi-updates-over-public-net-access-bad-idea/</link>
		<comments>http://krebsonsecurity.com/2012/05/fbi-updates-over-public-net-access-bad-idea/#comments</comments>
		<pubDate>Fri, 11 May 2012 04:26:41 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[EvilGrade]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Wi-Fi]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=15035</guid>
		<description><![CDATA[The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms. From the FBI&#8217;s advisory: &#8220;Recently, there have been instances of travelers’ laptops being [...]]]></description>
			<content:encoded><![CDATA[
<p>The <strong>Federal Bureau of Investigation</strong> is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.</p>
<p>From the FBI&#8217;s <a title="FBI e-scams" href="http://www.fbi.gov/scams-safety/e-scams" target="_blank">advisory</a>:</p>
<blockquote><p>&#8220;Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.&#8221;</p></blockquote>
<p>The warning is a good opportunity to revisit some wireless safety tips I&#8217;ve doled out over the years. <em>Avoid updating software while you&#8217;re using networks that are untrusted and public,</em> <em>whether they are wired or wireless.</em> This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/06/wifi.jpg"><img class="alignright size-medium wp-image-3361" title="wifi" src="http://krebsonsecurity.com/wp-content/uploads/2010/06/wifi-289x300.jpg" alt="" width="285" height="295" /></a>There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don&#8217;t have to involve pop-ups. I&#8217;ve written at least two blog posts about <a title="EvilGrade Gets an Upgrade" href="http://krebsonsecurity.com/2010/11/evilgrade-gets-an-upgrade/" target="_blank">EvilGrade</a>, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles. The deviousness of this tool is that it can be used to hijack the legitimate updaters built into software already installed on your computer.</p>
<p>If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor&#8217;s Web site. Most importantly &#8212; and Rule #1 of <a title="KrebsOnSecurity: Krebs's 3 Basic Rules for Online Safety" href="http://krebsonsecurity.com/2011/05/krebss-3-basic-rules-for-online-safety/" target="_blank">Krebs&#8217;s 3 Basic Rules for Online Safety</a> covers this nicely &#8212; <em>&#8220;if you didn&#8217;t go looking for it, don&#8217;t install it!</em>&#8221; Also, using an update tracker, such as <strong>Secunia</strong>&#8216;s <a title="Secunia's Personal Software Inspector" href="http://secunia.com/products/consumer/psi/" target="_blank">Personal Software Inspector</a> or <strong>File Hippo</strong>&#8216;s <a title="Filehippo.com: Update Checker" href="http://www.filehippo.com/updatechecker/" target="_blank">Update Checker</a>, can help you stay on top of the latest security patches for widely-used software, and make it easier for you to plan your software updates ahead of time.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2012/05/fbi-updates-over-public-net-access-bad-idea/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>FBI: Smart Meter Hacks Likely to Spread</title>
		<link>http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/</link>
		<comments>http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/#comments</comments>
		<pubDate>Mon, 09 Apr 2012 14:19:55 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Don Weber]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[InGuardians]]></category>
		<category><![CDATA[Itron]]></category>
		<category><![CDATA[Puerto Rico]]></category>
		<category><![CDATA[Robert Former]]></category>
		<category><![CDATA[Shmoocon]]></category>
		<category><![CDATA[smart meters]]></category>
		<category><![CDATA[Tom Liston]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=12930</guid>
		<description><![CDATA[A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology.

Smart meters are intended to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also improves a utility's ability to remotely read meters to determine electric usage.]]></description>
			<content:encoded><![CDATA[
<p>A series of hacks perpetrated against so-called &#8220;smart meter&#8221; installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the <strong>FBI</strong> said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology.</p>
<div id="attachment_14552" class="wp-caption alignright" style="width: 295px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2012/04/FBI-SmartMeterHack.png"><img class="size-medium wp-image-14552" title="FBI-SmartMeterHack" src="http://krebsonsecurity.com/wp-content/uploads/2012/04/FBI-SmartMeterHack-285x305.png" alt="" width="285" height="305" /></a><p class="wp-caption-text">Part of an FBI alert about smart meter hacks.</p></div>
<p>Smart meters are intended to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility&#8217;s ability to remotely read meters to determine electric usage.</p>
<p>But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet.</p>
<p>Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power theft that it believed were related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.</p>
<p>Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. &#8220;These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,&#8221; the alert states.</p>
<p>The FBI believes that miscreants hacked into the smart meters using an optical converter device &#8212; such as an infrared light &#8212; connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.</p>
<p>&#8220;The optical converter used in this scheme can be obtained on the Internet for about $400,&#8221; the alert reads. &#8220;The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.&#8221;</p>
<p>The bureau also said another method of attacking the meters involves placing a strong magnet on the device, which causes it to stop measuring usage while still providing electricity to the customer.</p>
<blockquote><p>&#8220;This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company.&#8221;</p>
<p>&#8220;Each method causes the smart meter to report less than the actual amount of electricity used. The altered meter typically reduces a customer’s bill by 50 percent to 75 percent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 percent of meters had been altered.&#8221;</p></blockquote>
<p>&#8220;The FBI assesses with medium confidence that as Smart Grid use continues to spread throughout the country, this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer,&#8221; the agency said in its bulletin.</p>
<p>The feds estimate that the Puerto Rican utility&#8217;s losses from the smart meter fraud could reach $400 million annually. The FBI didn&#8217;t say which meter technology or utility was affected, but the only power company in Puerto Rico with anywhere near that volume of business is the publicly-owned <a title="Prepa.com" href="http://www.prepa.com/aeees_eng.asp" target="_blank">Puerto Rican Electric Power Authority</a> (PREPA). The company did not respond to requests for comment on this story.</p>
<p>The hacks described by the FBI do not work remotely, and require miscreants to have physical access to the devices. They succeed because many smart meter devices deployed today do little to obfuscate the credentials needed to change their settings, according to <strong>Tom Liston</strong> and <strong>Don Weber</strong>, analysts with <a title="InGuardians.com" href="http://www.inguardians.com/" target="_blank">InGuardians Inc.</a>, a security consultancy based in Washington, D.C.</p>
<p>Liston and Weber have developed a prototype of a tool and software program that lets anyone access the memory of a vulnerable smart meter device and intercept the credentials used to administer it. Weber said the toolkit relies in part on a device called an optical probe, which can be made for about $150 in parts, or purchased off the Internet for roughly $300.</p>
<p>&#8220;This is a well-known and common issue, one that we&#8217;ve been warning people about for three years now, where some of these smart meter devices implement unencrypted memory,&#8221; Weber said. &#8220;If you know where and how to look for it, you can gather the security code from the device, because it passes them unencrypted from one component of the device to another.&#8221;</p>
<p>The two researchers were slated to demo their smart meter hacking tools at the <a title="Shmoocon speakers" href="http://www.shmoocon.org/speakers" target="_blank">Shmoocon security conference</a> earlier this year, but agreed to pull the presentation at the last minute at the request of several vendors and utilities that they declined to name.</p>
<p>&#8220;It turns out that the vendor has a consortium of utility customers with whom they have regular conference calls,&#8221; Weber said. &#8220;Several of the utilities in this group had a concern about the information becoming public. Luckily we have worked with several of the utilities in the group. We have been able to stem the fears of all but one utility. We hope to have<br />
them on board very soon.&#8221;</p>
<p>Liston said utilities have become accustomed to deploying meters that can last 30 years before needing to be replaced, but that the advanced interactive components being built into modern smart meters require a much more thoughtful and careful approach to security.</p>
<p>&#8220;Traditionally, metering technology has been very cost effective, because much of it is very resilient. But these older devices didn&#8217;t have a lot of technology in them, and they certainly didn&#8217;t have wireless connections and things like memory storage,&#8221; Liston said. &#8220;The utilities are still expecting the lifecycle of newer pieces of equipment to be 20 to 30 years, and they&#8217;re just coming to the realization that some of the new stuff deployed is not going to last nearly that long.&#8221;</p>
<p><strong>Robert Former</strong>, a security engineer at smart meter manufacturer <a title="Itron.com" href="http://www.itron.com" target="_blank">Itron</a>, said he hopes that researchers continue to push the industry toward adopting technologies that can withstand these and potentially other, as-yet-undiscovered attacks.</p>
<p>&#8220;What you&#8217;re hearing is the sound of [a] paradigm shifting without a clutch,&#8221; Former said. &#8220;Utilities have to be more enterprise security-aware. With these incidents at organizations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we&#8217;re going to fix a security problem is to expose it.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/feed/</wfw:commentRss>
		<slash:comments>88</slash:comments>
		</item>
		<item>
		<title>Court: 4 More Months for DNSChanger-Infected PCs</title>
		<link>http://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/</link>
		<comments>http://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 15:22:08 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[2012]]></category>
		<category><![CDATA[DNSChanger]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Internet Identity]]></category>
		<category><![CDATA[July 9]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=14008</guid>
		<description><![CDATA[Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that event by 120 days to give companies, businesses and governments more time to respond to the epidemic.

The reprieve came late Monday, when the judge overseeing the U.S. government's landmark case against an international cyber fraud network agreed that extending the deadline was necessary "to continue to provide remediation details to industry channels approved by the FBI."]]></description>
			<content:encoded><![CDATA[
<p>Millions of PCs sickened by a global computer contagion known as <strong>DNSChanger</strong> were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2012/03/dnschrome.png"><img class="alignright size-full wp-image-14014" title="dnschrome" src="http://krebsonsecurity.com/wp-content/uploads/2012/03/dnschrome.png" alt="" width="250" height="97" /></a>The reprieve came late Monday, when the judge overseeing the U.S. government&#8217;s landmark case against an international cyber fraud network agreed that extending the deadline was necessary &#8220;to continue to provide remediation details to industry channels approved by the FBI.&#8221;</p>
<p>DNSChanger modifies settings on a host PC that tell the computer how to find Web sites on the Internet, hijacking victims’ search results and preventing them from visiting security sites that might help detect and scrub the infections. The Internet servers that were used to control infected PCs were located in the United States, and in coordination with the <a title="'Biggest Cybercriminal Takedown in History'" href="http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/" target="_blank">arrest of the Estonian men in November</a>, a New York district court ordered a private U.S. company to assume control over those servers. The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down. The court agreed, and ordered that the surrogate control servers remain in operation until March 8.</p>
<p>But by early last month, it was becoming clear that more than 3 million PCs worldwide &#8212; including at least 500,000 in the United States &#8212; were still infected with DNSChanger. The company that released those estimates, security firm <strong>Internet Identity</strong>, reported that 50 percent of Fortune 500s and about half of all U.S. government agencies were still struggling with infections.</p>
<div id="attachment_14013" class="wp-caption alignleft" style="width: 242px"><a href="http://krebsonsecurity.com/wp-content/uploads/2012/03/knowndnschangeraddresses.png"><img class="size-full wp-image-14013" title="knowndnschangeraddresses" src="http://krebsonsecurity.com/wp-content/uploads/2012/03/knowndnschangeraddresses.png" alt="" width="232" height="165" /></a><p class="wp-caption-text">Known DNSChanger address ranges. Source: dcwg.org</p></div>
<p>Updated infection figures released last week indicate that the government has made great strides in scrubbing the malware from its networks, but that more work is still needed. On Feb. 23, 2012, Internet Identity found that 94 of all Fortune 500 companies and three out of 55 major government entities had at least one computer or router that was infected with DNSChanger.</p>
<p>Internet users can quickly see if their PCs are infected with DNSChanger by visiting one of several &#8220;eye check&#8221; sites, including <a title="dns-ok.us" href="http://dns-ok.us/" target="_blank">this one</a>. DNSChanger also infected <strong>Mac OS X</strong> systems and home routers; go <a title="http://dcwg.org/checkup.html" href="http://dcwg.org/checkup.html" target="_blank">here</a> if you need instructions for checking those systems for infections. A larger network owner can find out if any PCs on the local network are infected by reaching out to one of the entities in the <a title="DNSChanger Working Group" href="http://dcwg.org/cleanup.html" target="_blank">DNSChanger Working Group</a>.</p>
<p>A signed copy of the court order extending the deadline until July 9, 2012 is available <a title="Post-Indictment Protective Order " href="http://krebsonsecurity.com/wp-content/uploads/2012/03/Post-Indictment-Protective-Order.pdf" target="_blank">here</a> (.PDF).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/feed/</wfw:commentRss>
		<slash:comments>25</slash:comments>
		</item>
		<item>
		<title>&#8216;Biggest Cybercriminal Takedown in History&#8217;</title>
		<link>http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/</link>
		<comments>http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 22:31:53 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Andrey Taame]]></category>
		<category><![CDATA[Barry Greene]]></category>
		<category><![CDATA[Dmitri Jegorov]]></category>
		<category><![CDATA[DNS Changer]]></category>
		<category><![CDATA[estdomains]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Feike Hacquebord]]></category>
		<category><![CDATA[internet systems consortium]]></category>
		<category><![CDATA[Konstantin Poltev]]></category>
		<category><![CDATA[Timur Gerassimenko]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[Valeri Aleksejev]]></category>
		<category><![CDATA[Vladimir Tsastsin]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=12274</guid>
		<description><![CDATA[The proprietors of shadowy online businesses that have become synonymous with cybercrime in recent years were arrested in their native Estonia on Tuesday and charged with running a sophisticated click fraud scheme that infected with malware more than four million computers in over 100 countries -- including an estimated 500,000 PCs in the United States. The law enforcement action was the result of a multi-year investigation, and is being called the "biggest cybercriminal takedown in history."]]></description>
			<content:encoded><![CDATA[
<p>The proprietors of shadowy online businesses that have become synonymous with cybercrime in recent years were arrested in their native Estonia on Tuesday and charged with running a sophisticated click fraud scheme that infected with malware more than four million computers in over 100 countries &#8212; including an estimated 500,000 PCs in the United States. The law enforcement action, dubbed &#8220;Operation Ghost Click,&#8221; was the result of a multi-year investigation, and is being called the &#8220;biggest cybercriminal takedown in history.&#8221;</p>
<div id="attachment_12275" class="wp-caption alignright" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/vladimirtsastsin.png"><img class="size-medium wp-image-12275" title="vladimirtsastsin" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/vladimirtsastsin-300x212.png" alt="" width="300" height="212" /></a><p class="wp-caption-text">Vladimir Tsastsin, in undated photo.</p></div>
<p>Estonian authorities arrested six men, including <strong>Vladimir Tsastsin</strong>, 31, the owner of several Internet companies that have been <a title="Washington Post: A Superlative Scam and Spam Site Registrar" href="http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html" target="_blank">closely associated with the malware community</a> for many years. Tsastsin previously headed <strong>EstDomains Inc.</strong>, a domain name registrar that handled the registrations for tens of thousands of domains associated with the far-flung <a title="Wikipedia: Russian Business Network" href="http://en.wikipedia.org/wiki/Russian_Business_Network" target="_blank">Russian Business Network</a>.</p>
<p>Reporting for <em>The Washington Post</em> in September 2008, I detailed how Tsastsin&#8217;s <a title="Security Fix: EstDomains: A Sordid History and Storied CEO" href="http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html" target="_blank">prior convictions in Estonia for credit card fraud, money laundering and forgery</a> violated the registrar agreement set forth by the <strong>Internet Corporation for Assigned Names and Numbers</strong> (ICANN), which bars convicted felons from serving as officers of a registrar. ICANN later agreed, and <a title="Security Fix: ICANN De-Accredits EstDomains" href="http://voices.washingtonpost.com/securityfix/2008/10/icann_de-accredits_estdomains.html" target="_blank">revoked EstDomains&#8217; ability to act as a domain registrar</a>, citing Tsastsin&#8217;s criminal history.</p>
<p>Also arrested were <strong>Timur Gerassimenko</strong>, 31; <strong>Dmitri Jegorov</strong>, 33; <strong>Valeri Aleksejev</strong>, 31; <strong>Konstantin Poltev</strong>, 28 (quoted in the above-linked stories as the spokesperson for EstDomains); and <strong>Anton Ivanov</strong>, 26. All six men were arrested and taken into custody this week by the Estonian Police and Border Guard. A seventh defendant, a 31-year-old Russian national named <strong>Andrey Taame</strong>, is still at large.</p>
<div id="attachment_12278" class="wp-caption alignleft" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/dnschangerfbi.png"><img class="size-medium wp-image-12278" title="dnschangerfbi" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/dnschangerfbi-300x274.png" alt="" width="300" height="274" /></a><p class="wp-caption-text">Source: FBI</p></div>
<p>Indictments returned against the defendants in the <strong>U.S. District Court for the Southern District of New York</strong> detail how the defendants allegedly used a strain of malware generically known as <a title="F-Secure: DNS Changer malware description" href="http://www.f-secure.com/v-descs/dnschang.shtml" target="_blank">DNS Changer</a> to hijack victim computers for the purposes of redirecting Web browsers to ads that generated pay-per-click revenue for the defendants and their clients. U.S. authorities allege that the men made more than $14 million through click hijacking and advertisement replacement fraud.</p>
<p>DNS Changer most often comes disguised as a video &#8220;codec&#8221; supposedly needed to view adult movies. It infects systems at the boot sector level, hooking into the host computer at a very low level and making it often very challenging to remove. This malware family didn&#8217;t just infect <strong>Microsoft Windows</strong> systems: Several versions of DNS changer would just as happily <a href="http://macdailynews.com/2007/11/01/mac_dns_changer_trojan_osx_puper_relatively_simple_works_like_windows_ver/" target="_blank">infect Mac systems</a> as well. Other variants of the malware even <a title="Security Fix: Malware Silently Alters Wireless Router Settings" href="http://voices.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html" target="_blank">hijacked DNS settings on wireless home routers</a>. The FBI has posted <a title="FBI.gov" href="http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911" target="_blank">several useful links</a> to help users learn whether their systems are infected with DNS Changer.</p>
<p><strong>Feike Hacquebord</strong>, senior threat researcher for security vendor <strong>Trend Micro</strong>, called the arrest the &#8220;biggest cybercriminal takedown in history.&#8221; In a <a title="Trend Micro Blog: Esthost Taken Down - Biggest Cybercriminal Takedown in History" href="http://blog.trendmicro.com/esthost-taken-down-%E2%80%93-biggest-cybercriminal-takedown-in-history/" target="_blank">blog post</a> published today, Hacquebord and Trend detail the multi-year takedown, which involved a number of front companies, but principally an entity that Tsastsin founded named <strong>Rove Digital</strong>:</p>
<blockquote><p>In 2009 we obtained a copy of the hard drives of two C&amp;C servers that replaced advertisements on websites when loaded by DNS Changer victims. On the hard drives we found public SSH keys of several Rove Digital employees. These keys allowed the Rove Digital employees to log in on the C&amp;C servers without password, but with their private key. From log files on the servers we were able to conclude that the C&amp;C servers were controlled from Rove Digital’s office in Tartu.</p>
<p>Rove Digital had also been running a fake AV / rogue DNS affiliate program called Nelicash. We were able to download a schema of the infrastructure for the fake AV part. From a Nelicash C&amp;C server we discovered data on victims who bought fake AV software. Among the purchases of victims, there were several test orders placed by employees of Rove Digital from IP addresses controlled by Rove Digital in Estonia and the US. This shows that Rove Digital was directly involved in the sales of the fake AV.</p>
<p>From the same Nelicash C&amp;C server we were also able to download a detailed plan for the deployment of new rogue DNS servers in 2010 and 2011. Every day, Rove Digital spread a new malware sample that changed systems’ DNS settings to a unique pair of foreign servers. We checked DNS Changer Trojans for a couple of days and we learned that these Trojans changed DNS settings of victims exactly according to their plan.</p>
<p>We collected much more evidence but we are unable to include it all here. All of our findings indicate that Rove Digital is committing cybercrimes on a large scale indeed and is directly responsible for the large DNS Changer botnet.</p></blockquote>
<p>As its name suggests, DNS Changer works by hijacking the domain name system (DNS) server settings on a computer; these settings point to the Internet servers responsible for translating human-friendly domain names like example.com into the numeric Internet addresses that computers actually use. DNS Changer swapped out victims&#8217; legitimate DNS server settings with the addresses of DNS servers controlled by Rove Digital. Armed with that control, the defendants could redirect any part of the Web browsing session on an infected user&#8217;s computer.</p>
<p>This presented a unique challenge for the law enforcement officials and private security experts who sought to dismantle the fraud network. Experts had identified a large number of rogue DNS servers that were owned by front companies tied to Rove Digital, and indeed secured a court order to seize control over those servers. But experts warned the FBI that seizing the rogue DNS servers without first putting in place a backup system would effectively kill Internet access for the four million computers worldwide that were infected with DNS Changer.</p>
<p>In response, the court appointed the job of swapping out the rogue DNS servers for clean ones to <strong>Internet Systems Consortium</strong> (ISC), a California nonprofit that maintains <strong>BIND</strong>, a DNS software package that is widely used throughout the Internet.</p>
<p>&#8220;The big concerns came when all the evidence had built up on the law enforcement side, and people said, &#8216;Hey, there are millions of infected systems whose DNS is wrong,&#8217;&#8221; said <strong>Barry Greene</strong>, president and CEO of ISC. &#8220;We really wanted to keep people from having their DNS shut down, and everyone calling the help desk at their ISP or security provider to complain that their Internet wasn&#8217;t working.&#8221;</p>
<p>In a press call with reporters, FBI officials said they would be working with industry to help notify ISPs about customers infected with DNS Changer.</p>
<p>&#8220;It&#8217;s a complicated cleanup because the malware they put on there is boot-sector stuff,&#8221; Greene said. &#8220;So we&#8217;re not finished. We just finished phase 1, which is law enforcement putting handcuffs on people and making sure we don&#8217;t black out people on the &#8216;Net. The press release and outreach is phase two, and cleanup is phase three. We&#8217;ll be doing that for some time, I think.&#8221;</p>
<p>Officials from the <strong>FBI</strong> and the <strong>U.S. Attorney for the Southern District of New York</strong> said they would seek to extradite the defendants to the United States. An FBI official told reporters that four of the arrested have been charged in Estonia and will probably face trial and any judgment over in that country before being extradited. The FBI said it would concentrate on extraditing two of the men arrested &#8212; Anton Ivanov and Valeri Aleksejev &#8212; neither of whom was charged in Estonia but were arrested provisionally.</p>
<p>The U.S. government has had some success in extraditing Estonian cybercriminals. <strong>Sergei Tsurikov</strong>, an Estonian man convicted of participating in the coordinated $9 million ATM heist against RBS Worldpay in late 2008, was <a title="Wired Threat Level Blog" href="http://www.wired.com/threatlevel/2010/08/tsurikov-extradition/" target="_blank">extradited to the U.S. last year</a> after serving part of his time in an Estonian prison. Tsurikov is currently being processed through a federal jail in Atlanta.</p>
<p>A copy of the indictments returned against the seven men is available <a title="Tsastsin Indictment" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/Tsastsin-et-al.-Indictment.pdf" target="_blank">here</a> (PDF). <a title="Delfi" href="http://www.delfi.ee/news/paevauudised/110_112/fotod-kriminaalpolitsei-puistas-tartu-kesklinna-maja.d?id=61270370" target="_blank">This link from Estonian news outlet Delfi</a> includes several pictures of the arrest and seizure of equipment from Rove Digital properties.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>More Than 100 Arrested in Fake Internet Sales</title>
		<link>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/</link>
		<comments>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 15:18:56 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Adevarul.no]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[justice department]]></category>
		<category><![CDATA[moneygram]]></category>
		<category><![CDATA[Râmnicu Vâlcea]]></category>
		<category><![CDATA[Romania]]></category>
		<category><![CDATA[western union]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10734</guid>
		<description><![CDATA[Law enforcement officials in Romania and the United States arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.]]></description>
			<content:encoded><![CDATA[
<p>Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.</p>
<p>According to <a title="Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement" href="http://www.justice.gov/opa/pr/2011/July/11-crm-926.html" target="_blank">a statement</a> from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as “arrows” to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.</p>
<p>The arrows in the United States would then visit wire transfer services such as <strong>Western Union</strong> or <strong>MoneyGram</strong>, provide false documents including passports and drivers’ licenses in the name of the recipient of the wire transfer, and grab the cash. They would subsequently wire the funds overseas, typically to individuals in Romania, minus a percentage kept for commissions. The victims would not receive the items they believed they were purchasing. In some cases, co-conspirators in Romania also directed arrows to provide bank accounts in the United States where larger amounts of funds could be wired by victims of the fraud.</p>
<p>Since February 2011, FBI agents and U.S. Justice Department authorities in Florida, Pennsylvania and Texas have arrested or charged at least 21 Romanians and Moldovans in the U.S. who were allegedly members of the ring. Thirteen of those charged have pleaded guilty, and three remain at large.</p>
<p>The Bucharest news agency <strong>Adevarul.ro</strong> has <a title="Google translated version of Adevarul story" href="http://translate.google.com/translate?js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;sl=ro&amp;tl=en&amp;u=http%3A%2F%2Fwww.adevarul.ro%2Flocale%2Fbucuresti%2FPerchezitii_in_Capitala_si_in_opt_orase_90_de_hoti_prinsi_de_FBI_si_adusi_la_DIICOT-_au_furat_pe_internet-de_la_americani-peste_20_de_milioane_de_dolari_0_517148293.html" target="_blank">more details</a> on the 90 Romanians arrested by authorities there in nine different cities. The Romanian authorities say the group stole almost $20 million, about twice as much as the Justice Department estimates.</p>
<p>Some of the Romanians arrested were from the town of <a href="http://maps.google.com/maps?q=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;oe=UTF-8&amp;ie=UTF8&amp;hl=en&amp;geocode=FVI-sAIdBPFzAQ&amp;split=0&amp;sll=37.0625,-95.677068&amp;sspn=23.875,57.630033&amp;hq=&amp;hnear=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;ll=45.104546,24.367676&amp;spn=10.932144,17.687988&amp;z=6">Râmnicu Vâlcea</a>, a location that has become synonymous with online auction fraud. In January, <em>Wired</em> published <a title="How a Remote Town in Romania Has Become Cybercrime Central" href="http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1" target="_blank">a fascinating and readable article</a> on how this remote town of 120,000 residents has become cybercrime central, earning the town the nickname &#8220;hackerville.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>$72M Scareware Ring Used Conficker Worm</title>
		<link>http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/</link>
		<comments>http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 01:22:33 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Jenny Shearer]]></category>
		<category><![CDATA[Joe Stewart]]></category>
		<category><![CDATA[Kaspersky Lab]]></category>
		<category><![CDATA[New York Times]]></category>
		<category><![CDATA[Norman Sanders]]></category>
		<category><![CDATA[Operation Trident Tribunal]]></category>
		<category><![CDATA[SBU]]></category>
		<category><![CDATA[secureworks]]></category>
		<category><![CDATA[Spyware Protect 2009]]></category>
		<category><![CDATA[trafficconverter.biz]]></category>
		<category><![CDATA[Waledac worm]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10417</guid>
		<description><![CDATA[Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.]]></description>
			<content:encoded><![CDATA[
<p>Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous <strong>Conficker worm</strong>, although it remains unclear how big a role the fast-spreading worm played in this crime.</p>
<div id="attachment_10420" class="wp-caption alignright" style="width: 310px"><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/xpa.jpg"><img class="size-medium wp-image-10420" title="xpa" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/xpa-300x150.jpg" alt="" width="300" height="150" /></a><p class="wp-caption-text">Image courtesy fbi.gov</p></div>
<p>The Security Service of Ukraine (SBU) said today that it had seized at least 74 pieces of computer equipment and cash from a criminal group suspected of running a massive operation to steal banking information from consumers with the help of Conficker and scareware, a scam that uses misleading security alerts to frighten people into paying for worthless security software. A <a href="http://translate.google.com/translate?js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;sl=uk&amp;tl=en&amp;u=http%3A%2F%2Fwww.sbu.gov.ua%2Fsbu%2Fcontrol%2Fuk%2Fpublish%2Farticle%3Fart_id%3D107626%26cat_id%3D39574" target="_blank">Google-translated version of an SBU press release</a> suggests that the crime gang used Conficker to deploy the scareware, and then used the scareware to launch a virus that stole victims&#8217; financial information.</p>
<p>The Ukrainian action appears to be related to an ongoing international law enforcement effort dubbed <strong>Operation Trident Tribunal</strong> by the <strong>FBI</strong>. In <a href="http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-international-cybercrime-rings-distributing-scareware" target="_blank">a statement</a> released Wednesday, the U.S. Justice Department said it had seized 22 computers and servers in the United States that were involved in the scareware scheme. The Justice Department said 25 additional computers and servers located abroad were taken down as part of the operation, in cooperation with authorities in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.</p>
<p>On Tuesday, <em>The New York Times</em> <a title="FBI Seizes Web Servers, Knocking Sites Offline" href="http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/" target="_blank">reported</a> that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn&#8217;t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group &#8220;Lulzsec.&#8221; Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation.</p>
<p>The FBI&#8217;s statement confirms the SBU&#8217;s estimate of $72 million losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU&#8217;s press release names and quotes <strong>Special Agent Norman Sanders</strong> from the FBI&#8217;s Seattle field office, broadly known in the security industry as the agency&#8217;s lead in the Conficker investigation. Conficker first surfaced in November 2008. The SBU said the FBI has been investigating the case for three years. [<strong>Update, June 24, 9:37 a.m.: </strong> Not sure whether this was an oversight or a deliberate attempt to deceive, but <a href="http://bit.ly/jx9cNT" target="_blank">the picture showing the stack of PCs confiscated in this raid</a> is identical to the <a href="http://bit.ly/mRTSrV" target="_blank">one shown in an SBU press release last fall</a>, when the Ukrainian police <a href="http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/" target="_blank">detained five individuals</a> connected to high-profile ZeuS Trojan attacks.]</p>
<p>&#8220;Exchanging information with the Security Service, it became clear that the intelligence services of both countries [were] investigating criminal acts of the same persons,&#8221; the SBU said in its prepared statement.</p>
<p>There are no court records of this case publicly available in the United States; a spokesperson at the Justice Department office in the Western District of Washington said the documents remain sealed. She referred questions about the case to the FBI headquarters in Washington, D.C. When asked specifically about the Conficker connection, FBI spokeswoman <strong>Jenny Shearer</strong> would say only that &#8220;there are indications that one of the delivery mechanisms for the scareware in this investigation was a Conficker variant.&#8221;</p>
<p>The Conficker element of this case is interesting for several reasons: The worm was so sophisticated and spread so quickly that it prompted unprecedented cooperation among governments and security experts, who formed the Conficker Working Group to help contain the damage wrought by the worm. Conficker certainly wrought financial damage &#8212; it is estimated to have infected more than 12 million PCs &#8212; but until today there has been little information to suggest that this massive crime machine was used to generate profits for cyber crooks.</p>
<p>I know of two previous instances in which Conficker was linked to scareware scams. The first involved the initial version of the worm, which instructed all infected PCs to visit and download a file from TrafficConverter.biz, the domain of an affiliate program that paid hackers to distribute its brand of scareware. As I reported in <a title="Obscene Profits Fueling Rogue Antivirus Business" href="http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html" target="_blank">a March 2009 story in The Washington Post</a>, the top affiliates for that program were making hundreds of thousands of dollars a month pushing scareware, although it is not clear whether Conficker-infected systems ever received any scareware downloads from the domain. From that story:</p>
<blockquote><p>&#8220;By the time Conficker first surfaced, TrafficConverter was nearing the end of a contest in which the top-selling affiliates competed for prizes, such as computers, fancy cell phones and other electronics. The grand prize? A Lexus IS250, a sports sedan that starts at $36,000.</p>
<p>At first glance, it is tempting to assume that the Conficker worm authors were in league with the operators of TrafficConverter.biz, and thus trying to drive traffic to the site &#8212; perhaps in an attempt to push the contest in favor of one or more affiliates. On the other hand, this may have been an attempt by the Conficker authors or a competing affiliate program to hinder and ultimately shutter TrafficConverter.biz, either by causing law enforcement and the security community to focus their attention on it, or by flooding the site with traffic from hundreds of thousands of Conficker-infected systems.</p>
<p>And flood the site it did. According to [SecureWorks's Joe] Stewart&#8217;s review of the traffic log files for TrafficConverter.biz, during a 12-hour period on Nov. 24, the site was bombarded <em>by more than 83 million hits from at least 179,000 unique Internet addresses</em>.</p>
<p>The traffic from Conficker.A infected systems to TrafficConverter.biz might have translated into monster installs for affiliates of the site. Ironically, all of that traffic from Conficker-infected systems appears to have gone to a non-existent page on TrafficConverter.biz, Stewart said. In short, the site missed a pretty huge opportunity to convert a whole lot of traffic.</p>
<p>Still, had the curators of TrafficConverter.biz actually placed a file at that link for download, the resulting traffic from 179,000 systems trying to download that file at the same time probably would have crashed the site entirely, Stewart said.&#8221;</p></blockquote>
<p>Conficker&#8217;s second association with scareware came three weeks after that story. On April 8, 2009, <strong>Kaspersky Lab</strong> <a href="http://www.securelist.com/en/weblog?weblogid=208187654" target="_blank">reported</a> that it had seen some Conficker infected systems updated with a scareware product called <strong>Spyware Protect 2009</strong>. Kaspersky analysts also discovered that infected PCs were seeded with another update: a version of the <strong>Waledac worm</strong>, which is able to steal data and send spam.</p>
<p>Anyone with information about the identity of the Conficker author(s) could have a lucrative tip on their hands: Microsoft has <a href="http://www.microsoft.com/presspass/press/2009/feb09/02-12confickerpr.mspx" target="_blank">an outstanding $250,000 bounty</a> for information leading to the arrest and conviction of those responsible for launching the worm.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>FBI Scrubbed 19,000 PCs Snared By Coreflood Botnet</title>
		<link>http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/</link>
		<comments>http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/#comments</comments>
		<pubDate>Tue, 21 Jun 2011 22:39:07 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Coreflood]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Kenneth Keller]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10373</guid>
		<description><![CDATA[The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court this week. The effort is part of an ongoing and unprecedented legal campaign to tackle one of the longest-running and most menacing online crime machines ever built.

In April, the Justice Department and the FBI were granted unprecedented authority to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.]]></description>
			<content:encoded><![CDATA[
<p>The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built.</p>
<p>In April, the Justice Department and the <strong>FBI</strong> were <a title="U.S. Government Takes Down Coreflood Botnet" href="http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/" target="_blank">granted authority</a> to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the <strong>U.S. Attorney’s Office for the District of Connecticut</strong> was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/corefloodjune2011.jpg"><img class="aligncenter size-full wp-image-10375" title="corefloodjune2011" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/corefloodjune2011.jpg" alt="" width="600" height="369" /></a></p>
<p>In a declaration filed with the district court, FBI special agent <strong>Kenneth Keller</strong> said the bureau has issued approximately 19,000 uninstall commands to infected computers of two dozen identifiable victims in the United States. The FBI said it obtained written consent from all 24 victims, and that none reported any adverse or unintended consequences from the uninstall commands.</p>
<p>Keller said the FBI has directly notified hundreds of identifiable victims, and that it has provided information to approximately 25 of the largest Internet service providers in the United States, enabling them to notify their infected customers.</p>
<p>&#8220;The FBI has also provided information about infected computers to law enforcement agencies overseas,&#8221; Keller told the court. &#8220;While it has not been possible to notify the owner of every infected computer, due in part to the difficulty in identifying the computer owners and obtaining accurate contact information for them, the decline in the size of the Coreflood Botnet is likely attributable in large part to the success of the victim notification efforts.&#8221;</p>
<p>Keller said that the continued operation of the substitute server was no longer necessary to prevent the as-yet unidentified defendants from using the Coreflood botnet to commit further wire fraud and bank fraud, or to eavesdrop on victim PC communications.</p>
<p>&#8220;The continued operation of the substitute server is consuming considerable law enforcement resources, because the server is being closely monitored to ensure its proper operation,&#8221; Keller wrote. &#8220;Those resources can be better allocated to other law enforcement investigations, now that the decline in the size of the Coreflood Botnet has leveled off. Also, while the Coreflood software will begin to run on still-infected computers once the substitute server is taken out of operation, the seizure of the Coreflood domains will continue reasonably to prevent the Defendants from obtaining access to those computers or to data stolen from those computers.&#8221;</p>
<p>A copy of Keller&#8217;s declaration is available at <a title="Special Agent Kenneth Keller's Declaration on Coreflood" href="http://krebsonsecurity.com/wp-content/uploads/2011/06/U-Keller-declaration.pdf" target="_blank">this link</a> (PDF).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>FBI: $20M in Fraudulent Wire Transfers to China</title>
		<link>http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/</link>
		<comments>http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/#comments</comments>
		<pubDate>Wed, 27 Apr 2011 14:19:00 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[$20M]]></category>
		<category><![CDATA[backdoor.bot]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Financial Services Information Sharing and Analysis Center]]></category>
		<category><![CDATA[fraudulent wire transfers to china]]></category>
		<category><![CDATA[fs-isac]]></category>
		<category><![CDATA[Internet Crime Complaint Center]]></category>
		<category><![CDATA[Spybot]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9376</guid>
<description><![CDATA[The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million over the past year from small to mid-sized businesses, through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country's border with Russia.

The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China, and that the total losses from the fraud were about $11 million. The alert was sent out Tuesday, in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium.]]></description>
			<content:encoded><![CDATA[
<p>The <strong>Federal Bureau of Investigation</strong> warned this week that cyber thieves have stolen approximately $20 million over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country&#8217;s border with Russia.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/heil2.jpg"><img class="alignright size-medium wp-image-9379" title="heil2" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/heil2-259x300.jpg" alt="" width="259" height="300" /></a>The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the <a title="Internet Crime Complaint Center" href="http://www.ic3.gov" target="_blank">Internet Crime Complaint Center</a> and the <strong>Financial Services Information Sharing and Analysis Center</strong> (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.</p>
<p>The FBI says it doesn&#8217;t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the <strong>Heilongjiang</strong> province of the People&#8217;s Republic of China, and that these firms are registered in port cities that are located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official names of the companies also include the words &#8220;economic and trade,&#8221; &#8220;trade,&#8221; and &#8220;LTD&#8221;. The recipient entities usually hold accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.</p>
<p>From <a title="China Wire Transfer Fraud Alert" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/ChinaWireTransferFraudAlert.pdf" target="_blank">the advisory</a> (PDF):</p>
<blockquote><p>&#8220;In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user&#8217;s corporate online banking credentials. When the authorized user attempts to log in to the user&#8217;s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.&#8221;</p></blockquote>
<p><span id="more-9376"></span>The alert said the unauthorized wires range in value from $50,000 to $985,000. While most transfers tend to be toward the upper end of that spectrum, &#8220;the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000.&#8221; In addition, the attackers initiated fraudulent automated clearing house (ACH) transfers to money mules in the United States within minutes of conducting the overseas wire transfers.</p>
<p>According to the alert, the thieves used a variety of malicious software to steal victim online banking credentials, including the <a title="ZeuS Trojan Stories on KrebsOnSecurity.com" href="http://krebsonsecurity.com/?s=ZeuS&amp;x=0&amp;y=0" target="_blank">ZeuS Trojan</a>, <strong>backdoor.bot</strong> and <strong>Spybot</strong>, all malware families that let the crooks steal passwords and control infected systems remotely.</p>
<p>None of this should be news to anyone who has followed <a title="Target: Small Businesses" href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">my reporting on this type of crime</a>. I&#8217;ve written more than 70 stories over the past two years about these types of attacks. Earlier this year, victims at three Iowa banks <a href="http://www.desmoinesregister.com/article/20110420/BUSINESS/104200352/-1/GETPUBLISHED03wp-content/Businesses-often-must-swallow-loss-cyber-thefts-" target="_blank">lost about $2 million</a> in a series of fraudulent wire transfers to Hong Kong. Last fall, thieves <a title="Cyber Thieves Steal Nearly $1 Million from University of Virginia" href="http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/" target="_blank">stole close to $1 million in a single fraudulent wire transfer from the University of Virginia</a> to the Agricultural Bank of China.</p>
<p>It is vital for small business owners to understand the risks they face when banking online, and to get a sense of the sophistication of today&#8217;s attackers. Unlike consumers, businesses do not enjoy the same legal protection against fraud. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them. Small business owners wondering what they can do to protect themselves should read the tips at <a title="Ebanking Guidance for Banks and Businesses" href="http://krebsonsecurity.com/2010/04/e-banking-guidance-for-banks-businesses/#more-1991" target="_blank">this post</a>. One of the surest ways that business owners can avoid becoming the next victim is for the person handling the company&#8217;s books to bank online <a title="Using Windows for a Day Cost Mac User $100,000" href="http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/" target="_blank">only</a> from a dedicated machine &#8212; preferably one that is not Windows-based (since all of the malware used in the attacks to date won&#8217;t run on anything but Windows). Using a <strong>Mac</strong> or a <a title="Avoid Windows Malware: Bank on a Live CD" href="http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html" target="_blank">Live CD approach</a> may seem expensive or impractical, but losing hundreds of thousands of dollars because your PC got a virus infection isn&#8217;t so great either.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/feed/</wfw:commentRss>
		<slash:comments>51</slash:comments>
		</item>
		<item>
		<title>U.S. Government Takes Down Coreflood Botnet</title>
		<link>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/</link>
		<comments>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 00:46:25 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Andrew Fried]]></category>
		<category><![CDATA[Barry Greene]]></category>
		<category><![CDATA[Bredolab]]></category>
		<category><![CDATA[Coreflood]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[gary warner]]></category>
		<category><![CDATA[kim zetter]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[USDOJ]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9208</guid>
		<description><![CDATA[The U.S. Justice Department and the FBI this week were granted unprecedented authority to seize control over a criminal botnet that enslaved millions of computers and to use that control to disable the malicious software on infected PCs.

The target of the takedown was "Coreflood," an infamous botnet that first emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began using it to defraud owners of the victim PCs by stealing bank account information and draining balances.]]></description>
			<content:encoded><![CDATA[
<p>The <strong>U.S. Justice Department</strong> and the <strong>FBI</strong> were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.</p>
<div id="attachment_9210" class="wp-caption alignright" style="width: 253px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/corefloodbotnet.jpg"><img class="size-medium wp-image-9210" title="corefloodbotnet" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/corefloodbotnet-243x300.jpg" alt="Sample network diagram of Coreflood, Source:FBI" width="243" height="300" /></a><p class="wp-caption-text">Sample network diagram of Coreflood, Source:FBI</p></div>
<p>The target of the takedown was &#8220;Coreflood,&#8221; an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.</p>
<p>Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in <a href="http://voices.washingtonpost.com/securityfix/2008/08/online_crime_gang_stole_millio.html" target="_blank">a 2008 story for The Washington Post</a>, this is the same botnet that was used to steal more than $90,000 from <a href="http://www.theregister.co.uk/2005/02/08/e-banking_trojan_lawsuit/" target="_blank">Joe Lopez</a> in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.</p>
<p>By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by <strong>Joe Stewart</strong>, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.</p>
<p>On April 11, 2011, the <strong>U.S. Attorney&#8217;s Office for the District of Connecticut</strong> filed a civil complaint against 13 unknown (&#8220;John Doe&#8221;) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.</p>
<p>The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit <a title="ISC.org" href="http://www.isc.org" target="_blank">Internet Systems Consortium</a> (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.</p>
<p>ISC President <strong>Barry Greene</strong> said the government was wary of removing the bot software from infected machines.</p>
<p>&#8220;They didn&#8217;t want to do the uninstall, just exit,&#8221; Greene said. &#8220;Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we&#8217;re doing until now.&#8221;</p>
<p>No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the <a title="Bredolab Mastermind Was Key Spamit Affiliate" href="http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/" target="_blank">Bredolab botnet</a> using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft <a title="Microsoft Hunting Rustock Controllers" href="http://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/" target="_blank">took down the Rustock spam botnet</a> by convincing a court to <a title="Homegrown: Rustock Botnet Fed by U.S. Firms" href="http://krebsonsecurity.com/2011/03/homegrown-rustock-botnet-fed-by-u-s-firms/" target="_blank">grant it control over both the botnet&#8217;s control domains</a> and the hard drives used by those control servers.</p>
<p><span id="more-9208"></span><strong>Andrew Fried</strong>, a botnet expert who runs <strong>Deteque</strong>, a security consultancy in Alexandria, Va., said the action was a long time coming, but he applauded the feds for making it happen. &#8220;We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods,&#8221; Fried said.</p>
<p>Greene said the job now falls to ISPs, security firms, and <strong>Microsoft</strong> to help clean up the pool of PCs that remain infected with Coreflood. Microsoft this week <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fAfcore" target="_blank">shipped an update</a> to remove Coreflood from Windows machines of users who take advantage of the <a title="Malicious Software Removal Tool" href="http://www.microsoft.com/downloads/en/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&amp;displaylang=en" target="_blank">Malicious Software Removal Tool</a>, an anti-malware tool offered through Windows Updates and Automatic Update that looks for and removes many families of infectious software.</p>
<p>Some readers may be alarmed by this news because they are wary of any government actions that involve access to individual computers. Wired.com&#8217;s <strong>Kim Zetter</strong> <a title="Wired.com on the Coreflood Takedown" href="http://www.wired.com/threatlevel/2011/04/coreflood/" target="_blank">writes</a> that the <strong>Electronic Frontier Foundation</strong> is uneasy with the government&#8217;s move, calling it &#8220;an extremely sketchy action to take.&#8221; However, as noted cybercrime expert <strong>Gary Warner</strong> points out in <a title="CyberCrime &amp; Doing Time" href="http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html" target="_blank">his blog</a>, the government is offering computer users affected by this week&#8217;s takedown the option to &#8220;opt out&#8221; of the terms of the temporary restraining order.</p>
<p>&#8220;The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood,&#8221; the FBI&#8217;s <a title="FBI Statement on Coreflood Action" href="http://www.fbi.gov/contact-us/field/new-haven-connecticut/" target="_blank">press release</a> states. &#8220;<strong>Identified owners of infected computers will also be told how to &#8216;opt out&#8217; from the TRO, if for some reason they want to keep Coreflood running on their computers.</strong>&#8221;</p>
<p><a href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html" target="_blank">U.S. Justice Department press release</a></p>
<p><a title="Coreflood Complaint - Source FBI" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_4.pdf" target="_blank">Coreflood Complaint (PDF)</a></p>
<p><a title="Coreflood Seizure Warrant (Source FBI)" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_2.pdf" target="_blank">Coreflood Seizure Warrant (PDF)</a></p>
<p><a title="Coreflood Temporary Restraining Order (Source: FBI)" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_5.pdf" target="_blank">Coreflood Temporary Restraining Order (PDF)</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Fallout from Recent Spear Phishing Attacks?</title>
		<link>http://krebsonsecurity.com/2010/12/fallout-from-recent-spear-phishing-attacks/</link>
		<comments>http://krebsonsecurity.com/2010/12/fallout-from-recent-spear-phishing-attacks/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 23:48:01 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Arc Worldwide]]></category>
		<category><![CDATA[Dan Goodin]]></category>
		<category><![CDATA[deviantART]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Gawker Media]]></category>
		<category><![CDATA[McDonald's]]></category>
		<category><![CDATA[Silverpop Systems]]></category>
		<category><![CDATA[spear phishing]]></category>
		<category><![CDATA[the register]]></category>
		<category><![CDATA[Walgreens]]></category>
		<category><![CDATA[William Rosen]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=7115</guid>
		<description><![CDATA[McDonald's and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of "spear phishing" attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.]]></description>
			<content:encoded><![CDATA[
<p><strong>McDonald&#8217;s</strong> and <strong>Walgreens</strong> this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of &#8220;spear phishing&#8221; attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/phished.jpg"><img class="alignright size-medium wp-image-3064" title="phished" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/phished-300x200.jpg" alt="" width="300" height="200" /></a>On Nov. 24, I published <a href="http://krebsonsecurity.com/2010/11/spear-phishing-attacks-snag-e-mail-marketers/" target="_blank">an investigative piece</a> that said criminals were conducting complex, targeted e-mail attacks against employees at more than 100 <a href="http://en.wikipedia.org/wiki/E-mail_service_provider" target="_blank">e-mail service providers</a> (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations. From that story:</p>
<blockquote><p>&#8220;The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.&#8221;</p></blockquote>
<p>Artist haven <a href="http://deviantart.com" target="_blank">deviantART</a> <a href="http://erictric.com/2010/12/14/devianart-email-database-got-hacked-too/" target="_blank">also disclosed</a> this week that its e-mail database &#8212; including 13 million addresses &#8212; had been hacked. deviantART blamed the breach on <strong>SilverPop Systems Inc.</strong>, an e-mail marketing firm with whom it partners.</p>
<p>McDonald&#8217;s said its data spill was due to hacked computer systems operated by an e-mail database management firm hired by its longtime business partner <strong>Arc Worldwide</strong>, a marketing services arm of advertising firm Leo Burnett. Contacted by phone, Arc Worldwide President <strong>William Rosen</strong> referred all questions to another employee, who declined to return calls seeking comment.</p>
<p>Walgreens didn&#8217;t name the source of the breach, but said it was due to &#8220;unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data.&#8221; Interestingly, Arc Worldwide stated in <a href="http://www.verticalnews.com/premium_newsletters/Marketing-Weekly-News/2009-08-15/5236AM.html" target="_blank">a July 27, 2009 press release</a> that Walgreens had chosen it as the promotion marketing agency of record.</p>
<p>As I was putting this blog post together, I read <a href="http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/" target="_blank">a story</a> by <em>The Register</em> reporter <strong>Dan Goodin</strong> that cited an FBI agent who tied a thread between all of the breaches. Goodin reported that FBI agents looking into the theft of customer data belonging to McDonald&#8217;s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based <a href="http://www.silverpop.com/" target="_blank">Silverpop Systems</a>. From that piece:</p>
<blockquote><p>“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI&#8217;s Atlanta field office, told <em>The Register</em>. “It appears to be emanating from an overseas location.”</p></blockquote>
<p>In other words, it&#8217;s fair to say we can expect plenty more of these disclosures in the days and weeks ahead. The other thing to keep in mind is that while the customer data at issue in these breach disclosures isn&#8217;t exactly super-sensitive &#8212; e-mail addresses and birthdays, for example &#8212; this information can enable skilled attackers to be more convincing in posing as the victim company in a bid to extract even more useful customer data, such as passwords. One need only look to <a href="http://lifehacker.com/5712785/" target="_blank">the recent breach</a> at <strong>Gawker Media</strong> &#8212; which exposed passwords and user names of 1.3 million users &#8212; to see how often users <a href="http://latimesblogs.latimes.com/technology/2010/12/gawker-websites-and-twitter-hacked-and-spammed-by-gnosis.html" target="_blank">recycle passwords</a> across a large number of Web sites.</p>
<p><strong>Update, Dec. 16, 5:01 p.m. ET:</strong> SilverPop CEO Bill Nussey has published <a href="http://www.silverpop.com/blogs/email-marketing/uncategorized/an-update-on-recent-events.html" target="_blank">a brief response</a> to the incident on the company&#8217;s blog.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/12/fallout-from-recent-spear-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
	</channel>
</rss>

