A new service aims to be the Google search of underground Web sites, connecting buyers to a vast sea of shops that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools.

MegaSearch results for BIN #423953

A glut of data breaches and stolen card numbers has spawned dozens of stores that sell the information. The trouble is that each shop requires users to create accounts and sign in before they can search for cards.

Enter MegaSearch.cc, which lets potential buyers discover which fraud shops hold the cards they’re looking for without having to first create accounts at each store. This free search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.

According to its creator, the search engine does not store the compromised card numbers or any information about the card holders. Instead, it works with card shop owners to index the first six digits of all compromised account numbers that are for sale.  These six digits, also known the “Bank Identification Number” — or BIN — identify which bank issued the cards. Searching by BIN, MegaSearch users are given links to different fraud shops that are currently selling cards issued by the corresponding bank.

I first read about this offering in a blog post by RSA Fraud Action Research Labs. It didn’t take much time poking around a few hacker boards to find the brains behind MegaSearch pitching his idea to the owners of different fraud shops. He agreed to discuss his offering with me via instant message, using the search service as his screen name.

“I’m standing on a big startup that is going to be [referred to as] the ‘underground Google,’” MegaSearch told KrebsOnSecurity. “Many users spend a lot of time looking [through] shops, and I thought why not make that convenient?”

The service currently indexes compromised BINs from five different card shops, although he said several more shops are close to completing their integration with MegaSearch. He acknowledged garnering a small advertising fee for each relationship, although he repeatedly declined to discuss the particulars of those arrangements. But he said both sides benefit: stolen card data grows less reliable with age, and fraud shops that are indexed by MegaSearch stand a better chance of clearing their inventory faster, the hacker argues.

MegaSearch said that when his site first launched at the end of 2011 and began indexing the five card shops he’s now tracking, those shops had some 360,000 compromised accounts for sale, collectively. Since then, those shops have moved more than 200,000 cards. The search engine currently has indexed 352,000 stolen account numbers that are for sale right now in the underground.

According to BIN search stats published on the site, Citibank cards are the most sought-after, followed by cards issued by FIA Card Services, Capital One and Chase.

In the coming weeks, he said, the site will include new features that index other types of criminal wares, including Social Security numbers and proxies — addresses of hacked PCs that paying clients can use as a relay to anonymize their online communications.

“I’m about to add more services to that site that would help newbie underground, including proxies, stolen identity information, etc.,” MegaSearch told me. “I’m also going to add a survey [to rate] the best shop.”

2011 has been called the Year of the Data Breach. If services like MegaSearch are indicative of a trend, 2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.

Jobs in the hi-tech sector can be hard to find, but employers in one corner of the industry are creating hundreds of full-time positions, offering workers on-the-job training and the freedom to work from home. The catch? Employees will likely toil for cybercrooks, and their weekly paychecks may barely cover the cost of a McDonald’s Happy Meal.

Kolotibablo.com home page

The abundance of these low-skilled, low-paying jobs is coming from firms that specialize in the shadowy market of mass-solving CAPTCHAs, those blurry and squiggly words that some websites force you to retype. One big player in this industry is KolotiBablo.com, a service that appeals to spammers and exploits low cost labor in China, India, Pakistan, and Vietnam.

KolotiBablo, which means “earn money” in transliterated Russian, helps clients automate the solving of puzzles designed to prevent automated activity by bots, such as leaving spammy comments or mass-registering accounts at Webmail providers and social networking sites. The service offers an application programming interface (API) that allows clients to feed kolotibablo.com CAPTCHAs served in real time by various sites, which are then solved by KolotiBablo workers and fed back to the client’s system.

Paying clients interface with the service at antigate.com, a site hosted on the same server as kolotibablo.com. Antigate charges clients 70 cents to $1 for each batch of 1,000 CAPTCHAs solved, with the price influenced heavily by volume. KolotiBablo says employees can expect to earn between $0.35 to $1 for every thousand CAPTCHAs they solve.

The twin operations say they do not condone the use of their services to promote spam, or “all those related things that generate butthurt for the ‘big guys,’” mostly likely a reference to big free Webmail providers like Google and Microsoft. Still, both services can be found heavily advertised and recommended in several underground forums that cater to spammers and scam artists.

Registered antigate.com users can read more about why customers typically purchase the service, and how KolotiBablo is run. From the description:

“All CAPTCHAs in our service are completely solved by real humans, there are usually 500-1000 (and growing) workers online from all the world. That’s why we can process any CAPTCHAs at any volume for a fixed price $1 per 1000 CAPTCHAs.

You may probably think that using human resource inappropriate or inhumane. However, keep in mind that we pay the most of collected money to our workers who sit in the poorest corners of our planet and this work gives them a stable ability to buy food, clothes for themselves and their families. Most of our staff is from China, India, Pakistan and Vietnam.”

To get started as a CAPTCHA-solving worker at Kolotibabo.com (pictured at left), you’ll need to provide a working account at WebMoney, a virtual currency. After that, the system will start feeding you live CAPTCHAs to solve, prefacing each with an notice about the rate that the client has agreed to pay per batch.

Depending on the demands that clients place on the service, there may be a brief delay between CAPTCHAs, but generally only a few seconds pass between the time a solved puzzle is submitted and when a new one is offered. Each new puzzle is preceded by an audible “beep,” and workers are expected to solve and type each of the CAPTCHAs in less than 10 seconds. During downtime, the system displays workers’ average puzzle solving times, as well as actual and projected weekly earnings.

If sort of drudgery sounds like easy money, take a moment to work out the math. Assuming that you can solve six CAPTCHAs per minute and work eight hours straight, you’d be able to solve about 2,880 puzzles each day. Even at the highest CAPTCHA solving rate, you’d only make $2.88 daily; at the lowest rate, you’d make just over a dollar a day.

No, the real earnings only come when you assemble an army of workers to solve CAPTCHAs for your WebMoney account, as described by this FAQ at KolotiBablo.com.

As long as there is low-cost human labor willing to do this kind of work for pennies per day, CAPTCHAs will continue to be an ineffective way to prevent automated account creation and spammy Web site comments. But at least experts are working on making CAPTCHAs less annoying: Some firms are starting to pitch more user-friendly alternatives to the hard-to-read squiggly CAPTCHAs.

If you’d like to learn more about CAPTCHAs and the semi-automated systems being built to defeat them, I’d suggest reading this paper (PDF) on CAPTCHA-solving services, from researchers at University of California, San Diego. Also, in Nov. 2010, I wrote about CAPTCHABot, another puzzle-solving service with similar rates and practices.

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

ICQ 360000 (alias “SPM”): I want my logo to be next to yours on the forum.

Stupin: Understood.

SPM: Let’s decide.

Stupin: We can think of something.

SPM: Let’s do it. Fakir suggests that I start recommending your partnerka to my clients. I am not against that.

SPM: But I want to have the status of official software for spamdot. It will come to it, since majority of moderators on the forum are with me already.

Stupin: We can think of something like this  – we are placing your logo with ours,  in return you add our logo to your software, like you are recommending us.

SPM: Not a problem. I am leaving to draw the logo.

SPM: Give me a piece of the header, and I will draw right on it. I mean the header for the forum.

Stupin: Wait,  it cannot be decided that fast,  I need to discuss it with my partner and simply think all of this over.

SPM: Fine. Let me know when you discuss it.

Stupin: Certainly.

SPM: Thanks in advance. And when you are discussing this matter with your partner, let him know, that SPM’s plan is to become the ONLY system on the market, and I stay by my words

Stupin: Google is saying the same thing

SPM: Google is no match, believe me. I’ve already destroyed one competitive system on the market. So I have the experience

SPM: Google offered me a bribe for my going out of business That’s his method )

Stupin: Honestly, it’s more pleasurable to deal with you than with him.

SPM: I was surprised that someone is competing with me on spam soft market.  On the other hand, competition is always a good thing. So I am not against it.

The exchange above is part of a much longer conversation thread that is translated and reproduced in its entirety at this link. It recounts how SpamIt administrators debated and ultimately acquiesced to SPM’s demands, and how they later distanced themselves from Srizbi when security researchers turned up the heat on the criminal operation.

WHO IS SPM?

Clues about the identity and location of SPM are all over the SpamIt database and the chats. When SPM first registered with SpamIt in early 2007, he provided the email address mserver@mail.ru, and of course the ICQ address 360000. Early forum posts show that SPM rented his Reactor/Srizbi botnet to spammers who would log in to their accounts at reactormailer.com. The original Web site registration records for that domain list the same email address SPM provided to SpamIt: mserver@mail.ru.

When reactormailer.com was shuttered, SPM moved operations to www.reactor2.com, a domain originally registered to ronnich@gmail.com. SpamIt affiliate records show that a spammer who registered in 2007 with that same email address was a referral of SPM’s. Records also show that SPM referred at least two other affiliates, a “nenastnyj” who used the email address nenastnyj@gmail.com, and a programmer who used two accounts under separate nicknames, “Vladie” (volodyja@gmail.com) and “SigmaZ” (vlaman@gmail.com).

These names show up in an insightful analysis of Srizbi published in 2007 by Joe Stewart, senior security researcher at Atlanta-based SecureWorks. That report was prompted in part by a strange blast of spam sent via Srizbi that promoted the presidential candidacy of Texas Congressman Ron Paul.

Stewart wrote:

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm” He calls his company “Elphisoft,” and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true; by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj.”

So Stewart’s conclusions about SPM’s business associates seem to have been spot-on. But what about SPM? Some of the more promising leads come from the spam king himself. As Stewart noted, SPM gave an interview in Jan. 2007 with the storied Russian hacker magazine Xakep.ru, in which he discusses how his Reactor Mailer botnet — “wholly owned” by him but built with the help of “some of the best coders from the former Soviet Union” –  had recently seized a quarter of the market for spam services. Early in the profile, SPM says he is the “owner of a company producing game software.”

The game company lead is the most tantalizing. Here’s why: Googling around for SPM’s ICQ — 360000 — I discovered that SPM has indeed been developing freeware games for many years. At freeware.ru, there are a number of games posted by a guy named Philipp Pogosov, who uses that same ICQ and the mserver@mail.ru address.

Things started really heating up when I located this thread from 2005 on the user forum of UCA Networks, an Internet service provider serving the Southwestern and Southern districts of Moscow. In it, a user named “spm” says he is selling his 2001 BMW 530ia. SPM tells interested buyers to contact him at ICQ 360000, and that pictures of the car are available at http://www.reactor2.com/bossmobile. Later in the thread, SPM tells a fellow forum member to send his resume to game@gameprom.com.

I had a look at Gameprom, which seems to be doing very well developing and selling video games for mobile devices. Russian incorporation records show that Gameprom was founded in 2004 and is owned by Philipp Pogosov. This is also the name on the domain registration records of gameprom.com. What is the email address used to register gameprom.com? You guessed it: mserver@mail.ru.

I made several unsuccessful attempts to contact Mr. Pogosov. Gameprom did not respond to requests for comment. Having no luck with email, I turned to social networking sites. LinkedIn.com includes 19 users who list their current or former employer as Gameprom, including a “Philipp P.” who is listed as the company’s owner. My attempts at convincing two of my mutual LinkedIn.com connections to introduce me to Pogosov failed, but I did learn one interesting thing from his LinkedIn profile: He is apparently based in Thailand.

If Pogosov really is SPM, then it seems he has resided in Thailand for several years. Earlier in my Pharma Wars series, I detailed the activities of Cosma — the top SpamIt affiliate who appears to have been responsible for a botnet that competed directly with SPM’s – Rustock.. In a chat between Cosma and Stupin on Oct. 1, 2008, Cosma jokes that he may soon be making enough money spamming that he can ditch his day job and go join SPM in Thailand. Here’s a snippet from that chat:

ICQ 761474 (alias=Cosma): When we reach $6-7k a day, I will leave you alone….I will go to SPM in Thailand and will drink cognac with him all day long =)

REACH OUT AND SPAM SOMEONE

It’s not clear why SPM left SpamIt, but it may have been because his botnet got clobbered in a double-whammy. First, the takedown of cybercriminal hosting hub McColo kneecapped Srizbi for a few weeks because all of its control servers were hosted there. Srizbi briefly recovered in Feb. 2009, only to be hammered again by Microsoft, which pushed out an update to its malicious software removal tool that uninstalled Srizbi from Windows PCs.

There is a year-long gap in the chat records between Stupin and SPM during 2009. When SPM does turn up again early 2010, it’s to pitch an ambitious scheme to spam mobile phones with text message ads for SpamIt’s rogue pharmacies.

The following chat was recorded on Jan. 24, 2010, roughly 9 months before SpamIt’s demise:

ICQ: 635635 alias “Namaste”: Hi. This is SPM. What’s new in the community?

Stupin: Nothing new. Everything repeats itself.

SPM: That’s the law of life.  How’s business?

SPM: Am I interrupting something?  I can knock later if I am.

Stupin: No, you are not interrupting. Business is going fine. It’s going and growing.

SPM: There are a couple of ideas to discuss. Idea 1) In short – I can do SMS spam. It is serious, many and fast. I believe the friends of ours told you about that already.

SPM: Maybe not.

Stupin: I am very happy for you.

SPM: In other words, you are not interested in using SMS for SpamIt spam?

Stupin: Well, I have not really heard an offer from you.

SPM: Well, we can produce an offering together. I do not have a finished offer yet. Simply, there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second. Any provider. Inbox delivery – 80%, but outcome cannot be predicted by anyone, since, as far as I know nobody has been doing SMS spam yet.

Stupin: Well, go get our URLs and try.

SPM: We’ll need a version of your shops adapted for smartphones. With limited graphics.

Stupin: They are adapted automatically, using User-Agent.

SPM: Give me any link, and I will check on the phone.

Stupin: http://canadian-medshop.com

SPM: Do you have stats of connections to shops from smartphones?

Stupin: Yes, a small percent from overall traffic.

SPM: What kind of phones? Do you have this information?

Stupin: No surprises…iPhones, and Blackberry

SPM: How about Nokias?

Stupin: Very few.

SPM: Inconvenience that URL should be entered manually, but on the other hand – Inbox 80%….

Stupin: Databases are not targeted also, as far as I understand.

SPM: Surely, but on the other hand, there is a possibility to spam the entire provider’s space.

Stupin: Ask some hackers to give you a phone listing generated from an on-line pharmacy.

SPM: I thought about it. Is my account still alive? I forgot my password.

Stupin: Tell us login and which new password you want us to set.

SPM: spam101

Stupin: Okay.

SPM: Does your pharmacy serve Russia?

Stupin: No.

SPM: Pity. Our providers are very easy to harvest. All three of them.

Stupin: Password is done.

Stupin: Tell us if everything is okay.

SPM: Everything is okay. My GOD, there is even some money there Will you send to my WM?

Stupin: Yes. Let support know, if you need domains,  we can leave one theme for smartphones,  similar to what we have here: http://www.medshop.mobi

Previous stories in my Pharma Wars series have identified top kingpins behind the some of the biggest spam botnets. Today’s post does that and more, including never-before-published information on “Google,” the lead hacker behind the world’s busiest spam botnet — Cutwail.

December 2011 spam stats from M86Security

For many years, Cutwail has been among the top three most prolific spam botnets. With the recent takedown of the Rustock botnet, Cutwail now is the top spam bot; according to M86 Security, versions of Cutwail are responsible for about 22 percent of the daily spam volumes worldwide.

Security researchers have extensively dissected the technical machinery that powers Cutwail (a.k.a. “Pushdo” and “Pandex”), but until now little has been published about the brains behind it. Krebs On Security has learned that the individual principally responsible for developing and renting this crime machine to other miscreants was a top moneymaker for SpamIt, until recently the world’s largest rogue Internet pharmacy affiliate program.

By the time he joined SpamIt in early 2007, the hacker named Google had already spent several years fine-tuning his spam botnet. Just months prior to its closure in Oct. 2010, SpamIt was hacked, and its customer and affiliate data leaked online. The data shows that Google used close to a dozen affiliate accounts at SpamIt, and made nearly $175,000 in commissions advertising SpamIt’s rogue online pharmacies with the help of Cutwail.

But Google would make far more money renting his botnet to other spammers, and SpamIt affiliates quickly became his biggest client base. Interestingly, the proprietors of SpamIt initially asked for Google’s help not to spam rogue pharmacies, but to jump-start a new affiliate program called Warezcash to sell “OEM” software — mostly pirated copies of Microsoft Windows and other high-priced software titles.

That relationship is evident from hundreds of chat logs between Google and SpamIt co-founder Dmitry “Saintd” Stupin. The conversations were part of thousands of hours of logs obtained by Russian cybercrime investigators who examined Stupin’s computer. The chats were later leaked online, and provide a rare glimpse into the day-to-day operations of Cutwail from the botmaster’s perspective. They also provide tantalizing clues as to the real-life identity of Google and his co-workers. Snippets of those conversations appear below, translated from their original Russian into English by native Russian speakers.

THE CUTWAIL MACHINE

Some of the best techical analysis of Cutwail came earlier this year in a paper from researchers at the University of California, Santa Barbara and Ruhr-University Bochum, which described in detail how the Cutwail botnet was operated, rented and promoted on the exclusive SpamIt forums. From their paper (PDF):

“The Cutwail spam engine is known in spam forums by the name 0bulk Psyche Evolution, where it is rented to a community of spam affiliates. These affiliates pay a fee to Cutwail botmasters in order to use their botnet infrastructure. In return, the clients are provided with access to a Web interface (available in Russian or English language) that simplifies the process of creating and managing spam campaigns…”

SpamIt affiliate records show that Google registered with the program using the email address psyche.evolution@gmail.com (according to historical WHOIS records, the domain name psyche-evolution.com was registered in 2005 by that same email address, to an organizations called “0bulk corp.” in Moscow).

In several chats with Stupin, Google describes how he and his pals switched to pharmacy spamming when promoting stocks via spam became less lucrative. In a discussion on Feb. 25, 2007, Google said he was “renting software for spam,” to competing spam affiliate programs “Mailien,” “Bulker,” and “Aff Connection,” and that all of his clients had great success converting traffic into sales. “We have been spamming stocks, however now stocks started converting badly, so we decided to spam in parallel with some affiliate programs. We organized people, gave them tasks to do. We’ve been spamming them for a week only, but I think we’ll do good.”

From a chat dated August 16, 2007, Google explains how to use the Cutwail botnet:

1) Access to the interface: http://208.72.173.10:3571/login.cgi

2) Stats and loader: http://208.66.194.231:3081/ldr/vn.cgi

3) Manual about our software: http://208.72.173.10:3571/man.cgi

4) Technical support contacts/Personal ICQ addresses for support:

198922489 – Psyche Support 1

468559240 – Psyche Support 2

481896712 – Psyche Support 3

353149439 – Psyche Sypport 4

5) Contact of Manager:  He handles questions about payments and all non-technical questions, also questions regarding complaints about the software and technical support, ICQ: 43266131

6) Technical support forum: http://psychetalk.com, Login  saintd, Password: VeryNice

Google’s alliance with SpamIt would quickly cement the Cutwail botnet as a top contender. On Sept. 7, 2007, Google bragged to Stupin that his malware had “made it to #14″ on Kaspersky’s most prevalent malware threats, pasting this link into the conversation. Kaspersky Labs confirmed that the Trojan Downloader.Win32.Agen.brk listed at #14 in that index is one of the aliases for a downloader Trojan used to deploy Cutwail.

GOOGLE’S IDENTITY REVEALED?

According to the Stupin logs, the SpamIt administrators worried that Google would not be mature enough to handle such a big operation, noting in one chat that Google was said to be only about 25 years old. Shortly after that conversation, on May 14, 2007 Stupin and Google agreed to hold a face-to-face meeting in Moscow to discuss the Warezcash OEM partnership. In that chat, Google asks Stupin to call him on his mobile number, which he gives as +7-916-4444474.

That same phone number is tied to the historic Web site registration records for several domains, including  antirootkit.ru, einfinity.ru, electronicinfinity.ru, hoha.ru, lancelotsoft.com, and ssbuilder.ru. In each record, the name of the initial registrant is “Dmitry S Nechvolod,” and the contact phone number is +7-916-4444474.

According to the Web site of Russian software firm Digital Infinity Developers Group (the search engine Google currently flags diginfo.ru as malicious), Nechvolod is part of a team of developers, and is described as an “administrator of UNIX-based systems (ATT/BSDi),” an “administrator of Cisco routers,” and “a specialist in information security software.”

It’s unclear whether Nechvolod is Google’s real name, a pseudonym, or merely clever misdirection to implicate someone else. But there are other interesting connections: spam.hoha.ru was at one point listed as a reliable place to rent mass spam campaigns, at least according to several members participating in this Russian Webmaster forum discussion.

Probably the best clue in support of a connection between Google and Nechvolod comes from the payment data that Google himself provided to SpamIt. Google asked SpamIt administrators to send his affiliate payments via WebMoney, a virtual currency that is quite popular in Russia and Eastern Europe. He requested that his commissions be paid to the WebMoney purse Z046726201099. According to a source that has the ability to look up identity information tied to WebMoney accounts, the personal information provided when this account was opened in 2004 was:

Нечволод Дмитрий Сергеевич (“Nechvolod Dmitry Sergeyvich”)

•  Passport  – 4507496669
•  Date of Issue (ММ/DD/YYYY) – 7/23/2004
•  Place of Issue – Moscow/Russia
•  Issued – ATS District Cheryomushki
•  Date of birth (as on passport) – July 9, 1983
•  E-mail – wm.lancelot@gmail.com
•  Telephone – +7 9164444474

Another strong link provided by Google (the search engine Google, not the spammer) stems from one of the domains registered to Nechvolod — einfinity.ru. In 2006, a Stanislav representing himself as a job recruiter for a company called “E-infinity” posted a message to the Russian programmer forum Delphimaster.net that he was seeking UNIX programmers for work at an E-infinity office in Moscow. Stanislav asked interested applicants to contact him at ICQ number 903445.

The Diginf.ru Team

SpamIt affiliate records show that in Sept. 2007, a new spammer signed up with the usernames Feligz/Eagle providing the email address maravanio@gmail.com and ICQ 903445 as his contact information. Stupin’s ICQ chat logs show that on Sept. 3, 2007, Stupin contacted Google’s manager (ICQ 43266131, see above) about an urgent problem, complaining that he was unable to reach Google or two of Google’s usual support personnel by ICQ or by phone. The manager says he will try to get in touch with the technical director within Google’s operation, a hacker who uses the screen name Eagle. Minutes later, Stupin receives an instant message from Eagle, who is using the ICQ number…wait for it….. 903445.

Remember the page at Diginf.ru referenced above that lists Dmitry Nechvolod as a system administrator? That same page lists a Stanislav Kuznetsov as another team member. What is Stanislav’s email? Eagle@diginf.ru.

CRIMEWARE EVOLUTION

For a variety of reasons, spam is not nearly as prevalent as it once was. According to a recent report (PDF) from Symantec, just 70 percent of email sent worldwide was spam in November 2011, the lowest rate since the rogue ISP McColo was shut down in late 2008. At that time, about 90 percent of email was junk.

Cutwail may have begun as a popular vehicle for sending male enhancement and OEM software spam, but in recent years it has morphed into a major spam cannon for malicious software. These days it seems more often involved in sending emails that try to trick recipients into opening malware-laden attachments, most often variants of the ZeuS and SpyEye trojans.

Information obtained by KrebsOnSecurity.com shows that as early as 2009, Google’s botnet was hired by a Ukrainian cyber fraud gang known as the JabberZeuS crew to help spread malicious emails that the gang used to conduct a number of lucrative cyber heists.

More recently, Cutwail has been seen sending out malicious spam campaigns with a variety of themes such as airline ticket orders, wayward Automated Clearing House (ACH) payments, Facebook notifications, and scanned documents. On Dec. 19, Microsoft warned about a Cutwail campaign that was blasting out ransomware attacks that used information about the recipient’s geographic location to tailor the email lure, which spoofed various national law enforcement organizations and warned victims that they were being investigated for possessing child pornography.

Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws.

Facebook's Bug Bounty debit card for security researchers who report security flaws in its site and applications.

I first read about this card on the Polish IT security portal Niebezpiecznik.pl, which recently published an image of a bug bounty card given to Szymon Gruszecki, a Polish security researcher and penetration tester. A sucker for most things credit/debit card related, I wanted to hear more from researchers who’d received the cards.

Like many participants in Facebook’s program, Gruszecki also is hunting bugs for other companies that offer researchers money in exchange for privately reporting vulnerabilities, including Google, Mozilla, CCBill and Piwik. That’s not to say he only finds bugs for money.

“I regularly report Web app vulnerabilities to various companies [that don't offer bounties], including Microsoft, Apple, etc.,” Gruszecki wrote in an email exchange.

The bug bounty programs are a clever way for Internet-based companies to simultaneously generate goodwill within the security community and to convince researchers to report bugs privately. Researchers are rewarded if their bugs can be confirmed, and if they give the affected companies time to fix the flaws before going public with the information.

As an added bonus, some researchers — like Gruszecki — choose not to disclose the bugs at all.

“My rule #1 as participant of bug bounties: Don’t tell details about reported bugs,” he replied, when asked about the details behind his most recent Facebug find. “This is my personal decision, but perhaps in the future I change my mind. So I prefer to fix the bugs silently, but it’s nice that they can mention about me by putting my name on their White Hat list.”

Gurszecki said that as cool as the White Hat card is, he has asked Facebook to send his earnings another way, saying that using the card carried too many fees in his country.

“I have found the card is too expensive to use in Poland, and chose another way to get my reward,” he said. “The Facebook team sent me the card only as a souvenir.”

Neal Poole, a junior at Brown University, has reported close to a dozen flaws to Facebook, and also recently received a White Hat card. Poole has earned cash reporting flaws to Google and Mozilla, but unlike Gruszecki he blogs about each vulnerability he finds after they are fixed, detailing every step of his discovery and interaction with the affected vendor.

Poole’s research and diligent write-ups eventually caught the attention of Facebook’s recruiters: Next summer, he’ll be interning at Facebook, working directly with the company’s security team.

The New York native welcomed the bug bounty card, which makes it a bit easier to get paid. Initially, he’d asked to be paid via Western Union, but he ended up having the payment sent via PayPal. Now he just takes the card into JP Morgan Chase (the issuer of the card) and has them dump the cash into his bank account. “It was a little confusing at first for the people at my bank. They’d never seen one of these cards before.”

The young researcher said although the White Hat card definitely carries some geek cred, he won’t be flashing it at security conferences to buy drinks for his contemporaries anytime soon.

“I don’t think I’d want to use card like that at [hacker conventions like] Black Hat or DefCon,” Poole said. “It’d probably get cloned, or I’d feel like if you pulled out the card it you would immediately become a target.”

Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Screenshot of the image Google is displaying to notify users of infected PCs.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.

Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.

Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution I highlighted in a February blog post.

To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author –blogger Mila Parkour — first wrote about these attacks almost four months ago.

Most of targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word.  This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page also was custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available at this link that shows the exact attack, except populated with “JDoe” in the username field.

Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.

Along these lines comes a blog post today from security vendor Trusteer, which warned that scam artists are once again using cleverly disguised LinkedIn invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the Blackhole Exploit Pack, which tries to silently install a copy of the ZeuS trojan by heaving a kitchen sink full of browser exploits at visitors.

The image below, taken from Trusteer’s blog, shows the booby-trapped LinkedIn request on the top; the image below is what a legitimate LinkedIn request looks like. Would you have been able to tell them apart?

Image courtesy Trusteer

Here are a few simple tips that can help you avoid becoming the next victim of these attack methods:

• Keep your software up-to-date. Legitimate, high-traffic Web sites get hacked all the time and seeded with exploit kits. Take advantage of programs like Secunia’s Personal Software Inspector or Filehippo’s Update Checker to stay abreast of the latest security updates.
• Be extremely judicious about clicking links in emails. Try to avoid responding to invites by clicking links in emails. I notice that Twitter has now started sending emails when someone re-tweets your posts: Avoid clicking on those as well. It’s safest to manage these accounts by visiting the sites manually, preferably using a bookmark as opposed to typing these site names into a browser address bar.
• Pay close attention to what’s in the address bar: Checking this area can prevent many email-based attacks. Staying vigilant here can also block far more stealthy attacks, such as tabnabbing.
• Consider using an email client, such as Mozilla’s Thunderbird, to handle your messages. It’s a good idea to have emails displayed in plain text instead of allowing HTML code to be displayed in emails by default.

Microsoft has fingered  a possible author of the late Rustock spam botnet – a self-described software engineer and mathematician who aspired to one day be hired by Google. Microsoft has apparently allocated significant resources to finding the author, but has not been able to locate him.

Rustock remains dead, but Microsoft is still on the hunt for the Rustock author. In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers,  and confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin. Microsoft also mentioned another suspect, “Cosma2k,” possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. Microsoft said it is continuing its investigation of these names, to determine whether additional contact information can be identified and to which notice and service can be effected.

To help in the hunt, I hereby offer some details about him.

Microsoft helped to dismantle Rustock in March after a coordinated and well-timed “stun” targeting the spam botnet’s infrastructure, which was mainly comprised of servers based in U.S. hosting facilities. Two weeks after that takedown, I tracked down a Web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author. That reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators I spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin. By consulting a leaked database I obtained last year of the top earners for Spamit.com — at the time the world’s largest rogue online pharmacy network — I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates.

The information from the reseller and from the Spamit database traced back to a Spamit affiliate who used the pseudonym “Cosma2k.” The email address tied to that Cosma2K account was “ger-mes@ger-mes.ru”. When I came into possession of the Spamit.com data back in August 2010, the site ger-mes.ru was still responding to requests, and the homepage presented some very interesting information. It included a job résumé, underneath a picture of a young man holding a mug. Above the image was the name “Sergeev, Dmitri A.” At the very top of the page was a simple message: “I want to work in Google.” Beneath the résumé is the author’s email address, followed by the message, “Waiting for your job”!

Here is the complete page and résumé, in case anyone wants a closer look at this Belorussian-educated job seeker. I shared the information with Google in August 2010, to find out if they’d received a job application from this person, or if they’d considered flying him to Mountain View, Calif. for an interview. I still don’t have an answer to either question. I shared this same information with Microsoft in March.

Microsoft seems determined to bring the Rustock malefactors to court. Maybe the mug shot in this résumé will help to identify at least one of them.

Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

The company says it is in the process of churning out a fix for the problem, which should be available during the week of March 21.

For those readers wondering whether the security fortifications built into Reader X block this attack, Adobe says you will have to take their word for it:  “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.”  Brad Arkin, senior director of product security and privacy for Adobe, said in a blog post that providing an out-of-cycle update for Adobe Reader X would have delayed the current patch release schedule by about another week.

Now is a good time to point out that the “Noscript” plugin for Firefox will block Flash on sites that you have not specifically allowed to load Flash files. If you are looking for alternative PDF readers, there are several.

In other news, Google said Friday that it is seeing some highly targeted and apparently politically motivated attacks against users that abuse a publicly-disclosed vulnerability in Internet Explorer. Microsoft has not issued an official patch for this IE flaw yet, but if you browse the Web with IE, it would be a great idea to take advantage of the FixIt tool that Microsoft has made available to blunt the threat from this vulnerability.

Stolen or easily-guessed passwords have long been the weakest link in security, leaving many Webmail accounts subject to hijacking by identity thieves, spammers and extortionists. To combat this threat on its platform, Google is announcing that starting today, users of Google’s Gmail service and other applications will have the option to beef up the security around these accounts by adding one-time pass codes sent to their mobile or land line phones.

For several months, Google has been offering this option to business customers and to “hundreds of thousands” of regular users who lost control over their accounts due to password theft, said Nishit Shah, product Manager for Google Security. Today, Google will begin rolling this feature out to all users, although it may be available to all users immediately, Shah said.

“It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone,” Shah wrote in a blog post published today. “A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘Remember verification for this computer for 30 days’ option, and you won’t need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”

I set up the 2-step verification process for my Gmail account, and found the process to be quick and painless, if a little involved. I choose to set it up to call my Skype line and read the code aloud, and the call came in three seconds after I hit the submit button. The setup wizard then gave me 10 backup codes to use in cases when for whatever reason I don’t have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.

A final page warned that “Google has detected that you need to create application-specific passwords” to use applications like mobile Gmail, desktop Picassa or AdWords editor. I skipped this step because I don’t use those services, but was confused by the prompt that said “Your two-step verification settings have not changed.” When I went back again and ran through all the setup options, Google’s system did not prompt me to add the application specific codes, but instead gave a page with a button to “turn on 2-step verification”, which signed me out of my Gmail and then called me with the one-time code. At the corresponding login page, the option to “Remember this computer for 30 days,” was pre-checked.

This feature is undoubtedly a useful tool for securing accounts; the challenge will be making users aware of the option. For now, the option to enable it is tucked inside of the “user settings” panel in Gmail, an area into which many users probably never venture. And to be sure, many users probably will end up locking themselves out of their accounts, despite the availability of multiple means of obtaining a secondary code that Google has offered. On top of that, threats to mobile devices or cleverly-designed social engineering attacks could still trick users into giving away the codes.

Still, the 2-step verification process is more robust than many banks are offering their customers for online authentication these days. Given the epidemic of commercial and consumer e-banking account takeovers aided by password theft, it would be nice to see financial institutions taking a cue from Google’s offering.