Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: kim zetter

    A Little Sunshine / The Coming Storm28 Comments
    14
    Apr 11

    U.S. Government Takes Down Coreflood Botnet

    The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.

    Sample network diagram of Coreflood, Source:FBI

    Sample network diagram of Coreflood, Source:FBI

    The target of the takedown was “Coreflood,” an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.

    Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in a 2008 story for The Washington Post, this is the same botnet that was used to steal more than $90,000 from Joe Lopez in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.

    By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by Joe Stewart, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.

    On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unknown (“John Doe”) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.

    The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit Internet Systems Consortium (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.

    ISC President Barry Greene said the government was wary of removing the bot software from infected machines.

    “They didn’t want to do the uninstall, just exit,” Greene said. “Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we’re doing until now.”

    No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the Bredolab botnet using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft took down the Rustock spam botnet by convincing a court to grant it control over both the botnet’s control domains and the hard drives used by those control servers.

    Continue reading →

    Other18 Comments
    28
    Jul 10

    Hacked Companies Hit by the Obvious in 2009

    As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from its contents.

    Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

    -Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs.  285 million in 2008).

    -85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

    -94 percent of compromised records were the result of breaches at companies in the financial services industry.

    -45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

    Among the most counter-intuitive findings in the report?

    There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

    “Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

    Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.

    Continue reading →

    A Little Sunshine / Web Fraud 2.014 Comments
    20
    Apr 10

    Call Centers for Computer Criminals

    A call service that catered to bank and identity thieves has been busted up by U.S. and international authorities. The takedown provides a fascinating glimpse into a bustling and relatively crowded niche of fraud services in the criminal hacker underground.

    In an indictment unsealed on Monday, New York authorities said two Belarusian nationals suspected of operating a rent-a-fraudster service called Callservice.biz were arrested overseas. Wired.com’s Kim Zetter has the lowdown:

    According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking “stand-ins” to help crooks thwart bank security screening measures.

    In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

    Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

    U.S. authorities have seized the Callservice.biz Web site, which now features the seals for the FBI and Justice Department prominently on its homepage. The feds also seized Cardingworld.cc, a highly-restricted online criminal forum where Callservice.biz was hosted.

    If you spend any amount of time on underground forums like Cardingworld.cc, however, you’ll quickly discover that these criminal call centers are among the most popular of fraud services offered. For example, another fraud forum — Verified.su — is home to a number of calling services. Among them are two competing call centers that each began as point-and-click fraud shops that helped customers purchase electronics with stolen credit cards and then split the profits after selling the goods on eBay.

    One such service, Atlanta Alliance, used to offer paying members a password-protected Web site where customers could select a range of high-priced gadgets — such as digital cameras, laptops and smart phones — that could be bought with stolen credit cards. The service even allowed customers to manage the shipment of these products to awaiting “reshipping mules,” individuals in the United States recruited for the purpose of receiving stolen goods and reshipping them to Russia, Ukraine and other nations where many vendors refuse to ship due to the high incidence of fraud from those areas.

    Continue reading →