Posts Tagged: webmoney


20
Dec 13

Cards Stolen in Target Breach Flood Underground Markets

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

targetgoboom

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Continue reading →


26
Nov 13

An Anti-Fraud Service for Fraudsters

Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.

One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some business employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.

The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

This fraudster-friendly antifraud service does the following analysis:

  • Queries the geo-IP location from four distinct sources;
  • Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
  • Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy).
  • Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest)

The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).

As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.

Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.

Continue reading →


20
Oct 13

Experian Sold Consumer Data to ID Theft Service

An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

superget.info home page

superget.info home page

In November 2011, this publication ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.

Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.

That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.

Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.

Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.

THE ROLE OF EXPERIAN

In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.

Martin said he first learned of the ID theft service after hearing from a U.S. Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.

The "sourceid" abbreviations pointed toward Court Ventures.

The “sourceid” abbreviations pointed toward Court Ventures.

While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”

Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian acknowledged the broad outlines of Martin’s story and said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service. Their statement is as follows:

“Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice.  Experian’s credit files were not accessed.  Because of the ongoing federal investigation, we are not free to say anything further at this time.”

Continue reading →


19
Jul 13

Styx Crypt Makers Push DDoS, Anti-Antivirus Services

I recently published a piece that examined the role of several Ukrainian men likely responsible for making and marketing the Styx Pack malware exploit kit. Today’s post will show how this same enterprise is linked to a DDoS protection scheme and a sprawling cybercrook-friendly malware scanning service that is bundled with Styx-Crypt.

Anonymous antivirus scanning service -- captain-checker[dot]com -- bundled with the Styx exploit pack.

Anonymous antivirus scanning service — captain-checker.com — bundled with Styx.

As I noted in a graphic accompanying a July 8 analysis of Styx, the $3,000 exploit pack includes a built-in antivirus scanning service that employs at least 17 antivirus products. The scanning service is “anonymous,” in that it alerts Styx customers whenever one of the antivirus tool detects their malware  as such, but the service also prevents the antivirus products from reporting home about the new malware detections.

When Styx customers click on one of these malware scanning reports from within the Styx pack panel itself, the full scanning results are displayed in a new browser window at the domain captain-checker[dot]com (see screenshot above). The Styx panel that I examined earlier this month was based at the Internet address 5.199.167.196, and was reachable only by appending the port number 10665 to the numeric address. At first, I thought this might be a standard port used by Styx installations but that turns out not to be the case, according to interviews with other researchers. I didn’t realize it at the time, but now I’m thinking it’s likely that the panel I examined was actually one run by the Styx Pack curators themselves.

I discovered that although captain-checker[dot]com is hosted at another address (46.21.146.130), it also had this 10665 port open. I noticed then that captain-checker shares that server with 12 other Web sites. All of those sites also respond on port 10665, each revealing a captain-checker login page. Among the 12 is uptimer[dot]biz, one of two sites that led to the identity of Alexander “Nazar” Nazarenko — one of the main marketers and sellers of Styx pack.

styx-reality7-mapNot only are all of these sites on the same server, an Nmap scan of these systems shows that they all are on the same Windows workgroup — “Reality7.” This dovetails nicely with the other domain that I noted in that July 10 story as tied to Nazarenko — reality7solutions[dot]com.

Many of the other domains on the server (see graphic to the left) use some variation of the word “wizard,” and share a Google Analytics code, UA-19307857. According to SameID.net, this code is embedded in the homepage for at least 38 different Web sites.

In my previous story on Nazarenko and his Styx Pack business partner — Max “Ikar” Gavryuk —  I noted that both men were advertising “Reality Guard,” a service to help protect clients from distributed denial-of-service (DDoS) attacks designed to knock sites offline. I had a closer look at their site — reality-guard[dot]com — and learned several interesting things: For starters, the site also responds with a captain-checker[dot]com login page when you append “:10665″ to the domain name. It also is on a Microsoft Windows workgroup called “Reality7″. Finally, the reality-guard[dot]com home page includes an icon for virtual currency Webmoney that when hovered over pops up Nazar’s Webmoney account (someone changed the name on this account from “Nazar” to “Lives” within hours after my July 10 story on the Styx Pack purveyors).

Continue reading →


10
Jul 13

Who’s Behind The Styx-Crypt Exploit Pack?

Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, I’ll be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.

styxlogoAs I noted in Monday’s story, what’s remarkable about Styx is that while most exploit kits are sold on private and semi-private underground forums, Styx has been marketed and sold via a regular Web site: styx-crypt[dot]com. The peddlers of this service took down their site just hours after my story ran, but versions of the site cached by archive.org hold some important clues about who’s responsible for selling this product.

At the bottom of the archived styx-crypt homepage, we can see two clickable banners for an account at virtual currency Webmoney to which potential customers of Styx will need to send money in order to purchase a license for the software. The Webmoney account #268711559579 belongs to a Webmoney Purse number Z268711559579. Follow that link and you’ll see that the registered username attached to that purse is “Ikar.” If we look closer we can see that Ikar’s Webmoney purse is connected to another purse at Webmoney account 317426476957, which is this purse belonging to a user named “Nazar.” (Update: July 11, 10:14 p.m.: Both Ikar and Nazar changed the names on their Webmoney accounts after this story ran. Thankfully, archive.org cached the old data. The links to the purses above have been changed accordingly.)

Both Ikar and Nazar are nicknames that were used in Styx sales threads on several underground forums, including damagelab[dot]org, secnull[dot]cc and antichat[dot]ru. In these threads, Ikar used the contact address “ikar@core.im“, while Nazar listed “nazar@hush.ai“. Both addresses are associated with forum accounts named “Ikar” and “Renzor” (for examples, see this cached, Google-Translated page from Renzor’s account on antichat.ru, and this cached page from secnull[dot]cc). Nazar’s address is linked to a “Max Lighter” profile on Facebook, but not much more information is available on that profile.

reality7solutions.com

reality7solutions.com

Ikar@core.im doesn’t appear to be connected to anything special, but Nazar’s address was used as the point-of-contact in registering two very interesting domains: reality7solutions.com and uptimer.biz. Looking at the familiar wormhole-like squiggly at the top of reality7solutions.com, I noticed it was very similar to the rotating icon (youtube.com video) used by the Styx pack.

Reality7solutions.com’s homepage lists an address in the United States for a company called EPAM Systems, which according to the business directory maintained by Hoovers  is a public company that specializes in IT outsourcing. Hoovers says the company provides “software development and other IT services to US and European customers primarily from development centers in Russia, Belarus, Hungary, Ukraine, Kazakhstan and Poland.”

The ICQ number listed on the homepage of reality7solutions.com belongs to a Website design professional from Khmelnitsky, Ukraine named Stanislav Shangin. If we look at Schangin’s personal page where he lists all of the Web sites he’s been hired to create, we can see he designed both styx-crypt[dot]com and reality7solutions.com, among dozens of other sites. Shangin did not respond to requests for comment.

Continue reading →


30
May 13

Underweb Payments, Post-Liberty Reserve

Following the U.S. government’s seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?

As I mentioned in an appearance today on NPR’s show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry’s crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government’s action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

Fluctuation in BTC values. Source: Bitcoincharts.com

Fluctuation in BTC values. Source: Bitcoincharts.com

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.

For one thing, Bitcoin’s conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney — a digital currency founded in Russia — one LR or WMZ (the “Z” designation is added to all purses kept in US currency) has always equaled $1 USD.

The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin’s price volatility could turn an otherwise simple transaction into an ugly mess for both parties.

“Say I pay you $1k today for a project, and its late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It’s not yet stable to be used in such a way.”

Another forum member agreed: “BTC on large scale or saving big amounts is a mess because the price changes. Maybe it’s only good cashing out,” noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.

Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors.  As the U.S. government’s complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.

“Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk,” wrote “Off-Sho.re,” a bulletproof hosting provider I profiled in an interview earlier this month. “In the legit ‘real products’ area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice.”

What’s more, MtGox — Bitcoin’s biggest exchanger and the primary method that users get money into and out of the P2P currency — today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.

A logo from perfectmoney.com

A logo from perfectmoney.com

Perhaps the closest competitor to Liberty Reserve and WebMoney — a Panamanian e-currency known as Perfect Money (or just “PM” to many) — appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from U.S. citizens or companies.

For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred U.S. citizens from creating new accounts (it did so in March 2013, in apparent response to the U.S. Treasury Department’s new regulations on virtual currencies.) Still, WebMoney has been around for so long — and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts — that most miscreants and n’er-do-wells in the underground already have accounts there.

But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed “Ninja,” the administrator of Carder.pro – a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company’s homepage featured seizure warnings from a trio of U.S. federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the U.S. Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.

Now, Ninja says, he’s ready to pay up, but he’s not interested in buying into yet another virtual currency. Instead, he says he’s planning to create a new “carding payment system,” one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).

ninjapost

Continue reading →


28
May 13

U.S. Government Seizes LibertyReserve.com

Indictment, arrest of virtual currency founder targets alleged “financial hub of the cybercrime world.”

U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the U.S. government alleges acted as “a financial hub of the cyber-crime world” and processed more more than $6 billion in criminal proceeds over the past seven years.

After being unreachable for four days, Libertyreserve.com's homepage now includes this seizure notice.

After being unreachable for four days, Libertyreserve.com now includes this seizure notice.

The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company’s founder Arthur Budovsky, 39-year-old Ukrainian native who moved to Costa Rica to start the business.

According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as “a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.”

The U.S. government alleges that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. “Overall, from 2006 to May 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and is believed to have laundered more than $6  billion in criminal proceeds,” the government’s indictment reads. Liberty Reserve “deliberately attracted and maintained a customer base of criminals by making financial activity on Liberty Reserve anonymous and untraceable.”

Despite the government’s claims, certainly not everyone using Liberty Reserve was involved in shady or criminal activity. As noted by the BBC, many users — principally those outside the United States — simply viewed the currency as cheaper, more secure and private alternative to PayPal. The company charged a one percent fee for each transaction, plus a 75 cent “privacy fee” according to court documents.

“It had allowed users to open accounts and transfer money, only requiring them to provide a name, date of birth and an email address,”  BBC wrote. “Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then “converted” into one of the firm’s own currencies – mirroring either the Euro or US dollar – at which point it could be transferred to another account holder who could then extract the funds.”

But according to the Justice Department, one of the ways that Liberty Reserve enabled the use of its services for criminal activity was by offering a shopping cart interface that merchant Web sites could use to accept Liberty Reserve as a form of payment (I’ve written numerous stories about many such services).

“The ‘merchants’ who accepted LR currency were overwhelmingly criminal in nature,” the government’s indictment alleges. “They included, for example, traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi and get-rich-quick schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing websites.”

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

It remains unclear how much money is still tied up in Liberty Reserve, and whether existing customers will be afforded access to their funds. At a press conference today on the indictments, representatives from the Justice Department said the Liberty Reserve accounts are frozen. In a press release, the agency didn’t exactly address this question, saying: “If you believe you were a victim of a crime and were defrauded of funds through the use of Liberty Reserve, and you wish to provide information to law enforcement and/or receive notice of future developments in the case or additional information, please contact (888) 238- 0696 or (212) 637-1583.”

Continue reading →


8
Apr 13

Phoenix Exploit Kit Author Arrested In Russia?

The creator of a popular crimeware package known as the Phoenix Exploit Kit was arrested in his native Russia for distributing malicious software and for illegally possessing multiple firearms, according to underground forum posts from the malware author himself.

The last version of the Phoenix Exploit Kit. Source: Xylibox.com

The last version of the Phoenix Exploit Kit. Source: Xylibox.com

The Phoenix Exploit Kit is a commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of $2,200. It is designed to booby-trap hacked and malicious Web sites so that they foist drive-by downloads on visitors.

Like other exploit packs, Phoenix probes the visitor’s browser for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader. If the visitor is unlucky enough to have fallen behind in applying updates, the exploit kit will silently install malware of the attacker’s choosing on the victim’s PC (Phoenix targets only Microsoft Windows computers).

The author of Phoenix — a hacker who uses the nickname AlexUdakov on several forums — does not appear to have been overly concerned about covering his tracks or hiding his identity. And as we’ll see in a moment, his online persona has been all-too-willing to discuss his current legal situation with former clients and fellow underground denizens.

Exploit.in forum member AlexUdakov selling his Phoenix Exploit Kit.

Exploit.in forum member AlexUdakov selling his Phoenix Exploit Kit.

For example, AlexUdakov was a member of Darkode.com, a fairly exclusive English-language cybercrime forum that I profiled last week. That post revealed that the administrator accounts for Darkode had been compromised in a recent break-in, and that the intruders were able to gain access to private communications of the administrators. That access included authority to view full profiles of Darkode members, as well as the private email addresses of Darkode members.

AlexUdakov registered at Darkode using the address “nrew89@gmail.com”. That email is tied to a profile at Vkontakte.ru (a Russian version of Facebook) for one Andrey Alexandrov, a 23-year-old male (born May 20, 1989) from Yoshkar-Ola, a historic city of about a quarter-million residents situated on the banks of the Malaya Kokshaga river in Russia, about 450 miles east of Moscow.

ASK-74u rifles. Source: Wikimedia Commons.

AKS-74u rifles. Source: Wikimedia Commons.

That nrew89@gmail.com address also is connected to accounts at several Russian-language forums and Web sites dedicated to discussing guns, including talk.guns.ru and popgun.ru. This is interesting because, as I was searching AlexUdakov’s Phoenix Exploit kit sales postings on various cybercrime forums, I came across him discussing guns on one of his sales threads at exploit.in, a semi-exclusive underground forum. There, a user with the nickname AlexUdakov had been selling Phoenix Exploit Kit for many months, until around July 2012, when customers on exploit.in began complaining that he was no longer responding to sales and support requests. Meanwhile, AlexUdakov account remained silent for many months.

Then, in February 2013, AlexUdakov began posting again, explaining his absence by detailing his arrest by the Federal Security Service (FSB), the Russian equivalent of the FBI. The Phoenix Exploit Kit author explained that he was arrested by FSB officers for distributing malware and the illegal possession of firearms, including two AKS-74U assault rifles, a Glock, a TT (Russian-made pistol), and a PM (also known as a Makarov).

Continue reading →


2
Apr 13

Fool Me Once…

When you’re lurking in the computer crime underground, it pays to watch your back and to keep your BS meter set to  ‘maximum.’ But when you’ve gained access to an elite black market section of a closely guarded crime forum to which very few have access, it’s easy to let your guard down. That’s what I did earlier this year, and it caused me to chase a false story. This blog post aims to set the record straight on that front, and to offer a cautionary (and possibly entertaining) tale to other would-be cybersleuths.

baitOn Jan. 16, 2013, I published a post titled, “New Java Exploit Fetches $5,000 Per Buyer.” The details in that story came from a sales thread posted to an exclusive subforum of Darkode.com, a secretive underground community that has long served as a bazaar for all manner of cybercriminal wares, including exploit kitsspam services, ransomware programs, and stealthy botnets. I’ve maintained a presence on this forum off and on (mostly on) for the past three years, in large part because Darkode has been a reliable place to find information about zero-days, or highly valuable threats that exploit previously unknown vulnerabilities in software — threats that are shared or used by attackers before the developer of the target software knows about the vulnerability.

I had previously broken several other stories about zero-day exploits for sale on Darkode that later showed up “in-the-wild” and confirmed by the affected vendors, and this sales thread was posted by one of the forum’s most trusted members. The sales thread also was created during a time in which Java’s maker Oracle Corp. was struggling with multiple zero-days in Java.

What I didn’t know at the time was that this particular sales thread was little more than a carefully laid trap by the Darkode administrators to discover which accounts I was using to lurk on their forum. Ironically, I recently learned of this snare after white/grey hat hackers compromised virtually all of the administrator accounts and private messages on Darkode.

“Looks like Krebs swallowed the bait, and i got an idea how to catch him now for the next thread,” wrote Darkode administrator “Mafi” in a Jan. 16 private message to a co-admin who uses the nickname “sp3cial1st”.

Following this post, the administrators compared notes as to which users had viewed the fake Java zero-day sales thread during the brief, two-day period it was live on a restricted portion of Darkode. “I have taken a careful examination of the logs related to the java 0day thread,” sp3cial1st wrote to a Darkode administrator who used the nick “187″.

Continue reading →


13
Mar 13

Credit Reports Sold for Cheap in the Underweb

Following the online publication of Social Security numbers and other sensitive data on high-profile Americans, the three major credit reporting bureaus say they’ve uncovered cases where hackers gained access to users’ information, Bloomberg reports. The disclosure, while probably discomforting for many, offers but a glimpse of the sensitive data available to denizens of the cybercrime underworld, which hosts several storefronts that sell cheap, illegal access to consumer credit reports.

mueller

Redacted screen shot of leaked records.

The acknowledgement by Experian, Equifax and Trans Union comes hours after hackers posted online Social Security numbers and other sensitive data on FBI Director Robert Muller, First Lady Michelle Obama, Paris Hilton and others.

Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.

Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.

Credit report lookup page at ssndob.ru

Credit report lookup page at ssndob.ru

It’s not clear from where this service gets its credit reports and other data, but it appears that at least some of the lookups are done manually by the proprietors. Pending new records requests are tracked with varying messages, such as “in queue,” and “in progress,” and often take more than 15 minutes to process.

A source who agreed to have their information looked up at this service provided his Social Security number, date of birth and address. Within 15 minutes, the site returned a full credit report produced by TransUnion; the report, saved as an HMTL file, was archived in a password protected zip file and uploaded to sendspace.com, with a link to the file and a password to unlock the archive.

Continue reading →