Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: zeus

    A Little Sunshine / Latest Warnings41 Comments
    9
    Jun 10

    ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube

    Criminals have launched an major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.

    According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May.

    The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement.

    All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)…

    Continue reading →

    A Little Sunshine / Latest Warnings / Time to Patch / Web Fraud 2.014 Comments
    15
    Apr 10

    Java Patch Targets Latest Attacks

    Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

    Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

    On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

    If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

    Continue reading →

    A Little Sunshine / Latest Warnings / Target: Small Businesses / The Coming Storm30 Comments
    6
    Apr 10

    Computer Crooks Steal $100,000 from Ill. Town

    A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town’s online bank account, making off with nearly $100,000.

    “As little as we are, $100,000 represents a good chunk of money, and it hurts,” said Judy Rivera, the town’s administrator. “We were already on a very lean budget, because the tax money just isn’t coming in.”

    Summit is just the latest in a string of towns, cities, counties and municipalities across America that have seen their coffers cleaned out by organized thieves who specialize in looting online bank accounts. Recently, crooks stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; $415,000 from a Kentucky county (this is far from a comprehensive list).

    Continue reading →

    A Little Sunshine / Web Fraud 2.017 Comments
    1
    Apr 10

    SpyEye vs. ZeuS Rivalry

    It’s common for malware writers to taunt one another with petty insults nested within their respective creations. Competing crime groups also often seek to wrest infected machines from one another. A very public turf war between those responsible for maintaining the Netsky and Bagle worms back in 2005, for example, caused a substantial increase in the volume of threats generated by both gangs.

    The latest rivalry appears to be budding between the authors of the Zeus Trojan — a crime kit used by a large number of cyber thieves — and “SpyEye,” a relatively new kit on the block that is taking every opportunity to jeer at, undercut and otherwise siphon market share from the mighty Zeus.

    Symantec alluded to this in a February blog post that highlighted a key selling point of the SpyEye crimeware kit:  If the malware created with SpyEye lands on a computer that is already infected with Zeus, it will hijack and/or remove the Zeus infection.

    Now, just a few months later, the SpyEye author is releasing a new update (v. 1.1) that he claims includes the ability to inject content into Firefox and Internet Explorer browsers, just as Zeus does (this screen shot shows the result of a demo configuration file on the left, which instructs the malware to inject SpyEye and “Zeuskiller”  banner ads into a live Bank of America Web site). It is precisely this injection ability that allows thieves using Zeus to defeat the security tokens that many banks require commercial customers to use for online banking.

    The new version comes as the Zeus author is pushing out his own updates (v. 1.4), along with a hefty price tag hike. The old Zeus kit started at around $4,000, while the base price of the newer version is double that. According to research from Atlanta-based security firm SecureWorks, Zeus plug-ins that offer additional functionality raise the price even more. For example:

    Continue reading →

    Target: Small Businesses63 Comments
    30
    Mar 10

    Online Thieves Take $205,000 Bite Out of Missouri Dental Practice

    Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.

    Dentists working at the Smile Zone, a Springfield, Mo. based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.

    Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.

    “I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out on careerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.”

    Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. As it stands, he was told, his case would be lumped into a group of similar investigations that is being run out of an FBI task force in Omaha, Nebraska. It also appears there is little appetite for prosecuting the money mules, he said.

    “The FBI said prosecuting these [mules] for doing anything wrong is near impossible,” Hudkins said.

    Continue reading →

    A Little Sunshine / Web Fraud 2.010 Comments
    24
    Mar 10

    AVprofit: Rogue AV + Zeus = $

    The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats.

    Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs. ZeuS is the very piece of malware directly responsible for helping thieves steal tens of millions of dollars from small to mid-sized businesses over the past year.

    Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install. Typically, affiliates will embed these installers at porn sites or bundle them with programs seeded on peer-to-peer file-sharing services. The nightmare for the victim starts when he or she responds to the fake anti-virus pop-up warning of supposed threats resident on the victim’s PC, by agreeing to download and run a scanning tool.

    What’s remarkable about this entire ecosystem is that in many cases, victims who have this installer run on their systems often end up paying for the rogue anti-virus, in addition to unknowingly giving up their passwords and handing complete control of their computer to the bad guys running this distribution network.

    Continue reading →

    Target: Small Businesses60 Comments
    16
    Mar 10

    eBanking Victim? Take a Number.

    Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. One of the most frequent questions I get from readers and from my journalist peers is, “How many of these stories are you going to tell?”

    The answer is simple: As many as I can verify. The reason is just as plain: I’m finding that most small business owners have no clue about the threats they face or the liability they assume when banking online, even as the frequency and sophistication of attacks appears to be increasing.

    I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollar losses from a single virus infection (last week I spoke with people from four different companies that had been victimized over the past two months alone). In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.

    In most cases I’ve followed, the banks will do what they can to reverse the fraudulent transactions. But beyond that, the bank’s liability generally ends, because — unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.

    Earlier this month, I spoke with the CEO of Eskola LLC, a Treadway, Tenn. roofing firm that had $130,000 stolen from its online bank accounts in a series of five unauthorized wire transfers in late January. The bank was able to reverse most of those transfers, but Eskola was unable to recover more than $30,000 of the stolen money.

    “It really took our bank by surprise and triggered a whole series of internal reviews, because they told me they’ve been hit several other times since then,” Jon Eskola said. “They said so far this year, it’s been the number one thing that’s come across their plate, and that this type of crime had increased 500 to 600 percent over a year ago.”

    Continue reading →

    A Little Sunshine / The Coming Storm33 Comments
    10
    Mar 10

    Dozens of ZeuS Botnets Knocked Offline

    NB: This story has been updated several times. Please read through to the end

    Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

    Image courtesy ZeusTracker

    Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.

    According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.

    In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.

    Continue reading →

    Target: Small Businesses105 Comments
    24
    Feb 10

    N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss

    A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

    Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.

    “She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”

    Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.

    Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.

    Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.

    “They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance,” McCarthy said. “I had a company that was interested in purchasing us, but they’re not going to do that now.  I’m basically looking at bankruptcy, because I have very little money to operate on now.”

    Krebsonsecurity spoke briefly with John G. McCluskey, vice president of TDBank’s corporate security and investigations. McCluskey referred all questions about the incident to the bank’s marketing department, which hasn’t returned calls seeking additional information and comment.

    Continue reading →

    A Little Sunshine / Other / Target: Small Businesses62 Comments
    19
    Feb 10

    ZeuS: ‘A Virus Known as Botnet’

    As a journalist who for almost ten years has sought to explain complex computer security topics to a broad audience,  it’s sometimes difficult to be picky when major news publications over-hype an important security story or screw up tiny details: For one thing, Internet security so seldom receives more than surface treatment in the media that the increased attention to the issue often seems to excuse the breathlessness with which news organizations cover what may seem like breaking, exclusive stories.

    The trouble with that line of thinking is that an over-hyped story tends to lack important context that helps frame the piece in ways that make it more relevant, timely, and actionable, as opposed to just sensational.

    I say this because several major media outlets, including The Washington Post and the Wall Street Journal, on Thursday ran somewhat uncritical stories about a discovery by NetWitness, a security firm in Northern Virginia that has spent some time detailing the breadth of infections by a single botnet made up of PCs infected with ZeuS, a password stealing Trojan that lets criminals control the systems from afar. NetWitness found that this particular variant of the botnet, which it dubbed “Kneber,” had invaded more than 2,500 corporations and 75,000 computers worldwide.

    The Post’s headline: More than 75,000 Computer Systems Hacked in one of the Largest Cyber Attacks, Security Firm Says.

    From the WSJ: Broad New Hacking Attack Detected: Global Offensive Snagged Corporate, Personal Data at Nearly 2,500 Companies: Operation is Still Running.

    Yahoo!’s coverage tells us, Scary Global Hacking Offensive Finally Outed.

    After a day of dodging countless PR people pitching their experts to pile on to the story, I finally resolved to add my two cents when I heard this gem from the PBS Newshour with Jim Lehrer: “A major new case of computer hacking has been uncovered. A virus known as botnet invaded the computers and used them to steal data from commercial and government systems. Among other things, the hackers have gained access to e-mail systems and online banking.”

    Continue reading →

    ← Older Entries