January, 2011

Jan 11

PlentyofFish.com Hacked, Blames Messenger

Hackers have breached the database of online dating site PlentyOfFish.com, exposing the personal and password information on nearly 30 million users. In response, the company’s founder has implied that the editor of KrebsOnSecurity.com was involved in an elaborate extortion plot.

Getting hacked is no fun. Learning that you’ve been hacked when a reporter calls is probably even less fun. But for better or worse, I have notified dozens of companies about various breaches over the years, and I’ve learned to read between the lines in how victims respond. Usually, when the company in question replies by implicating you in an alleged extortion scheme, two things become clear:

1) You’re probably not going to get any real answers to your direct questions about the incident, and;

2) The company almost certainly did have a serious breach.

Continue reading →

Jan 11

ATM Skimmers That Never Touch the ATM

Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.

The most common of these off-ATM skimmers can be found near cash machines that are located in the antechamber of a bank or building lobby, where access is controlled by a key card lock that is activated when the customer swipes his or her ATM card. In these scams, the thieves remove the card swipe device attached to the outside door, add a skimmer, and then reattach the device to the door. The attackers then place a hidden camera just above or beside the ATM, so that the camera is angled to record unsuspecting customers entering their PINs.

The crooks usually return later in the evening to remove the theft devices. Armed with skimmed card data and victim PINs, skimmer thieves are able to encode the information onto counterfeit cards and withdraw money from compromised accounts at ATMs across the country.

On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an “Out of Order” sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right.

Here’s a front view of the hidden camera, which probably would appear to most ATM users as nothing more than a parabolic mirror designed to give customers a view of anyone standing behind them.

Behind the glass, however, was a battery-operated hidden camera. A tiny hole was cut out of the bottom of the mirror housing to enable the camera to record PIN entries.

Below are several images showing the key card door lock that was compromised in this attack. The top left image shows the device as it would appear attached to the door securing access to the ATM lobby. The other two pictures show the skimmer device with the electronic components added by the thieves.

Continue reading →

Jan 11

Microsoft: Exploit Published for Windows Flaw

Microsoft warned today that hackers have published instructions for attacking a previously unknown security hole in all versions of Windows that could be exploited to siphon user data or trick users into installing malicious code.

Redmond published an advisory about a vulnerability in the way Windows handles MHTML code that could let attackers run Javascript code if the user is browsing a malicious site using Internet Explorer. As Wolfgang Kandek, chief technology officer at Qualys notes, that means that IE is the only known exploit vehicle for this flaw, and that other browsers such as Firefox and Chrome are not affected in their default configuration because they don’t support MHTML without the installation of specific add-ons.

Microsoft said it may issue a patch to fix the flaw, but that in the meantime IE users who are concerned about this threat can use a supplied “FixIt” tool to help shore up the way Windows handles MHTML documents. The enable that fix, visit this link and click the FixIt icon.

Jan 11

Egypt Unplugged from the Internet

As many readers no doubt know, the Egyptian government on Thursday severed the nation’s ties with the rest of the Internet, in an apparent effort to disrupt political protests calling for an end to the 30-year rule of Egyptian leader Hosni Mubarak.

I’ve been tweeting about new developments as they arise, but I wanted to point to a few of the more dramatic graphs that different sources have drawn up to show the precipitous decline in Internet traffic and connectivity to and from Egypt as leaders there sought to isolate phone and computer networks from the rest of the world.

Arbor Networks put together this graphic, which shows what happens when 80 million people are disconnected from the Web all at once:

The Extraexploit blog looked at the Internet routing situation around Egypt before and after the disconnection, using the handy (but tricky) tool available here. This Java-based tool charts the routing activity between and among separate networks on the Internet. The first image below shows what some of the main routes to and from Egypt’s various networks looked like just before the incident.

Check out the same route view from today, and it’s clear that Egypt has isolated itself from the rest of the Internet.

As the folks at Renesys.com wrote, there are still a handful of Internet connections that remain live in Egypt, but the comments to that post suggest that those connections may have been left tightly in the grip of the Egyptian government. Link Egypt, Vodafone/Raya, Telecom Egypt, and Etisalat Misr — all have been blocked, Renesys found.

In response to the Egyptian government’s crackdown on protesters there, Wikileaks released new State Department cables that reveal human rights abuses and political arrests in the country. Too bad nobody in Egypt is going to be able to see those cables.

Have you discovered a graphic that shows the network isolation of Egypt in a compelling way? Post a link in the comments below, please.

Update, 11:19 a.m.: A reader wrote in with a link to a decent graph maintained by RIPE (French for “European IP Networks”), which shows the disconnection starting on Jan. 27.

Update, Jan. 29, 7:34 p.m. ET: A relatively new data leak prevention firm called Unveillance sent a pointer to their blog post, which chronicled the disconnection of Egypt from a slightly different perspective: The drop in network activity from computer systems within Egypt that were infected with malicious software or controlling other infected hosts.

Jan 11

Battling the Zombie Web Site Armies

Peter Bennett first suspected his own Web site might have been turned into a spam-spewing zombie on the night of Nov. 11, when he discovered that a tiny program secretly uploaded to his site was forcing it to belch out ads for rogue Internet pharmacies.

Bennett’s site had been silently “infected” via an unknown (at the time) vulnerability in a popular e-commerce software package. While most site owners probably would have just cleaned up the mess and moved on, Bennett — a longtime anti-spam vigilante — took the attack as a personal challenge.

“Spammers always know it is me attacking their resources in whatever form that takes,” Bennett said. “In other words, I make myself a target because I have a clue or two about server security and defense and just love taunting them to crank them up.”

And taunt them he has. For years, the New Zealand resident was part of a ragtag band of anti-spam activists, or “antis,” that helped to bring down infamous pill spammer Shane Atkinson and other junk e-mail purveyors. After taking a break from anti activity in 2007 to pursue other professional goals, Bennett – now 50 – seems eager to jump back into the fray.

In the interim, however, spammers have been refining their techniques. Like reluctant conscripts in a global guerilla army, hundreds  — sometimes thousands — of legitimate Web sites are now enslaved each month and sold to criminals who use them to blast out spam and host spam sites. The attackers Bennett is tracking mainly pick on orphaned Web sites running Linux with insecure, unpatched software packages (Bennett says his site was hacked thanks to a zero-day bug in OScommerce, a popular e-commerce software program).

Bennett found that his Web site was part of a larger botnet of at least 1,200 compromised sites that was being used to send roughly 25 million junk e-mail messages each day, although he said it appears the botnet is used for spam runs only intermittently.

“They only run the botnet once a week or so at a time, and then shut it off,” Bennett said.

An ad soliciting EvaPharmacy affiliates.

The hacked sites in the botnet Bennett identified mainly advertise one of three types of rogue pill sites: MyCanadianPharmacy, Canadian Family Pharmacy, and Canadian Health&Care Mall. The latter has been tied to a pharmacy affiliate program called EvaPharmacy, one of the few remaining pharmacy affiliate programs that pays members to promote fly-by-night pill sites via spam.

Continue reading →

Jan 11

Ready for Cyberwar?

Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as “cyberwar,” it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.

Security vendor Imperva today blogged about a hacker who claims to have access to and control over several top dot-gov, dot-mil and dot-edu Web sites. I’ve seen some of the back-end evidence of his hacks, so it doesn’t seem like he’s making this up. Perhaps out of deference to the federal government, the Imperva folks blocked out the best part of that screen shot — the actual names of the Web site domains that this hacker is selling. For example, the hacker is advertising full control and root access to cecom.army.mil, a site whose stated purpose is “to develop, acquire, provide and sustain world-class…systems and Battle Command capabilities for the joint warfighter.” It can be yours, for just $499 (sorry, no credit cards accepted; only the virtual currency Liberty Reserve).

Here is an unredacted (well, mostly) shot of that site:

Continue reading →

Jan 11

Experi-Metal vs. Comerica Case Heads to Trial

A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud.

The case is being closely watched by a number of small to mid-sized organizations that have lost millions to cyber thieves and have been waiting for some sign that courts might be willing to force banks to assume at least some of those losses.

Nearly two years ago, cyber crooks stole more than $560,000 from Sterling Heights, Mich. based Experi-Metal Inc. (EMI), sending the money to co-conspirators in a half-dozen countries.

Continue reading →

Jan 11

ATM Skimmers, Up Close

Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and to steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Also, this seller’s profile showed that he was a longtime member, and had been vouched for as a “verified” vendor. This meant that forum administrators had vetted him by checking his reputation on other fraud forums, and that he’d paid a fee to use its escrow service if any potential buyers insisted.

Anyway, I wasn’t looking to purchase his skimmers, just to check out his wares. I chatted him up on ICQ, and he said he only sold the plastic housings for the skimmer devices, but that he could show me pictures and videos of what some of his customers had done with them. Above is a video of the seller demonstrating how one of his card skimmer housings fits over the mouth of the card slot on a working Diebold Aptiva ATM.

Below are images he sent that demonstrate two very different skimmers made with his housings. The device on the top in the picture below is a flash-based spy camera nested in a beige plastic molding meant to be attached directly above the ATM PIN pad to steal the customer’s personal identification number. The image on the bottom is the skimmer itself. To the right of each are instructions for configuring the skimmer devices and for harvesting the stolen data stored on them.

A hidden camera (top) and ATM card skimmer (bottom), along with instructions for their use.

Continue reading →

Jan 11

Pill Pushers Pop Military, Government, Education Sites

A software vulnerability at a U.S. based Web hosting provider let hackers secretly add dozens of Web pages to military, educational, financial and government sites in a bid to promote rogue online pharmacies.

For four months in 2010, a customer of Hostmonster.com, a Provo, Utah based hosting provider, exploited a bug in CPanel — a Web site administration tool used by Hostmonster and a majority of other hosting providers. The customer used the vulnerability to create nearly four dozen subdomains on a number of other Web sites at the hosting facility, said Danny Ashworth, co-founder of Bluehost.com, the parent company of Hostmonster.

The subdomains were linked to dozens of pages created to hijack the sites’ search engine rankings, and to redirect visitors to fly-by-night online stores selling prescription drugs without a prescription. Among the compromised domains were:

Omaha, Neb. financial institution Accessbank.com;
Bankler.com, the sole investigative tax accountant for the U.S. Senate Whitewater Committee;
Ejercito.mil.do, the official site of the Army of the Dominican Republic;
Sacmetrofire.ca.gov, the Sacramento Metropolitan Fire District;
Wi.edu, The Wright Institute.

Ashworth said all of the bogus subdomains were created between April 2nd 2010 and July 1st 2010. But they remained there until the company was contacted by a reporter last week.

Continue reading →

Jan 11

Microsoft Plugs Three Windows Security Holes

Microsoft today released security updates to fix at least three vulnerabilities in its Windows operating systems, including one labeled “critical,” the company’s most serious rating. However, none of the patches address five zero-day flaws that can be used to attack Windows users.

The critical update targets two weaknesses present in all versions of Windows that Microsoft said hackers could exploit to break into unpatched systems just by getting users to visit a compromised or malicious Web site. A second update fixes a security issue in the Windows backup tool that affects Windows Vista machines.

The vulnerability in the Windows backup tool stems from a weakness that extends to hundreds of third-party, non-Microsoft applications built to run on Windows. I discussed this issue at length in a blog post in September, but the upshot is that Microsoft has made available a FixIt tool to help fortify a number of these applications against a broad swath of security threats that stem from a mix of insecure default behaviors in Windows and poorly-written third party apps. If you haven’t already done so, take a moment to read at least the short version of that post, and apply the supplied FixIt tool from Microsoft.

Continue reading →