March 23, 2011

Business gurus have long maintained that time = $$, but that doesn’t mean that playtime necessarily decreases the bottom line. Many corporations have discovered that their employees tend to be more productive when they have time to give their brains a break, and gameplay is the perfect escape. So it’s not surprising that some cyber criminals have taken this lesson to heart, and are crafting crime machines to include games that allow their evildoing customers to steal money and set their hi-scores at the same time.

I had a laugh when I stumbled upon the administrative panel shown in the video below. It’s a back-end Web database designed to interact with a collection of Windows PCs infected by the ZeuS Trojan. This panel receives financial data stolen from victim machines, including PayPal and Bank of America account credentials. This video shows the Bank of America tab of the tool, which also allows the criminal to inject specific “challenge/response” questions into BofA’s Web page as displayed in the victim’s browser, as a way to steal the answers to these questions should the criminal later be asked for them when later logging in to victim accounts.

Directly to the right of an option to export all stolen credentials to an easy-to-read .csv file is a button labeled “Pacman”. Clicking launches a playable, exact replica of the 1980s arcade game (enlarge the video by clicking the icon in the bottom right corner of the video panel):

I can’t help but wonder whether we will witness some perverse kind of Moore’s law with future criminal Web administration panels. I can just see it now: In 18 months, crooks writing these panels will be bundling Halo 3 and Counter-Strike with their creations!

On a more serious note, the tab labeled “Arcot” is interesting: Arcot Systems is the company whose software powers the authentication system used by MasterCard’s SecureCode and Visa’s Verified by Visa programs. What’s interesting is that the thieves could defeat these security systems by gathering personal data on victim card holders, which they appear to have done here. This panel, like others used in tandem with ZeuS (for example, Jabberzeus) also is set up to alert the botmaster via Jabber instant message when a new set of credentials is stolen.


15 thoughts on “Big Scores and Hi-Scores

  1. David

    If their criminal skills are on par with their Pac-Man chops, we have nothing to worry about… or was that you that dropped a quarter into the machine Brian?

  2. JCitizen

    Will wonders never cease? Thanks for this unexpected peak into another world, Brian!

  3. Russ

    You’ve really filled a niche Brian. Nobody else that I’ve found talks about this kind of stuff. The admin interface screenshots and ATM skimmer stuff is all interesting information. Good use of the podium sir.

  4. george

    I hope Matt Groening or whoever owns the rights to Bender’s image will sue the guy or gal who coded this admin panel for using the image without paying royalties and inflict some monetary damage on them :).

    1. AlphaCentauri

      If the guy whose mind created Bart Simpson decided to take down ZeuS, I’d be in the cheering section for sure. Too bad it probably wouldn’t involve prank phone calls. That would be very fitting in the case of ZeuS, after they SWATted Roman Hussy.

  5. helly

    As a security measure, I suggest we release Angry Birds for Zeus. That game is so much of a time suck the bad guys would be stuck playing all the time, with no time to actually commit fraud.

  6. Nick P

    I never expected the Verified by Visa and SecureCode approaches to work. Looking at their design, they don’t consider the threat model at all. The threat model for malware is that the user’s PC is subverted, giving the bad guys read and write access to everything they do. To counter this, Visa and Mastercard ask the users to enter extra information on their subverted computer. Make sense, anyone?

    1. george

      I suspect in the time they were designed the main treats were perceived to be:
      1. Phishing sites pretending to sell real wares but actually after getting you CC data – by them not being able to supply the personalized message, image or question one should realize it is about to supply CC information to a fake site.
      2. Cases when CC info is leaked to restaurant/hotel personnel, via skimming devices, etc.
      I think it made sense and was a positive initiative in 2005-2007, but is almost 100% ineffective today as the threats have shifted dramatically.

      1. Jane

        I don’t recall seeing a personalized image for “Verified by Visa” — was this a general statement or do Visa and MasterCard do that?

        Then again, my war story for Verified Visa is the time NoScript blocked the vendor’s attempt to use it, we never received a challenge or provided a response, and the transaction still went through.

        1. george

          Hi Jane,
          I do have a Visa which gives me a message I introduced myself back in early 2007 every time “Verified by Visa” activates. I seem to remember there was also an option to upload a picture and have that displayed, though I might be confusing with yahoo mail (which also had/have something similar). I also have a Mastercard with SecureCode which did not gave me the option to add any personal message – a bit strange when considering they are both operated by the same company – International Card Services. Disappointed to hear in your case despite NoScript blocking the “Verified by Visa” script, the transaction went through, it seems to me on top of being an outdated security measure, it was also poorly implemented in many places. (or at the very least, they wrongly chose to place “customer purchasing experience” above security when decided to allow transactions to be processed without successfully running the Verified by Visa authentication for any card that has it activated). And to add insult to injury, it is, as pointed by other readers, far too easy to reset a forgotten password using just trivially obtainable information.

          1. Bob

            The trivial information does not have to be anything that remotely answers the question. You could answer “red Ferrari” for the name of your first grade teacher. Favorite pet could “desktop computer”.

            As long as YOU remember how you answered the questions, then ‘trivial information’ is meaningless.

            Nobody ever said you had to really say who your first sweetheart was, just give a name. The banks and CC companies already know the mothers maiden name, but how much else do they know? Some of the challenge questions are really dumb.

    2. Conrad Longmore

      Verified by Visa and MasterCard SecureCode are completely useless. As Nick P says, the extra information they ask for is usually trivially easy to find. They mainly seem to inconvenience the genuine users by adding an additional password which mysteriously the systems seem to forget.

      If you want two good reasons to use an AmEx.. these are those!

Comments are closed.