December 13, 2013

Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.

Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.

Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC's upload and download speeds.


Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC’s upload and download speeds.

Makost currently is selling access to more than 6,000 compromised RDP installations worldwide. As we can see from the screen shot above, hacked systems are priced according to a combination of qualities of the server:

  • city, state, country of host;
  • administrative or regular user rights;
  • operating system version;
  • number and speed of computer processors;
  • amount of system memory;
  • network download and upload speeds;
  • NAT or direct

KrebsOnSecurity was given a glimpse inside the account of a very active user of this service, an individual who has paid more than $2,000 over the past six months to purchase some 425 hacked RDPs. I took the Internet addresses in this customer’s purchase history and ran WHOIS database lookups on them all in a bid to learn more about the victim organizations. As expected, roughly three-quarters of those addresses told me nothing about the victims; the addresses were assigned to residential or commercial Internet service providers.

But the WHOIS records turned up the names of businesses for approximately 25 percent of the addresses I looked up. The largest group of organizations on this list were in the manufacturing (21 victims) and retail services (20) industries. As I sought to categorize the long tail of other victim organizations, I was reminded of the Twelve Days of Christmas carol.

twelve healthcare providers;
ten education providers;
eight government agencies;
seven technology firms;
six insurance companies;
five law firms;
four financial institutions;
three architects;
two real estate firms;
and a forestry company (in a pear tree?)

How did these companies end up for sale on makost[dot]net? That is explained deftly in a report produced earlier this year by Trustwave, a company which frequently gets called in when companies experience a data breach that exposes credit card information. Trustwave looked at all of the breaches it responded to in 2012 and found — just as in years past — “IP remote access remained the most widely used method of infiltration in 2012. Unfortunately for victim organizations, the front door is still open.”

The report continues:

“Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”

Source: Trustwave 2013 Global Security Report

Source: Trustwave 2013 Global Security Report

“Would-be attackers simply scan blocks of Internet addresses looking for hosts that respond to queries on one of these ports. Once they have a focused target list of Internet addresses with open remote administration ports, they can move on to the next part of the attack: The number 2 most-exploited weakness: deafult/weak credentials.”

In case the point wasn’t clear enough yet, I’ve gathered all of the username and password pairs picked by all 430 RDP-enabled systems that were sold to this miscreant. As evidenced by the list below, the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password. In each of the following cases, the username and password are the same.

Some of these credential pairs even give you an idea of the type of organization involved, the employee account that was compromised (“intern,” “techsupport,”); the purpose of the hacked system (“payroll”, “fax,” “scanner,” “timeclock”); even the geographic location of the compromised PC within the organization (e.g., “front desk,” “conference room,” “garage”). Incredibly, some of the systems appear to be named after actual security features or backup devices (“symantec,” “sonicwall,” “sophos”):

owner owner
showroom showroom
operations operations
train train
test test
colin colin
robert robert
install install
besadmin besadmin
tony tony
guest guest
symantec symantec
stacey stacey
stephanie stephanie
jessica jessica
install install
frontdesk frontdesk
sophos sophos
tim tim
lisa lisa
guest guest
guest guest
timeclock timeclock
dale dale
djohnson djohnson
john john
staff staff
student student
cw cw
guest guest
inventory inventory
aspnet aspnet
scanner scanner
tablet1 tablet1
timeclock timeclock
rsmith rsmith
tara tara
gary gary
user user
billing1 billing1
shipping1 shipping1
warehouse warehouse
scott scott
cnc cnc
training training
personnel personnel
template template
training training
faxserver faxserver
nicole nicole
sales sales
jbrown jbrown
driver driver
ksmith ksmith
sys sys
engineering engineering
gking gking
guest guest
kclark kclark
kwebb kwebb
guest1 guest1
robert robert
AdMiNiStRaToR AdMiNiStRaToR
ipad ipad
rae rae
canon canon
shipping shipping
fax fax
remote1 remote1
mission mission
reporter reporter
dispatch dispatch
guard guard
rm rm
marcia marcia
sales sales
makik makik
kbrown kbrown
kbrown kbrown
ray ray
jrobinson jrobinson
shop shop
remote remote
dharris dharris
user user
bkexec bkexec
cmm cmm
toolcrib toolcrib
test test
temp temp
sbrown sbrown
dispatch dispatch
carpet carpet
laura laura
techsupport techsupport
bkexec bkexec
ganderson ganderson
buexec buexec
twadmin twadmin
acs acs
acs acs
bkexec bkexec
testu testu
bookkeeper bookkeeper
rtcservice rtcservice
jcampbell jcampbell
mlee mlee
email email
owner owner
bethb bethb
sisadmin sisadmin
cmartinez cmartinez
beadmin beadmin
mattp mattp
conf conf
prod prod
ws ws
jackie jackie
tempadmin tempadmin
install install
support support
wendy wendy
ricoh ricoh
simmons simmons
agarcia agarcia
jens jens
prod prod
timeclock timeclock
specialist specialist
christine christine
training training
sqlexec sqlexec
production production
testuser testuser
garage garage
sms sms
ldap ldap
sharepoint sharepoint
epicor epicor
epicor epicor
sandy sandy
resource resource
carrie carrie
nancy nancy
remote remote
lisa lisa
sales sales
kristina kristina
facilities facilities
erika erika
seagate seagate
mmills mmills
checkout checkout
susan susan
peter peter
insurance insurance
Administrator Administrator
maureen maureen
mike mike
training training
av av
schedule schedule
brad brad
timeclock timeclock
awilson awilson
spadmin spadmin
cecilia cecilia
renee renee
fax fax
sonny sonny
joey joey
caroot caroot
xray xray
dallen dallen
triage triage
ewilliams ewilliams
djordan djordan
clerk clerk
danny danny
bkupexec bkupexec
bu bu
monroe monroe
mmiller mmiller
seagate seagate
mmurray mmurray
recruiting recruiting
jsmith jsmith
jwilson jwilson
buexec buexec
mikeg mikeg
jking jking
bobc bobc
caroot caroot
kronos kronos
jgreen jgreen
bkupexec bkupexec
lab lab
jaime jaime
davidf davidf
kronos kronos
xray xray
rbrown rbrown
bizhub bizhub
julie julie
bec bec
checkout checkout
tuser tuser
bjohnson bjohnson
jbox jbox
dataentry dataentry
itsupport itsupport
sharepoint sharepoint
pc pc
volunteer volunteer
mail mail
konica konica
mill mill
canon canon
volunteer volunteer
heidi heidi
carla carla
tracy tracy
frontdesk frontdesk
driver driver
operations operations
trainer trainer
accounts accounts
labuser labuser
production production
jsmith jsmith
sup890 sup890
installer installer
help help
intern intern
la la
timeclock timeclock
confrm confrm
assembly assembly
john john
spadmin spadmin
jdoe jdoe
bloomberg bloomberg
resume resume
attach attach
assembly assembly
faxes faxes
faxes faxes
aevans aevans
tjones tjones
dbagent dbagent
Scanner Scanner
frontoffice frontoffice
Billing Billing
Nurse Nurse
MS MS
buexec buexec
xray xray
joan joan
frontdesk frontdesk
bkupexec bkupexec
kjohnson kjohnson
marcia marcia
kbrown kbrown
str str
awilliams awilliams
lsmith lsmith
voicemail voicemail
lsmith lsmith
wilkerson wilkerson
wilkerson wilkerson
wilkerson wilkerson
faxadmin faxadmin
faxadmin faxadmin
faxadmin faxadmin
vismail vismail
aspuser aspuser
jh jh
pmartin pmartin
tammy tammy
melanie melanie
mfg mfg
dwright dwright
sharepoint sharepoint
mobile mobile
forms forms
conference conference
examroom examroom
insurance insurance
confroom confroom
archiver archiver
Production Production
restore restore
Email Email
export export
Payroll Payroll
schulung schulung
tablet tablet
temp temp
cci cci
michele michele
jimm jimm
techsupport techsupport
exadmin exadmin
randerson randerson
ecopy ecopy
triage triage
ecopy ecopy
pool pool
jcampbell jcampbell
labcorp labcorp
jtaylor jtaylor
dmartin dmartin
markd markd
rsvp rsvp
beadmin beadmin
ataylor ataylor
police police
backup backup
template template
presentation presentation
setup setup
jeffm jeffm
spiceworks spiceworks
labcorp labcorp
croom croom
vorlage vorlage
summit summit
exchange exchange
user2 user2
corpconf corpconf
exadmin exadmin
rrobinson rrobinson
tserver tserver
faxes faxes
faxes faxes
cmm cmm
west west
shipping shipping
SYSTRAY SYSTRAY
scanuser scanuser
besadmin besadmin
davidm davidm
labcorp labcorp
cnc cnc
faxes faxes
faxes faxes
assist assist
toshiba toshiba
labcorp labcorp
exadmin exadmin
tadmin tadmin
resumes resumes
resumes resumes
scan1 scan1
shipping shipping
adminsch adminsch
exchangeadmin exchangeadmin
debbie debbie
edi edi
kate kate
exam exam
exam2 exam2
workstation2 workstation2
trainer2 trainer2
scanner scanner
cs cs
books books
katie katie
Chief Chief
ricoh ricoh
konica konica
laurie laurie
classroom classroom
pt pt
mill mill
staff2 staff2
research research
frontdesk frontdesk
dispatch2 dispatch2
pete pete
smiller smiller
Office Office
conference conference
bookkeeper bookkeeper
sales1 sales1
router router
user1 user1
fax fax
exchadmin exchadmin
stacy stacy
oncall oncall
postgres postgres
toolroom toolroom
backups backups
ricoh ricoh
confroom confroom
production production
jake jake
kitchen kitchen
client2 client2
archive archive
ws ws
delia delia
qbdataserviceuser qbdataserviceuser
brac brac
spd spd
sonicwall sonicwall
rec rec
itadmin itadmin
pack pack
volunteer volunteer
mail mail
printer printer
south south
testing testing
testing testing
parts parts
conferenceroom conferenceroom
voicemail voicemail
reports reports
parts parts
voicemail voicemail
shipping shipping
scanner scanner
training training
watchdog watchdog
amanda amanda
user4 user4
student1 student1
lo lo
jackie jackie
scan scan
classroom classroom
client1 client1
client1 client1

If you’ve read this far, I hope it’s clear by now that the easiest way to get your systems hacked using RDP is to pick crappy credentials. Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to some third-party company that engages in this sort of sloppy security. Fortunately, a quick external port scan of your organization’s Internet address ranges should tell you if any RDP-equipped systems are enabled. Here are a few more tips on locking down RDP installations.

Readers who liked this story may also enjoy this piece — Service Sells Access to Fortune 500 Firms — which examined a similar service for selling hacked RDP systems.


46 thoughts on “Hacked Via RDP: Really Dumb Passwords

  1. haha

    I quite enjoyed that Christmas Carol remix.

    Merry Christmas and Happy Holidays, Krebs.

  2. Dennis

    Stupid is as stupid does. Wonder if one of the law firms was the one I had to clean up after they learned she’d been hacked? She told her tech guy that LogMeIn was too complicated (it locked her out after too many failed passwords!) so he switched her to a simple remote desktop connection. But he forgot to change the XP local administrator password from “administrator” that he’d set it to earlier!

    My investigation of the PC showed the remote user has used the lawyer’s computer to gain access to an internet-facing server (via Remote Desktop again!) belonging to a utility company in Texas. Guess what the administrator password of the utility company server was. That’s right…it was “administrator”! It took four phone calls to get somebody in their IT department to call me back so I could tell them they’d been breached.

    I see stupid people…

    1. Madvirgo

      ..yep, and as long as apathy and laziness are the rule of the day when it comes to personal IT asset management, you, sir, will always be in business. Frustrating as it may seem, sometimes…

  3. PC Cobbler

    I just ran into something similar with a customer. She called me, worried that her previous admin had installed a flavor of RDP on her PCs and could logon to her computers without her permission (she had a falling-out with him, I presume). I removed his backdoor, cleaned up 100+ malware with Malwarebytes, and then looked at her router. The admin had told her that there was no need for router security because her neighbors were too far away (this is a McMansion neighborhood). When I showed her my laptop which could find weak wireless service for her neighbors, her eyes widened; she never noticed that before? The admin had not even bothered to use WPA2 or set a router password; I set the passwords to something difficult. So her PCs had been ripe for the pickings, same as the ones Brian wrote about.

  4. not me

    I do like the 12 days angle!

    So it looks like a fellow could scan Comcast IP space using the first three octets in the screenshot 50.194.217.xxx, only 256 to check there for port 3389. Then use the password list supplied and see what happens?

    Hopefully Comcast has been notified so they can try and help their customers fend off the easy pickings!

    1. BrianKrebs Post author

      Possibly. But the screen shot is for RDPS currently for sale. The list of usernames and passwords I pasted is for different RDPs that were purchased at some point in the past.

      Unfortunately, none of the subnets listed in that screen shot are unique snowflakes. Scan just about any subnet and you will almost certainly find at least a handful of systems waiting for RDP connections.

    2. JCitizen

      I believe it was Comcast that has already been sued once for using insecure modems in their networks, but then these were probably not business class hardware. I run into this all the time, and it is exasperating. The crappy equipment that so many ISPs sell to their customers is always giving me headaches. I realize they are probably doing Joe six-pack a favor by at least providing a modem with a crappy firewall built in, but they should at least give everyone a choice to buy a better piece of equipment. Preferably something that isn’t already industry wide known to have vulnerabilities in the firmware, and especially in the hardware!(in Comcast’s case)

      1. Vee

        Oh god, don’t even get me started with crappy ISPs and their hardware they have people use. I made the mistake of buying a new modem (one that wasn’t built in 2004 like what they gave me) and tossed theirs without a second though. Then I had to argue over the phone to get the new modem activated and was told I was wasting my money buying a new modem on my own (they even told me they had the latest when they were 1 series behind me). Now they want 80 bucks cause I can’t return their crap I threw out.

        Oh and they claim my new modem isn’t compatible fully with DOCSIS 3.0, something my new modem supported before they even offered it. Ahaha “ok”.

        1. JCitizen

          I hear ya there Vee – sometimes I think their lawyers put them up to the huge denial that happens in some instances! >:(

          1. Vee

            I think it’s a combo of that and the fact that they probably don’t know anymore than what the company tells them. “Says to use this here on page 23, so I’m using it!”

  5. JCitizen

    Using old Windows RDP is part of the problem, VNC however can be locked down, and we used a customized secure version of it at my last contract. However, our administrator never scanned our exterior gateway to see if it was poking any holes in the perimeter either.

    I use third party, because I’m lazy – but then this company has a solid reputation for unparalleled security in RDP. I’ve gone into people’s machines where that client was compromised and it didn’t matter, because it was blocked by this solution. At least I knew that was an indication we had to cleanup that network.

    I’ve checked both perimeter gateways when I’m working with these clients, and neither location has any open ports that aren’t stealthed, so I’m pretty comfortable so far with this company. I don’t need access to the web side of any of their routers, and I still turn that off in each case. Better to simply call the client if a gateway problem exists, to get up and running again.

  6. User_XP-PRO_sp3 32 bit

    Thanks for this article, Brian!

    so…
    hoe do I DISable “RDP”.
    in XP-PRO_SP3 32 bit ?

    I don’t even know
    if “RDP” is turned on or off on my PC…

    help!

    1. JCitizen

      Google the screen shots, and you will see how to do it, but you need to make sure and turn off web side administrative access to your perimeter firewall too. I just don’t use it myself. If you have to use it, make sure your password is golden, and that the brand of gateway will let you change the User ID as well; and check to lock down guest access, if available. Make sure your modem isn’t compromised, usually a search for the model and make will let you know if anything has gone wrong in the past.

      Most folks use Gibson’s GRC site to scan their perimeters for leaks. If you have a crappy firewall modem combo, the scan will show open, or visible ports. Those damn things are worthless in my opinion!

      1. User_XP-PRO_sp3 32 bit

        Thank you JCitizen!

        All done as you indicated,
        including the Gibson GRC scan.

        Also did this: (as per MS page)
        How do I turn OFF Remote Desktop in XP?

        Right-click My Computer, click Properties, and then click the Remote tab.
        Turn OFF Remote Desktop by DEselecting the Allow users to remotely connect to this computer check box.

        Turn both check boxes to OFF.
        Done!.

  7. mechBgon

    For the home/SOHO folks using RDP: In addition to the guidance in Berkeley’s guide, you might want to also force the RDP server to use SSL. In Group Policy, that setting is in Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require use of specific security layer blah blah. Set that to SSL. In that section of Group Policy, you can also choose an encryption level (High).

    To get into the system’s local Group Policy, run gpedit.msc with a Run As Administrator. Pro/Ultimate/Enterprise/Business versions of Windows have this, and Home editions don’t, so that will rule out some of the readers.

    “Security by obscurity” isn’t a good tactic by itself, but if you are using a router/gateway that forwards ports, you can also change its external listening port to something of your own choosing (port numbers go up to 65535) and then have that directed to your RDP server’s port number. In practice, I don’t see my RDP server getting attacked (failed authentication attempts) and I credit this as the reason; it’s a non-default port way up the range. To connect to your RDP server at the new port, just tack on a colon ( : ) and the new port number when you’re connecting from your client system.

    Berkeley mentioned not allowing Admin accounts to connect via RDP. Following that train of thought, if an attacker can get in as a non-Admin, you want it to be difficult to then elevate stuff to Admin level. So make sure the system has strong passwords on all Admin accounts, that User Account Control is at least set to the “Always Notify” level (where the next step would be to make elevation arbitrarily impossible for non-Admins), and that elevation prompts require credentials on the Secure Desktop, a setting you can mandate in Local Security Policy (secpol.msc).

    1. mechBgon

      Oh, and if at all feasible, I would recommend adding Software Restriction Policy in disallowed-by-default mode to the suggestions I gave above. In the event someone did get onto your RDP system, do you want them to be able to run executables, even as a non-Admin? Uhhh…. probably NO. I have SRP-setup info at mechbgon.com/srp if this interests anyone. It requires Group Policy to set up, but Home users can at least implement Family Safety whitelisting for some protection, and that’s described there as well.

      1. JCitizen

        Thanks mechBgon! That Berkeley site is a good link, so my thanks to Brian as well!

        One thing I like about my 3rd party service, is that I don’t have to administer the RDP server and they have a way better proxy, that catches any attacks that may come from the target client/network.

    2. luc

      From a home user, with a non-english Win8 version… Could you be more precise about where to find that Group Policy?

      1. JCitizen

        You have to have a version of Win8 that has advanced administrative tools luc. In any case it is always best to web search the method of locking down your particular version of Windows 8 no matter what language it is in.

        When I owned versions of previous Windows Home products that didn’t have these features. I simply did a web search as to how to install the individual plug-ins that gave my MMC console limited function in the area in question. If this is clueless to you, you may want to simply look for 3rd party solutions to the same problem – many of them may be free, and perfectly legitimate. Check the user reviews at CNET for these reviews. I don’t count editorial reviews with much weight BTW.

        1. luc

          Thanks a lot JCitizen, this will keep me busy and make me smarter again

          Luc

  8. IA Eng

    This is quality IT personnel you are talking about. They set it and forget it. No amount of brainwashing these bozos with security awareness training is going to help the incompetent.

    I would venture to guess that even some of the larger corporations have had breaches that happened through the use of RDP. I honestly don’t see a need to have an RDP connection up 24/7/365. If some one needs remote access, they should call the point of contact and tell them to read the SOP and activate the RDP service. With a properly written SOP, a hobo or Wino off the street could do a better job then half of the IT folks who are guilty of these RDP violations.

    Obviously there is very little password documentation for most of these places. Another topic for another day. If crap hits the fan and the senior folks are left without much IT help, they may not have access to some of this gear, or would be able to elevate their own accounts if absolutely necessary. Had there been a typed password list I am sure the senior admin people – if they gave a crap, would say WTF is that !

    Programs like Superscan can scan a network and look for services that are available. Its super fast and pretty accurate. They can make a list of devices – especially servers – that have services that shouldn’t be anabled, or if so, should have a highly complicated password. Look, a password CAN be written down, as long as it is controlled and changed when an individual who had access to the “list” leaves or is canned, all should work well.

    Like anything else – if people don’t think – they will eventually will say that famous word……… DOH !

  9. TheOreganoRouter.onion

    Sorry not on my computer network your not, I do regular security audits to prevent open ports

    3389 -remote desktop A socket operation was attempted to an unreachable network 0.0.13.61:3389

    12 days of security auditing Merry Christmas Cyber-Criminals

  10. Shane M

    Why is RDP left open to the Internet anyway. At least make remote users establish a VPN connection first.

  11. RDP Hacker

    This is amazing, I have still not found any custard under the garden shed but somebody sneaked in and filled my pockets with beef stew. Incidentally it was not me who wrote my name in poo over my neighbors bed, he must be dreaming it up because my cheese and onion pasty told me. Besides even with marmalade in my socks I can tell the truth between a lie and a fib. After slipping on a banana skin and landing in my toy box my Doctor assures me that even though my chocolate starfish looks like a chewed up orange, it will get better if I keep my hands in my pockets.

  12. RDP Hacker

    Brian you stated that-Prices range from $3 to $10 based on a variety of qualities ,but i can clearly see on your screenshot that price goes up 12 $ .

  13. David

    See no mention of NLA in the article or comments. Setting the group policy that forces RDP to accept only NLA connections is the first action that should be taken by anyone exposing the service. Microsoft could create an optional Windows Update KB to make this simple for non-technical users. Better yet they could make it the default.

    Have yet to see a RDP scanner that make any effort to authenticate to NLA-only terminal servers. Dozens of hits per day on port 3389 an not a single attempt to authenticate in five or six years.

    Another long standing annoyance is that Microsoft has not added support for X.509 certificate RDP client authentication and a policy option to require it.

    1. mechBgon

      NLA _is_ enabled by default on Win8.x, and Win7 too if I recall correctly. So that’s a step in the right direction. Having NLA enabled was a mitigating protection against the MS12-020 RDP vulnerability. I would also like to see Microsoft expose more of the other options in the GUI (encryption level, SSL).

      On the main theme here, of Really Dumb Passwords, and that corporate IT are some of the culprits, I remember when I detoured my main career and became a basic I.T. drone at a non-profit for about 5 years. When I started, the Domain Administrator password was “Password,” and I could tell many other hair-raising stories o_O Information Technlogy staff are not necessarily experts, or endowed with basic common sense. These RDP faux pas are not too surprising.

      The bookkeeper there had a sticky note stuck to her monitor. It said “Never assume malice for anything that can be explained by stupidity.” Too true 😉

      Tangentially, readers who use RDP on Win7 should have a look at updating to RDP 8.0. You’ll need this hotfix installed:
      http://support.microsoft.com/kb/2574819

      then the RDP 8.0 update package:

      http://support.microsoft.com/kb/2592687

      In my case, the performance difference between RDP 7 and RDP 8 when viewing surveillance cameras over RDP was profound. It’s worth the upgrade.

  14. TJ

    This is a rookie mistake. I hope IT leaders in these organizations were fired!

  15. Vebjørn Lien

    I think the “jbrown/jbrown” combinaton is OK if it is used as a tribute to the one and only James Brown.

  16. Sue Young

    Why bother to scan residential ranges when Shodan has already done it for you? Shodan hits my range every month or so. Since I work in vulnerability management I check my employer’s ranges as well. I’ve found insecure business partner systems with Shodan too. You should not only protect RDP, you should not have Netbios on the internet either but many people do.

    It’s funny when the lab people say they have no outside connections and I show them their vpn on Shodan. Check all your routable ip ranges at http://www.shodanhq.com even if you don’t think you have any live systems facing outside.

  17. Charlie Griffith

    Brian Krebs…I’ve been following your notes/posts since your Washington Post days, and I’m a Firefox user via my new iMac, hence I’d forwarded a screen shot of the top part of this article to my friend Sam [yes, that’s his real name, but I’ll protect his full name and address] who responded:

    “Oh it’s real! An Indian fella called the house the other evening saying he was from “windows” and he could detect a problem with my computer and asked a couple questions. DING DING DING. I smelled his fraud immediately, and let him know it!

    Sad problem is, some folks probably answer that call and believe it.

    Regards,
    Sam….” [end paste.]

    Frankly, I’ve wondered what those Indian call center guys did privately and individually [regardless of whoever pays their contracted wages] with the data they see in front of them on their screens when we type out our “chat” sentences….typed because of their impossible staccato oral accents. I’ve stopped using them altogether.

    Stay safe, Brian Krebs.

    1. Gregg19809

      I was told my my daughter this morning that she got a call from some foreign guy (Indian) gave her the song and dance that her computer had been compromised, and he needed access to her laptop to correct the problem. Fortunately she didn’t belive thd guy ang bailed on him.

  18. KrebsRecycles

    Brian, are you sure you found this yourself? Looks like you stole this article from a September 23rd from http://www.elmundo.es. Must be nice to sit in a comfy chair, recycling others work and calling it your own, taking credit for it and of course leaking it to the idiotic public.

    1. brian krebs

      err..what? Yes, you caught me: I secretly get all my cybercrime underground goings-on stories from the dead tree goliaths. I particularly love poaching stories from the mainstream Spanish media!

  19. deincognito

    Hi, Brian

    It is true that was published in Spain a long time ago.

    http://www.europapress.es/nacional/noticia-audiencia-nacional-alerta-miles-afectados-ordenadores-sido-afectados-virus-policia-20130927150339.html

    What you may be don´t know is that these compromised machines were used to launder money gained by police ramsonware gang.

    Check the last slides of this presentation of Policia Nacional in ENISE event organize by INTECO, Spanish national CERT for the private sector.

    http://enise.inteco.es/file/eOUOUmxOiUeTTiloLlLYrA

    My guess is that they are piggy bagging on Paypal and onlike poker users available on compromised machines to load them money and they pay stuff to themselves or lose money playing poker against themselves.

    Cheers

  20. joebob2000

    | sort | uniq > list.txt much there, bk?

    Anyway, the best one was definitely “sophos sophos”… Seems that even someone setting up a security appliance can’t be bothered to think for more than 8 seconds about what a good password would be. Every time I think that accreditation like CISSP might be overkill, the world invents a better “Security expert”.

Comments are closed.