February, 2019


6
Feb 19

More Alleged SIM Swappers Face Justice

Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who’s built a solid reputation hijacking mobile phone numbers for profit.

According to indictments unsealed this week, Tucson, Ariz. resident Ahmad Wagaafe Hared and Matthew Gene Ditman of Las Vegas were part of a group that specialized in tricking or bribing representatives at the major wireless providers into giving them control over phone numbers belonging to people they later targeted for extortion and theft.

Investigators allege that between October 2016 and May 2018, Hared and Ditman grew proficient at SIM swapping, a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.

The Justice Department says Hared was better known to his co-conspirators as “winblo.” That nickname corresponds to an extremely active and at one time revered member of the forum ogusers[.]com, a marketplace for people who wish to sell highly prized social media account names — including short usernames at Twitter, Instagram and other sites that can fetch thousands of dollars apiece.

Winblo’s account on ogusers[.]com

Winblo was an associate and business partner of another top Oguser member, a serial SIM swapper known to Oguser members as “Xzavyer.” In August 2018, authorities in California arrested a hacker by the same name — whose real name is Xzavyer Clemente Narvaez — charging him with identity theft, grand theft, and computer intrusion.

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at > $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car.

According to the indictments against Hared and Ditman, one of the men (the indictment doesn’t specify which) allegedly used his ill-gotten gains to purchase a BMW i8, an automobile that sells for about $150,000.

Investigators also say the two men stole approximately 40 bitcoins from their SIM swapping victims. That’s roughly $136,000 in today’s conversion, but it would have been substantially more in 2017 when the price of a single bitcoin reached nearly $20,000.

Interestingly, KrebsOnSecurity was contacted in 2018 by a California man who said he was SIM swapped by Winblo and several associates. That victim, who asked not to be identified for fear of reprisals, said his Verizon mobile number was SIM hijacked by Winblo and others who used that access to take over his Twitter and PayPal accounts and then demand payment for the return of the accounts.

A computer specialist by trade, the victim said he was targeted because he’d invested in a cryptocurrency startup, and that the hackers found his contact information from a list of investors they’d somehow obtained. As luck would have it, he didn’t have much of value to steal in his accounts.

The victim said he learned more about his tormentors and exactly how they’d taken over his mobile number after they invited him to an online chat to negotiate a price for the return of his accounts.

“They told me they had called a Verizon employee line [posing as a Verizon employee] and managed to get my Verizon account ID number,” said my victim source. “Once they had that, they called Verizon customer service and had them reset the password. They literally just called and pretended to be me, and were able to get my account tied to another SIM card.”

The victim said his attackers even called his mom because the mobile account was in her name. Soon after that, his phone went dead.

“The funny thing was, after I got my account back the next day, there was a voicemail from a Verizon customer service agent who said something like, ‘Hey [omitted], heard you were having trouble with your line, hope the new SIM card is working okay, give us a call if not, have a nice day.'” Continue reading →


4
Feb 19

Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 — an adversary that’s been dubbed “Spammy Bear” —  achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy’s hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company’s automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.

Very soon after that story ran, GoDaddy said it had put in place a fix for the problem, and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.

As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.

“What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation,” MyOnlineSecurity observed. “There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.”

A “passive DNS” lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.

In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.

“The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep,” GoDaddy spokesperson Dan Race said. “While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed.”

“We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns,” Race continued. “However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse.”

That email address is likely to receive quite a few tips in the short run. Virus Bulletin editor Martijn Grooten this week published his analysis on a January 29 malware email campaign that came disguised as a shipping notice from UPS. Grooten said the spam intercepted from that campaign included links to an Internet address that was previously used to distribute GandCrab, and that virtually all of the domains seen sending the fake UPS notices used one of two pairs of DNS servers managed by GoDaddy.

“The majority of domains, which we think had probably had their DNS compromised, still point to the same IP address though,” Grooten wrote. That IP address is currently home to a Web site that sells stolen credit card data.

The fake UPS message used in a Jan. 29 Gand Crab malware spam campaign. Source: Virus Bulletin.

Grooten told KrebsOnSecurity he suspects criminals may have succeeded at actually compromising several of GoDaddy’s hosted DNS servers. For one thing, he said, the same pair (sometimes two pairs) of name servers keep appearing in the same campaign.

“In quite a few campaigns we saw domains used that were alphabetically close, [and] there are other domains used that had moved away from GoDaddy before these campaigns, yet were still used,” Grooten said. “It’s also interesting to note that hundreds — and perhaps thousands — of domains had their DNS changed within a short period of time. Such a thing is hard to do if you have to log into individual accounts.”

GoDaddy said there has been no such breach.

“Our DNS servers have not been compromised,” Race said. “The examples provided were dangled domains that had zone files created by the threat actor prior to when we implemented our mitigation on January 23. These domain names were parked until the threat actors activated them. They had the ability to do that because they owned the zone files already. We’re continuing to review customer accounts for other potential zone entries.”
Continue reading →


1
Feb 19

250 Webstresser Users to Face Legal Action

More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union’s law enforcement agency.

In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.

Webstresser.org (formerly Webstresser.co), as it appeared in 2017.

In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned.

The focus on Webstresser’s customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline.

Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites.

This seizure notice appeared on the homepage of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites in December 2018.

Continue reading →