Breadcrumbs


18
Apr 19

Wipro Intruders Targeted Other Major IT Firms

The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

A screen shot of the Wipro phishing site securemail.wipro.com.internal-message[.]app. Image: urlscan.io

In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs, telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers, a well-known bulletproof hosting company based in Russia.

According to records maintained by Farsight Security, that address is home to a number of other likely phishing domains:

securemail.pcm.com.internal-message[.]app
secure.wipro.com.internal-message[.]app
securemail.wipro.com.internal-message[.]app
secure.elavon.com.internal-message[.]app
securemail.slalom.com.internal-message[.]app
securemail.avanade.com.internal-message[.]app
securemail.infosys.com.internal-message[.]app
securemail.searshc.com.internal-message[.]app
securemail.capgemini.com.internal-message[.]app
securemail.cognizant.com.internal-message[.]app
secure.rackspace.com.internal-message[.]app
securemail.virginpulse.com.internal-message[.]app
secure.expediagroup.com.internal-message[.]app
securemail.greendotcorp.com.internal-message[.]app
secure.bridge2solutions.com.internal-message[.]app
ns1.internal-message[.]app
ns2.internal-message[.]app
mail.internal-message[.]app
ns3.microsoftonline-secure-login[.]com
ns4.microsoftonline-secure-login[.]com
tashabsolutions[.]xyz
www.tashabsolutions[.]xyz

The subdomains listed above suggest the attackers may also have targeted American retailer Sears; Green Dot, the world’s largest prepaid card vendor; payment processing firm Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information.

WHAT ARE THEY AFTER?

It appears the attackers in this case are targeting companies that in one form or another have access to either a ton of third-party company resources, and/or companies that can be abused to conduct gift card fraud.

Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

Another source said the investigation into the Wipro breach by a third party company has determined so far the intruders compromised more than 100 Wipro systems  and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

This is remarkably similar to activity that was directed against a U.S. based company in 2016 and 2017. In May 2018, Maritz Holdings Inc., a Missouri-based firm that handles customer loyalty and gift card programs for third-parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards. Continue reading →


2
Apr 19

Canadian Police Raid ‘Orcus RAT’ Author

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity. Continue reading →


4
Mar 19

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A (redacted) screen shot shared by the apparent hacker who was selling access to usernames and passwords for customers of multiple data-search Web sites.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggests a singular reason this network of data-search Web sites changed their support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

Jesse Willms’ Linkedin profile.

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38. Continue reading →


17
Jan 19

773M Password ‘Megabreach’ is Years Old

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:

The 87GB “Collection1” archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific ne’er-do-well in the underground.

As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.

Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.

Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

“It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password). Continue reading →


4
Nov 18

Who’s In Your Online Shopping Cart?

Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that was obvious even to the untrained eye. These days, a compromised e-commerce site is more likely to be seeded with a tiny snippet of code that invokes a hostile domain which appears harmless or that is virtually indistinguishable from the hacked site’s own domain.

Before going further, I should note that this post includes references to domains that are either compromised or actively stealing user data. Although the malcode implanted on these sites is not designed to foist malicious software on visitors, please be aware that this could change at a moment’s notice. Anyone seeking to view the raw code on sites referenced here should proceed with caution; using an online source code viewer like this one can let readers safely view the HTML code on any Web page without actually rendering it in a Web browser.

As its name suggests, asianfoodgrocer-dot-com offers a range of comestibles. It also currently includes a spicy bit of card-skimming code that is hosted on the domain zoobashop-dot-com. In this case, it is easy to miss the malicious code when reviewing the HTML source, as it fits neatly into a single, brief line of code.

Zoobashop is also a presently hacked e-commerce site. Based in Accra, Ghana, zoobashop bills itself as Ghana’s “largest online store.” In addition to offering great deals on a range of electronics and home appliances, it is currently serving a tiny obfuscated script called “js.js” that snarfs data submitted into online forms.

As sneaky as this attack may be, the hackers in this case did not go out of their way to make the domain hosting the malicious script blend in with the surrounding code. However, increasingly these data-slurping scripts are hidden behind fully fraudulent https:// domains that are custom-made to look like they might be associated with content delivery networks (CDNs) or web-based scripts, and include terms like “jquery,” “bootstrap,” and “js.”

Publicwww.com is a handy online service that lets you search the Web for sites running snippets of specific code. Searching publicwww.com for sites pulling code from bootstrap-js-dot-com currently reveals more than 50 e-commerce sites seeded with this malicious script. A search at publicwww for the malcode hosted at js-react-dot-com indicates the presence of this code on at least a dozen online merchants.

Sometimes, the malicious domain created to host a data-snarfing script mimics the host domain by referencing a doppelganger Web site name. For example, check out the source code for the e-commerce site bargainjunkie-dot-com and you’ll notice at the bottom that it pulls a malicious script from the domain “bargalnjunkie-dot-com,” where the “i” in “bargain” is sneakily replaced with a lowercase “L”.

In many cases, running a reverse search for other domain names where the doppelganger domain is hosted reveals additional compromised hosts, or other methods of compromising them. For example, the look-alike domain bargalnjunkie-dot-com is hosted on the address 46.161.40.49, which is the home to several domains, including payselector-dot-com and billgetstatus-dot-com.

Payselector-dot-com and billgetstatus-dot-com were apparently registered so that they appear related to online payment services. But both of these domains actually host complex malicious scripts that are loaded in an obfuscated way on a number of Web sites — including the ballet enthusiast store balletbeautiful-dot-com. Interestingly, the Internet address hosting the payselector and billgetstatus domains — the aforementioned 46.161.40.49 — also hosts the doppelganger domain “balletbeautlful-dot-com,” again with the “i” replaced by a lowercase “L”. Continue reading →


22
Oct 18

Who Is Agent Tesla?

A powerful, easy-to-use password stealing program known as Agent Tesla has been infecting computers since 2014, but recently this malware strain has seen a surge in popularity — attracting more than 6,300 customers who pay subscription fees to license the software. Although Agent Tesla includes a multitude of features designed to help it remain undetected on host computers, the malware’s apparent creator seems to have done little to hide his real-life identity.

The proprietors of Agent Tesla market their product at agenttesla-dot-com, selling access to the software in licenses paid for via bitcoin, for prices ranging from $15 to $69 depending on the desired features.

The Agent Tesla Web site emphasizes that the software is strictly “for monitoring your personel [sic] computer.” The site’s “about” page states that Agent Tesla “is not a malware. Please, don’t use for computers which is not access permission.” To backstop this disclaimer, the site warns that any users caught doing otherwise will have their software licenses revoked and subscriptions canceled.

At the same time, the Agent Tesla Web site and its 24/7 technical support channel (offered via Discord) is replete with instances of support personnel instructing users on ways to evade antivirus software detection, use software vulnerabilities to deploy the product, and secretly bundle the program inside of other file types, such as images, text, audio and even Microsoft Office files.

A description of some of the options posted to the Agent Tesla sales Web site.

In August 2018, computer security firm LastLine said it witnessed a 100 percent increase in Agent Tesla instances detected in the wild over just a three month period.

“Acting as a fully-functional information stealer, it is capable of extracting credentials from different browsers, mail, and FTP clients,” LastLine wrote. “It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”

Most of the options included in Agent Tesla revolve around stealth, persistence, evading security tools, spreading to other computers, or tampering with system settings.

I CAN HAZ TESLA

The earliest versions of Agent Tesla were made available for free via a Turkish-language WordPress site that oddly enough remains online (agenttesla.wordpress-dot-com), although its home page now instructs users to visit the current AgentTesla-dot-com domain. Not long after that WordPress site was erected, its author(s) began charging for the software, accepting payments via a variety of means, including PayPal, Bitcoin and even wire transfer to several bank accounts in Turkey.

Historic WHOIS Web site registration records maintained by Domaintools.com show that the current domain for the software — agenttesla-dot-com — was registered in 2014 to a young man from Antalya, Turkey named Mustafa can Ozaydin, and to the email address mcanozaydin@gmail.com. Sometime in mid-2016 the site’s registration records were hidden behind WHOIS privacy services [full disclosure: Domaintools is a previous advertiser on KrebsOnSecurity].

That Gmail address is tied to a Youtube.com account for a Turkish individual by the same name who has uploaded exactly three videos over the past four years. In one of them, uploaded in October 2017 and titled “web panel,” Mr. can Ozaydin demonstrates how to configure a Web site. At around 3:45 in the video, we can see the purpose of this demonstration is to show people one way to install an Agent Tesla control panel to keep track of systems infected with the malware.

Incidentally, the administrator of the 24/7 live support channel for Agent Tesla users at one point instructed customers to view this same video if they were having trouble figuring out how to deploy the control panel.

The profile picture shown in that Youtube account is remarkably similar to the one displayed on the Twitter account “MCanOZAYDIN.” This Twitter profile makes no mention of Agent Tesla, but it does state that Mustafa can Ozaydin is an “information technology specialist” in Antalya, Turkey.

That Twitter profile also shows up on a Facebook account for a Mustafa can Ozaydin from Turkey. A LinkedIn profile for a person by the same name from Antalya, Turkey states that Mr. can Ozaydin is currently a “systems support expert” for Memorial Healthcare Group, a hospital in Istanbul.

KrebsOnSecurity first reached out for comment to all of these accounts back in August 2018, but received no reply. Repeated attempts to reach those accounts this past week also elicited no response. Continue reading →


25
Aug 18

Who’s Behind the Screencam Extortion Scam?

The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, it’s likely that additional spammers and scammers piled on with their own versions of the phishing email after noticing that some recipients were actually paying up. The truth is we may never find out who’s responsible, but it’s still fun to follow some promising leads and see where they take us.

On August 7, 2018, a user on the forum of free email service hMailServer posted a copy of the sextortion email he received, noting that it included a password he’d formerly used online.

Helpfully, this user pasted a great deal of information from the spam email message, including the domain name from which it was sent (williehowell-dot-com) and the Internet address of the server that sent the message (46.161.42.91).

A look at the other domain names registered to this IP address block 46.161.42.x reveals some interesting patterns:

46.161.42.51 mail25.uscourtsgov[.]com
46.161.42.52 mail24.uscourtsgov[.]com
46.161.42.53 mail23.uscourtsgov[.]com
46.161.42.54 mail22.uscourtsgov[.]com
46.161.42.55 mail21.uscourtsgov[.]com
46.161.42.56 mail20.uscourtsgov[.]com
46.161.42.57 mail19.uscourtsgov[.]com
46.161.42.58 mail18.uscourtsgov[.]com
46.161.42.59 mail17.uscourtsgov[.]com
46.161.42.60 mail16.uscourtsgov[.]com
46.161.42.61 mail15.uscourtsgov[.]com
46.161.42.62 mail14.uscourtsgov[.]com
46.161.42.63 mail13.uscourtsgov[.]com
46.161.42.64 mail12.uscourtsgov[.]com
46.161.42.65 mail11.uscourtsgov[.]com
46.161.42.66 mail10.uscourtsgov[.]com
46.161.42.67 mail9.uscourtsgov[.]com
46.161.42.68 mail8.uscourtsgov[.]com
46.161.42.69 mail7.uscourtsgov[.]com
46.161.42.70 mail6.uscourtsgov[.]com
46.161.42.71 mail5.uscourtsgov[.]com
46.161.42.72 mail4.uscourtsgov[.]com
46.161.42.73 mail3.uscourtsgov[.]com
46.161.42.74 mail2.uscourtsgov[.]com
46.161.42.75 mail1.uscourtsgov[.]com
46.161.42.76 mail[.]commarysmith[.]com
46.161.42.77 mail.joancooper[.]com
46.161.42.78 mail.florencewoods[.]com
46.161.42.79 mail.ednawest[.]com
46.161.42.80 mail.ethelwebb[.]com
46.161.42.81 mail.eleanorhunt[.]com
46.161.42.82 mail.sallypierce[.]com
46.161.42.83 mail.reginaberry[.]com
46.161.42.84 mail.junecarroll[.]com
46.161.42.85 mail.robertaharper[.]com
46.161.42.86 mail.reneelane[.]com
46.161.42.87 mail.almaaustin[.]com
46.161.42.88 mail.elsiekelley[.]com
46.161.42.89 mail.vickifields[.]com
46.161.42.90 mail.ellaoliver[.]com
46.161.42.91 mail.williehowell[.]com
46.161.42.92 mail.veramccoy[.]com
46.161.42.93 mail.agnesbishop[.]com
46.161.42.94 mail.tanyagilbert[.]com
46.161.42.95 mail.mattiehoffman[.]com
46.161.42.96 mail.hildahopkins[.]com
46.161.42.97 beckymiles[.]com
46.161.42.98 mail.fayenorris[.]com
46.161.42.99 mail.joannaleonard[.]com
46.161.42.100 mail.rosieweber[.]com
46.161.42.101 mail.candicemanning[.]com
46.161.42.102 mail.sherirowe[.]com
46.161.42.103 mail.leticiagoodman[.]com
46.161.42.104 mail.myrafrancis[.]com
46.161.42.105 mail.jasminemaxwell[.]com
46.161.42.106 mail.eloisefrench[.]com

Search Google for any of those two-name domains above (e.g., fayenorris-dot-com) and you’ll see virtually all of them were used in these sextortion emails, and most were registered at the end of May 2018 through domain registrar Namecheap.

Notice the preponderance of the domain uscourtsgov-dot-com in the list above. All of those two-name domains used domain name servers (DNS servers) from uscourtsgov-dot-com at the time these emails were sent. In early June 2018, uscourtsgov-dot-com was associated with a Sigma ransomware scam delivered via spam. Victims who wanted their files back had to pay a bitcoin ransom.

In the months just before either the password-laced sextortion scam or the uscourtsgov-dot-com ransomware scam, uscourtsgov-com was devoid of content, aside from a message promoting the spamming services of the web site mtaexpert-dot-info. Uscourtsgov-dot-com is now offline, but it was active as of two weeks ago. Here’s what its homepage looked like:

The domain uscourtsgov-dot-com was redirecting visitors to mtaexpert-dot-info for many months up to and including the sextortion email campaign. Image: Domaintools.com

Interestingly, this same message promoting mtaexpert-dot-info appeared on the homepages of many other two-name domain names mentioned above (including fayenorris-dot-com):

Like uscourtsgov-dot-com, Fayenorris-dot-com also urged visitors to go to mtaexpert-dot-info.

Continue reading →


29
May 18

Will the Real Joker’s Stash Come Forward?

For as long as scam artists have been around so too have opportunistic thieves who specialize in ripping off other scam artists. This is the story about a group of Pakistani Web site designers who apparently have made an impressive living impersonating some of the most popular and well known “carding” markets, or online stores that sell stolen credit cards.

An ad for new stolen cards on Joker’s Stash.

One wildly popular carding site that has been featured in-depth at KrebsOnSecurity — Joker’s Stash — brags that the millions of credit and debit card accounts for sale via their service were stolen from merchants firsthand.

That is, the people running Joker’s Stash say they are hacking merchants and directly selling card data stolen from those merchants. Joker’s Stash has been tied to several recent retail breaches, including those at Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton HotelsJason’s Deli, Whole Foods, Chipotle and Sonic. Indeed, with most of these breaches, the first signs that any of the companies were hacked was when their customers’ credit cards started showing up for sale on Joker’s Stash.

Joker’s Stash maintains a presence on several cybercrime forums, and its owners use those forum accounts to remind prospective customers that its Web site — jokerstash[dot]bazar — is the only way in to the marketplace.

The administrators constantly warn buyers to be aware there are many look-alike shops set up to steal logins to the real Joker’s Stash or to make off with any funds deposited with the impostor carding shop as a prerequisite to shopping there.

But that didn’t stop a prominent security researcher (not this author) from recently plunking down $100 in bitcoin at a site he thought was run by Joker’s Stash (jokersstash[dot]su). Instead, the proprietors of the impostor site said the minimum deposit for viewing stolen card data on the marketplace had increased to $200 in bitcoin.

The researcher, who asked not to be named, said he obliged with an additional $100 bitcoin deposit, only to find that his username and password to the card shop no longer worked. He’d been conned by scammers scamming scammers.

As it happens, prior to hearing from this researcher I’d received a mountain of research from Jett Chapman, another security researcher who swore he’d unmasked the real-world identity of the people behind the Joker’s Stash carding empire.

Chapman’s research, detailed in a 57-page report shared with KrebsOnSecurity, pivoted off of public information leading from the same jokersstash[dot]su that ripped off my researcher friend.

“I’ve gone to a few cybercrime forums where people who have used jokersstash[dot]su that were confused about who they really were,” Chapman said. “Many of them left feedback saying they’re scammers who will just ask for money to deposit on the site, and then you’ll never hear from them again.”

But the conclusion of Chapman’s report — that somehow jokersstash[dot]su was related to the real criminals running Joker’s Stash — didn’t ring completely accurate, although it was expertly documented and thoroughly researched. So with Chapman’s blessing, I shared his report with both the researcher who’d been scammed and a law enforcement source who’d been tracking Joker’s Stash.

Both confirmed my suspicions: Chapman had unearthed a vast network of sites registered and set up over several years to impersonate some of the biggest and longest-running criminal credit card theft syndicates on the Internet. Continue reading →


18
Apr 18

A Sobering Look at Fake Online Reviews

In 2016, KrebsOnSecurity exposed a network of phony Web sites and fake online reviews that funneled those seeking help for drug and alcohol addiction toward rehab centers that were secretly affiliated with the Church of Scientology. Not long after the story ran, that network of bogus reviews disappeared from the Web. Over the past few months, however, the same prolific purveyor of these phantom sites and reviews appears to be back at it again, enlisting the help of Internet users and paying people $25-$35 for each fake listing.

Sometime in March 2018, ads began appearing on Craigslist promoting part-time “social media assistant” jobs, in which interested applicants are directed to sign up for positions at seorehabs[dot]com. This site promotes itself as “leaders in addiction recovery consulting,” explaining that assistants can earn a minimum of $25 just for creating individual Google for Business listings tied to a few dozen generic-sounding addiction recovery center names, such as “Integra Addiction Center,” and “First Exit Recovery.”

The listing on Craigslist.com advertising jobs for creating fake online businesses tied to addiction rehabilitation centers.

Applicants who sign up are given detailed instructions on how to step through Google’s anti-abuse process for creating listings, which include receiving a postcard via snail mail from Google that contains a PIN which needs to be entered at Google’s site before a listing can be created.

Assistants are cautioned not to create more than two listings per street address, but otherwise to use any U.S.-based street address and to leave blank the phone number and Web site for the new business listing.

A screen shot from Seorehabs’ instructions for those hired to create rehab center listings.

In my story Scientology Seeks Captive Converts Via Google Maps, Drug Rehab Centers, I showed how a labyrinthine network of fake online reviews that steered Internet searches toward rehab centers funded by Scientology adherents was set up by TopSeek Inc., which bills itself as a collection of “local marketing experts.” According to LinkedIn, TopSeek is owned by John Harvey, an individual (or alias) who lists his address variously as Sacramento, Calif. and Hawaii.

Although the current Web site registration records from registrar giant Godaddy obscure the information for the current owner of seorehabs[dot]com, a historic WHOIS search via DomainTools shows the site was also registered by John Harvey and TopSeek in 2015. Mr. Harvey did not respond to requests for comment. [Full disclosure: DomainTools previously was an advertiser on KrebsOnSecurity].

TopSeek’s Web site says it works with several clients, but most especially Narconon International — an organization that promotes the rather unorthodox theories of Scientology founder L. Ron Hubbard regarding substance abuse treatment and addiction.

As described in Narconon’s Wikipedia entry, Narconon facilities are known not only for attempting to win over new converts to Scientology, but also for treating all substance abuse addictions with a rather bizarre cocktail consisting mainly of vitamins and long hours in extremely hot saunas. Their Wiki entry documents multiple cases of accidental deaths at Narconon facilities, where some addicts reportedly died from overdoses of vitamins or neglect. Continue reading →


13
Dec 17

Mirai IoT Botnet Co-Authors Plead Guilty

The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called “Internet of Things” devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site).

Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania.

Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks.

CLICK FRAUD BOTNET

In addition, the Mirai co-creators pleaded guilty to charges of using their botnet to conduct click fraud — a form of online advertising fraud that will cost Internet advertisers more than $16 billion this year, according to estimates from ad verification company Adloox. 

The plea agreements state that Jha, White and another person who also pleaded guilty to click fraud conspiracy charges — a 21-year-old from Metairie, Louisiana named Dalton Norman — leased access to their botnet for the purposes of earning fraudulent advertising revenue through click fraud activity and renting out their botnet to other cybercriminals.

As part of this scheme, victim devices were used to transmit high volumes of requests to view web addresses associated with affiliate advertising content. Because the victim activity resembled legitimate views of these websites, the activity generated fraudulent profits through the sites hosting the advertising content, at the expense of online advertising companies.

Jha and his co-conspirators admitted receiving as part of the click fraud scheme approximately two hundred bitcoin, valued on January 29, 2017 at over $180,000.

Prosecutors say Norman personally earned over 30 bitcoin, valued on January 29, 2017 at approximately $27,000. The documents show that Norman helped Jha and White discover new, previously unknown vulnerabilities in IoT devices that could be used to beef up their Mirai botnet, which at its height grew to more than 300,000 hacked devices.

MASSIVE ATTACKS

The Mirai malware is responsible for coordinating some of the largest and most disruptive online attacks the Internet has ever witnessed. The biggest and first to gain widespread media attention began on Sept. 20, 2016, when KrebsOnSecurity came under a sustained distributed denial-of-service attack from more than 175,000 IoT devices (the size estimates come from this Usenix paper (PDF) on the Mirai botnet evolution).

That September 2016 digital siege maxed out at 620 Gbps, almost twice the size of the next-largest attack that Akamai — my DDoS mitigation provider at the time — had ever seen.

Continue reading →