The Coming Storm


21
Mar 19

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Continue reading →


8
Mar 19

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (Trans Union and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, that I should be ready to provide said information if I was requesting changes via phone or email. 

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).

Happily, I did discover then when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said..

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.” Continue reading →


18
Feb 19

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

Before we delve into the extensive research that culminated in this post, it’s helpful to review the facts disclosed publicly so far. On Nov. 27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “DNSpionage.”

The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains (e.g. webmail.finance.gov.lb), which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text.

On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign, but contained few additional details about its victims.

About the same time as the FireEye report, the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. As part of that mandate, DHS published a short list of domain names and Internet addresses that were used in the DNSpionage campaign, although those details did not go beyond what was previously released by either Cisco Talos or FireEye.

That changed on Jan. 25, 2019, when security firm CrowdStrike published a blog post listing virtually every Internet address known to be (ab)used by the espionage campaign to date. The remainder of this story is based on open-source research and interviews conducted by KrebsOnSecurity in an effort to shed more light on the true extent of this extraordinary — and ongoing — attack.

The “indicators of compromise” related to the DNSpionage campaign, as published by CrowdStrike.

PASSIVE DNS

I began my research by taking each of the Internet addresses laid out in the CrowdStrike report and running them through both Farsight Security and SecurityTrails, services that passively collect data about changes to DNS records tied to tens of millions of Web site domains around the world.

Working backwards from each Internet address, I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies, including targets in Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Saudi Arabia and the United Arab Emirates.

For example, the passive DNS data shows the attackers were able to hijack the DNS records for mail.gov.ae, which handles email for government offices of the United Arab Emirates. Here are just a few other interesting assets successfully compromised in this cyber espionage campaign:

-nsa.gov.iq: the National Security Advisory of Iraq
-webmail.mofa.gov.ae: email for the United Arab Emirates’ Ministry of Foreign Affairs
-shish.gov.al: the State Intelligence Service of Albania
-mail.mfa.gov.eg: mail server for Egypt’s Ministry of Foreign Affairs
-mod.gov.eg: Egyptian Ministry of Defense
-embassy.ly: Embassy of Libya
-owa.e-albania.al: the Outlook Web Access portal for the e-government portal of Albania
-mail.dgca.gov.kw: email server for Kuwait’s Civil Aviation Bureau
-gid.gov.jo: Jordan’s General Intelligence Directorate
-adpvpn.adpolice.gov.ae: VPN service for the Abu Dhabi Police
-mail.asp.gov.al: email for Albanian State Police
-owa.gov.cy: Microsoft Outlook Web Access for Government of Cyprus
-webmail.finance.gov.lb: email for Lebanon Ministry of Finance
-mail.petroleum.gov.eg: Egyptian Ministry of Petroleum
-mail.cyta.com.cy: Cyta telecommunications and Internet provider, Cyprus
-mail.mea.com.lb: email access for Middle East Airlines

The passive DNS data provided by Farsight and SecurityTrails also offered clues about when each of these domains was hijacked. In most cases, the attackers appear to have changed the DNS records for these domains (we’ll get to the “how” in a moment) so that the domains pointed to servers in Europe that they controlled.

Shortly after the DNS records for these TLDs were hijacked — sometimes weeks, sometimes just days or hours — the attackers were able to obtain SSL certificates for those domains from SSL providers Comodo and/or Let’s Encrypt. The preparation for several of these attacks can be seen at crt.sh, which provides a searchable database of all new SSL certificate creations.

Let’s take a closer look at one example. The CrowdStrike report references the Internet address 139.59.134[.]216 (see above), which according to Farsight was home to just seven different domains over the years. Two of those domains only appeared at that Internet address in December 2018, including domains in Lebanon and — curiously — Sweden.

The first domain was “ns0.idm.net.lb,” which is a server for the Lebanese Internet service provider IDM. From early 2014 until December 2018, ns0.idm.net.lb pointed to 194.126.10[.]18, which appropriately enough is an Internet address based in Lebanon. But as we can see in the screenshot from Farsight’s data below, on Dec. 18, 2018, the DNS records for this ISP were changed to point Internet traffic destined for IDM to a hosting provider in Germany (the 139.59.134[.]216 address).

Source: Farsight Security

Notice what else is listed along with IDM’s domain at 139.59.134[.]216, according to Farsight:

The DNS records for the domains sa1.dnsnode.net and fork.sth.dnsnode.net also were changed from their rightful home in Sweden to the German hosting provider controlled by the attackers in December. These domains are owned by Netnod Internet Exchange, a major global DNS provider based in Sweden. Netnod also operates one of the 13 “root” name servers, a critical resource that forms the very foundation of the global DNS system.

We’ll come back to Netnod in a moment. But first let’s look at another Internet address referenced in the CrowdStrike report as part of the infrastructure abused by the DNSpionage hackers: 82.196.11[.]127. This address in The Netherlands also is home to the domain mmfasi[.]com, which Crowdstrike says was one of the attacker’s domains that was used as a DNS server for some of the hijacked infrastructure.

As we can see in the screenshot above, 82.196.11[.]127 was temporarily home to another pair of Netnod DNS servers, as well as the server “ns.anycast.woodynet.net.” That domain is derived from the nickname of Bill Woodcock, who serves as executive director of Packet Clearing House (PCH).

PCH is a nonprofit entity based in northern California that also manages significant amounts of the world’s DNS infrastructure, particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage. Continue reading →


4
Feb 19

Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 — an adversary that’s been dubbed “Spammy Bear” —  achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy’s hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company’s automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.

Very soon after that story ran, GoDaddy said it had put in place a fix for the problem, and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.

As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.

“What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation,” MyOnlineSecurity observed. “There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.”

A “passive DNS” lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.

In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.

“The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep,” GoDaddy spokesperson Dan Race said. “While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed.”

“We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns,” Race continued. “However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse.”

That email address is likely to receive quite a few tips in the short run. Virus Bulletin editor Martijn Grooten this week published his analysis on a January 29 malware email campaign that came disguised as a shipping notice from UPS. Grooten said the spam intercepted from that campaign included links to an Internet address that was previously used to distribute GandCrab, and that virtually all of the domains seen sending the fake UPS notices used one of two pairs of DNS servers managed by GoDaddy.

“The majority of domains, which we think had probably had their DNS compromised, still point to the same IP address though,” Grooten wrote. That IP address is currently home to a Web site that sells stolen credit card data.

The fake UPS message used in a Jan. 29 Gand Crab malware spam campaign. Source: Virus Bulletin.

Grooten told KrebsOnSecurity he suspects criminals may have succeeded at actually compromising several of GoDaddy’s hosted DNS servers. For one thing, he said, the same pair (sometimes two pairs) of name servers keep appearing in the same campaign.

“In quite a few campaigns we saw domains used that were alphabetically close, [and] there are other domains used that had moved away from GoDaddy before these campaigns, yet were still used,” Grooten said. “It’s also interesting to note that hundreds — and perhaps thousands — of domains had their DNS changed within a short period of time. Such a thing is hard to do if you have to log into individual accounts.”

GoDaddy said there has been no such breach.

“Our DNS servers have not been compromised,” Race said. “The examples provided were dangled domains that had zone files created by the threat actor prior to when we implemented our mitigation on January 23. These domain names were parked until the threat actors activated them. They had the ability to do that because they owned the zone files already. We’re continuing to review customer accounts for other potential zone entries.”
Continue reading →


23
Jan 19

How the U.S. Govt. Shutdown Harms Security

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come.

One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.”

“The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

The source said his agency can’t even get agents and analysts the higher clearances needed for sensitive cases because everyone who does the clearance processing is furloughed.

“Investigators who are eligible to retire or who simply wish to walk away from their job aren’t retiring or quitting now because they can’t even be processed out due to furlough of the organization’s human resources people,” the source said. “These are criminal investigations involving national security. It’s also a giant distraction and people aren’t as focused.”

The source’s comments echoed some of the points made in a 72-page report (PDF) released this week by the FBI Agents Association, a group that advocates on behalf of active and retired FBI special agents.

“Today we have no funds for making Confidential Human Source payments,” reads a quote from the FBIAA report, attributed to an agent in the FBI’s northeast region. “In my situation, I have two sources that support our national security cyber mission that no longer have funding. They are critical sources providing tripwires and intelligence that protect the United States against our foreign adversaries. The loss in productivity and pertinent intelligence is immeasurable.”

My federal law enforcement source mentioned his agency also was unable to pay confidential informants for their help with ongoing investigations.

“We are having the same problems like not being able to pay informants, no travel, critical case coordination meetings postponed, and no procurements to further the mission,” the source said.

The extended shutdown directly affects more than 800,000 workers, many of them furloughed or required to work without pay. Some federal employees, now missing at least two back-to-back paychecks, are having trouble keeping food on the table. CNN reports that FBI field offices across the country are opening food banks to help support special agents and staff struggling without pay.

An extended lack of pay is forcing many agents to seek side hustles and jobs, despite rules that seek to restrict such activity, according to media reports. Missing multiple paychecks also can force investigators to take on additional debt. This is potentially troublesome because excess debt down the road can lead to problems keeping one’s security clearances.

Excessive debt is a threat to clearances because it can make people more susceptible to being drawn into illegal activities or taking bribes for money, which in turn may leave them vulnerable to extortion. Indeed, this story from Clearancejobs.com observes that the shutdown may be inadvertently creating new recruiting opportunities for foreign intelligence operatives.

“If you are a hostile intelligence service human intelligence (HUMINT) targeting officer you are hoping this situation lasts a long time and has a multitude of unintended consequences affecting the cleared government employee population,” writes Christopher Burgess. Continue reading →


22
Jan 19

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 

That’s according to Ron Guilmette, a dogged anti-spam researcher. Researching the history and reputation of thousands of Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time received service from GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about a weakness that could be used to hijack email service for 20,000 established domain names at a U.S. based hosting provider. A few months later, Bryant warned that the same technique could be leveraged to send spam from more than 120,000 trusted domains across multiple providers. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”

SAY WHAT?

For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to allow the sending of email with that domain from an Internet address they control.

Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.

“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.

“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.” Continue reading →


3
Jan 19

Apple Phone Phishing Scams Getting Better

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.

Jody Westby is the CEO of Global Cyber Risk LLC,  a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didn’t answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.

Here’s what her iPhone displayed about the identity of the caller when they first tried her number at 4:34 p.m. on Jan. 2, 2019:

What Westby’s iPhone displayed as the scam caller’s identity. Note that it lists the correct Apple phone number, street address and Web address (minus the https://).

Note in the above screen shot that it lists Apple’s actual street address, their real customer support number, and the real Apple.com domain (albeit without the “s” at the end of “http://”). The same caller ID information showed up when she answered the scammers’ call this morning.

Westby said she immediately went to the Apple.com support page (https://www.support.apple.com) and requested to have a customer support person call her back. The page displayed a “case ID” to track her inquiry, and just a few minutes later someone from the real Apple Inc. called her and referenced that case ID number at the start of the call.

Westby said the Apple agent told her that Apple had not contacted her, that the call was almost certainly a scam, and that Apple would never do that — all of which she already knew. But when Westby looked at her iPhone’s recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple:

The fake call spoofing Apple — at 11:44 a.m. — was lumped in the same recent calls list as the legitimate call from Apple. The call at 11:47 was the legitimate call from Apple. The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.

The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.

“I told the Apple representative that they ought to be telling people about this, and he said that was a good point,” Westby said. “This was so convincing I’d think a lot of other people will be falling for it.” Continue reading →


13
Nov 18

That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards

If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers.

For nearly 10 years, Portland, Ore. resident Julie Randall posted pictures for her photography business at julierandallphoto-dot-com, and used an email address at that domain to communicate with clients. The domain was on auto-renew for most of that time, but a change in her credit card details required her to update her records at the domain registrar — a task Randall says she now regrets putting off.

Julierandallphoto-dot-com is now one of hundreds of fake ecommerce sites set up to steal credit card details.

That’s because in June of this year the domain expired, and control over her site went to someone who purchased it soon after. Randall said she didn’t notice at the time because she was in the middle of switching careers, didn’t have any active photography clients, and had gotten out of the habit of checking that email account.

Randall said she only realized she’d lost her domain after failing repeatedly to log in to her Instagram account, which was registered to an email address at julierandallphoto-dot-com.

“When I tried to reset the account password through Instagram’s procedure, I could see that the email address on the account had been changed to a .ru email,” Randall told KrebsOnSecurity. “I still don’t have access to it because I don’t have access to the email account tied to my old domain. It feels a little bit like the last ten years of my life have kind of been taken away.”

Visit julierandallphoto.com today and you’ll see a Spanish language site selling Reebok shoes (screenshot above). The site certainly looks like a real e-commerce shop; it has plenty of product pages and images, and of course a shopping cart. But the site is noticeably devoid of any SSL certificate (the entire site is http://, not https://), and the products for sale are all advertised for roughly half their normal cost.

A review of the neighboring domains that reside at Internet addresses adjacent to julierandallphoto-dot-com (196.196.152/153.x, etc.) shows hundreds of other domains that were apparently registered upon expiration over the past few months and which now feature similar http-only online shops in various languages pimping low-priced, name brand shoes and other clothing.

Until earlier this year, wildcatgroomers-dot-com belonged to a company in Wisconsin that sold equipment for grooming snowmobile trails. It’s now advertising running shoes. Likewise, kavanaghsirishpub-dot-com corresponded to a pub and restaurant in Tennessee until mid-2018; now it’s pretending to sell cheap Nike shoes.

So what’s going here?

According to an in-depth report jointly released today by security firms Flashpoint and RiskIQ, the sites are almost certainly set up simply to siphon payment card data from unwary shoppers looking for specific designer footwear and other clothing at bargain basement prices.

“We have observed more than 800 sites hosting these brand impersonation/skimming stores since June 2018,” the report notes.

Continue reading →


8
Nov 18

U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service

A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

Image: USPS

The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.

According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”

“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.

The USPS did not respond to repeated requests for comment over the past six days.

The Michigan incident in the Secret Service alert refers to the September 2018 arrest of seven people accused of running up nearly $400,000 in unauthorized charges on credit cards they ordered in the names of residents. According to a copy of the complaint in that case (PDF), the defendants allegedly stole the new cards out of resident mailboxes, and then used them to fraudulently purchase gift cards and merchandise from department stores.

KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.

However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.

Last month, WKMG’s Clickorlando.com wrote that a number of Belle Isle, Fla. residents reported receiving hefty bills for credit cards they never knew they had. One resident was quoted as saying she received a bill for $2,000 in charges on a card she’d never seen before, and only after that did she get a notice from the USPS saying someone at her address had signed up for Informed Delivery. The only problem was she’d never signed up for the USPS program.

“According to a police report, someone opened fraudulent credit card accounts and charged more than $14,000 and signed her neighbors up for Informed Delivery, too,” Clickorlando’s Louis Bolden explained. “Photos of what would be in their mail were going to someone else.”

Residents in Texas have reported similar experiences. Dave Lieber, author of The Watchdog column for The Dallas Morning News, said he heard from victim Chris Torraca, 58, a retired federal bank regulator from Grapevine, a town between Dallas and Ft. Worth.

“Chris discovered it after someone created an account in his name at usps.com,” Lieber wrote in a post published Nov. 2. “The thief began receiving photos of Chris’ mail and also opened a bank credit card in Chris’ wife’s name. Postal officials promote the program as a great way to prevent ID theft, but for Chris, that’s what led to it.” Continue reading →


7
Nov 18

Busting SIM Swappers and SIM Swap Myths

KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. Snippets from that fascinating conversation are recounted below, and punctuated by accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked.

In late September 2018, the REACT Task Force spearheaded an investigation that led to the arrest of two Missouri men — both in their early 20s — who are accused of conducting SIM swaps to steal $14 million from a cryptocurrency company based in San Jose, Calif. Two months earlier, the task force was instrumental in apprehending 20-year-old Joel Ortiz, a Boston man suspected of stealing millions of dollars in cryptocoins with the help of SIM swaps.

Samy Tarazi is a sergeant with the Santa Clara County Sheriff’s office and a REACT supervisor. The force was originally created to tackle a range of cybercrimes, but Tarazi says SIM swappers are a primary target now for two reasons. First, many of the individuals targeted by SIM swappers live in or run businesses based in northern California.

More importantly, he says, the frequency of SIM swapping attacks is…well, off the hook right now.

“It’s probably REACT’s highest priority at the moment, given that SIM swapping is actively happening to someone probably even as we speak right now,” Tarazi said. “It’s also because there are a lot of victims in our immediate jurisdiction.”

As common as SIM swapping has become, Tarazi said he and other members of REACT suspect that there are only a few dozen individuals responsible for perpetrating most of these heists.

“For the amounts being stolen and the number of people being successful at taking it, the numbers are probably historic,” Tarazi said. “We’re talking about kids aged mainly between 19 and 22 being able to steal millions of dollars in cryptocurrencies. I mean, if someone gets robbed of $100,000 that’s a huge case, but we’re now dealing with someone who buys a 99 cent SIM card off eBay, plugs it into a cheap burner phone, makes a call and steals millions of dollars. That’s pretty remarkable.

Indeed, the theft of $100,000 worth of cryptocurrency in July 2018 was the impetus for my interview with REACT. I reached out to the task force after hearing about their role in assisting SIM swapping victim Christian Ferri, who is president and CEO of San Francisco-based cryptocurrency firm BlockStar.

In early July 2018, Ferri was traveling in Europe when he discovered his T-Mobile phone no longer had service. He’d later learn that thieves had abused access to T-Mobile’s customer database to deactivate the SIM card in his phone and to activate a new one that they had in their own mobile device.

Soon after, the attackers were able to use their control over his mobile number to reset his Gmail account password. From there, the perpetrators accessed a Google Drive document that Ferri had used to record credentials to other sites, including a cryptocurrency exchange. Although that level of access could have let the crooks steal a great deal more from Ferri, they were simply after his cryptocoins, and in short order he was relieved of approximately $100,000 worth of coinage.

We’ll hear more about Ferri’s case in a moment. But first I should clarify that the REACT task force members did not discuss with me the details of Mr. Ferri’s case — even though according to Ferri a key member of the task force we’ll meet later has been actively investigating on his behalf. The remainder of this interview with REACT pivots off of Ferri’s incident mainly because the details surrounding his case help clarify some of the most confusing and murky aspects of how these crimes are perpetrated — and, more importantly, what we can do about them.

WHO’S THE TARGET?

SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments.

REACT Lieutenant John Rose said in addition to or in lieu of stealing cryptocurrency, some SIM swappers will relieve victims of highly prized social media account names (also known as “OG accounts“) — usually short usernames that can convey an aura of prestige or the illusion of an early adopter on a given social network. OG accounts typically can be resold for thousands of dollars.

Rose said even though a successful SIM swap often gives the perpetrator access to traditional bank accounts, the attackers seem to be mainly interested in stealing cryptocurrencies.

“Many SIM swap victims are understandably very scared at how much of their personal information has been exposed when these attacks occur,” Rose said. “But [the attackers] are predominantly interested in targeting cryptocurrencies for the ease with which these funds can be laundered through online exchanges, and because the transactions can’t be reversed.”

FAKE IDs AND PHONY NOTES

The “how” of these SIM swaps is often the most interesting because it’s the one aspect of this crime that’s probably the least well-understood. Ferri said when he initially contacted T-Mobile about his incident, the company told him that the perpetrator had entered a T-Mobile store and presented a fake ID in Ferri’s name.

But Ferri said once the REACT Task Force got involved in his case, it became clear that video surveillance footage from the date and time of his SIM swap showed no such evidence of anyone entering the store to present a fake ID. Rather, he said, this explanation of events was a misunderstanding at best, and more likely a cover-up at some level.

Caleb Tuttle, a detective with the Santa Clara County District Attorney’s office, said he has yet to encounter a single SIM swapping incident in which the perpetrator actually presented ID in person at a mobile phone store. That’s just too risky for the attackers, he said.

“I’ve talked to hundreds of victims, and I haven’t seen any cases where the suspect is going into a store to do this,” Tuttle said.

Tuttle said SIM swapping happens in one of three ways. The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.

“Most of these SIM swaps are being done over the phone, and the notes we’re seeing about the change in the [victim’s] account usually are left either by [a complicit] employee trying to cover their tracks, or because the employee who typed in that note actually believed what they were typing.” In the latter case, the employee who left a note in the customer’s account saying ID had been presented in-store was tricked by a complicit co-worker at another store who falsely claimed that a customer there had already presented ID.

DARK WEB SOFTWARE?

Ferri said the detectives investigating his SIM swap attack let on that the crooks responsible had at some point in the attack used “specialized software to get into T-Mobile’s customer database.”

“The investigator said there were employees of the company who had built a special software tool that they could use to connect to T-Mobile’s customer database, and that they could use this software from their home or couch to log in and see all the customer information there,” Ferri recalled. “The investigator didn’t explain exactly how it worked, but it was basically a backdoor entrance that they were reselling on the Dark Web, and it bypassed whatever security there was and let them go straight into the customer database.”

Asked directly about this mysterious product supposedly being offered on the Dark Web, the REACT task force members put our phone interview on hold for several minutes while they privately huddled to discuss the question. When they finally took me off mute, a member of the task force instead answered a different question that I’d asked much earlier in the interview.

When pressed about the software again, there was a long, uncomfortable silence. Then Detective Tuttle spoke up.

“We’re not going to talk about that,” he said curtly. “Deal with it.”

T-Mobile likewise declined to comment on the allegation that thieves had somehow built software which gave them direct access to T-Mobile customer data. However, in at least three separate instances over the past six months, T-Mobile has been forced to acknowledge incidents of unauthorized access to customer records.

In August 2018, T-Mobile published a notice saying its security team discovered and shut down unauthorized access to certain information, including customer name, billing zip code, phone number, email address, account number, account type (prepaid or postpaid) and/or date of birth. A T-Mobile spokesperson said at the time that this incident impacted roughly two percent of its subscriber base, or approximately 2.5 million customers.

In May 2018, T-Mobile fixed a bug in its Web site that let anyone view the personal account details of any customer. The bug could be exploited simply by adding the phone number of a target to the end of a Web address used by one of the company’s internal tools that was nevertheless accessible via the open Internet. The data provided by that tool reportedly also included references to account PINs used by customers as a security question when contacting T-Mobile customer support.

In April 2018, T-Mobile fixed a related bug in its public Web site that allowed anyone to pull data tied to customer accounts, including the user’s account number and the target phone’s IMSI — a unique number that ties subscribers to their specific mobile device. Continue reading →