Ne’er-Do-Well News


25
Jun 19

Tracing the Supply Chain Attack on Android

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” () is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]comwere seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device. Continue reading →


30
May 19

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.” Continue reading →


18
May 19

Account Hijacking Forum OGusers Hacked

Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months’ worth of private messages, forum posts and prestige points, and that he’d restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum’s user database, and the wiping of forum hard drives.

On May 16, the administrator of rival hacking community RaidForums announced he’d uploaded the OGusers database for anyone to download for free.

The administrator of the hacking community Raidforums on May 16 posted the database of passwords, email addresses, IP addresses and private messages of more than 113,000 users of Ogusers[.]com.

“On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected,” the message from RaidForums administrator Omnipotent reads. “I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases). Continue reading →


16
May 19

Feds Target $100M ‘GozNym’ Cybercrime Network

Law enforcement agencies in the United States and Europe today unsealed charges against 11 alleged members of the GozNym malware network, an international cybercriminal syndicate suspected of stealing $100 million from more than 41,000 victims with the help of a stealthy banking trojan by the same name.

The locations of alleged GozNym cybercrime group members. Source: DOJ

The indictments unsealed in a Pennsylvania court this week stem from a slew of cyber heists carried out between October 2015 and December 2016. They’re also related to the 2016 arrest of Krasimir Nikolov, a 47-year-old Bulgarian man who was extradited to the United States to face charges for allegedly cashing out bank accounts that were compromised by the GozNym malware.

Prosecutors say Nikolov, a.k.a. “pablopicasso,” “salvadordali,” and “karlo,” was key player in the GozNym crime group who used stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal their money through electronic funds transfers into bank accounts controlled by fellow conspirators.

According to the indictment, the GozNym network exemplified the concept of ‘cybercrime as a service,’ in that the defendants advertised their specialized technical skills and services on underground, Russian-language, online criminal forums. The malware was dubbed GozNym because it combines the stealth of a previous malware strain called Nymaim with the capabilities of the powerful Gozi banking trojan.

The feds say the ringleader of the group was Alexander Konovolov, 35, of Tbilisi, Georgia, who controlled more than 41,000 victim computers infected with GozNym and recruited various other members of the cybercrime team.

Vladimir Gorin, a.k.a “Voland,”  “mrv,” and “riddler,” of Orenburg, Russia allegedly was a malware developer who oversaw the creation, development, management, and leasing of GozNym.

The indictment alleges 32-year-old Eduard Malancini, a.k.a. “JekaProf” and “procryptgroup” from Moldova, specialized in “crypting” or obfuscating the GozNym malware to evade detection by antivirus software.

Four other men named in the indictment were accused of recruiting and managing “money mules,” willing or unwitting people who can be used to receive stolen funds on behalf of the criminal syndicate. One of those alleged mule managers — Farkhad Rauf Ogly Manokhim (a.k.a. “frusa”) of Volograd, Russia was arrested in 2017 in Sri Lanka on an international warrant from the United States, but escaped and fled back to Russia while on bail awaiting extradition.

Also charged was 28-year-old Muscovite Konstantin Volchkov, a.k.a. “elvi,”  who allegedly provided the spamming service used to disseminate malicious links that tried to foist GozNym on recipients who clicked.

The malicious links referenced in those spam emails were served via the Avalanche bulletproof hosting service, a distributed, cloud-hosting network that for seven years was rented out to hundreds of fraudsters for use in launching malware and phishing attacks. Avalanche was dismantled in Dec. 2016 by a similar international law enforcement action.

The alleged administrator of the Avalanche bulletproof network — 36-year-old Gennady Kapkanov from Poltova, Ukraine — has eluded justice in prior scrapes with the law: During the Avalanche takedown in Dec. 2016, Kapkanov fired an assault rifle at Ukrainian police who were trying to raid his apartment. Continue reading →


15
May 19

A Tough Week for IP Address Scammers

In the early days of the Internet, there was a period when Internet Protocol version 4 (IPv4) addresses (e.g. 4.4.4.4) were given out like cotton candy to anyone who asked. But these days companies are queuing up to obtain new IP space from the various regional registries that periodically dole out the prized digits. With the value of a single IP hovering between $15-$25, those registries are now fighting a wave of shady brokers who specialize in securing new IP address blocks under false pretenses and then reselling to spammers. Here’s the story of one broker who fought back in the courts, and lost spectacularly.

On May 14, South Carolina U.S. Attorney Sherri Lydon filed criminal wire fraud charges against Amir Golestan, alleging he and his Charleston, S.C. based company Micfo LLC orchestrated an elaborate network of phony companies and aliases to secure more than 735,000 IPs from the American Registry for Internet Numbers (ARIN), a nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.

Interestingly, Micfo itself set this process in motion late last year when it sued ARIN. In December 2018, Micfo’s attorneys asked a federal court in Virginia to issue a temporary restraining order against ARIN, which had already told the company about its discovery of the phony front companies and was threatening to revoke some 735,000 IP addresses. That is, unless Micfo agreed to provide more information about its operations and customers.

At the time, many of the IP address blocks assigned to Micfo had been freshly resold to spammers. Micfo ultimately declined to provide ARIN the requested information, and as a result the court denied Micfo’s request (the transcript of that hearing is instructive and amusing).

But by virtue of the contract Micfo signed with ARIN, any further dispute had to be settled via arbitration. On May 13, that arbitration panel ordered Micfo to pay $350,000 for ARIN’s legal fees and to cough up any of those 735,000 IPs the company hadn’t already sold.

According to the criminal indictment in South Carolina, in 2017 and 2018 Golestan sold IP addresses using a third party broker:

“Golestan sold 65,536 IPv4 addresses for $13 each, for a total of $851,896,” the indictment alleges. “Golestan also organized a second transaction for another 65,536 IP addresses, for another approximately $1 million. During this same time period, Golestan had a contract to sell 327,680 IP addresses at $19 per address, for a total of $6.22 million” [this last transaction would be blocked.] Continue reading →


10
May 19

Nine Charged in Alleged SIM Swapping Ring

Eight Americans and an Irishman have been charged with wire fraud this week for allegedly hijacking mobile phones through SIM-swapping, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device. From there, the attackers simply start requesting password reset links via text message for a variety of accounts tied to the hijacked phone number.

All told, the government said this gang — allegedly known to its members as “The Community” — made more than $2.4 million stealing cryptocurrencies and extorting people for restoring access to social media accounts that were hijacked after a successful SIM-swap.

Six of those charged this week in Michigan federal court were alleged to have been members of The Community of serial SIM swappers. They face a fifteen count indictment, including charges of wire fraud, conspiracy and aggravated identity theft (a charge that carries a mandatory two-year sentence). A separate criminal complaint unsealed this week charges three former employees of mobile phone providers for collaborating with The Community’s members.

Several of those charged have been mentioned by this blog previously. In August 2018, KrebsOnSecurity broke the news that police in Florida arrested 25-year-old Pasco County, Fla. city employee Ricky Joseph Handschumacher, charging him with grand theft and money laundering. As I reported in that story, “investigators allege Handschumacher was part of a group of at least nine individuals scattered across multiple states who for the past two years have drained bank accounts via an increasingly common scheme involving mobile phone SIM swaps.”

This blog also has featured several stories about the escapades of Ryan Stevenson, a 26-year-old West Haven, Conn. man who goes by the hacker name “Phobia.” Most recently, I wrote about how Mr. Stevenson earned a decent number of bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites — all the while secretly operating a service that leveraged these same flaws to sell their customers’ personal data to people who were active in the SIM swapping community.

One of the six men charged in the conspiracy — Colton Jurisic, 20 of, Dubuque, Iowa — has been more well known under his hacker alias “Forza,” and “ForzaTheGod.” In December 2016, KrebsOnSecurity heard from a woman who had her Gmail, Instagram, Facebook and LinkedIn accounts hijacked after a group of individuals led by Forza taunted her on Twitter as they took over her phone account.

“They failed to get [her three-letter Twitter account name, redacted] because I had two-factor authentication turned on for twitter, combined with a new phone number of which they were unaware,” the source said in an email to KrebsOnSecurity in 2016. “@forzathegod had the audacity to even tweet me to say I was about to be hacked.” Continue reading →


3
May 19

Feds Bust Up Dark Web Hub Wall Street Market

Federal investigators in the United States, Germany and the Netherlands announced today the arrest and charging of three German nationals and a Brazilian man as the alleged masterminds behind the Wall Street Market (WSM), one of the world’s largest dark web bazaars that allowed vendors to sell illegal drugs, counterfeit goods and malware. Now, at least one former WSM administrator is reportedly trying to extort money from WSM vendors and buyers (supposedly including Yours Truly) — in exchange for not publishing details of the transactions.

The now-defunct Wall Street Market (WSM). Image: Dark Web Reviews.

A complaint filed Wednesday in Los Angeles alleges that the three defendants, who currently are in custody in Germany, were the administrators of WSM, a sophisticated online marketplace available in six languages that allowed approximately 5,400 vendors to sell illegal goods to about 1.15 million customers around the world.

“Like other dark web marketplaces previously shut down by authorities – Silk Road and AlphaBay, for example – WSM functioned like a conventional e-commerce website, but it was a hidden service located beyond the reach of traditional internet browsers, accessible only through the use of networks designed to conceal user identities, such as the Tor network,” reads a Justice Department release issued Friday morning.

The complaint alleges that for nearly three years, WSM was operated on the dark web by three men who engineered an “exit scam” last month, absconding with all of the virtual currency held in marketplace escrow and user accounts. Prosecutors say they believe approximately $11 million worth of virtual currencies was then diverted into the three men’s own accounts.

The defendants charged in the United States and arrested Germany on April 23 and 24 include 23-year-old resident of Kleve, Germany; a 31-year-old resident of Wurzburg, Germany; and a 29-year-old resident of Stuttgart, Germany. The complaint charges the men with two felony counts – conspiracy to launder monetary instruments, and distribution and conspiracy to distribute controlled substances. These three defendants also face charges in Germany.

Signs of the dark market seizure first appeared Thursday when WSM’s site was replaced by a banner saying it had been seized by the German Federal Criminal Police Office (BKA).

The seizure message that replaced the homepage of the Wall Street Market on on May 2.

Writing for ZDNet’s Zero Day blog, Catalin Cimpanu noted that “in this midst of all of this, one of the site’s moderators –named Med3l1n— began blackmailing WSM vendors and buyers, asking for 0.05 Bitcoin (~$280), and threatening to disclose to law enforcement the details of WSM vendors and buyers who made the mistake of sharing various details in support requests in an unencrypted form.

In a direct message sent to my Twitter account this morning, a Twitter user named @FerucciFrances who claimed to be part of the exit scam demanded 0.05 bitcoin (~$286) to keep quiet about a transaction or transactions allegedly made in my name on the dark web market. Continue reading →


22
Apr 19

Who’s Behind the RevCode WebMonitor RAT?

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.

An advertisement for RevCode WebMonitor.

At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.

In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.

For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.

A screenshot of the WebMonitor builder panel.

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.

In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States. Continue reading →


19
Apr 19

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.

As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security. Continue reading →


8
Apr 19

A Year Later, Cybercrime Groups Still Rampant on Facebook

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”

But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings.  This is precisely what I experienced a year ago.

Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.

Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.

What did we find? KrebsOnSecurity received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled. Continue reading →