A Little Sunshine


25
Mar 20

US Government Sites Give Bad Security Advice

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

For example, the official U.S. Census Bureau website https://my2020census.gov carries a message that reads, “An official Web site of the United States government. Here’s how you know.” Clicking the last part of that statement brings up a panel with the following information:

A message displayed at the top of many U.S. .gov Web sites.

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

In other words, while readers should never transmit sensitive information to a site that does not use https://, the presence of this security feature tells you nothing about the trustworthiness of the site in question.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates. PhishLabs found this percentage increased from 68% in Q3 and 54% in Q2 of 2019. Continue reading →


17
Mar 20

Coronavirus Widens the Money Mule Pool

With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

On the surface, the Web site for the Vasty Health Care Foundation certainly looks legitimate. It includes various sections on funding relief efforts around the globe, explaining that it “connects nonprofits, donors, and companies in nearly every country around the world.” The site says it’s a nonprofit with offices based in Nebraska and Quebec, Canada.

Vasty is a phony charity that pretends to raise money for Coronavirus victims but instead hires people to help launder stolen funds. This and the rest of the content at Vasty’s site was lifted from GlobalGiving, a legitimate charity that is helping people affected by the pandemic.

The “Vasty Health Care Foundation” is one of several fraudulent Web sites that recruit money mules in the name of helping Coronavirus victims. The content on Vasty’s site was lifted almost entirely from globalgiving.org, a legitimate charity that actually is trying to help people affected by the pandemic.

“We have been contacted by job seekers asking if we are related to some of these job opportunities they’ve been finding on Indeed.com and Monster.com,” said Kevin Conroy, chief product officer at GlobalGiving. “And we always tell them no that’s not from us, and not to cash any checks someone may be giving them in relation to those offers.”

The Vasty domain — vastyhealthcarefoundation[.]com — was registered just weeks ago, although the site claims its organization has been around for years.

The crooks behind this scheme also seem to have submitted the Vasty name in custom links at vetting sites like The Better Business Bureau and Guidestar that ultimately take one to a summary of data on GlobalGiving. No doubt this is part of an effort to lend legitimacy to the Vasty name (hovering over the links above reveals the trickery).

What proof is there that Vasty isn’t a legitimate charity? None of the dozens of Canadian mules contacted by this author responded to requests for comment. But KrebsOnSecurity received copious amounts of information about this scam from Milwaukee, Wisc. based Hold Security, which managed to intercept key file exchanges between threat actors through public file sharing services.

Among those files were a set of form letters and boilerplate email messages that describe the ideal candidate for the job at Vasty and welcome new recruits to the Vasty payroll. Here’s a look at part of the job description, which includes (not pictured) a description of the healthcare plans and other benefits allegedly offered to Vasty employees.

After congratulating applicants (everyone who applies is “hired”) on their new positions, Vasty asks the recruits to do some busy work. In this case, new hires are sent to local pharmacies on some bogus errand, such as to inspect the pricing of face masks and hand sanitizer products for price-gouging.

“Now we have the first task for you. You will have to perform a trip within your city. So that we can compensate for transportation costs along with your hourly rate, I ask you to keep receipts confirming your expenses.

LOCATION: Sam’s Geneva Street Pharmacy

ADDRESS:  284 Geneva St, St. Catharines, ON L2N 2E8

I ask you to go to the pharmacy at the specified address. We are increasingly receiving reports of private sellers violating the pricing policy for products such as: aspirin, face masks are loose surgical masks with elastic loops that go around the ears, hand sanitizers.”

New recruits are then asked to assemble and submit a written report of their observations at the store in question.

These types of menial, meaningless tasks are a typical tactic of money mule recruitment schemes and they serve two main purposes: They separate out slackers from people who really need and want a job, and they help the employee feel like he’s doing something useful and legitimate (aside from just moving money around, which if brought up too soon might make him question whether the job is legit). Continue reading →


11
Mar 20

Crafty Web Skimming Domain Spoofs “https”

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected  “view-source”:

The malicious domain added to the HTML code for grandwesternsteaks.com (highlighted in orange) fetched a script that intercepted data entered by customers, including credit card details and logins. The code has since been removed from the site.

Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:

The obfuscated card skimming code is full of references to “ants” and “cockroaches,” which is enough to give any site owner the heebie-jeebies.

A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations. Continue reading →


19
Feb 20

Hackers Were Inside Citrix for Five Months

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.

Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.

In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix they had reason to believe cybercriminals had gained access to the company’s internal network. The FBI told Citrix the hackers likely got in using a technique called “password spraying,” a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.

In a statement released at the time, Citrix said it appeared hackers “may have accessed and downloaded business documents,” and that it was still working to identify what precisely was accessed or stolen.

But in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers “had intermittent access” to Citrix’s internal network between Oct. 13, 2018 and Mar. 8, 2019, and that there was no evidence that the cybercrooks still remain in the company’s systems.

Citrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver’s license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.

It is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company. Continue reading →


18
Feb 20

Encoding Stolen Credit Card Data on Barcodes

Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.

This phony reloadable rewards card conceals stolen credit card data written to a barcode. The barcode and other card data printed on the card have been obfuscated. Image: U.S. Secret Service.

Earlier this month, the Secret Service documented a recent fraud incident in Texas involving a counterfeit club membership card containing a barcode, and a card expiration date and CVV printed below the barcode.

“Located underneath the barcode are instructions to the cashier on the steps necessary to complete the transaction,” reads an alert the Secret Service sent to law enforcement agencies. “They instruct the cashier to select card payment, scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number.” Continue reading →


17
Feb 20

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google’s AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.

The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially. Continue reading →


14
Feb 20

A Light at the End of Liberty Reserve’s Demise?

In May 2013, the U.S. Justice Department seized Liberty Reserve, alleging the virtual currency service acted as a $6 billion financial hub for the cybercrime world. Prompted by assurances that the government would one day afford Liberty Reserve users a chance to reclaim any funds seized as part of the takedown, KrebsOnSecurity filed a claim shortly thereafter to see if and when this process might take place. This week, an investigator with the U.S. Internal Revenue service finally got in touch to discuss my claim.

Federal officials charged that Liberty Reserve facilitated a “broad range of criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.” The government says from 2006 until the service’s takedown, Liberty Reserve processed an estimated 55 million financial transactions worth more than $6 billion, with more than 600,000 accounts associated with users in the United States alone.

While it’s clear that the digital currency system for years was the go-to money-moving vehicle for many engaged in dodgy online activities, it also was favored by users primarily because it offered a relatively anonymous way to send irrevocable transfers globally with low fees.

The two stories I wrote about the closure of Liberty Reserve in 2013 remain among the most-read on this site, and have generated an enormous volume of emails from readers who saw many thousands of dollars held in legal limbo — much of it related to investments in online gaming platforms, payments to and from adult entertainment services, and various investment schemes.

The IRS official who contacted me was not authorized to be quoted in the media (and indeed did not initially realize he was speaking to a member of the press when he called). But he told me the government had recently obtained legal access to some of the funds held in overseas bank accounts that were used by Liberty Reserve, and that IRS investigators were now starting to contact people and vet any claims made in the wake of the takedown.

“We’re just getting to the point where we have received funds,” the investigator said. “We’ve started to contact people who originally contacted us, to vet their claims, make sure they weren’t involved in any illegal activity, and that the claim amounts match the records that we have.” Continue reading →


5
Feb 20

When Your Used Car is a Little Too ‘Mobile’

Many modern vehicles let owners use the Internet or a mobile device to control the car’s locks, track location and performance data, and start the engine. But who exactly owns that control is not always clear when these smart cars are sold or leased anew. Here’s the story of one former electric vehicle owner who discovered he could still gain remote, online access to his old automobile years after his lease ended.

Mathew Marulla began leasing a Ford Focus electric vehicle in 2013, but turned the car back in to Ford at the end of his lease in 2016. So Marulla was surprised when he recently received an email from Ford.com stating that the clock in his car was set incorrectly.

Out of curiosity, Marulla decided to check if his old MyFordMobile.com credentials from 2016 still worked. They did, and Marulla was presented with an online dashboard showing the current location of his old ride and its mileage statistics.

The dashboard also allowed him to remotely start the vehicle, as well as lock and unlock its doors.

Mathew Marulla turned in his leased Ford EV to Ford 4 years ago, so he is no longer the legal owner of the car. But he can still remotely track its location and usage, lock and unlock it, and start the engine.

“It was a three-year lease from Ford and I turned it in to Ford four years ago, so Ford definitely knows I am no longer the owner,” Marulla said, noting that the dashboard also included historic records showing where the Focus had been driven in days prior.

“I can track its movements, see where it plugs in,” he said. “Now I know where the current owner likely lives, and if I watch it tomorrow I can probably figure out where he works. I have not been the owner of this vehicle for four years, Ford knows this, yet they took no action whatsoever to remove me as the owner in this application.”

Asked to comment on Marulla’s experience, a spokesperson for Ford said all Ford dealerships are supposed to perform a “master reset” as part of their used car checklist prior to the resale of a vehicle. A master reset (carried out via the vehicle’s SYNC infotainment screen by a customer or dealer) disassociates the vehicle from all current accounts. Continue reading →


31
Jan 20

Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

The courthouse in Dallas County, Iowa. Image: Wikipedia.

Gary DeMercurio, 43 of Seattle, and Justin Wynn, 29 of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based in Westminster, Colo. Iowa’s State Court Administration had hired the company to test the security of its judicial buildings.

Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo’s early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county’s sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they’d obtained entry to the premises via an unlocked door.

“They said they found a courthouse door unlocked, so they closed it from the outside and let it lock,” Dan Goodin of Ars Technica wrote of the ordeal in November. “Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed.”

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they’d been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren’t thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

“The pentesters had already said they used a tool to open the front door,” Goodin recounted. “Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.”

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

What initially seemed to Coalfire as a momentary lapse of judgment by Iowa authorities quickly morphed into the surreal when state lawmakers held hearings questioning why and how someone in the state’s employ could have so recklessly endangered the safety and security of its citizens.

DeMercurio and Wynn, minus the orange jumpsuits.

Judicial Branch officials in Dallas County said in response to this grilling that they didn’t expect Coalfire’s physical penetration testing to be conducted outside of business hours. State Sen. Amy Sinclair was quoted as telling her colleagues that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement, and members of the public.'”

“Essentially a branch of government has contracted with a company to commit crimes, and that’s very troubling,” lamented Iowa state Sen. Zach Whiting. “I want to find out who needs to be held accountable for this and how we can do that.”

Those strong words clashed with a joint statement released Thursday by Coalfire and Dallas County Attorney Charles Sinnard:

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” the statement reads. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

Matthew Linholm, an attorney representing DeMercurio and Wynn in the case, said the justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas.

“Such a practice endangers the effective administration of justice and our confidence in the criminal justice system,” Linholm told The Des Moines Register, which broke the news of the dropped charges. Continue reading →


22
Jan 20

Apple Addresses iPhone 11 Location Privacy Concern

Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.

Beta versions of iOS 13.3.1 include a new setting that lets users disable the “Ultra Wideband” feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature.

In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the user’s location even when all applications and system services are individually set never to request this data.

Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone’s settings menu.

Apple later acknowledged the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.

The company further explained that the location information indicator appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

Apple also stressed it doesn’t use the UWB feature to collect user location data, and that this location checking resided “entirely on the device.” Still, it’s nice that iPhone 11 users will now have a setting to disable the feature if they want.

Spotted by journalist Brandon Butch and published on Twitter last week, the new toggle switch to turn off UWB now exists in the “Networking & Wireless” settings in beta versions of iOS 13.3.1, under Locations Services > System Services. Beta versions are released early to developers to help iron out kinks in the software, and it’s not clear yet when 13.3.1 will be released to the general public.