Category Archives: A Little Sunshine

Includes investigative blog posts meant to shine a light on the darker corners of the Internet.

ZeuS Trojan for Google Android Spotted

July 11, 2011

Criminals have developed a component of the ZeuS Trojan designed to run on Google Android phones. The new strain of malware comes as security experts are warning about the threat from mobile malware that may use tainted ads and drive-by downloads.

Researchers at Fortinet said the malicious file is a new version of “Zitmo,” a family of mobile malware first spotted last year that stands for “ZeuS in the mobile.” The Zitmo variant, disguised as a security application, is designed to intercept the one-time passcodes that banks send to mobile users as an added security feature. It masquerades as a component of Rapport, a banking activation application from Trusteer. Once installed, the malware lies in wait for incoming text messages, and forwards them to a remote Web server.

Which Banks Are Enabling Fake AV Scams?

July 6, 2011

45 Comments

Fake antivirus scams and rogue Internet pharmacies relentlessly seek customers who are willing to trade their credit card numbers for a remedy. Banks and financial institutions become partners in crime when they process payments to fraudsters.

Published research has shown that rogue Internet pharmacies and spam would be much less prevalent and profitable if a few top U.S. financial institutions stopped processing payments for dodgy overseas banks. This is also true for fake antivirus scams, which use misleading security alerts to frighten people into purchasing worthless security software.

Where Have All the Spambots Gone?

July 1, 2011

32 Comments

First, the good news: The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge… Read More »

Banks Hold Key to Killing Rogue Pharmacies

June 28, 2011

54 Comments

More than half of all sales at the world’s largest rogue Internet pharmacy in the last four years were charged to credit and debit cards issued by the top seven card-issuing banks, new research suggests.

Unlicensed pharmacies create public health risks and confuse consumers who are looking for safe and reliable prescription medicines. Rogue pharma Web sites are primarily advertised with the help of spam, malicious software, and hacked Web sites. Curbing this drug dealing activity would promote both public health and Internet users’ safety.

Recent findings highlight additional levers that policymakers could use to curb sales at rogue online pharmacies, by convincing the card-issuing banks to stop accepting these charges or by enacting legislation similar to that used to squelch online gambling operations.

$72M Scareware Ring Used Conficker Worm

June 23, 2011

14 Comments

Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.

Financial Mogul Linked to DDoS Attacks

June 23, 2011

22 Comments

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against… Read More »

Antichat Hacker Forum Breach Reveals Weak Passwords

June 22, 2011

38 Comments

Ordinary Internet users frequently are scolded for choosing weak, easily-guessed passwords. New research suggests that hackers in the cyber underground are also likely to pick lame passwords for their favorite online forums.

Last month, KrebsOnSecurity was sent a massive database file that the source said was the user database of Antichat.ru, a Russian language hacker forum that has attracted more than 41,000 users since its founding nearly a decade ago. By matching the user names in the database with those listed in the public pages of the forum, I discovered that I’d been given a snapshot of all Antichat user information and private messages prior to June 2010, when Antichat.ru apparently experienced a forum compromise.

FBI Scrubbed 19,000 PCs Snared By Coreflood Botnet

June 21, 2011

17 Comments

The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court this week. The effort is part of an ongoing and unprecedented legal campaign to tackle one of the longest-running and most menacing online crime machines ever built.

In April, the Justice Department and the FBI were granted unprecedented authority to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.

Software Cracks: A Great Way to Infect Your PC

June 20, 2011

49 Comments

I often get emails from people asking if it’s safe to download executable programs from peer-to-peer filesharing networks. I always answer with an emphatic “NO!,” and the warning that pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware. But I seldom come across more than anecdotal data that backs this up.

Recently, I heard from Alfred Huger, vice president of engineering at Immunet, an anti-virus company recently purchased by Sourcefire. Huger was reaching out to offer feedback on my 3 Rules for Online Safety post. He told me that the rules should have included this warning: Do not download pirated software and cracks from filesharing networks and cracks sites because they are a major source of malware infections.

Organization Chart Reveals ChronoPay’s Links to Shady Internet Projects

June 13, 2011

24 Comments

An online criminal enterprise, as tightly structured as any legitimate business corporation, was exposed in 2010. Emails and documents stolen from employees of ChronoPay — Russia’s largest online payments processor — were shared with a select group of law enforcement agencies and with KrebsOnSecurity.com. The communications provide the strongest evidence yet that a notorious rogue online pharmacy and other shady enterprises are controlled by ChronoPay executives and employees.

The leaked ChronoPay email show that in August 2010 ChronoPay CEO Pavel Vrublevsky authorized a payment of 37,350 Russian Rubles (about $1,200) for a multi-user license of an Intranet service called MegaPlan. The documents indicate that Vrublevsky ordered the service to help manage the sprawling projects related to ChronoPay’s “black” operations, including the processing of payments for rogue anti-virus software, violent “rape” porn sites, and knockoff prescription drugs sold through hundreds of Web sites affiliated with a rogue online pharmacy program called Rx-Promotion.com.

ChronoPay employees were assigned MegaPlan accounts to track payment processing issues, order volumes and advertising partnerships for these black programs. In a move straight out of the Quentin Tarantino film Reservoir Dogs, the employees adopted nicknames like “Mr. Kink, Mr. Heppner,” and “Ms. Nati.” MegaPlan offers an application that makes it simple for clients to create organizational charts, and the account paid for by ChronoPay includes a chart showing the hierarchy and reporting structure of these divisions.