Category Archives: A Little Sunshine

Includes investigative blog posts meant to shine a light on the darker corners of the Internet.

FBI Investigating Cyber Theft of $139,000 from Pittsford, NY

June 10, 2011

Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security

June 8, 2011

126 Comments

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is drawing to a conclusion. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Pacto’s motion for summary judgment and grating the bank’s motion.

Naming & Shaming Sources of Spam

June 7, 2011

21 Comments

A new resource for spotlighting organizations that are unwittingly contributing to the global spam problem aims to shame junk email havens into taking more aggressive security measures.

SpamRankings.net is a project launched by the Center for Research in Electronic Commerce at the University of Texas at Austin. Its goal is to identify and call attention to organizations with networks that have been infiltrated by spammers.

Criminal Classifieds: Malware Writers Wanted

June 6, 2011

28 Comments

The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner… Read More »

Spotting Web-Based Email Attacks

June 2, 2011

41 Comments

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a blog post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for these attacks. I also think a more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Rustock Botnet Suspect Sought Job at Google

June 1, 2011

34 Comments

Microsoft has fingered a possible author of the late Rustock spam botnet – a self-described software engineer and mathematician who aspired to one day be hired by Google. Microsoft has apparently allocated significant resources to finding the author, but has not been able to locate him.

Rustock remains dead, but Microsoft is still on the hunt for the Rustock author. In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with Webmoney about the owner of the account, and confirmed that it was affiliated with a man named Vladimir Alexandrovich Shergin. Microsoft also mentioned another suspect, “Cosma2k,” possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. Microsoft said it is continuing its investigation of these names, to determine whether additional contact information can be identified and to which notice and service can be effected.

DNS Filtering Bill Riles Tech Experts, Hacktivists

May 31, 2011

33 Comments

A bill moving through the U.S. Senate that would grant the government greater power to shutter Web sites that host copyright-infringing content is under fire from security researchers, who say the legislation raises “serious technical and security concerns.” Meanwhile, hacktivists protested by attacking the Web site of the industry group that most vocally supports the proposal.

Earlier this month, the Senate Judiciary Committee passed the Protect IP Act (PDF), a bill offered by its chair, Sen. Patrick Leahy (D-Vt.) that would let the Justice Department obtain court orders requiring U.S. Internet service providers to filter customer access to domains found by courts to point to sites that are hosting infringing content. The bill envisions that ISPs would do this by filtering DNS requests for targeted domains. DNS, short for the “domain name system,” transforms computer-friendly “IP addresses (such as 94.228.133.163) into words that are easier for humans to remember (typing krebsonsecurity into a browser brings you to 94.228.133.163, and vice versa).

ChronoPay Fueling Mac Scareware Scams

May 27, 2011

47 Comments

Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business.

Since the beginning of May, security firms have been warning Apple users to be aware of new scareware threats like MacDefender and Mac Security. The attacks began on May 2, spreading through poisoned Google Image Search results. Initially, these attacks required users to provide their passwords to install the rogue programs, but recent variants do not, according to Mac security vendor Intego.

A few days after the first attacks surfaced, experienced Mac users on an Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com. Others spotted fake Mac security software coming from macbookprotection.com. When I first took a look at the registration records for those domains, I was unsurprised to find the distinct fingerprint of ChronoPay, a Russian payment processor that I have written about time and again as the source of bogus security software.

Facebook Adds Mobile Authentication

May 23, 2011

24 Comments

Facebook has introduced a new mobile authentication feature designed to help users better protect their accounts from being hijacked by password-stealing miscreants. The opt-in feature — which requires users to share their mobile phone number — is welcome security measure, but may be a tough sell to users already wary of providing too much information to the social networking giant.

Facebook users can enable “Login Approvals” by logging in and navigating to Account, then Account Settings, and then Account Security. When I enabled this feature and provided my cell phone, it quickly sent a six character, alphanumeric code via text message, that I needed to enter on Facebook.com.

Point-of-Sale Skimmers: Robbed at the Register

May 18, 2011

38 Comments

Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced the machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.