Category Archives: A Little Sunshine

Includes investigative blog posts meant to shine a light on the darker corners of the Internet.

Something Old is New Again: Mac RATs, CrimePacks, Sunspots & ZeuS Leaks

May 16, 2011

One of the biggest challenges in information security — and with security reporting in general — is separating what’s new and worth worrying about from seemingly new threats and developments that really are just old threats repackaged or stubborn facts that get rediscovered by a broader audience. This post represents my attempt to apply that sorting process to several security news headlines that readers have been forwarding my way in the past week, and to add a bit more information from my own reporting.

Anonymous Splinter Group Implicated in Game Company Hack

May 12, 2011

43 Comments

The Web sites for computer game giant Eidos Interactive and one of its biggest titles — Deus Ex– were defaced and plundered on Wednesday in what appears to have been an attack from a splinter cell of the hacktivist group Anonymous. The hack comes just days after entertainment giant Sony told Congress that Anonymous members may have been responsible for break-ins that compromised personal information on more than 100 million customers of its PlayStation Network and other services.

Breach at Michaels Stores Extends Nationwide

May 10, 2011

59 Comments

Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with point-of-sale devices at store registers as part of a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that stores all across the country have since discovered compromised payment terminals.

Scammers Swap Google Images for Malware

May 6, 2011

84 Comments

A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are abusing weaknesses in Google’s Image Search service to foist malicious software.

For several weeks, a number of readers have complained that clicking on Google Images search results redirected them to Web pages that pushed rogue anti-virus or “scareware” through misleading security alerts and warnings. On Wednesday, the SANS Internet Storm Center posted a blog entry saying they, too, were receiving reports of Google Image searches leading to fake anti-virus. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create garbage Web pages filled with the top search terms from Google Trends. The malicious scripts also fetch images from third-party sites and include them in the junk pages alongside the relevant search terms, so that the automatically generated Web page contains legitimate-looking content.

RSA Among Dozens of Firms Breached by Zero-Day Attacks

May 4, 2011

46 Comments

The recent data breach at security industry giant RSA was disconcerting news to the security community: RSA claims to be “the premier provider of security, risk, and compliance solutions for business acceleration” and the “chosen security partner of more than 90 percent of the Fortune 500.”

The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests. What’s more, the assailants moved their operations from those sites very recently, after their locations were revealed in a report published online by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security.

Advanced Persistent Tweets: Zero-Day in 140 Characters

May 3, 2011

21 Comments

The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from companies and the U.S. government often are characterized as ultra-sophisticated, almost ninja-like in their stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the apparent Chinese developers of those attack tools left clues aplenty about their identities and locations, with one actor even Tweeting about his newly discovered vulnerability days in advance of its use in the wild.

RSA and others have labeled recent zero-day attacks as the epitome of an “advanced persistent threat” (APT), a controversial term describing the daily onslaught of digital assaults launched by attackers that are considered to be highly-skilled, determined and have a long-term perspective on their mission. Because these attacks often result in the theft of sensitive and proprietary information from the government and private industry, the details surrounding them usually become shrouded in secrecy as law enforcement and national security officials swoop in to investigate.

But an investigation of some of the open source information available on the tools used in recent attacks labeled APT indicates that some of the actors involved are doing little to cover their tracks, and that not only are they identifiable, but that they’re not particularly concerned about suffering any consequences from their actions.

Millions of Passwords, Credit Card Numbers at Risk in Breach of Sony Playstation Network

April 26, 2011

59 Comments

Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information on more than 70 million customers.

In a post to the company’s PlayStation blog, Sony spokesman Patrick Seybold said the breach occurred between April 17 and April 19, and that user information on some PlayStation Network and Qriocity music streaming accounts was compromised. The company said it had engaged an outside security firm to investigate what happened, that it was rebuilding its system to better secure account information, and that it would soon begin notifying customers about the incident by email.

SpyEye Targets Opera, Google Chrome Users

April 26, 2011

73 Comments

The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

The author of the SpyEye trojan formerly sold the crimeware kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition includes new “form grabbing” capabilities targeting Chrome and Opera users.

Where Did That Scammer Get Your Email Address?

April 25, 2011

53 Comments

You’ve seen the emails: They purport to have been sent by some dethroned prince in a faraway land, or from a corrupt bureaucrat in an equally corrupt government. Whatever the ruse, they always claim to need your help in spiriting away millions of dollars. These schemes, known as “419,” “advance fee” and “Nigerian letter” scams, have been around forever and are surprisingly effective at duping people. But where in the world do these scammers get their distribution lists, and how did you become a target?

Some of the bigger spammers rely on bots that crawl millions of Web sites and “scrape” addresses from pages. Others instead turn to sellers on underground cybercrime forums. But as it turns out, there are still a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, some you can expect to pay about a penny per 1,000 addresses.

One long-running, open air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. This enterprise is based out of New Delhi, India, and advertises its email lists as “100% optin and 100 percent legal to use.” I can’t vouch for the company’s claims, but one thing seems clear: A good number of its clients are from Nigeria, and many of them are fraudsters.

Are Megabreaches Out? E-Thefts Downsized in 2010

April 19, 2011

24 Comments

The number of consumer and financial records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a shift that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations are dealing with more breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent.