A Look Inside Cybercriminal Call Centers

January 11, 2016

Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal.

Some of these call centers are Web-based, allowing customers to upload information about their targets to a service that initiates the call to a bank, credit provider, shipping company or dating scam victim (for more on the role played by call centers in dating schemes, see last week’s story, Fraudsters Automate Russian Dating Scams). Other call centers require customers to supply information about the target and the needed service via Jabber instant message. This post focuses on Web-based call services.

In the call service pictured below, we can see one user ordering a $250 radio-controlled toy Ford Mustang as a gift for someone’s kid for the holidays. The customer of the call service specifies the American Express card account to be used for the transaction, and requests that the order be expedited to a reshipping mule who will forward the goods to Russia. The status of the transaction indicates that this particular order was successfully placed on Jan. 7, 2016.

A customer of this crooked call center is ordering a holiday gift for someone’s kid.

One of the cybercrime underground’s oldest call center services — CallMeBaby — serves a variety of swindles but specializes in helping criminals cash out dating scams. It charges $10 for each call in English, and $12 for calls in German, French, Italian, Spanish, Portuguese and Polish. Here’s an ad for the four-year-old service, which features an illustration of a blonde woman chatting with President Obama:

An underground ad for a call service run by a cybercrook who uses the nickname “Sparta.”

CallMeBaby advertises the availability of a male and female to impersonate anyone in the above-supported languages, and operates between the hours of 17:00 and 03:00 Moscow time (business hours in America).

Fraudsters Automate Russian Dating Scams

January 4, 2016

Virtually every aspect of cybercrime has been made into a service or plug-and-play product. That includes dating scams — among the oldest and most common of online swindles. Recently, I had a chance to review a package of dating scam emails, instructions, pictures, videos and love letter templates that are sold to scammers in the underground, and was struck by how commoditized this type of fraud has become.

The dating scam package is assembled for and marketed to Russian-speaking hackers, with hundreds of email templates written in English and a variety of European languages. Many of the sample emails read a bit like Mad Libs or choose-your-own-adventure texts, featuring decision templates that include advice for ultimately tricking the mark into wiring money to the scammer.

The romance scam package is designed for fraudsters who prey on lonely men via dating Web sites and small spam campaigns. The vendor of the fraud package advertises a guaranteed response rate of at least 1.2 percent, and states that customers who average 30 scam letters per day can expect to earn roughly $2,000 a week. The proprietor also claims that his method is more than 20% effective within three replies and over 60% effective after eight.

One of hundreds of sample template files in the dating scam package.

The dating scam package advises customers to stick to a tried-and-true approach. For instance, scammers are urged to include an email from the mother of the girl in the first 10 emails between the scammer and a target. The scammer often pretends to be a young woman in an isolated or desolate region of Russia who is desperate for a new life, and the email from the girl’s supposed mother is intended to add legitimacy to the scheme.

Then there are dozens of pre-fabricated excuses for not talking on the phone, an activity reserved for the final stretch of the scam when the fraudster typically pretends to be stranded at the airport or somewhere else en route to the target’s home town.

“Working with dozens of possible outcomes, they carefully lay out every possible response, including dealing with broke guys who fell in love online,” said Alex Holden, the security expert who intercepted the romance scam package. “If the mark doesn’t have money, the package contains advice for getting him credit, telling the customer to restate his love and discuss credit options.”

A sample letter with multiple-choice options for creating unique love letter greetings.

Interestingly, although Russia is considered by many to be among the most hostile countries toward homosexuals, the makers of this dating scam package also include advice and templates for targeting gay men.

Also included in the dating scam tutorial is a list of email addresses and pseudonyms favored by anti-scammer vigilantes who try to waste the scammers’ time and otherwise prevent them from conning real victims. In addition, the package bundles several photos and videos of attractive Russian women, some of whom are holding up blank signs onto which the scammer can later Photoshop whatever message he wants.

Holden said that an enterprising fraudster with the right programming skills or the funds to hire a coder could easily automate the scam using bots that are programmed to respond to emails from the targets with content-specific replies.

CALL CENTERS TO CLOSE THE DEAL

The romance scam package urges customers to send at least a dozen emails to establish a rapport and relationship before even mentioning the subject of traveling to meet the target. It is in this critical, final part of the scam that the fraudster is encouraged to take advantage of criminal call centers that staff women who can be hired to play the part of the damsel in distress.

The login page for a criminal call center.

“When you get down to the final stage, there has to be a crisis, some compelling reason why the target should send you the money,” said Holden, founder of Hold Security [full disclosure: Yours Truly is an uncompensated adviser to Holden’s company]. “Usually this is something like the girl is stranded at the airport or needs money to get a travel visa. There has to be some kind of distress situation for this person to be duped into wiring money, which can be anywhere between $200 and $2,000 on average.”

Happy 6th Birthday, KrebsOnSecurity!

December 29, 2015

You know you’re getting old when you can’t remember your own birthday (a reader tipped me off). Today is the sixth anniversary of this site’s launch! KrebsOnSecurity turns 6! I’m pretty sure that’s like middle age in Internet years.

Absolutely none of this would be possible without you, Dear Reader. You have supported, encouraged and inspired me in too many ways to count these past years. The community that’s sprung up around here has been a joy to watch, and essential to the site’s success. Thank you!

I tried for at least one post per weekday in 2015, and came close, publishing some 206 entries this year (not counting this one). The frequency of new posts suffered a bit from September to November, when I was on the road nearly 24/7 for a series of back-to-back speaking gigs. Fun fact: Since its inception, this site has featured some 1,200 stories that generated more than 62,000 reader comments.

Flash Player Patch Fixes 0-Day, 18 Other Flaws

December 28, 2015

Adobe has shipped a new version of its Flash Player browser plugin to close at least 19 security holes in the program, including one that is already being exploited in active attacks.

The new Flash version, v. 20.0.0.267 for most Mac and Windows users, includes a fix for a vulnerability (CVE-2015-8651) that Adobe says is being used in “limited, targeted attacks.” If you have Flash installed, please update it.

Better yet, get rid of Flash altogether, or at least disable it until and unless you need it. Doing without Flash just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). This link should tell you whether your system has Flash and if so which version of Flash is installed in your browser.

2016 Reality: Lazy Authentication Still the Norm

December 28, 2015

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Never mind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic-looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

Malware-Driven Card Breach at Hyatt Hotels

December 23, 2015

Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.

Hyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”

As of September 30, 2015, Chicago-based Hyatt’s worldwide portfolio included 627 properties in 52 countries.

Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.

Expect Phishers to Up Their Game in 2016

December 23, 2015

Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.

New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.

According to TechCrunch, Google is giving select Gmail users a password-free means of signing in. It uses a “push” notification sent to your phone that then opens an app where you approve the log-in.

The article says the service Google is experimenting with will let users sign in without entering a password, but that people can continue to use their typed password if they choose. It also says Google may still ask for your password as an additional security measure if it notices anything unusual about a login attempt.

The new authentication feature being tested by some Gmail users comes on the heels of a similar service Yahoo! debuted in October 2015. That offering, called “on-demand passwords,” will text users a random four-character code (the ones I saw were all uppercase letters) that needs to be entered into a browser or mobile device.


This is not Yahoo!’s first stab at two-factor authentication. Another security feature it has offered for years — called “two-step verification” — sends a security code to your phone when you log in from new devices, but only after you supply your password. Yahoo! users who wish to take advantage of the password-free, on-demand password feature will need to disable two-step verification for on-demand passwords to work.

Oracle, LifeLock Settle FTC Deception Charges

December 21, 2015

The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security. LifeLock agreed to pay $100 million for violating a 2010 promise to cease deceptive advertising practices. Oracle’s legal troubles with the FTC stem from its failure to fully remove older, less secure versions of Java when consumers installed the latest Java software.

The FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software. Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said. “The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.”

Password Thieves Target E-Giftcard Firm Gyft

December 18, 2015

Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.

Mountain View, Calif.-based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.

Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.

Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.

The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.

Gyft was acquired in July 2014 by payment giant First Data, a company that has traditionally specialized in processing credit cards and managing ATMs.