Krebs on Security

Chipotle Serves Up Chips, Guac & HR Email

November 16, 2015

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “chipotlehr.com” — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “chipotlehr.com”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

This security oversight by Chipotle was brought to light by KrebsOnSecurity.com reader Michael Kohlman, a professional IT expert who discovered the bug after applying for a job at the food retailer.

Kohlman, who’s between jobs at the moment, said he submitted his resume and application to Chipotle’s online HR department not necessarily because he wanted to be a restaurant employee, but more to satisfy the terms of his unemployment benefits (which require him to regularly show proof that he is actively looking for work).

Kohlman said after submitting his resume and application, he received an email from Chipotle Careers that bore the return address @chipotlehr.com. The Minnesota native said he became curious about the source of the Chipotle HR email when a reply sent to that address generated an error or “bounce” message saying his missive was undeliverable.

“The canned response was very odd,” Kohlman said. “Rather than indicating the email didn’t exist, [the bounced message] just came back and said it could not resolve the DNS settings.”

A quick search for ownership records on the domain showed that it had never before been registered. So, Kohlman said, on a whim he plunked down $30 to purchase it.

The welcome message that one receives upon successfully submitting an application for a job at Chipotle discourages users from replying to the message. But Kohlman said a brief look at the incoming email associated with that domain revealed a steady stream of wayward emails to chipotlehr.com — mainly from job seekers and people seeking password assistance to the Chipotle HR portal.

Continue reading →

JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services

November 13, 2015

17 Comments

Buried in the federal indictments unsealed this week against four men accused of stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms are other unnamed companies that were similarly victimized by the accused. One of them, identified in the indictments only as “Victim #12,” is an entity that helps banks block transactions for dodgy goods advertised in spam. Turns out, the hackers targeted this company so that they could more easily push through payments for spam-advertised prescription drugs and fake antivirus schemes.

According to multiple sources, Victim #12 is none other than Bellevue, Wash. based G2 Web Services LLC, a company that helps banks figure out if a website is fraudulent or is selling contraband. G2 Web Services has not responded to multiple requests for comment.

In the final chapters of my book, Spam Nation: The Inside Story of Organized Cybercrime, I detailed the work of The International AntiCounterfeiting Coalition (IACC), a non-profit organization dedicated to combating product counterfeiting and piracy.

In 2011, G2 Web Services landed a contract to help the IACC conduct “test buys” at sites with products that were being advertised via spam. The company would identify which banks (mostly in Asia) were processing payments for these sites, and then Visa and MasterCard would rain down steep fines on the banks for violating their contracts with the credit card companies. The idea was to follow the money from schemes tied to cybercrime, deter banks from accepting funds from fraudulent transactions, and make it difficult for spammers to maintain stable credit card processing for those endeavors.

Prosecutors say the ringleader of the cybercrime gang accused of breaking into JPMC, Scottrade, E-Trade and others is 31-year-old Gery Shalon, a resident of Tel Aviv and Moscow. Investigators allege Shalon and his co-conspirators monitored credit card transactions processed through their payment processing business to attempt to discern which, if any, were undercover transactions made on behalf of credit card companies attempting to identify unlawful merchants. The government also charges that beginning in or about 2012, Shalon and his co-conspirators hacked into the computer networks of Victim-12 (G2 Web Services).

Shalon and his gang allegedly monitored Victim-12’s detection efforts, including reading emails of Victim-12 employees so they could take steps to evade detection.

“In particular, through their unlawful intrusion into Victim-12’s network, Shalon and his co-conspirators determined which credit and debit card numbers Victim-12 employees were using the make undercover purchases of illicit goods in the course of their effort to detect unlawful merchants,” Shalon’s indictment explains. “Upon identifying those credit and debit card numbers, Shalon and his co-conspirators blacklisted the numbers from their payment processing business, automatically declining any transaction for which payment was offered through one of those credit or debit card numbers.” Continue reading →

The Lingering Mess from Default Insecurity

November 12, 2015

60 Comments

The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks. This story examines one contributor to the problem, and asks whether we should demand better security from ISPs, software and hardware makers.

These attacks are fueled in part by an explosion in the number of Internet-connected things that are either misconfigured or shipped in a default insecure state. In June I wrote about robot networks or “botnets” of hacked Internet routers that were all made and shipped by networking firm Ubiquiti. Attackers were able to compromise the routers because Ubiquiti shipped them with remote administration switched on by default and protected by a factory default password pair (ubnt/ubnt or no password at all).

That story followed on reports from security firm Imperva (see Lax Security Opens the Door for Mass-Scale Hijacking of SOHO Routers) which found a botnet of tens of thousands of hijacked Ubiquiti routers being used to launch massive ransom-based denial-of-service attacks. Imperva discovered that those tens of thousands of hacked devices were so easy to remotely control that each router was being exploited by several different extortion groups or individual criminal actors. The company also found those actors used the hacked routers to continuously scan the Internet for more vulnerable routers.

Last week, researchers in Vienna, Austria-based security firm SEC Consult released data suggesting that there are more than 600,000 vulnerable Ubiquiti routers in use by Internet service providers (ISPs) and their customers. All are sitting on the Internet wide open and permitting anyone to abuse them for these digital shakedowns.

These vulnerable devices tend to coalesce in distinct geographical pools with deeper pools in countries with more ISPs that shipped them direct to customers without modification. SEC Consult said it found heavy concentrations of the exposed Ubiquiti devices in Brazil (480,000), Thailand (170,000) and the United States (77,000).

SEC Consult cautions that the actual number of vulnerable Ubiquiti systems may be closer to 1.1 million. Turns out, the devices ship with a cryptographic certificate embedded in the router’s built-in software (or “firmware”) that further weakens security on the devices and makes them trivial to discover on the open Internet. Indeed, the Censys Project, a scan-driven Internet search engine that allows anyone to quickly find hosts that use that certificate, shows exactly where each exposed router resides online.

The Imperva research from May 2015 touched a nerve among some Ubiquiti customers who thought the company should be doing more to help customers secure these routers. In a May 2015 discussion thread on the company’s support site, Ubiquiti’s vice president of technology applications Matt Harding said the router maker briefly disabled remote access on new devices, only to reverse that move after pushback from ISPs and other customers who wanted the feature turned back on.

In a statement sent to KrebsOnSecurity via email, Harding said the company doesn’t market its products to home users, and that it sells its products to industry professionals and ISPs.

“Because of this we originally shipped with the products’ configurations as flexible as possible and relied on the ISPs to secure their equipment appropriately,” he said. “Some ISPs use self-built provisioning scripts and intentionally locking down devices out of the box would interfere with the provisioning workflows of many customers.”

Harding said it’s common in the networking equipment industry to ship with a default password for initial use. While this may be true, it seems far less common that networking companies ship hardware that allows remote administration over the Internet by default. He added that beginning with firmware version 5.5.2 — originally released in August 2012 — Ubiquiti devices have included very persistent messaging in the user interface to remind customers to follow best practices and change their passwords.

“Any devices shipping since then would have this reminder and users would have to intentionally ignore it to install equipment with default credentials,” he wrote. Harding noted that the company also provides a management platform that ISPs can use to change all default device passwords in bulk.

Ubiquiti’s nag screen asking users to change the default credentials. The company’s devices still ship with remote administration turned on.

Continue reading →

Critical Fixes for Windows, Adobe Flash Player

November 11, 2015

39 Comments

For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

One-quarter of the patches from Microsoft address flaws that the company labels “critical,” meaning they can be exploited by malware or malcontents to break into vulnerable systems with no help from users. Four of the bulletins address vulnerabilities that were publicly disclosed prior to Patch Tuesday, meaning malicious hackers had a head start in figuring out how to exploit those weaknesses.

Top of the priority list among these 12 patches should probably be the one for Internet Explorer, which fixes more than two dozen flaws in IE, nearly all of them critical, browse-to-a-hacked-site-and-get-owned flaws. Another patch, MS15-113, fixes critical bugs in Microsoft’s Edge Browser, its intended replacement for IE. Also of note is a Microsoft Office patch that addresses seven flaws.

This month also includes a patch for .NET, a program that past experience has taught me to patch separately. If you use Windows and Windows Update says you have patches available for .NET, consider unchecking those updates until you’ve applied the rest released on Tuesday. Reboot and install any available .NET updates.

Separately, Adobe issued a patch for its Flash Player software that fixes at least 17 vulnerabilities in the program and in Adobe AIR. Adobe says it is not aware of any exploits in the wild for issues addressed in this update, but readers should seriously consider whether having Flash installed and/or enabled in the browser is worth the risk. Continue reading →

Arrests in JP Morgan, eTrade, Scottrade Hacks

November 10, 2015

36 Comments

U.S. authorities today announced multiple indictments and arrests in connection with separate hacking incidents that resulted in the theft of more than 100 million customer records from some of the nation’s biggest financial institutions and brokerage firms, including JP Morgan Chase, E*Trade and Scottrade.

Prosecutors in Atlanta and New York unsealed indictments against four men and one unnamed alleged co-conspirator in connection with a complex, sprawling scheme to artificially manipulate the price of certain publicly traded U.S. stocks.

The defendants are accused of hacking into JPMorgan Chase in 2014, stealing the names, addresses, phone numbers and email addresses of the holders of some 83 million accounts at the financial institution –a breach that the Justice Department has dubbed the “largest theft of customer data from a U.S. financial institution in history.” Scottrade announced a similar breach of 4.6 million customer records in October 2015. Etrade last month warned 31,000 customers that their contact information may have been breached.

The men allegedly laundered hundreds of millions of dollars from the scheme via a vast cybercrime network that included illegal online pharmacies, fake antivirus or “scareware” schemes, Internet casinos and even a Bitcoin exchange.

Indictments from Atlanta U.S. Attorney John Horn name Gery Shalon, 31, a resident of Tel Aviv and Moscow, who was arrested by Israeli law enforcement in Savyon, Israel in July 2015 and remains in custody there pending extradition proceedings. Another man, Joshua Samuel Aaron, also 31, is a U.S. citizen and resident of Israel, but currently a fugitive. The Atlanta indictments referenced a third, as yet-unnamed accomplice.

Separately, the U.S. Attorney’s Office for the Southern District of New York unsealed its own charges against Shalon and Aaron, as well as a third Israeli citizen, 40-year-old Ziv Orenstein. In addition, prosecutors there announced indictments against Anthony R. Murgio, alleging he fraudulently operated the Florida-based Coin.mx Bitcoin exchange along with Shalon and through it further helped the conspiracy launder its illicit proceeds. Murgio was arrested in July 2015 and is facing prosecution in New York.

According to the Justice Department, between approximately 2007 and July 2015, Shalon owned and operated unlawful internet gambling businesses in the United States and abroad, and that he owned and operated multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software (“malware”) distributors. The government further alleges that Shalon owned and controlled Coin.mx, an illegal United States-based Bitcoin exchange that operated in violation of federal anti-money laundering laws.

“Through their criminal schemes, between in or about 2007 and in or about July 2015, Shalon and his co-conspirators earned hundreds of millions of dollars in illicit proceeds, of which Shalon concealed at least $100 million in Swiss and other bank accounts,” reads a statement issued by Preet Bharara, the United States Attorney for the Southern District of New York. Continue reading →

Ransomware Now Gunning for Your Web Sites

November 9, 2015

66 Comments

One of the more common and destructive computer crimes to emerge over the past few years involves ransomware — malicious code that quietly scrambles all of the infected user’s documents and files with very strong encryption. A ransom, to be paid in Bitcoin, is demanded in exchange for a key to unlock the files. Well, now it appears fraudsters are developing ransomware that does the same but for Web sites — essentially holding the site’s files, pages and images for ransom.

Image: Kaspersky Lab

This latest criminal innovation, innocuously dubbed “Linux.Encoder.1” by Russian antivirus and security firm Dr.Web, targets sites powered by the Linux operating system. The file currently has almost zero detection when scrutinized by antivirus products at Virustotal.com, a free tool for scanning suspicious files against dozens of popular antivirus products.

Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs. Once on a host machine, the malware will encrypt all of the files in the “home” directories on the system, as well backup directories and most of the system folders typically associated with Web site files, images, pages, code libraries and scripts.

The ransomware problem is costly, hugely disruptive, and growing. In June, the FBI said it received 992 CryptoWall-related complaints in the preceding year, with losses totaling more than $18 million. And that’s just from those victims who reported the crimes to the U.S. government; a huge percentage of cybercrimes never get reported at all.

ONE RECENT VICTIM

On Nov. 4, the Linux Website ramsomware infected a server used by professional Web site designer Daniel Macadar. The ransom message was inside a plain text file called “instructions to decrypt” that was included in every file directory with encrypted files:

“To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay 1 bitcoin(s) (~420 USD),” the warning read. “Without this key, you will never be able to get your original files back.”

Macadar said the malware struck a development Web server of his that also hosted Web sites for a couple of longtime friends. Macadar was behind on backing up the site and the server, and the attack had rendered those sites unusable. He said he had little choice but to pay the ransom. But it took him some time before he was able to figure out how to open and fund a Bitcoin account.

“I didn’t have any Bitcoins at that point, and I was never planning to do anything with Bitcoin in my life,” he said.

According to Macadar, the instructions worked as described, and about three hours later his server was fully decrypted. However, not everything worked the way it should have.

“There’s a decryption script that puts the data back, but somehow it ate some characters in a few files, adding like a comma or an extra space or something to the files,” he said.

Macadar said he hired Thomas Raef — owner of Web site security service WeWatchYourWebsite.com — to help secure his server after the attack, and to figure out how the attackers got in. Raef told me his customer’s site was infected via an unpatched vulnerability in Magento, a shopping cart software that many Web sites use to handle ecommerce payments.

CheckPoint detailed this vulnerability back in April 2015 and Magento issued a fix yet many smaller ecommerce sites fall behind on critical updates for third-party applications like shopping cart software. Also, there are likely other exploits published recently that can expose a Linux host and any associated Web services to attackers and to site-based ransomware. Continue reading →

Pointer to Reddit ‘Ask Me Anything’ Interview

November 8, 2015

26 Comments

I recently participated in an “Ask Me Anything” interview on Reddit.com about investigative reporting. I spent the better part of a day responding to readers about the challenges and rewards of independent journalism and a focus on data breaches, cybercrime and cybercriminals. It occurred to me today that I hadn’t mentioned the interview yet on this site, so here it is. The discussion is now locked, but feel free to follow-up with your own questions here in the comments, and I’ll answer the better ones as time permits.

FCC Fines Cox $595K Over Lizard Squad Hack

November 6, 2015

35 Comments

In September 2014, I penned a column called “We Take Your Privacy and Security. Seriously.” It recounted my experience receiving notice from my former Internet service provider — Cox Communications — that a customer service employee had been tricked into giving away my personal information to hackers. This week, the Federal Communications Commission (FCC) fined Cox $595,000 for the incident that affected me and 60 other customers.

I suspected, but couldn’t prove at the time, that the band of teenage cybercriminals known as the Lizard Squad was behind the attack. According to a press release issued Thursday by the FCC, the intrusion began after LizardSquad member “Evil Jordie” phoned up Cox support pretending to be from the company’s IT department, and convinced both a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website.

“With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers of Cox’s cable customers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers,” the FCC said. “The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.”

My September 2014 column took Cox to task for not requiring two-step authentication for employees: Had the company done so, this phishing attack probably would have failed. As a condition of the settlement with the FCC, the commission said Cox has agreed to adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information, and the FCC will monitor Cox’s compliance with the consent decree for seven years. Continue reading →

TalkTalk, Script Kids & The Quest for ‘OG’

November 5, 2015

52 Comments

So you’ve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inbox’s recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.

Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity reader from the United Kingdom. Blake reached out because I’d recently written about a character of interest in the breach at British phone and broadband provider TalkTalk: an individual using the Twitter handle “@Fearful“.

Blake proceeded to explain how that same Fearful account had belonged to him for some time until May 2015, when an elaborate social engineering attack on his Internet service provider (ISP) allowed the current occupant of the account to swipe it out from under him.

On May 11, Blake received a text message on his mobile stating that his Microsoft Outlook account password had been changed. A minute later, he got another text from Microsoft saying his two-factor authentication (texted login codes to his phone) had been removed. After that, he could no longer log in to his Outlook account because someone had changed his password and removed his recovery email address (changing it to a free and disposable yopmail.com account).

Minutes after that, someone tweeted out the message from his account: “This twitter account is officially operated by Elliott G.” The tweet prior to that one mentions Blake by name and is a response to an inquiry to the Microsoft Store before the account was taken. The alias on Blake’s @Fearful account was changed to “Glubz”.

Blake said it took some time to figure out how the miscreant had hijacked his Twitter and Outlook accounts. Turns out, the recovery email address that he’d supplied for his Outlook account was to an email address at his local ISP, and the attacker executed the first step in the hijack by tricking a customer service employee at the ISP into redirecting his messages.

The attacker, apparently another person with a British accent, called Blake’s ISP pretending to be Blake and said he was locked out of his inbox. Could the ISP please change the domain name system (DNS) settings on his domain and associated mail account?

According to Blake, an investigation into the incident at the ISP shows that the customer service rep asked the caller to verify any other email addresses associated with Blake’s ISP account, and after some waiting the support employee actually read off a few of them. Seconds later, the attacker sent an email to the support person that spoofed one of those email addresses. After that, Blake’s ISP complied with the request, changing the DNS settings on his account to settings that the caller supplied for an account at Namecheaphosting.com.

OG IS A THING

With all of the access to other accounts that one’s inbox affords, the attacker in this case could have done some serious damage and cost Blake a lot of money. So why was he only interested in Blake’s Twitter account?

Short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising amounts of money for them. Known as “OG” (short for “original” and also “original gangster”) in certain circles online, these can be usernames for virtually any service, from email accounts at Webmail providers to social media services like Instagram, Snapchat, Twitter and Youtube. People who traffic in OG accounts prize them because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken.

“I didn’t realize this was even a thing until all this happened,” Blake said of the demand for OG accounts. “It wasn’t until the day after my email accounts were hacked that I realized it was really my Twitter account he was after.”

As it happens, the guy who is currently squatting on Blake’s @Fearful Twitter account — a young wanna-be hacker who uses the nickname “Glubz” — is very publicly in the business of selling hijacked OG accounts. In the screen shot below, we can see Glubz on the script kiddie-friendly online community Hackforums promoting his “OG Store,” in which he sells “Snapchats,” Email accounts and “Youtubes” for $10-$40 apiece, payable via Bitcoin or PayPal. The bottom of the message includes a link to Glubz’s personal site — elliottg[dot]net (also hosted at Namecheaphosting.com). Continue reading →

How Carders Can Use eBay as a Virtual ATM

November 3, 2015

122 Comments

How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.

So-called “triangulation fraud” — scammers using stolen cards to buy merchandise won at auction by other eBay members — is not a new scam. But it’s a crime that’s getting more sophisticated and automated, at least according to a victim retailer who reached out to KrebsOnSecurity recently after he was walloped in one such fraud scheme.

The victim company — which spoke on condition of anonymity — has a fairly strong e-commerce presence, and is growing rapidly. For the past two years, it was among the Top 500 online retailers as ranked by InternetRetailer.com.

The company was hit with over 40 orders across three weeks for products that later traced back to stolen credit card data. The victimized retailer said it was able to stop a few of the fraudulent transactions before the items shipped, but most of the sales were losses that the victim firm had to absorb.

Triangulation fraud. Image: eBay Enterprise.

The scheme works like this: An auction fraudster sets up one (or multiple) eBay accounts and sells legitimate products. A customer buys the item from the seller (fraudster) on eBay and the money gets deposited in the fraudster’s PayPal account.

The fraudster then takes the eBay order information to another online retailer which sells the same item, buys the item using stolen credit card data, and has the item shipped to the address of the eBay customer that is expecting the item. The fraudster then walks away with the money.

One reason this scheme is so sneaky is that the eBay customers are happy because they got their product, so they never complain or question the company that sent them the product. For the retailer, the order looks normal: The customer contact info in the order form is partially accurate: It has the customer’s correct shipping address and name, but may list a phone number that goes somewhere else — perhaps to a voicemail owned and controlled by the fraudster.

“For the retailer who ships thousands of orders every day, this fraudulent activity really doesn’t raise any red flags,” my source — we’ll call him “Bill,” — told me. “The only way they eventually find out is with a sophisticated fraud screening program, or when the ‘chargeback’ from Visa or MasterCard finally comes to them from the owner of the stolen card.”

In an emailed statement, eBay said the use of stolen or fraudulent credit card numbers to purchase goods on eBay is by no means unique to eBay.

“We believe collaboration and cooperation is the best way to combat fraud and organized retail crime of this nature, working in partnership with retailers and law enforcement,” wrote Ryan Moore, eBay’s senior manager of global corporate affairs. Detecting this type of fraud, Moore said, “relies heavily on the tools that merchants use themselves, which includes understanding their customers and implementing the correct credit card authorization protocols.”

Moore declined to discuss the technology and approaches the eBay uses to fight triangulation fraud — saying eBay doesn’t want tip its hand to cybercriminals. But he said the company uses internal tools and risk models to identify suspicious activity on its platform, and that it trains hundreds of retailers and law enforcement on various types of fraud, including triangulation fraud.

QUAD FRAUD?

Moore pointed to one education campaign on eBay’s site, which adds another wrinkle to this fraud scheme: Very often the people listing the item for sale on eBay are existing, long-time eBay members with good standing who get recruited to sell items via work-at-home job scams. These schemes typically advertise that the seller gets to keep a significant cut of the sale price — typically 30 percent.

A recruitment email from a work-at-home job scam that involves respondents in triangulation fraud. Source: eBay

Interesting, the guy selling carded goods stolen from Bill’s company has been on eBay for more than a decade and has a near-perfect customer feedback score. That seller is not being referenced in this story because his feedback page directly links to transactions from Bill’s company. Continue reading →

Last »