Inside the $100M ‘Business Club’ Crime Gang

August 5, 2015

New research into a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide provides an unprecedented, behind-the-scenes look at an exclusive “business club” that dabbled in cyber espionage and worked closely with phantom Chinese firms on Russia’s far eastern border.

In the summer of 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs.

Thousands of freelance cybercrooks have used a commercially available form of the ZeuS banking malware for years to siphon funds from Western bank accounts and small businesses. Gameover ZeuS, on the other hand, was a closely-held, customized version secretly built by the ZeuS author himself (following a staged retirement) and wielded exclusively by a cadre of hackers that used the systems in countless online extortion attacks, spam and other illicit moneymaking schemes.

Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.” But despite those high-profile law enforcement actions, little has been shared about the day-to-day operations of this remarkably resourceful cybercrime gang.

That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.

The alleged ZeuS Trojan author, Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. "lucky12345", "slavik", "Pollingsoon". Source: FBI.gov "most wanted, cyber.

The alleged ZeuS Trojan author, Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber.

THE ‘BUSINESS CLUB’

The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Oceans 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.

“To become a member of the business club there was typically an initial membership fee and also typically a profit sharing agreement,” Fox-IT wrote. “Note that the customer and core team relationship was entirely built on trust. As a result not every member would directly get full access, but it would take time until all the privileges of membership would become available.”

Michael Sandee, a principal security expert at Fox-IT and author of the report, said although Bogachev and several other key leaders of the group were apparently based in or around Krasnodar — a temperate area of Russia on the Black Sea — the crime gang had members that spanned most of Russia’s 11 time zones.

Geographic diversity allowed the group — which mainly worked regular 9-5 hour days Monday through Friday — to conduct their cyberheists against banks by following the rising sun across the globe — emptying accounts at Australia and Asian banks in the morning there, European banks in the afternoon, before handing the operations over to a part of the late afternoon team based in Eastern Europe that would attempt to siphon funds from banks that were just starting their business day in the United States.

“They would go along with the time zone, starting with banks in Australia, then continuing in Asia and following the business day wherever it was, ending the day with [attacks against banks in] the United States,” Sandee said.

Image: Timetemperature.com

Image: Timetemperature.com

Continue reading

Chinese VPN Service as Attack Platform?

August 4, 2015

Hardly a week goes by without a news story about state-sponsored Chinese cyberspies breaking into Fortune 500 companies to steal intellectual property, personal data and other invaluable assets. Now, researchers say they’ve unearthed evidence that some of the same Chinese hackers also have been selling access to compromised computers within those companies to help perpetrate future breaches.

The so-called “Great Firewall of China” is an effort by the Chinese government to block citizens from accessing specific content and Web sites that the government has deemed objectionable. Consequently, many Chinese seek to evade such censorship by turning to virtual private network or “VPN” services that allow users to tunnel their Internet connections to locations beyond the control of the Great Firewall.

terracottavpn

Security experts at RSA Research say they’ve identified an archipelago of Chinese-language virtual private network (VPN) services marketed to Chinese online gamers and those wishing to evade censorship, but which also appear to be used as an active platform for launching attacks on non-Chinese corporations while obscuring the origins of the attackers.

Dubbed by RSA as “Terracotta VPN” (a reference to the Chinese Terracotta Army), this satellite array of VPN services “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the company said in a report released today.

The hacker group thought to be using Terracotta to launch and hide attacks is known by a number of code names, including the “Shell_Crew” and “Deep Panda.” Security experts have tied this Chinese espionage gang to some of the largest data breaches in U.S. history, including the recent attack on the U.S. Office of Personnel Management, as well as the breaches at U.S. healthcare insurers Anthem and Premera.

According to RSA, Terracotta VPN has more than 1,500 nodes around the world where users can pop up on the Internet. Many of those locations appear to be little more than servers at Internet service providers in the United States, Korea, Japan and elsewhere that offer cheap virtual private servers.

But RSA researchers said they discovered that many of Terracotta’s exit nodes were compromised Windows servers that were “harvested” without the victims’ knowledge or permission, including systems at a Fortune 500 hotel chain; a hi-tech manufacturer; a law firm; a doctor’s office; and a county government of a U.S. state.

The report steps through a forensics analysis that RSA conducted on one of the compromised VPN systems, tracking each step the intruders took to break into the server and ultimately enlist the system as part of the Terracotta VPN network.

“All of the compromised systems, confirmed through victim-communication by RSA Research, are Windows servers,” the company wrote. “RSA Research suspects that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds).”

RSA says suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes to exploit sensitive targets among Western government and commercial organizations. The company said it received a specific report from a large defense contractor concerning 27 different Terracotta VPN node Internet addresses that were used to send phishing emails targeting users in their organization.

“Out of the thirteen different IP addresses used during this campaign against this one (APT) target, eleven (85%) were associated with Terracotta VPN nodes,” RSA wrote of one cyber espionage campaign it investigated. “Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic.”

DIGGING DEEPER

RSA’s report includes a single screen shot of software used by one of the commercial VPN services marketed on Chinese sites and tied to the Terracotta network, but for me this was just a tease: I wanted a closer look at this network, yet RSA (or more likely, the company’s lawyers) carefully omitted any information in its report that would make it easy to locate the sites selling or offering the Terracotta VPN.

RSA said the Web sites advertising the VPN services are marketed on Chinese-language Web sites that are for the most part linked by common domain name registrant email addresses and are often hosted on the same infrastructure with the same basic Web content. Along those lines, the company did include one very useful tidbit in its report: A section designed to help companies detect servers that may be compromised warned that any Web servers seen phoning home to 8800free[dot]info should be considered hacked.

Continue reading

Advertisement

‘Like Cutting Off a Limb to Save the Body’

August 3, 2015

This author has spent many years chronicling the exploits of black hat spammers who use hacked computers to relay junk email. But I’ve dedicated comparatively little time delving into ways of email marketers who technically follow U.S. anti-spam laws yet nevertheless engage in spammy practices. The latter is able to ply their trade because there are thousands of Internet hosting companies operating on thin profit margins that are happy to host spammy but lucrative clients. This is the story of how one hosting company heroically kicked out all of its email marketing customers at great expense and ended up building a stronger, more profitable company in the process.

emailgraphicA serial entrepreneur as a young teenager, Peter Holden founded several online companies by the time he turned 20 and started Tulsa, Okla.-based hosting firm HostWinds. The company grew modestly but steadily — relying on more than two dozen servers and bringing in revenues of about $15,000 per month.

That is, until Holden got his first email marketing client who offered to double HostWind’s monthly income in one day.

“I remember driving down from Tulsa to Oklahoma City to visit this client,” said Holden, now 25. “It was July 2012, and it was super hot in the car because I didn’t have air conditioning. But I remember thinking it was really cool to have a client who was local and interested in using our services.”

That one client’s business would not only double HostWind’s income, but it gave the company much-needed funds to invest in building out the firm’s technical infrastructure. Good thing, too, because the email marketing client soon referred more e-mailers to HostWinds, which was forced to petition the American Registry for Internet Numbers (ARIN) for thousands of additional Internet addresses to accommodate its new clientele.

“Fast forward about two years, and we now have a lot of mailers on our network,” Holden said. “Throughout all of this, one client introduced me to another client, and another.”

All of them swore up and down that they were following U.S. anti-spam laws to the letter. The CAN-SPAM Act was intended to make it more expensive and difficult for email marketers and spammers to send unsolicited junk email, but critics say it is essentially toothless and rarely enforced. Under CAN-SPAM, commercial emails can’t be spoofed (i.e., the address in the “from;” field can’t be faked or obfuscated), and the messages must give recipients a simple way to opt-out of receiving future missives.

“Legally speaking, we didn’t have any client on our network who broke the law. My dad was a lawyer and we’d routinely terminate anyone who violated our policies,” Holden said. “Ultimately, I think the fact that these clients were able to pay their bills on time — and their bills were massive — gave them some sort of air of legitimacy.”

HOW MANY SPAMS CAN A SPAMMER SPAM IF A SPAMMER CAN-SPAM SPAMS?

From the perspective of anti-spam groups, the main problem with the CAN-SPAM act is that it doesn’t require marketers to get opt-in approval from people before spamming them. Also, many large-scale junk email operations are not too dissimilar from spam campaigns run by cybercrooks — except instead of routing the mail through PCs that have been seeded with malware, commercial emailers send email from huge numbers of distinct Internet addresses that they rent from a vast network of hosting companies. Continue reading

Windows 10 Shares Your Wi-Fi With Contacts

July 29, 2015

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default prompt to you share access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.

msoptoutThis brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.

The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.

Update, July 30, 12:35 p.m. ET: Ed Bott over at ZDNet takes issue with the experience described in the stories referenced above, stating that while Wi-Fi Sense is turned on by default, users still have to explicitly choose to share a network. “When you first connect to a password-protected Wi-Fi network, you choose if you want to share access to that network with your contacts,” Bott writes. Nevertheless, many users are conditioned to click “yes” to these prompts, and shared networks will be shared to all Facebook, Outlook, and Skype contacts (users can’t pick individual contacts; the access is shared with all contacts on a social network). Updated the lead to clarify that users are prompted to share. Continue reading

The Wheels of Justice Turn Slowly

July 27, 2015

On the evening March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I’ve recently received a notice from the U.S. Justice Department stating that one of the individuals involving in that “swatting” incident had pleaded guilty to a felony conspiracy charge.

swatnet“A federal investigation has revealed that several individuals participated in a scheme to commit swatting in the course of which these individuals committed various federal criminal offenses,” reads the DOJ letter, a portion of which is here (PDF). “You were the victim of the criminal conduct which resulted in swattings in that you were swattted.”

The letter goes on to state that one of the individuals who participated in the scheme has pleaded guilty to conspiracy charges (Title 18, Section 371) in federal court in Washington, D.C.

The notice offers little additional information about the individual who pleaded guilty or about his co-conspirators, and the case against him is sealed. It could be the individual identified at the conclusion of this story, or someone else. In any case, my own digging on this investigation suggests the government is in the process of securing charges or guilty pleas in connection with a group of young men who ran the celebrity “doxing” Web site exposed[dot]su (later renamed exposed[dot]re).

As I noted in a piece published just days after my swatting incident, the attack came not long after I wrote a story about the site, which was posting the Social Security numbers, previous addresses, phone numbers and credit reports on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. Many of those individuals whose personal data were posted at the site also were the target of swatting attacks, including P. Diddy, Justin Timberlake and Ryan Seacrest.

The Web site exposed[dot]su featured the personal data of celebrities and public figures.

The Web site exposed[dot]su featured the personal data of celebrities and public figures.

Continue reading

Spike in ATM Skimming in Mexico?

July 22, 2015

Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

On Saturday, July 18, 2015, municipal police in Puerto Vallara arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim’s ATM card PIN.

Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?

hyosung-frontatm
The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:

The backside of the false fascia shows the location of the hidden camera.

The backside of the false fascia shows the location of the hidden camera.

The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Swapping the batteries out got this skimmer scammer busted. No wonder they included so many!

Continue reading

Experian Hit With Class Action Over ID Theft Service

July 21, 2015

Big-three credit bureau Experian is the target of a class-action lawsuit just filed in California. The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.

experianThe lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me.

Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures — a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States, and for nearly ten months after Experian acquired Court Ventures, Ngo continued paying for his customers’ data searches via cash wire transfers from a bank in Singapore.

Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme. According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen personal information was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns.

The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA). The plaintiffs also want the court to force Experian to notify all consumers affected by Ngo’s service; to provide them free credit monitoring services; to disgorge all profits made from Ngo’s service; and to establish a fund (in an amount to be determined) to which victims can apply for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service. Continue reading

Online Cheating Site AshleyMadison Hacked

July 19, 2015

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

ashleymadison

The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed. Continue reading

CVS Probes Card Breach at Online Photo Unit

July 17, 2015

Nationwide pharmacy chain CVS has taken down its online photo center CVSphoto.com, replacing it with a message warning that customer credit card data may have been compromised. The incident comes just days after Walmart Canada said it was investigating a potential breach of customer card data at its online photo processing store.

cvsphoto

“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” CVS said in a statement that replaced the photo Web site’s normal homepage content. “As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience. Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com and our pharmacies. Financial transactions on CVS.com and in-store are not affected.” Continue reading

The Darkode Cybercrime Forum, Up Close

July 15, 2015

By now, many of you loyal KrebsOnSecurity readers have seen stories in the mainstream press about the coordinated global law enforcement takedown of Darkode[dot]me, an English-language cybercrime forum that served as a breeding ground for botnets, malware and just about every other form of virtual badness. This post is an attempt to distill several years’ worth of lurking on this forum into a narrative that hopefully sheds light on the individuals apprehended in this sting and the cybercrime forum scene in general.

To tell this tale completely would take a book the size of The Bible, but it’s useful to note that the history of Darkode — formerly darkode[dot]com — traces several distinct epochs that somewhat neatly track the rise and fall of the forum’s various leaders. What follows is a brief series of dossiers on those leaders, as well as a look at who these people are in real life.

ISERDO

Darkode began almost eight years ago as a pet project of Matjaz Skorjanc, a now-36-year-old Slovenian hacker best known under the hacker alisas “Iserdo.” Skorjanc was one of several individuals named in the complaints published today by the U.S. Justice Department.

Butterfly Bot customers wonder why Iserdo isn't responding to support requests. He was arrested hours before.

Butterfly Bot customers wonder why Iserdo isn’t responding to support requests. He was arrested hours before.

Iserdo was best known as the author of the ButterFly Bot, a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global cybercrime operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. Iserdo was arrested by Slovenian authorities in 2010. According to investigators, his ButterFly Bot kit sold for prices ranging from $500 to $2,000.

In May 2010, I wrote a story titled Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm, which detailed how several of Skorjanc’s alleged associates actually applied for jobs at Panda Security, an antivirus and security firm based in Spain. At the time, Skorjanc and his buddies were already under the watchful eye of the Spanish police.

MAFI

Following Iserdo’s arrest, control of the forum fell to a hacker known variously as “Mafi,” “Crim” and “Synthet!c,” who according to the U.S. Justice Department is a 27-year-old Swedish man named Johan Anders Gudmunds. Mafi is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to build botnets. The Justice Department also alleges that Gudmunds operated his own botnet, “which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.”

Mafi was best known for creating the Crimepack exploit kit, a prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked Web sites with malicious software. Mafi’s stewardship over the forum coincided with the admittance of several high-profile Russian cybercriminals, including “Paunch,” an individual arrested in Russia in 2013 for selling a competing and far more popular exploit kit called Blackhole.

Paunch worked with another Darkode member named “J.P. Morgan,” who at one point maintained an $800,000 budget for buying so-called “zero-day vulnerabilities,” critical flaws in widely-used commercial software like Flash and Java that could be used to deploy malicious software.

Darkode admin "Mafi" explains his watermarking system.

Darkode admin “Mafi” explains his watermarking system.

Perhaps unsurprisingly, Mafi’s reign as administrator of Darkode coincided with the massive infiltration of the forum by a number of undercover law enforcement investigators, as well as several freelance security researchers (including this author).

As a result, Mafi spent much of his time devising new ways to discover which user accounts on Darkode were those used by informants, feds and researchers, and which were “legitimate” cybercriminals looking to ply their wares.

For example, in mid-2013 Mafi and his associates cooked up a scheme to create a fake sales thread for a zero-day vulnerability — all in a bid to uncover which forum participants were researchers or feds who might be lurking on the forum.

That plan, which relied on a clever watermarking scheme designed to “out” any forum members who posted screen shots of the forum online, worked well but also gave investigators key clues about the forum’s hierarchy and reporting structure.

logsruhroh

Mafi worked closely with another prominent Darkode member nicknamed “Fubar,” and together the two of them advertised sales of a botnet crimeware package called Ngrbot (according to Mafi’s private messages on the forum, this was short for “Niggerbot.” The password databases from several of Mafi’s accounts on hacked cybercrime forums included variations on the word “nigger” in some form). Mafi also advertised the sale of botnets based on “Grum” a spam botnet whose source code was leaked in 2013. Continue reading