The Darkode Cybercrime Forum, Up Close

July 15, 2015

By now, many of you loyal KrebsOnSecurity readers have seen stories in the mainstream press about the coordinated global law enforcement takedown of Darkode[dot]me, an English-language cybercrime forum that served as a breeding ground for botnets, malware and just about every other form of virtual badness. This post is an attempt to distill several years’ worth of lurking on this forum into a narrative that hopefully sheds light on the individuals apprehended in this sting and the cybercrime forum scene in general.

To tell this tale completely would take a book the size of The Bible, but it’s useful to note that the history of Darkode — formerly darkode[dot]com — traces several distinct epochs that somewhat neatly track the rise and fall of the forum’s various leaders. What follows is a brief series of dossiers on those leaders, as well as a look at who these people are in real life.

ISERDO

Darkode began almost eight years ago as a pet project of Matjaz Skorjanc, a now-36-year-old Slovenian hacker best known under the hacker alisas “Iserdo.” Skorjanc was one of several individuals named in the complaints published today by the U.S. Justice Department.

Butterfly Bot customers wonder why Iserdo isn't responding to support requests. He was arrested hours before.

Butterfly Bot customers wonder why Iserdo isn’t responding to support requests. He was arrested hours before.

Iserdo was best known as the author of the ButterFly Bot, a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global cybercrime operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. Iserdo was arrested by Slovenian authorities in 2010. According to investigators, his ButterFly Bot kit sold for prices ranging from $500 to $2,000.

In May 2010, I wrote a story titled Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm, which detailed how several of Skorjanc’s alleged associates actually applied for jobs at Panda Security, an antivirus and security firm based in Spain. At the time, Skorjanc and his buddies were already under the watchful eye of the Spanish police.

MAFI

Following Iserdo’s arrest, control of the forum fell to a hacker known variously as “Mafi,” “Crim” and “Synthet!c,” who according to the U.S. Justice Department is a 27-year-old Swedish man named Johan Anders Gudmunds. Mafi is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to build botnets. The Justice Department also alleges that Gudmunds operated his own botnet, “which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.”

Mafi was best known for creating the Crimepack exploit kit, a prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked Web sites with malicious software. Mafi’s stewardship over the forum coincided with the admittance of several high-profile Russian cybercriminals, including “Paunch,” an individual arrested in Russia in 2013 for selling a competing and far more popular exploit kit called Blackhole.

Paunch worked with another Darkode member named “J.P. Morgan,” who at one point maintained an $800,000 budget for buying so-called “zero-day vulnerabilities,” critical flaws in widely-used commercial software like Flash and Java that could be used to deploy malicious software.

Darkode admin "Mafi" explains his watermarking system.

Darkode admin “Mafi” explains his watermarking system.

Perhaps unsurprisingly, Mafi’s reign as administrator of Darkode coincided with the massive infiltration of the forum by a number of undercover law enforcement investigators, as well as several freelance security researchers (including this author).

As a result, Mafi spent much of his time devising new ways to discover which user accounts on Darkode were those used by informants, feds and researchers, and which were “legitimate” cybercriminals looking to ply their wares.

For example, in mid-2013 Mafi and his associates cooked up a scheme to create a fake sales thread for a zero-day vulnerability — all in a bid to uncover which forum participants were researchers or feds who might be lurking on the forum.

That plan, which relied on a clever watermarking scheme designed to “out” any forum members who posted screen shots of the forum online, worked well but also gave investigators key clues about the forum’s hierarchy and reporting structure.

logsruhroh

Mafi worked closely with another prominent Darkode member nicknamed “Fubar,” and together the two of them advertised sales of a botnet crimeware package called Ngrbot (according to Mafi’s private messages on the forum, this was short for “Niggerbot.” The password databases from several of Mafi’s accounts on hacked cybercrime forums included variations on the word “nigger” in some form). Mafi also advertised the sale of botnets based on “Grum” a spam botnet whose source code was leaked in 2013. Continue reading

ID Theft Service Proprietor Gets 13 Years

July 15, 2015

A Vietnamese man who ran an online identity theft service that sold access to Social Security numbers and other personal information on more than 200 million Americans has been sentenced to 13 years in a U.S. prison.

Vietnamese national Hieu Minh Ngo was sentenced to 13 years in prison for running an identity theft service.

Vietnamese national Hieu Minh Ngo was sentenced to 13 years in prison for running an identity theft service.

Hieu Minh Ngo, 25, ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures, a subsidiary of the major consumer credit bureau Experian.

Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme.

The totality of damage caused by his more than 1,300 customers is unknown, but it is clear that Ngo’s service was quite popular among ID thieves involved in filing fraudulent tax refund requests with the U.S. Internal Revenue Service (IRS). According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns. Continue reading

Advertisement

Adobe, MS, Oracle Push Critical Security Fixes

July 14, 2015

This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java. Continue reading

Third Hacking Team Flash Zero-Day Found

July 13, 2015

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.

flashpotus

Continue reading

Hacking Team Used Spammer Tricks to Resurrect Spy Network

July 13, 2015

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.

hackingteam

Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits are essentially remote-access Trojan horse programs designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police — also known as the “Carabinieri” — an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the Carabinieri to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the Carabinieri and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” which involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker. Continue reading

Adobe To Fix Another Hacking Team Zero-Day

July 11, 2015

For the second time in a week, Adobe Systems Inc. says it plans fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

brokenflash-aIn an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacking Team data breach,” the advisory notes.

Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.

There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.

If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.

Cybercrime Kingpin Pleads Guilty

July 10, 2015

An Estonian man who ran an organized cybercrime ring that infected more than four million PCs in over 100 countries with moneymaking malware has pleaded guilty in New York to wire fraud and computer intrusion charges.

Vladimir Tsastsin, 35, ran an online Web hosting and advertising empire in Estonia called Rove Digital. From 2007 to 2011, Tsastin and six other men cooked up and executed a scheme to deploy malware that altered the domain name system (DNS) settings on infected computers (there were versions of the malware for both Mac and Windows systems).

Tsastsin. left, along with other Rove Digital men, at a hearing in Tallinn. Image: Postimees.ee.

Tsastsin. right, along with other Rove Digital men, at a 2013 hearing in Tallinn. Image: Postimees.ee.

Known as DNSChanger, the malware replaced legitimate ads in victim Web browsers with ads that rewarded Rove Digital, and hijacked referral commissions from other advertisers when victims clicked on ads. The malware also prevented infected systems from downloading software updates and visiting many security Web sites.

Following the takedown of the crime gang, the U.S. government assumed control over the DNS servers that were used by the malware, and spearheaded a global effort to clean up infected systems. U.S. authorities allege that the men made more than $14 million through click hijacking and advertisement replacement fraud.

Tsastsin and his accomplices were arrested in 2011 by Estonian authorities for their role in the scheme, but ultimately the men were acquitted. In June 2014, however, the Estonian Supreme Court revoked that decision, finding them guilty of money laundering. Tsastsin in particular was also found guilty of leading a criminal gang. All but one of the seven were later extradited to the United States, and have already pleaded guilty and/or been imprisoned.

I first encountered Tsastsin in 2008, after research and collaboration with numerous security firms and researchers led to a Washington Post series detailing how Rove Digital and its hosting business — a company called EstDomains — were hosting huge numbers of Web sites that foisted malicious software. His response at the time to assertions that he was somehow tied to Russian organized cybercrime: “Rubbish!”  Continue reading

Credit Card Breach at a Zoo Near You

July 9, 2015

Service Systems Associates, a company that serves gift shops and eateries at zoos and cultural centers across the United States, has acknowledged a breach of its credit and debit card processing systems.

ssaSeveral banking industry sources told KrebsOnSecurity they have detected a pattern of fraud on cards that were all used at zoo gift shops operated by Denver-basd SSA. On Wednesday morning, CBS Detroit moved a story citing zoo officials there saying the SSA was investigating a breach involving point-of-sale malware.

Contacted about the findings, SSA confirmed that it was the victim of a data security breach.

“The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a written statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.”

SSA said it has been working with law enforcement officials and a third-party forensic investigator, Sikich, to investigate the breach.

“Though the investigation into this attack continues, the malware that caused the breach was identified and removed,” the statement continued. “All visitors should feel confident using credit or debit cards anywhere in these facilities.” Continue reading

Finnish Decision is Win for Internet Trolls

July 8, 2015

In a win for Internet trolls and teenage cybercriminals everywhere, a Finnish court has decided not to incarcerate a 17-year-old found guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, operating a huge botnet and calling in bomb threats, among other violations.

Julius "Ryan" Kivimaki.

Julius “Ryan” Kivimaki.

As the Finnish daily Helsingin Sanomat reports, Julius Kivimäki — a.k.a. “Ryan” and “Zeekill” — was given a two-year suspended sentence and ordered to forfeit EUR 6,558.

Kivimaki vaulted into the media spotlight late last year when he claimed affiliation with the Lizard Squad, a group of young hooligans who knocked offline the gaming networks of Microsoft and Sony for most of Christmas Day.

According to the BBC, evidence presented at Kivimaki’s trial showed that he compromised more than 50,000 computer servers by exploiting vulnerabilities in Adobe’s Cold Fusion web application software. Prosecutors also said Kivimaki used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimaki allegedly also was involved in calling in multiple fake bomb threats and “swatting” incident — reporting fake hostage situations at an address to prompt a heavily armed police response to that location. DailyDot quotes Blair Strater, a victim of Kivimaki’s swatting and harassment, who expressed disgust at the Finnish ruling.

Speaking with KrebsOnSecurity, Strater called Kivimaki “a dangerous sociopath” who belongs behind bars.

Although it did not factor into his trial, sources close to the Lizard Squad investigation say Kivimaki also was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others say it started with a call from Kivimaki.

In a phone interview, Smedley said he was disappointed that the judicial system in Finland didn’t do more.

“I personally got to listen to a recording of him calling in to American Airlines, and I know it was him because I talked to him myself,” Smedley said. “He’s done all kinds of bad stuff to me, including putting all of my information out on the Internet. He even attempted to use my credit numerous times. The harassment literally just did not stop.”

In an online interview with KrebsOnSecurity, Kivimaki denied involvement with the American Airlines incident, and said he was not surprised by the leniency shown by the court in his trial.

“During the trial it became apparent that nobody suffered significant (if any) damages because of the alleged hacks,” he said.

The danger in a decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Case in point: Kivimaki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimaki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.” Continue reading

Adobe to Patch Hacking Team’s Flash Zero-Day

July 7, 2015

Adobe Systems Inc. says its plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

A knowledge base file stolen from Hacking Team explaining how to use the company's zero-day Flash exploit.

A knowledge base file stolen from Hacking Team explaining how to use a Flash exploit developed by the company.

In an advisory published today, Adobe said “a critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

Update, July 8, 12:13 p.m. ET: The patch is now available in Flash Player 18.0.0.203 for Windows and Mac systems. See this advisory for more information and for links to downloads.

Original story:

Several reports on Twitter suggested the exploit could be used to bypass Google Chrome‘s protective “sandbox” technology, a security feature that forces the program to run in a heightened security mode designed to block attacks that target vulnerabilities in Flash. A spokesperson for Google confirmed that attackers could evade the Chrome sandbox by using the Flash exploit in tandem with another Windows vulnerability that appears to be unpatched at the moment. Google also says its already in the process of pushing the Flash fix out to Chrome users.

The Flash flaw was uncovered after Hacking Team’s proprietary information was posted online by hacktivists seeking to disprove the company’s claims that it does not work with repressive regimes (the leaked data suggests that Hacking Team has contracted to develop exploits for a variety of countries, including Egypt, Lebanon, Ethiopia, Sudan and Thailand). Included in the cache are several exploits for unpatched flaws, including apparently a Windows vulnerability. Continue reading