Krebs on Security

The Internet of Dangerous Things

January 29, 2015

Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year.

Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.

KrebsOnSecurity is squarely within that 38 percent camp: In the month of December 2014 alone, Prolexic (the Akamai-owned company that protects my site from DDoS attacks) logged 26 distinct attacks on my site. That’s almost one attack per day, but since many of the attacks spanned multiple days, the site was virtually under constant assault all month.

Source: Arbor Networks

Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks. The largest reported attack was 400 Gbps, with other respondents reporting attacks of 300 Gbps, 200 Gbps and 170 Gbps. Another six respondents reported events that exceeded the 100 Gbps threshold. In February 2014, I wrote about the largest attack to hit this site to date — which clocked in at just shy of 200 Gbps.

According to Arbor, the top three motivations behind attacks remain nihilism vandalism, online gaming and ideological hacktivism— all of which the company said have been in the top three for the past few years.

“Gaming has gained in percentage, which is no surprise given the number of high-profile, gaming-related attack campaigns this year,” the report concludes.

DDoS Attacks on KrebsOnSecurity.com, logged by Akamai/Prolexic between 10/17/14 – 1/26/15.

Longtime readers of this blog will probably recall that I’ve written plenty of stories in the past year about the dramatic increase in DDoS-for-hire services (a.k.a. “booters” or “stressers”). In fact, on Monday, I published Spreading the Disease and Selling the Cure, which profiled two young men who were running both multiple DDoS-for-hire services and selling services to help defend against such attacks. Continue reading →

FBI: Businesses Lost $215M to Email Scams

January 28, 2015

29 Comments

It’s time once again to update my Value of a Hacked Email Account graphic: According to a recent alert from the FBI, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employees have their email accounts hijacked.

Federal investigators say the so-called “business email compromise” (BEC) swindle is a sophisticated and increasingly common scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.

According to new data from the Internet Crime Complaint Center (IC3) — a partnership between the National White Collar Crime Center and the FBI — the victims of BEC scams range from small to large businesses that may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals.

Image: IC3

One variation on the BEC scam, also known as “CEO fraud,” starts with the email account compromise for high-level business executives (CFO, CTO, etc). Posing as the executive, the fraudster sends a request for a wire transfer from the compromised account to a second employee within the company who is normally responsible for processing these requests.

“The requests for wire transfers are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request,” the agency warned. “In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank ‘X’ for reason ‘Y.'”

The IC3 notes that the fraudsters perpetrating these scams do their homework before targeting a business and its employees, monitoring and studying their selected victims prior to initiating the fraud. Continue reading →

Yet Another Emergency Flash Player Patch

January 27, 2015

47 Comments

For the second time in a week, Adobe has issued an emergency update to fix a critical security flaw that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X.

Last week, Adobe released an out-of-band Flash Patch to fix a dangerous bug that attackers were already exploiting. In that advisory, Adobe said it was aware of yet another zero-day flaw that also was being exploited, but that last week’s patch didn’t fix that flaw.

Earlier this week, Adobe began pushing out Flash v. 16.0.0.296 to address the outstanding zero-day flaw. Adobe said users who have enabled auto-update for Flash Player will be receiving the update automatically this week. Alternatively, users can manually update by downloading the latest version from this page.

Adobe said it is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. Google Chrome version 40.0.2214.93 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Spreading the Disease and Selling the Cure

January 26, 2015

60 Comments

When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults.

Grimbooter

Rattani helps run two different “booter” or “stresser” services – grimbooter[dot]com, and restricted-stresser[dot]info. He also works on TheHosted[dot]me, a Web hosting firm marketed to Web sites looking for protection from the very attacks he helps to launch.

As part of an ongoing series on booter services, I reached out to Rattani via his Facebook account (which was replete with images linking to fake Youtube sites that foist malicious software disguised as Adobe’s Flash Player plugin). It turns out, the same Google Wallet is used to accept payment for all three services, and that wallet traced back to Rattani.

In a Facebook chat, Rattani claimed he doesn’t run the companies, but merely accepts Google Wallet payments for them and then wires the money (minus his cut) to a young man named Danial Rajput — his business partner back in Karachi. Rajput declined to be interviewed for this story.

The work that Rattani does for these booter services brings in roughly $2,500 a month — far more than he could ever hope to make in a month slinging sandwiches. Asked whether he sees a conflict of interest in his work, Rattani was ambivalent.

“It is kind of [a conflict], but if my friend won’t sell [the service], someone else will,” he said.

Rattani and his partner are among an increasing number of young men who sell legally murky DDoS-for-hire services. The proprietors of these services market them as purely for Web site administrators to “stress test” their sites to ensure they can handle high volumes of visitors.

But that argument is about as convincing as a prostitute trying to pass herself off as an escort. The owner of the attack services (the aforementioned Mr. Rajput) advertises them at hackforums[dot]net, an English language forum where tons of low-skilled hackers hang out and rent such attack services to prove their “skills” and toughness to others. Indeed, in his own first post on Hackforums in 2012, Rajput states that “my aim is to provide the best quality vps [virtual private server] for ddosing :P”. Continue reading →

Flash Patch Targets Zero-Day Exploit

January 22, 2015

59 Comments

Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting previously undocumented vulnerability in Flash that appears to work against many different combinations of the Internet Explorer browser on Microsoft Windows systems.

Attackers may be targeting Windows and IE users for now, but the vulnerability fixed by this update also exists in versions of Flash that run on Mac and Linux as well. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although as of this writing it seems that the latest version of Chrome (40.0.2214.91) is still running v. 16.0.0.257. Continue reading →

Password Re-use Fuels Starwood Fraud Spike

January 22, 2015

35 Comments

Two different readers have written in this past week to complain about having their Starwood Preferred Guest loyalty accounts hijacked by scammers. The spike in fraud appears to be tied to a combination of password re-use and the release of a tool that automates the checking of account credentials at the Web site for the popular travel rewards program.

The mass compromise of Starwood accounts began in earnest less than a week ago. That roughly coincides with a Starwoods-specific account-checking tool that was released for free on Leakforums[dot]org, an English-language forum dedicated to helping (mostly low-skilled) misfits monetize compromised credentials from various online services, particularly e-retailers, cloud-based services and points or rewards accounts.

The tool is little more than a bit of code that automates the checking of account credentials stolen from other data breaches, to see if the stolen credentials also work at Starwoods.com. These types of account checking tools work because — despite constant advice to the contrary — a fair number of Internet users will rely on the same email address (username) and password pair for accounts at multiple sites.

The release of the account checking tool caused numerous Leakforums denizens to run the tool against various username and password lists stolen in previous data breaches. In less than 24 hours after its release, there were more than a half dozen Leakforums members selling compromised accounts. One seller advertised a Starwood account with 70,000 points for sale at just $3, while accounts with about 40,000 points sold for $1.50.

The release of an account checking tool for Starwood credentials has prompted dozens of miscreants to sell and cash out hijacked Starwood reward points.

According to a tutorial posted on the forum, hijacked account buyers “cash out” their purchases by creating new Starwood accounts and then forcing the hijacked account to transfer its account balance to the new account. The reward points are then exchanged for gift cards that can be used as cash.
Continue reading →

Java Patch Plugs 19 Security Holes

January 21, 2015

44 Comments

Oracle this week released its quarterly patch update for Java, a widely-installed program that for most casual users has probably introduced more vulnerability than utility. If you have Java installed and require it for some application or Web site, it’s time to update it. If you’re not sure you have Java on your computer or are unsure why you still have it, read on for advice that could save you some security headaches down the road.

Oracle’s update brings Java 7 to Update 75 and Java 8 to Update 31, and fixes at least 19 security vulnerabilities in the program. Security vendor Qualys notes that 13 of those flaws are remotely exploitable, with a CVSS score of 10 (the most severe possible score).

Java 7 users should know that Oracle plans to start using the auto-update function built into the program to migrate those users to Java 8 this week.

According to a new report (PDF) from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year. Cisco reckons this is thanks to security improvements in the program, and to bad guys embracing new attack vectors — such Microsoft Silverlight flaws (if you’re a Netflix subscriber, you have Silverlight installed). Nevertheless, my message about Java will remain the same: Patch it, or pitch it. Continue reading →

How Was Your Credit Card Stolen?

January 19, 2015

92 Comments

Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised. This post is an effort to remedy that.

The card associations (Visa, MasterCard, et. al) very often know which merchant was compromised before even the banks or the merchant itself does. But they rarely tell banks which merchant got hacked. Rather, in response to a breach, the card associations will send each affected bank a list of card numbers that were compromised.

The bank may be able to work backwards from that list to the breached merchant if the merchant in question is not one that a majority of their cardholders shop at in a given month anyway. However, in the cases where banks do know which merchant caused a card to be compromised and/or replaced, the banks rarely share that information with their customers.

Here’s a look at some of the most common forms of credit card fraud:

Hacked main street merchant, restaurant:
Most often powered by malicious software installed on point-of-sale devices remotely.

Distinguishing characteristic: Most common and costly source of card fraud. Losses are high because crooks can take the information and produce counterfeit cards that can be used in big box stores to buy gift cards and/or expensive goods that can be easily resold for cash.

Chances of consumer learning source of fraud: Low, depending on customer card usage.

Processor breach:
A network compromise at a company that processes transactions between credit card issuing banks and merchant banks.

Distinguishing characteristic: High volume of card accounts can be stolen in a very short time.

Chances of consumer learning source of fraud: Virtually nil. Processor breaches are rare compared to retail break-ins, but it’s also difficult for banks to trace back fraud on a card to a processor. Card associations/banks generally don’t tell consumers when they do know.

Hacked point-of-sale service company/vendor:

Distinguishing characteristic: Can be time-consuming for banks and card associations to determine vendor responsible. Fraud is generally localized to a specific town or geographic region served by vendor.

Chances of consumer learning source of fraud: Low, given that compromised point-of-sale service company or vendor does not have a direct relationship with the card holder or issuing bank.

Hacked E-commerce Merchant:
A database or Web site compromise at an online merchant.

Distinguishing characteristic: Results in online fraud. Consumer likely to learn about fraud from monthly statement, incorrectly attribute fraud to merchant where unauthorized transaction occurred. Bank customer service representatives are trained not to give out information about the breached online merchant, or address information associated with the fraudulent order.

Chances of consumer learning source of fraud: Nil to low. Continue reading →

Another Lizard Arrested, Lizard Lair Hacked

January 16, 2015

105 Comments

Several media outlets are reporting that authorities in the United Kingdom early this morning arrested an 18-year-old in connection with the denial-of-service attacks on Sony Playstation and Microsoft Xbox systems over Christmas. The arrest is one of several tied to a joint U.K. and U.S. law enforcement investigation into a group calling itself the “Lizard Squad,” and comes as the group’s attack-for-hire online service was completely compromised and leaked to investigators.

A BBC story does not name the individual, saying only that the youth was arrested at an address in Southport, near Liverpool, and that he was accused of unauthorized access to computer material and knowingly providing false information to law enforcement agencies in the United States. The notice about the arrest on the Web site of the Southeast Regional Organized Crime Unit states that this individual has been actively involved in several “swatting” incidents — phoning in fake hostage situations or bomb threats to prompt a police raid at a targeted address.

U.K. police declined to publicly name the individual arrested. But according to the Daily Mail, the youth is one Jordan Lee-Bevan. Known online variously as “Jordie,” “EvilJordie” and “GDKJordie,” the young man frequently adopts the persona of an African American gang member from Chicago, as evidenced in this (extremely explicit) interview he and other Lizard Squad members gave late last year. Jordie’s Twitter account also speaks volumes, although it hasn’t been saying much for the past 13 hours.

Update: Added link to Daily Mail story identifying Jordie as Lee-Bevan.

Original post:

An individual using variations on the “Jordie” nickname was named in this FBI criminal complaint (PDF) from Sept. 2014 as one of three from the U.K. suspected in a string of swatting attacks and bomb threats to schools and universities across the United States in the past year. According to that affidavit, Jordie was a member of a group of males aged 16-18 who called themselves the “ISISGang.”

In one of their most appalling stunts from September 2014, Jordie and his ISIS pals allegedly phoned in a threat to Sandy Hook Elementary — the site of the 2012 school massacre in Newtown, Ct. in which 20 kids and 6 adults were gunned down. According to investigators, the group told the school they were coming to the building with an assault rifle to “kill all your asses.”

In an unrelated development, not long after this publication broke the news that the Lizard Squad’s attack infrastructure is built on a network of thousands of hacked home Internet routers, someone hacked LizardStresser[dot]su, the Web site the group uses to coordinate attacks and sell subscriptions to its attacks-for-hire service. As I noted in a previous story, the attacks on Microsoft and Sony were merely meant to be commercials for this very “stresser” (a.k.a. “booter”) service, which allows paying customers to knock any Web site or individual offline for a small fee.

A copy of the LizardStresser customer database obtained by KrebsOnSecurity shows that it attracted more than 14,241 registered users, but only a few hundred appear to have funded accounts at the service. Interestingly, all registered usernames and passwords were stored in plain text. Also, the database indicates that customers of the service deposited more than USD $11,000 worth of bitcoins to pay for attacks on thousands of Internet addresses and Web sites (including this one).

One page of hundreds of support ticket requests filed by LizardStresser users.

Continue reading →

Park ‘N Fly, OneStopParking Confirm Breaches

January 14, 2015

43 Comments

Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.

When contacted by this author on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected. A portion of their statement reads:

“Park ‘N Fly (“PNF”) has become aware of a security compromise involving payment card data processed through its e-commerce website. PNF has been working continuously to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation. The data compromise has been contained. While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF’s e-commerce website is at risk. The data potentially at risk includes the card number, cardholder’s name and billing address, card expiration date, and CVV code. Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers.”

The Park ‘N Fly homepage now includes a conspicuous notice stating that the Web site is temporarily unable to process transactions and directs customers to a 1-800 for reservations.

Reading the Park ‘N Fly disclosure made me wonder if anything had changed over at OneStopParking.com, a Florence, Ky.-based competitor that KrebsOnSecurity reported Dec. 30, 2014 as the likely source of another e-commerce breach. Reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site. Continue reading →

Last »