If It Sounds Too Good To Be True…

June 17, 2014

The old adage “If it sounds too good to be true, it probably is” applies doubly to steeply discounted brand-name goods for sale on random Web sites, especially sports jerseys, designer shoes and handbags. A great many stores selling these goods appear to be tied to an elaborate network of phony storefronts and credit card processing sites based in China that will happily charge your card but deliver nothing (or at best flimsy knockoffs).

Earlier this month I heard from a reader whose wife had purchased ladies’ clothing from bearcrs.co.uk, a site that until very recently billed itself as an official seller of Victoria Secrets goods. Most of the items for sale were roughly 60-70 percent off the retail price advertised anywhere else. The checkout process brought her to a payment site called unimybill.com, which took her credit card information and said she’d been successfully charged for her purchases. The goods never arrived.

“They charged her card about $100,” said the reader, who asked to remain anonymous. “I tried to contact them, they never replied back. I started to discover similar websites by entering phrases from bearcrs.co.uk into Google. All websites have the same php engine, same phrases, registered in China, same checkout process, all they sell brand clothes for 30% of real price.”

Bearcrs.co.uk is one of hundreds of bogus storefronts that list products of well-known brands like Nike, Ray Ban, Michael Kors and others, hoping to lure bargain-hunting shoppers. Among the many fraudulent sites is michaelkorshandbags.co.uk, a site that claims to be a merchant in the United Kingdom but whose infrastructure is all Chinese.

The same network is tied to michaelkorshandbags.co.uk and hundreds of other similarly structured sites, all of which have left a trail of complaints online from customers who were charged for goods that never arrived. Order anything from this shop and you are taken to a checkout page at sslcreditpay.com, which tries to assure shoppers that the page is legitimate by posting a number of logos and trust seals from a variety of security and payment security providers such as Verisign, Symantec, Trustwave and the PCI Security Standards Council. Trouble is, none of these organizations actually authorized this payment gateway to use their seals, which are supposed to be clickable icons that provide information to help support that claim.

sslcreditpay.com uses a variety of security seals to make you feel more at ease submitting your credit card for goods you’ll never get.

A check with Trustwave showed that the seal was bogus. John Randall, senior product manager for the company, said Trustwave only issues the Trustwave seal for customers that purchase its domain validation or extended validation (EV) certificates, and that the site in question hadn’t done either.

Likewise, the PCI Security Standards Council said it doesn’t authorize the use of its logo for payment processing sites.

“As a standards setting organization we do not validate compliance with PCI Standards – this is managed separately by each payment card brand,” said Ella Nevill, vice president of stakeholder engagement at the PCI Council. “As such, we don’t provide any sort of compliance ‘seal’ or use of our company logo. What we do provide is use of a PCI Participating Organization logo for our member organizations that pay to be PCI Participating Organizations and be involved in the standards development process.”

Sslcreditpay.com is one of many apparently bogus online payment processing sites tied to this fraud network. Other phony payment portals include payitrust.com and paymentsol.com. You can’t reach the payment pages for these processors directly unless you actually check out from an associated online store. At that point, you’ll be directed to a subdomain such as https://payment.payitrust.com or https://payment.paymentsol.com.

Ruling Raises Stakes for Cyberheist Victims

June 16, 2014

A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.

Choice Escrow and Land Title LLC sued Tupelo, Miss.-based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.
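The difference between the two options is easier to see in code. The following is an added example written for this page, not BancorpSouth’s system or anything from the court record; the class, user names and amounts are constructed to mirror the scenario above, a thief who holds a single stolen user ID and password.

```python
from dataclasses import dataclass
from typing import Optional


class ControlError(Exception):
    """A wire-transfer step that the bank's control policy does not permit."""


@dataclass
class WireTransfer:
    """Constructed model of the two authentication options described in the
    article, not BancorpSouth's actual system.

    dual_control=False: one user ID/password both approves and releases.
    dual_control=True:  the user who releases must differ from the approver.
    """
    amount: float
    beneficiary: str
    dual_control: bool
    approved_by: Optional[str] = None
    released_by: Optional[str] = None

    def approve(self, user: str) -> None:
        if self.approved_by is not None:
            raise ControlError("wire already approved")
        self.approved_by = user

    def release(self, user: str) -> None:
        if self.approved_by is None:
            raise ControlError("wire must be approved before release")
        if self.released_by is not None:
            raise ControlError("wire already released")
        if self.dual_control and user == self.approved_by:
            # Separation of duties: with one stolen credential the thief can
            # approve the wire but cannot also release it.
            raise ControlError("dual control: releaser must differ from approver")
        self.released_by = user

    @property
    def sent(self) -> bool:
        return self.released_by is not None


def single_credential_attack(dual_control: bool) -> bool:
    """Model the theft in the article: the attacker holds exactly one set of
    online banking credentials ('hijacked_user', a constructed name).
    Returns True if the wire goes out under the given control setting."""
    wire = WireTransfer(440_000.0, "corporate account in Cyprus", dual_control)
    try:
        wire.approve("hijacked_user")
        wire.release("hijacked_user")
    except ControlError:
        return False
    return wire.sent


def legitimate_dual_control_release() -> bool:
    """Two distinct employees, each with their own credentials, move a wire
    through approval and release under dual control."""
    wire = WireTransfer(25_000.0, "title company escrow account", dual_control=True)
    wire.approve("approver_alice")
    wire.release("releaser_bob")
    return wire.sent


if __name__ == "__main__":
    print("single control, one stolen credential -> sent:", single_credential_attack(False))
    print("dual control,   one stolen credential -> sent:", single_credential_attack(True))
    print("dual control,   two employees         -> sent:", legitimate_dual_control_release())
```

Under single control the one stolen credential both approves and releases the wire; under dual control the release is refused because it comes from the same user who approved. Both options remain password-only, which is the distinction Choice Escrow’s lawyers drew against the FFIEC guidance: dual control separates duties but does not add a second authentication factor.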

A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.

“It’s a good opinion for banks [and] it’s definitely more pro-bank than pro-consumer,” said Dan Mitchell, a lawyer who chairs the data security practice at Bernstein Shur in Portland, Maine. “The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”

Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. BancorpSouth had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm.

P.F. Chang’s Confirms Credit Card Breach

June 12, 2014

Nationwide restaurant chain P.F. Chang’s China Bistro on Thursday confirmed news first reported on this blog: that customer credit and debit card data had been stolen in a cybercrime attack on its stores. The company had few additional details to share about the breach, other than to say that it would temporarily be switching to a manual credit card imprinting system for all P.F. Chang’s restaurants in the United States.

In a statement released to this reporter this evening, P.F. Chang’s said it first learned of the breach on June 10, the same day this publication pointed to evidence that the eatery chain may have been compromised. Their complete statement is as follows:

Banks: Credit Card Breach at P.F. Chang’s

June 10, 2014

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.

Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.”

“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company said in an emailed statement. “We will provide an update as soon as we have additional information.”

A spokesperson for the U.S. Secret Service, which typically investigates breaches involving counterfeit credit and debit cards, declined to comment.

It is unclear how many P.F. Chang’s locations may have been impacted. According to the company’s Wikipedia entry, as of January 2012 there were approximately 204 P.F. Chang’s restaurants in the United States, Puerto Rico, Mexico, Canada, Argentina, Chile and the Middle East. Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.

The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty.

The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems.

Unlike with the Target and Sally Beauty batches, however, the advertisement on Rescator’s shop for cards sold under the Ronald Reagan batch does not list the total number of cards that are for sale currently. Instead, it appears to list just the first 100 pages of results, at approximately 50 cards per page. The cards range in price from $18 to $140 per card. Many factors can influence the price of an individual card, such as whether the card is a Visa or American Express card; similarly, Platinum and Business cards tend to fetch far higher prices than Classic and Standard cards.

A new ad that debuted on June 9 for a fresh batch of cards apparently stolen from PF Chang’s China Bistro locations.

The ad for the Ronald Reagan batch of cards also includes guidance for potential customers who wish to fund their accounts via Western Union or MoneyGram wire transfers, advice that strongly suggests those involved in this apparent heist are once again from Russia and Eastern Europe:

Adobe, Microsoft Push Critical Security Fixes

June 10, 2014

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products.

The vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month (MS14-035) shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.

Most of the vulnerabilities Microsoft fixed today earned the company’s “critical” rating, meaning malware or bad guys could exploit the flaws to seize control over vulnerable systems without any help from users, save perhaps for having the Windows or IE user visit a hacked or booby-trapped Web site. For more details on the individual patches, see this roundup at the Microsoft Technet blog.

Adobe’s update for Flash Player fixes at least a half-dozen bugs in the widely-used browser plugin. The Flash update brings the media player to v. 14.0.0.125 on Windows and Mac systems, and v. 11.2.202.378 for Linux users. To see which version of Flash you have installed, check this link.

Backstage with the Gameover Botnet Hijackers

June 9, 2014

When you’re planning to rob the Russian cyber mob, you’d better make sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today’s column features an interview with two security experts who helped plan and execute last week’s global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from banks, businesses and consumers worldwide.

Gameover infections on June 4, 2014. Source: Shadowserver.org

Neither expert I spoke with wished to be identified for this story, citing a lack of permission from their employers and a desire to remain off the radar of the crooks inconvenienced by the action. For obvious reasons, they were also reluctant to share details about the exact weaknesses that were used to hijack the botnet, focusing instead on the planning and preparation that went into this effort.

GAMEOVER ZEUS PRIMER

A quick review of how Gameover works should help readers get more out of the interview. In traditional botnets, infected PCs report home to and are controlled by a central server. But this architecture leaves such botnets vulnerable to disruption or takeover if authorities or security experts can gain access to the control server.

Gameover, on the other hand, is a peer-to-peer (P2P) botnet designed as a collection of small networks that are distinct but linked up in a decentralized fashion. The individual Gameover-infected PCs are known as “peers.” Above the peers are a select number of slightly more powerful and important infected systems that are assigned roles as “proxy nodes,” meaning they were selected from the peers to serve as relay points for commands coming from the Gameover botnet operators and as conduits for encrypted data stolen from the infected systems.

The basic network structure of the Gameover botnet. Source: FBI

The Gameover botnet code also includes a failsafe mechanism that can be invoked if the botnet’s P2P communications system fails, whether the failure is the result of a faulty malware update or because of a takedown effort by researchers/law enforcement. That failsafe is a domain generation algorithm (DGA) component that generates a list of 1,000 domain names each week (gibberish domains that are essentially long jumbles of letters) combined with one of six top-level domains: .com, .net, .org, .biz, .info and .ru. In the event the infected Gameover systems can’t get new instructions from their peers, the code instructs the botted systems to seek out domains from the latest list of 1,000 generated by the DGA until they find a site with new instructions.
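As an added example, not from the original post and not a reconstruction of Gameover’s actual DGA (which the article does not describe), the Python below shows the defender’s side of a DGA failsafe: a heuristic scorer run over constructed DNS query logs that flags long, high-entropy, vowel-poor labels under the six TLDs named above. The log format, the thresholds and the sample domains are all assumptions made for this example.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# The six TLDs the article says the Gameover DGA rotates through.
DGA_TLDS = {"com", "net", "org", "biz", "info", "ru"}
VOWELS = set("aeiou")
# Run of five or more consonants (y excluded, since it often acts as a vowel).
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Fraction of alphabetic characters that are vowels (0.0 if no letters)."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def dga_score(domain: str) -> Tuple[int, List[str]]:
    """Score how DGA-like a domain's registrable label looks.

    The thresholds are constructed for illustration, not derived from the
    Gameover DGA; a real deployment would tune them on its own traffic.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0, ["not a registrable domain"]
    tld, sld = labels[-1], labels[-2]
    score, reasons = 0, []
    if tld in DGA_TLDS:
        score += 1
        reasons.append(f".{tld} is one of the six DGA TLDs")
    if len(sld) >= 20:
        score += 2
        reasons.append(f"label length {len(sld)}")
    entropy = shannon_entropy(sld)
    if entropy >= 3.8:
        score += 2
        reasons.append(f"entropy {entropy:.2f} bits/char")
    ratio = vowel_ratio(sld)
    if ratio < 0.25:
        score += 1
        reasons.append(f"vowel ratio {ratio:.2f}")
    if CONSONANT_RUN.search(sld):
        score += 1
        reasons.append("run of 5+ consonants")
    return score, reasons


def triage_dns_log(lines, threshold: int = 4):
    """Return (domain, score, reasons) for entries at or above threshold.

    Constructed log format: '<timestamp> <client-ip> query <domain>'.
    """
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        score, reasons = dga_score(parts[3])
        if score >= threshold:
            flagged.append((parts[3], score, reasons))
    return flagged


# Constructed sample log; the .biz name is made up to look like DGA output,
# and the long .com name is there to show that length alone is not enough.
SAMPLE_LOG = [
    "2014-06-04T10:00:01 10.0.0.5 query www.krebsonsecurity.com",
    "2014-06-04T10:00:02 10.0.0.5 query mail.google.com",
    "2014-06-04T10:00:03 10.0.0.7 query internationalbusinessmachines.com",
    "2014-06-04T10:00:04 10.0.0.7 query xqvkjzpwmrtdlnbhgsfycqkp.biz",
]

if __name__ == "__main__":
    for domain, score, reasons in triage_dns_log(SAMPLE_LOG):
        print(f"{domain}: score {score} ({'; '.join(reasons)})")
```

Each signal alone produces false positives (a long legitimate brand name trips the length check), so the score combines them, and the sample keeps one such name to show it stays under the threshold. In practice a scorer like this is a triage aid that feeds further checks, such as the rate of NXDOMAIN answers per client, rather than a blocklist on its own.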

HUNDREDS OF ‘WEB INJECTS’

The Gameover malware was designed specifically to defeat two-factor authentication used by many banks. It did so using a huge collection of custom-made scripts known as “Web injects” that can inject custom content into a Web browser when the victim browses to certain sites — such as a specific bank’s login page. Web injects also are used to prompt the victim to enter additional personal information when they log in to a trusted site. An example of this type of Web inject can be seen in the video below, which shows an inject designed for Citibank customers.

They Hack Because They Can

June 5, 2014

The Internet of Things is coming… to a highway sign near you? In the latest reminder that much of our nation’s “critical infrastructure” is held together with the Internet equivalent of spit and glue, authorities in several U.S. states are reporting that a hacker has once again broken into and defaced electronic road signs over highways in several U.S. states.

Image: WNCN.

Earlier this week, news media in North Carolina reported that at least three highway signs there had apparently been compromised and re-worded to read “Hack by Sun Hacker.” Similar incidents were reported between May 27 and June 2, 2014 in two other states, which spotted variations on that message left by the perpetrator (including an invitation to chat with him on Twitter).

The attack was reminiscent of a series of incidents beginning two years ago in which various electronic message signs were changed to read “Warning, Zombies Ahead”.

While at least those attacks were chuckle-worthy, messing with traffic signs is no laughing matter: As a report by the Multi-State Information Sharing and Analysis Center (MS-ISAC) points out, changes to road signs create a public safety issue because instead of directing drivers through road hazards, they often result in drivers slowing or stopping to view the signs or take pictures.

That same MS-ISAC notice, obtained by KrebsOnSecurity and published here (PDF), points out that these incidents appear to be encouraged by sloppy security on the part of those responsible for maintaining these signs.

“Investigators in one state believe the compromise may be in part due to the use of weak Simple Network Management Protocol (SNMP) community strings. Investigators in another state believe the malicious actor used Telnet port 23 and a simple password cracker to gain remote access. In one state the malicious actor changed the modem passwords, forcing technicians to restore to factory default settings to regain access.”
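The two weaknesses the notice names, guessable SNMP community strings and telnet for remote access, are both visible in a device’s running configuration and can be checked before anyone else finds them. The following is an added example for this page, not anything from the MS-ISAC notice or a sign vendor: a small audit over a constructed Cisco IOS-style configuration (the hostname, community strings and access-list number are made up).

```python
import re
from typing import List

# Community strings that ship as vendor defaults or sit at the top of every
# guessing wordlist; a string on this list offers no real protection.
DEFAULT_COMMUNITIES = {
    "public", "private", "admin", "default", "snmp", "cisco",
    "manager", "monitor", "read", "write", "secret",
}
MIN_COMMUNITY_LEN = 12  # constructed policy minimum for this example

# IOS syntax: snmp-server community <string> RO|RW [<access-list>]
SNMP_LINE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")
# Sub-command under 'line vty': transport input telnet|all accepts cleartext logins
TELNET_LINE = re.compile(r"^\s+transport input (telnet|all)\b")

# Constructed configuration for a roadside sign controller; hostname,
# strings and ACL number are invented for this example.
SAMPLE_CONFIG = """\
hostname dms-sign-07
snmp-server community public RO
snmp-server community private RW
snmp-server community Lk9vpQ2vXr7mRtW RO 10
line vty 0 4
 password sign123
 transport input telnet
"""


def audit_config(config_text: str) -> List[str]:
    """Return human-readable findings for the weaknesses the MS-ISAC notice
    names: guessable SNMP community strings and telnet-based remote access."""
    findings: List[str] = []
    in_vty = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # IOS nests sub-commands under a top-level command by indentation,
        # so an unindented line starts a new block.
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
        m = SNMP_LINE.match(line)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default/guessable SNMP community '{community}'")
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(
                    f"short SNMP community '{community}' ({len(community)} chars)")
            if mode == "RW":
                findings.append(f"SNMP community '{community}' grants write access")
            if acl is None:
                findings.append(
                    f"SNMP community '{community}' is not restricted by an access list")
            continue
        if in_vty and TELNET_LINE.match(line):
            findings.append(f"cleartext telnet accepted on vty lines ('{line.strip()}')")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

The long community string restricted by an access list produces no finding; the two defaults, the read-write community and the telnet transport each do. Remediation on this class of device is to replace community strings with long random values restricted by an access list (or move to SNMPv3 with authentication), and to accept only SSH on the vty lines.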

Peek Inside a Professional Carding Shop

June 4, 2014

Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs.

The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. The site features the familiar golden arches and the bastardized slogan “i’m swipin’ it,” and its mascot is a gangstered-up Ronald McDonald pointing a handgun at the viewer.

Never mind that this shop is violating a ridiculous number of McDonald’s trademarks in one fell swoop: It’s currently selling cards stolen from data breaches at main street stores in nearly every U.S. state.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

This was a major innovation that we saw prominently on display in the card shop that was principally responsible for selling cards stolen in the Target and Sally Beauty retail breaches: In those cases, buyers were offered the ability to search for cards by the city, state and ZIP of the Target and Sally Beauty stores from which those cards were stolen. Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.

The slideshow may make more sense if readers familiarize themselves with a few terms and phrases that show up in the text:

Ne’er-Do-Well News, Volume I

June 3, 2014

It’s been a while since a new category debuted on this blog, and it occurred to me that I didn’t have a catch-all designation for random ne’er-do-well news. Alas, the inaugural entry for Ne’er-Do-Well News looks at three recent unrelated developments: The availability of remote access iPhone apps written by a programmer perhaps best known for developing crimeware; the return to prison of a young hacker who earned notoriety after simultaneously hacking Paris Hilton’s cell phone and data broker LexisNexis; and the release of Pavel Vrublevsky from a Russian prison more than a year before his sentence was to expire.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

A year ago, this blog featured a series of articles that sought to track down the developers of the Styx-Crypt exploit kit, a crimeware package being sold to help bad guys booby-trap compromised Web sites with malware. Earlier this week, I learned that a leading developer of Styx-Crypt — a Ukrainian man named Max Gavryuk — also is selling his own line of remote administration tools curiously called “Zeus Terminal,” available via the Apple iTunes store.

News of the app family came via a Twitter follower who asked to remain anonymous, but who said two of the apps by this author were recently pulled from Apple’s iTunes store, including Zeus Terminal and Zeus Terminal Lite. It’s unclear why the apps were yanked or by whom, but the developer appears to have two other remote access apps for sale on iTunes, including ZeusTerm and ZeusTerm HD.

Incidentally, the support page listed for these apps — zeus-terminal[dot]com — no longer appears to be active (if, indeed it ever was), but the developer lists as his other home page reality7solutions[dot]com, which as this blog has reported was intricately tied to the Styx-Crypt development team.

This wouldn’t be the first time a crimeware author segued into building apps for the iPhone and iPad: In January 2012, as part of my Pharma Wars series, I wrote about clues that strongly suggested the Srizbi/Reactor spam botnet was developed and sold by a guy who left the spam business to build OOO Gameprom, a company that has developed dozens of games available in the iTunes store.

‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge

June 2, 2014

The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes.

This graphic, from 2012, shows the decentralized nature of P2P network connectivity of 23,196 PCs infected with Gameover. Image: Dell SecureWorks

The sneak attack on Gameover, dubbed “Operation Tovar,” began late last week and is a collaborative effort by investigators at the FBI, Europol, and the UK’s National Crime Agency; security firms CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee; and academic researchers at VU University Amsterdam and Saarland University in Germany. News of the action first came to light in a blog post published briefly on Friday by McAfee, but that post was removed a few hours after it went online.

Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine.

Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts. According to the Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers.

The curators of Gameover also have reportedly loaned out sections of their botnet to vetted third-parties who have used them for a variety of purposes. One of the most popular uses of Gameover has been as a platform for seeding infected systems with CryptoLocker, a nasty strain of malware that locks your most precious files with strong encryption until you pay a ransom demand.

According to a 2012 research paper published by Dell SecureWorks, the Gameover Trojan is principally spread via Cutwail, one of the world’s largest and most notorious spam botnets (for more on Cutwail and its origins and authors, see this post). These junk emails typically spoof trusted brands, including shipping and phone companies, online retailers, social networking sites and financial institutions. The email lures bearing Gameover often come in the form of an invoice, an order confirmation, or a warning about an unpaid bill (usually with a large balance due to increase the likelihood that a victim will click the link). The links in the email have been replaced with those of compromised sites that will silently probe the visitor’s browser for outdated plugins that can be leveraged to install malware.

It will be interesting to hear how the authorities and security researchers involved in this effort managed to gain control over the Gameover botnet, which uses an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.