Krebs on Security

ZeroAccess Botnet Down, But Not Out

December 5, 2013

Europol, Microsoft Kneecap Click-Fraud Botnet

Authorities in Europe joined Microsoft Corp. this week in disrupting “ZeroAccess,” a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.

The action comes partly from Europol’s European Cybercrime Center (EC3), as well as law enforcement cybercrime units from Germany, Latvia, Switzerland and the Netherlands, countries that hosted many of the Internet servers used to control the ZeroAccess botnet.

In tandem with the law enforcement moves in Europe, Microsoft filed a civil lawsuit to unmask eight separate cybercriminals thought to be operating the giant botnet, and to block incoming and outgoing communications between infected PCs in the United States and those 18 control servers, according to a statement released by EC3.

The malware the powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”).

In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.

Maps of ZeroAccess infected PCs in Texas. Source: botnetlegalnotice.com

It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term. Early versions of ZeroAccess relied on a series of control servers to receive updates, but recent versions of the botnet malware were designed to make the network as a whole more resilient and resistant to targeted takedowns such as the one executed this week.

Specifically, ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. P2P-based botnets are designed to eliminate a single point of failure, so that if one node used to control the botnet is knocked offline, the remainder of the botnet can still function.

The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers — including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.

Continue reading →

How Many Zero-Days Hit You Today?

December 5, 2013

52 Comments

On any given day, nation-states and criminal hackers have access to an entire arsenal of zero-day vulnerabilities — undocumented and unpatched software flaws that can be used to silently slip past most organizations’ digital defenses, new research suggests. That sobering conclusion comes amid mounting evidence that thieves and cyberspies are ramping up spending to acquire and stockpile these digital armaments.

Security experts have long suspected that governments and cybercriminals alike are stockpiling zero-day bugs: After all, the thinking goes, if the goal is to exploit these weaknesses in future offensive online attacks, you’d better have more than a few tricks up your sleeve because it’s never clear whether or when those bugs will be independently discovered by researchers or fixed by the vendor. Those suspicions were confirmed very publicly in 2010 with the discovery of Stuxnet, a weapon apparently designed to delay Iran’s nuclear ambitions and one that relied upon at least four zero-day vulnerabilities.

Documents recently leaked by National Security Agency whistleblower Edward Snowden indicate that the NSA spent more than $25 million this year alone to acquire software vulnerabilities from vendors. But just how many software exploits does that buy, and what does that say about the number of zero-day flaws in private circulation on any given day?

These are some of the questions posed by Stefan Frei, research director for Austin, Texas-based NSS Labs. Frei pored over reports from and about some of those private vendors — including boutique exploit providers like Endgame Systems, Exodus Intelligence, Netragard, ReVuln and VUPEN — and concluded that jointly these firms alone have the capacity to sell more than 100 zero-day exploits per year.

According to Frei, if we accept that the average zero-day exploit persists for about 312 days before it is detected (an estimate made by researchers at Symantec Research Labs), this means that these firms probably provide access to at least 85 zero-day exploits on any given day of the year. These companies all say they reserve the right to restrict which organizations, individuals and nation states may purchase their products, but they all expressly do not share information about exploits and flaws with the affected software vendors.

Frei’s minimum estimate of exploits offered by boutique exploit providers each year.

KNOWN UNKNOWNS

That approach stands apart from the likes of HP TippingPoint‘s Zero-Day Initiative (ZDI) and Verisign‘s iDefense Vulnerability Contributor Program (VCP), which pay researchers in exchange for the rights to their vulnerability research. Both ZDI and iDefense also manage the communication with the affected vendors, ship stopgap protection for the vulnerabilities to their customers, and otherwise keep mum on the flaws until the vendor ships an update to fix the bugs.

Frei also took stock of the software vulnerabilities collected by these two companies, and found that between 2010 and 2012, the ZDI and VCP programs together published 1,026 flaws, of which 425 (44 percent) targeted flaws in Microsoft, Apple, Oracle, Sun and Adobe products. The average time from purchase to publication was 187 days.

“On any given day during these three years, the VCP and ZDI programs possessed 58 unpublished vulnerabilities affecting five vendors, or 152 vulnerabilities total,” Frei wrote in a research paper released today.

Frei notes that the VCP and ZDI programs use the information they purchase only for the purpose of building better protection for their customers, and since they share the information with the software vendors in order to develop and release patches, the overall risk is comparatively low. Also, the vulnerabilities collected and reported by VCP and ZDI are not technically zero-days, since one important quality of a zero-day is that it is used in-the-wild to attack targets before the responsible vendor can ship a patch to fix the problem.

In any case, Frei says his analysis clearly demonstrates that critical vulnerability information is available in significant quantities for private groups, for extended periods and at a relatively low cost.

“So everybody knows there are zero days, but when we talk to C-Level executives, very often we find that these guys don’t have a clue, because they tell us, ‘Yeah, but we’ve never been compromised’,” Frei said in an interview. “And we always ask them, ‘How do you know?'”

Continue reading →

Simple But Effective Point-of-Sale Skimmer

December 3, 2013

16 Comments

Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.

In scams, as with most things in life, there is a certain elegance in simplicity. This is doubly true with ATM and credit card skimmer scams: The more components and electronics involved, the greater the chance that the fraud devices will malfunction, lose juice, or else be detected too quickly. In fact, some of the most elegant skimming attacks I’ve seen to date never even touched the cash machine, and relied on very basic components.

Recently, I encountered a fraudster selling a remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye. This video, which was produced by a fraudster who sells these devices for thousands of dollars on semi-private underground forums, shows a late-model Verifone point-of-sale device retrofitted with a skimmer overlay. The underside of the device (not pictured) includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card.

Such a device would be an enticing buy for a crooked employee at a retail store. It might even be installed surreptitiously by thieves posing as customers at a retail establishment. Last month, this blog featured a story about several fraudsters in Florida who did just that, installing hardware-based register skimmers at Nordstrom department stores while co-conspirators distracted sales personnel.

For more on ATM and POS skimmers, check out my series: All About Skimmers.

Important Security Update for D-Link Routers

December 2, 2013

20 Comments

D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.

D-Link DI-524 router.

The update comes roughly seven weeks after researcher Craig Heffner discovered and blogged about a feature or bug built into at least eight different models of D-Link routers that could allow an attacker to log in as administrator and change the router’s settings. Although the router models affected are fairly old, there are almost certainly plenty of these still in operation, as routers tend to be set-it-and-forget-it devices that rarely get replaced or updated unless they stop working.

According to Heffner, an attacker who identified a vulnerable router would need merely to set his browser’s user agent string as “xmlset_roodkcableoj28840ybtide”, and he could log in to the router’s administrative interface without any authentication. Heffer later updated his blog post with a proof-of-concept illustrating how attackers also could use the bug to upload arbitrary code to the vulnerable devices.

On Nov. 28, D-Link released a series of updates to fix the problem. Updates are available for the following models:

DI-524
DI-524UP
DIR-100
DIR-120
DI-604UP
DI-604+
DI-624S
TM-G5240

Continue reading →

An Anti-Fraud Service for Fraudsters

November 26, 2013

39 Comments

Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.

One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some business employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.

The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

This fraudster-friendly antifraud service does the following analysis:

Queries the geo-IP location from four distinct sources;
Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy).
Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest)

The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).

As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.

Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.

Continue reading →

Spam-Friendly Registrar ‘Dynamic Dolphin’ Shuttered

November 25, 2013

24 Comments

The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.

Scott Richter. Image: 4law.co.il

The move came almost five years after this reporter asked the Internet Corporation for Assigned Names and Numbers (ICANN) to investigate whether the man at the helm of this registrar was none other than Scottie Richter, an avowed spammer who has settled multi-million-dollar spam lawsuits with Facebook, Microsoft and MySpace over the past decade.

According to the contracts that ICANN requires all registrars to sign, registrars may not have anyone as an officer of the company who has been convicted of a criminal offense involving financial activities. While Richter’s spam offenses all involve civil matters, this reporter discovered several years ago that Richter had actually pleaded guilty in 2003 to a felony grand larceny charge.

Richter’s felony rap was detailed in a January 2004 story in the now-defunct Rocky Mountain News; a cached copy of that story is here. It explains that Denver police were investigating a suspected fencing operation involving the purchase and sale of stolen goods by Richter and his associates. Richter, then 32, was busted for conspiring to deal in stolen goods, including a Bobcat, a generator, laptop computers, cigarettes and tools. He later pleaded guilty to one count of grand larceny, and was ordered to pay nearly $38,000 in restitution to cover costs linked to the case.

After reading this story, I registered with the Colorado state courts Website and purchased a copy of the court record detailing Richter’s conviction — available at this link (PDF) — and shared it with ICANN. I also filed an official request with ICANN (PDF) to determine whether Richter was in fact listed as a principal in Dynamic Dolphin. ICANN responded in 2008 that it wasn’t clear whether he was in fact listed as an officer of the company.

But in a ruling issued last week, ICANN said that analysis changed after it had an opportunity to review information regarding Dynamic Dolphin’s voting shares.

“Prior to this review, ICANN had no knowledge that Scott Richter was the 100% beneficial owner of Dynamic Dolphin,” ICANN wrote. “In light of this review, ICANN initiates a review of the application for accreditation from 2011. Based on Section II. B. of the Statement of Registrar Accreditation Policy, Dynamic Dolphin did not disclose in its application for accreditation that Scott Richter was the 100% beneficial owner of Dynamic Dolphin or that Scott Richter was convicted in 2003 for a felony relating to financial activities.”

ICANN has ordered that Dynamic Dolphin be stripped of its accreditation as a registrar, and that all domains registered with Dynamic Dolphin be transferred to another registrar within 28 days. Neither Richter nor a representative for Dynamic Dolphin could be immediately reached for comment.

ICANN’s action is long overdue. Writing for The Washington Post in May 2008, this author called attention to statistics gathered by anti-spam outfit Knujon (“NOJUNK” spelled backwards), which found that more than three quarters of all Web sites advertised through spam at the time were clustered at just 10 domain name registrars. Near the top of that list was Dynamic Dolphin, a registrar owned by an entity called CPA Empire, which in turn is owned by Media Breakaway LLC — Richter’s company. Another story published around that same time by The Washington Post showed that Media Breakaway was behind the wholesale hijacking of some 65,586 Internet addresses from a San Francisco, Calif. organization that was among the early pioneers of the Internet.

Continue reading →

No Bail for Alleged Silk Road Mastermind

November 21, 2013

84 Comments

A federal judge has denied bail for Ross Ulbricht, the 29-year-old man arrested last month on suspicion of running the Silk Road, an online black market that offered everything from drugs and guns to computer hackers and hitmen for hire.

The decision came after federal prosecutors in New York dumped a virtual truckload of additional incriminating evidence supporting charges that Ulbricht was the infamous Silk Road administrator known as the “Dread Pirate Roberts” (DPR), and that he was indeed a strong flight risk. To top it off, the government also now alleges that Ulbricht orchestrated and paid for murder-for-hire schemes targeting six individuals (until today, Ulbricht was accused of plotting just two of these executions).

Fraudulent identity documents allegedly ordered by Ulbricht.

The documents released today indicate that Ulbricht was a likely flight risk; they allege that prior to his arrest, Ulbricht had researched how to buy a citizenship in Dominica. The government said that the laptop seized from Ulbricht contained reference guides for obtaining “economic citizenship” in other countries. “In particular, the computer contained an application completed by Ulbricht for citizenship in Dominica, along with reference materials explaining that Dominica’s ‘economic citizenship’ program offers ‘instant’ citizenship in exchange for a one-time ‘$75,000 donation’ to the country’s government,'”, the government’s bail submission (PDF) notes. A copy of the application for citizenship in Dominica allegedly found on Ulbricht’s laptop is here (PDF).

In addition, prosecutors unveiled a photo showing the assortment of fake IDs that Ulbricht had allegedly ordered off the Silk Road (see image above), which included identity documents bearing his picture and various pseudonyms in Australia, Canada, and the United Kingdom, among other places.

According to the Justice Department, evidence from Ulbricht’s computer also shows that he had contemplated and prepared for a life on the run.

“For example, one file found on the computer, labeled ’emergency,’ contains a list of apparent to-do items in the event that Ulbricht learned that law enforcement was closing in on him. It reads as follows:

encrypt and backup important files on laptop to memory stick:
destroy laptop hard drive and hide/dispose
destroy phone and hide/dispose
Hide memory stick
get new laptop
go to end of train
find place to live on craigslist for cash
create new identity (name, backstory)”

The prosecution also released several screenshots of Ulbricht’s computer as it was found when he was arrested at a San Francisco public library. According to investigators, Ulbricht was logged in to the Silk Road and was administering the site when he was apprehended, as indicated by this screenshot, which shows a Silk Road page titled “mastermind.” The government says this page provided an overview of transactions and money moving through the site:

Another screen shot shows the Silk Road “support” page as found logged in on the computer seized from Ulbricht:

Continue reading →

Cupid Media Hack Exposed 42M Passwords

November 20, 2013

65 Comments

An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity.

The data stolen from Southport, Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.

The purloined database contains more than 42 million entries in the format shown in the redacted image below. I reached out to Cupid Media on Nov. 8. Six days later, I heard back from Andrew Bolton, the company’s managing director. Bolton said the information appears to be related to a breach that occurred in January 2013.

“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

A redacted screen shot showing several of the stolen user accounts. Passwords were stored in plain text.

I couldn’t find any public record — in the media or elsewhere — about this January 2013 breach. When I told Bolton that all of the Cupid Media users I’d reached confirmed their plain text passwords as listed in the purloined directory, he suggested I might have “illegally accessed” some of the company’s member accounts. He also noted that “a large portion of the records located in the affected table related to old, inactive or deleted accounts.”

“The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” Bolton said.

The company’s Web site and Twitter feed state that Cupid Media has more than 30 million customers around the globe. Unfortunately, many companies have a habit of storing data on customers who are no longer active.

Alex Holden, chief information security officer at Hold Security LLC, said Bolton’s statement is reminiscent of the stance that software giant Adobe Systems Inc. took in the wake of its recently-disclosed breach. In that case, a database containing the email and password information on more than 150 million people was stolen and leaked online, but Adobe says it has so far only found it necessary to alert the 38 million active users in the leaked database.

“Adobe said they have 38 million users and they lost information on 150 million,” Holden said. “It comes to down to the definition of users versus individuals who entrusted their data to a service.”

34 million Cupid users registered with a Yahoo, Hotmail or Gmail address. 56 Homeland Security Dept. employees were looking for love here as well.

The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address. Indeed, Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.

Holden added that this database would be a gold mine for spammers, noting that Cupid’s customers are probably more primed than most to be responsive to the types of products typically advertised in spam (think male enhancement pills, dating services and diet pills).

Continue reading →

Don’t Like Spam? Complain About It.

November 19, 2013

42 Comments

Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession. The cynics question if it’s really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email? Well, according to at least one underground service designed for spammers seeking to avoid anti-spam activists, the answer is a resounding “yes!”

Until recently, this reporter was injected into one of the most active and private underground spam forums (the forum no longer exists; for better or worse, the administrator shuttered it in response to this story). Members of this spam forum sold and traded many types of services catering to the junk email industry, including comment spam tools, spam bots, malware, and “installs” — the practice of paying for the privilege of uploading your malware to machines that someone else has already infected.

But among the most consistently popular services on spammer forums are those that help junk emailers manage gigantic email address lists. More specifically, these services specialize keeping huge distribution lists “scrubbed” of inactive addresses as well as those belonging to known security firms and anti-spam activists.

Just as credit card companies have an ironic and derisive nickname for customers who pay off their balances in full each month — these undesirables are called “deadbeats” — spammers often label anti-spam activists as “abusers,” even though the spammers themselves are the true abusers. The screen shot below shows one such email list management service, which includes several large lists of email addresses for people who have explicitly opted out of receiving junk messages (people who once purchased from spam but later asked to be removed or reported the messages as spam). Note the copyright symbol next to the “Dark Side 2012” notation, which is a nice touch:

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

The bottom line shows that this service also includes a list of more than 580,000 email addresses thought to be associated with anti-spam activists, security firms and other “abusers.” This list included a number of “spamtrap” addresses created specifically for collecting and reporting spam. The note in the above entry — “abusers_from_severa” — indicates that this particular list was provided by an infamous Russian spammer known as Peter Severa. This blog has featured several stories about Severa, including one that examines his possible identity and role in the development and dissemination of the Waledac and Storm worms.

Continue reading →

vBulletin Breach Prompts Password Reset

November 18, 2013

18 Comments

Forum software maker vBulletin is urging users to change their passwords following a recent breach of its networks. The attackers who claimed responsibility for the intrusion say they broke in using a zero-day flaw that is now being sold in several places online, but vBulletin maintains it is not aware of any zero-day attacks against current versions of its product.

On Thursday, Nov. 14, this publication received an email with several screen shots and a short note indicating that vBulletin had been hacked. The attackers claimed they had knowledge of a zero-day bug in versions 4.x and 5.x of vBulletin, and that they had used the same vulnerability to break into vbulletin.com and macrumors.com.

That same day, I reached out to both vBulletin and MacRumors. I heard immediately from MacRumors owner Arnold Kim, who pointed my attention to a story the publication put up last Monday acknowledging a breach. Kim said MacRumors actually runs version 3.x of vBulletin, and that the hackers appear to have broken in using a clever cross-site-scripting attack.

“In VB3, moderators can post ‘announcements’ in the forum, and by default announcements allow HTML,” Kim explained. “The hacker or hackers were able to somehow get a moderator’s login password, and used that to embed Javascript in an announcement and waited for an administrator to load that page. Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.”

Kim said the attackers in that case even came on the MacRumors forum and posted a blow-by-blow of the attack, confirming that the cause of the breach was a compromised moderator account. Kim said the person who left the comment was using the same Internet address as the attacker who hacked his forum, and that the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.com.

“Stop [blaming] this on the ‘outdated vBulletin software’,” the apparent culprit wrote. ” The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”

On Saturday, Nov. 16, I heard back from vBulletin, which said it had just posted a note urging users to change their passwords, and that the company was not aware of any zero day bugs in its software. vBulletin didn’t say which version of its software was attacked, only that “our staging server was running a wide variety of versions of the software.” The vBulletin homepage says the site is powered by version 5.0.5.

Continue reading →

Last »