Krebs on Security

Firm Bankrupted by Cyberheist Sues Bank

January 8, 2014

A California escrow firm that was forced out of business last year after a $1.5 million cyberheist is now suing its former bank to recoup the lost funds.

A state-appointed receiver for the now defunct Huntington Beach, Calif. based Efficient Services Escrow has filed suit against First Foundation Bank, alleging that the bank’s security procedures were not up to snuff, and that it failed to act in good faith when it processed three fraudulent international wire transfers totaling $1,558,439 between December 2012 and February 2013.

The lawsuit, filed in the Superior Court for Orange County, is the latest in a series of legal battles over whether banks can and should be held more accountable for losses stemming from account takeovers. In the United States, consumers have little to no liability if a computer infection from a banking Trojan leads to the emptying of their bank accounts — provided that victims alert their bank in a timely manner. Businesses of all sizes, however, enjoy no such protection, with many small business owners shockingly unaware of the risks of banking online.

As I wrote in an August 2013 story, the heist began in December 2012 with a $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut the company down. As a result, Efficient was forced to lay off its entire staff of nine employees.

On Dec. 6, the lawyer appointed to be Efficient’s receiver sued First Foundation in a bid to recover the outstanding $1.1 million on behalf of the firm’s former customers. The suit alleges that the bank’s security procedures were not “commercially reasonable,” and that the bank failed to act in “good faith” when it processed international wire transfers on behalf of the escrow firm.

Like most U.S. states, California has adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

As evidenced by the dozens of stories in my series, Target: Small Businesses, companies do not enjoy the same protections as consumers when banking online. If a banking Trojan infection results in cyber thieves emptying the bank accounts of a small business, that organization is essentially at the mercy of their financial institution, which very often in these situations disavows any responsibility for the breach, and may in fact stonewall the victim company as a result. That can leave victim organizations in a quandary: They can swallow their pride and chalk it up to a learning experience, or opt to sue the bank to recover their losses. Of course, suing your bank can be cost-prohibitive unless the loss is significantly larger than the amount the victim might expect to spend hiring lawyers to pursue the case on the often long road to settlement or trial.

The plaintiffs in this case allege that part of the reason the bank’s security procedures were not commercially reasonable was that one component of the bank’s core security protection — the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds — had failed in the days leading up to the fraudulent transfers. I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves. But in any case, this lawsuit claims that rather than address that failure, the bank simply chose to disable this feature for Efficient Services.

First Foundation did not return calls seeking comment. But the bank did produce an incident report that is now public record, thanks to this lawsuit (see the “Exhibit J” section of this PDF case document). The document states that the company had previously performed international wire transfers, and so it saw nothing unusual about half-million-dollar transfers to China. According to the plaintiffs, however, Efficient escrow had merely inquired about the possibility of international wires, yet had not actually performed wire transfers outside of the United States previously.

Continue reading →

Deconstructing the $9.84 Credit Card Hustle

January 6, 2014

74 Comments

Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.

One reader said the $9.84 charge on her card came with a notation stating the site responsible was eetsac.com. I soon discovered that there are dozens of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.

I did a bit of digging into that eetsac.com domain, ordering a historic WHOIS report from domaintools.com. The report shows that the domain eetsac.com was originally registered using the email address walter.kosevo@ymail.com. Domaintools also reports that this email address was used to register more than 230 other sites; a full list is available here (CSV).

A closer look at some of those domains reveals a few interesting facts. Callscs.in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs.in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075.

The next site like that one on the list — cewcs.com — references the domain insiderwebeducationpro.com, another domain on the list of sites registered to that ymail.com email address. The homepage of insiderwebeducationpro.com lists the following contact information:

Lasorea Ltd.
Site and billing supported by:cewcs.com cs@cewcs.com
Premier Business Centre 47-49 Park Royal Road
London UK NW107LQ
8555311090

A search at companieshouse.gov.uk, a government site which maintains records about companies based in the United Kingdom, turned up incorporation records (PDF) showing that Lasorea Ltd. was founded in January 2013 by Emil Darbinian, a 28-year-old self-described accountant from Nicosia, Cyprus. Other records searches on Mr. Darbinian indicate he owns at least two other companies at the same address, including Testohealth Labs. Ltd — which appears to be a software company — and a firm called Levantos Venture Ltd. Mr. Darbinian did not return messages seeking comment.

Another domain on the list — etosac.com — is listed as the support and billing site for webtutorialpro.com, a site which bills itself as an “affiliate learning system.” In fact, of the 235 domains registered to walter.kosevo@ymail.com, all seem to be either affiliate programs of one kind (diet pills, work-at-home) or support/call center sites.

Dozens of sites like this one are the apparent source of the $9.84 charges.

Webtutorialpro.com lists on its homepage a company named Lukria, Ltd., and an address at the same London business park as Mr. Darbinian’s companies. If we step through the signup process to become an affiliate at Webtutorialpro.com, we can see that everything — from the “online store in a box” to “pay per click extreme” and the tutorial on “how to get FREE web traffic — all retail for….wait for it….$9.84!

Lukria, according to incorporation documents (PDF) purchased from companieshouse.co.uk, was created on the same day as Lasorea Ltd., and lists as its director a Sergey Babayan, also from Cyprus. According to the Facebook pages of both Mr. Darbinian and Mr. Babayan, the two men are friends. Mr. Babayan has not responded to requests for comment.

Mr. Babayan’s Facebook profile says he works at a company called Prospectacy Limited, which LinkedIn says is an accounting firm in Nicosia, Cyprus. According to Prospectacy’s Web site, this company specializes in “corporate services,” including “company formation,” “banking,” and “virtual office” services. The company seems to be in the business of establishing offshore firms; according to a reverse WHOIS record lookup from domaintools.com, the email address used to register Prospectacy’s domain also was used to register at least ten other domains, including registerincyprus.com, registerinuk.com, setupincyprus.com and setupineu.com.

A number of these affiliate sites include on their home page links to credorax.com, a ~~Southborough, Mass. based acquiring bank~~ Malta-based acquiring bank that is in the business of processing credit and debit card payments for merchants. It’s not clear whether either cewcs.com or insiderwebeducationpro.com use Credorax Inc. for payment processing, but it seems to suggest that by association. I reached out to Credorax to learn whether this site (and perhaps others that are the subject of this story) are customers, and will update this story if I hear back from them.

Update, 12:43 p.m. ET: I heard from Michael Burtscher, vice president of acquiring risk and fraud management at Credorax. Burtscher clarified that his company has offices in the U.S. but is based in Malta. Burtscher confirmed that Credorax had until recently helped to process cards for the network of sites named in this story, but that the company has severed that relationship. He declined to say when exactly the relationship ended, or indeed whether my information about the client’s identities was accurate. Burtscher would only say that Credorax terminated its relationship with the client in response to consumer complaints about the fraudulent charges. “This was one of those cases where when we onboarded them it looked like a legitimate account, but when we saw there were issues we decided to take action.”

Continue reading →

Happy 4th Birthday, KrebsOnSecurity.com!

December 29, 2013

109 Comments

Dec. 29 marks the 4th anniversary of KrebsOnSecurity.com! Below are a few highlights from this past year, and a taste of what readers can look forward to here in 2014.

If there was an important data breach in 2013, chances are that news of it first broke on this blog. Among KrebsOnSecurity’s biggest scoops this year were stories about breaches at Adobe, Bit9, Experian, LexisNexis, Target and The Washington Post.

Some of these stories are ongoing and will unfurl reluctantly but gradually throughout 2014. Look for a more thorough explanation of what really happened when Experian sold more than a year’s worth of consumer credit data directly to an underground service marketed to identity thieves, for example. And of course, we will almost certainly learn more about the “how” and “who” of the massive attack on Target.

The audience for this blog has grown tremendously in the past year. The site now attracts between 10,000 and 15,000 visitors per day. For the first time in its existence, KrebsOnSecuirty is on track to exceed more than 1 million pageviews this month (fittingly, this should come to pass sometime today).

That growth would not have been possible without you, dear loyal readers. 2013 featured more blog posts and more in-depth investigations than perhaps any other year, but the real value in this site comes from the community that has sprung up around it. Readers submitted more than 10,000 comments this past year. More than two dozen of you also supported this site directly via the PayPal or Bitcoin donation links in the blog sidebar. Whichever way you supported this site in 2013, a hearty THANK YOU for your contribution and encouragement.

Who’s Selling Credit Cards from Target?

December 24, 2013

269 Comments

The previous two posts on this blog have featured stories about banks buying back credit and debit card accounts stolen in the Target hack and that ended up for sale on rescator[dot]la, a popular underground store. Today’s post looks a bit closer at open-source information on a possible real-life identity for the proprietor of that online fraud shop.

Rescator[dot]la is run by a miscreant who uses the nickname Rescator, and who is a top member of the Russian and English language crime forum Lampeduza[dot]la. He operates multiple online stores that sell stolen card data, including rescator[dot]la, kaddafi[dot]hk, octavian[dot]su and cheapdumps[dot]org. Rescator also maintains a presence on several other carding forums, most notably cpro[dot]su and vor[dot]cc.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom; this will become important as you read on.

In an Aug. 2011 thread that has since been deleted, Rescator introduced himself to the existing members of vor[dot]cc, a fairly exclusive Russian carding forum. When new members join a carding community, it is customary for them to explain their expertise and list previous nicknames and forums on which they have established reputations.

Rescator, a.k.a. “Hel” a.k.a. “Helkern” the onetime administrator of the Darklife forum, introduces himself to vor[dot]cc crime forum members.

In the thread pictured above, we can see Rescator listing his bona fides and telling others he was “Hel,” one of three founders of darklife[dot]ws, a now-defunct hacker forum. In the screen shot below, Rescator clarifies that “Hel, in fact, is me.”

Rescator says his former nickname was “Hel,” short for Helkern, the administrator of Darklife.

The only darklife member who matched that nickname was “Helkern,” one of darklife’s three founders. Darklife administrators were all young men who fancied themselves skilled hackers, and at one point the group hacked into the venerable and closely-guarded Russian hacking forum cih[dot]ms after guessing the password of an administrator there.

Darklife admin “Helkern” brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.

In a counterattack documented in the entertaining thread that is still posted as a trophy of sorts at cih[dot]ms/old/epicfail, hackers from cih[dot]ms hacked into the Darklife forum, and posted personal photos of Helkern and fellow Darklife leaders, including these two of Helkern:

And a self-portrait of Helkern:

So if Helkern is Rescator, who is Helkern? If we check at some of the other Russian forums that Helkern was active in at the time that Darklife was online in 2008, we can see he was a fairly frequent contributor to the now-defunct Grabberz[dot]com; in this cached post, Helkern can be seen pasting an exploit he developed for a remote SQL injection vulnerability. In it, he claims ownership of the ICQ instant messenger address 261333.

Continue reading →

Non-US Cards Used At Target Fetch Premium

December 22, 2013

91 Comments

An underground service that is selling credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.

On Dec. 20, this blog published a story about the “card shop” rescator[dot]la. That piece explained how two different banks — a small, community bank and a large, top-10 bank — had bought back their customers’ stolen cards from the fraud service and discovered that all of the purchased cards had been used at Target during the breach timeframe. The shop was selling data stolen from the magnetic stripe of each card, which thieves can re-encode onto new, counterfeit cards and use to go shopping in bricks-and-mortar stores for items than can easily be fenced or resold.

As I wrote in that story, a key feature of this particular shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s N0v. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle” (also an island in the Caribbean long associated with pirates). The small bank similarly found that all of the cards it purchased from the card shop also bore the Tortuga base name, and all had been used at Target.

Cards stolen from non-US customers who shopped at Target are sold under the “Barbarossa” base.

On Friday, the proprietor of this card shop announced the availability of a new base — “Barbarossa” — which consists of more than 330,000 debit and credit cards issued by banks in Europe, Asia, Latin America and Canada [side note: one Russian expert I spoke with said Barbarossa was probably a reference to Operation Barbarossa, the code name for Germany’s invasion of the Soviet Union during World War II].

According to one large bank in the U.S. that purchased a sampling of cards across several countries — all of the cards in the Barbarossa base also were used at Target during the breach timeframe.

As with cards sold under the Tortuga base, debit and credit cards for sale as part of the Barbarossa base list the country of origin for the issuing bank, and then directly underneath include the state, city and ZIP code of the Target store from which the card numbers were stolen.

When I first became aware that this card shop was selling only cards stolen from Target stores, I noticed a discussion on a related crime forum wherein customers of this shop seemed very enthusiastic about this ZIP code feature. I couldn’t figure out what the big deal was: I’d assumed the state, city and ZIP described the bank that issued the card.

Later, I learned from a fraud expert that this feature is included because it allows customers of the shop to buy cards issued to cardholders that live nearby. This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder’s immediate geographic region.

Non-U.S. cards used at Target generally fetch higher prices than U.S. cards, between $67 and $100 apiece.

The cards for sale in the Barbarossa base vary widely in price from $23.62 per card to as high as $135 per card. The prices seem to be influenced by a number of factors, including the issuing bank, the type of card (debit or credit), how soon the card expires, and whether the card bears a special notation that often indicates a higher credit limit, such as a Platinum card.

Continue reading →

Cards Stolen in Target Breach Flood Underground Markets

December 20, 2013

445 Comments

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Continue reading →

Sources: Target Investigating Data Breach

December 18, 2013

620 Comments

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day the year.

Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story;

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
Continue reading →

The Biggest Skimmers of All: Fake ATMs

December 18, 2013

42 Comments

This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

On Saturday, Nov. 23, a customer at a Bank of Brazil branch in Curitiba, Brazil approached the cash machine pictured below, dipped his ATM card in the machine’s slot, and entered his PIN, hoping to get a printed statement of his bank balance.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

When the transaction failed, the customer became suspicious and discovered that this ATM wasn’t a cash machine at all, but a complete fake designed to be seated directly on top of the real cash machine. Here’s what the legitimate ATM that was underneath looked like.

The real ATM underneath.

When the cops arrived, they pulled the fake ATM off the real cash machine. Here is the fake ATM, set down on the floor.

Continue reading →

The Case for a Compulsory Bug Bounty

December 17, 2013

66 Comments

Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products.

Before I delve into this modest proposal, let’s postulate a few assumptions that hopefully aren’t terribly divisive:

Modern societies are becoming increasingly dependent on software and computer programs.
After decades of designing software, human beings still build imperfect, buggy, and insecure programs.
Estimates of the global damage from cybercrime ranges from the low billions to hundreds of billions of dollars annually.
The market for finding, stockpiling and hoarding (keeping secret) software flaws is expanding rapidly.
Vendor-driven “bug bounty” programs which reward researchers for reporting and coordinating the patching of flaws are expanding, but currently do not offer anywhere near the prices offered in the underground or by private buyers.
Software security is a “negative externality”: like environmental pollution, vulnerabilities in software impose costs on users and on society as a whole, while software vendors internalize profits and externalize costs. Thus, absent any demand from their shareholders or customers, profit-driven businesses tend not to invest in eliminating negative externalities.

Earlier this month, I published a piece called How Many Zero-Days Hit You Today, which examined a study by vulnerability researcher Stefan Frei about the bustling market for “zero-day” flaws — security holes in software that not even the makers of those products know about. These vulnerabilities — particularly zero-days found in widely-used software like Flash and Java — are extremely valuable because attackers can use them to slip past security defenses unnoticed.

Frei’s analysis conservatively estimated that private companies which purchase software vulnerabilities for use by nation states and other practitioners of cyber espionage provide access to at least 85 zero-day exploits on any given day of the year. That estimate doesn’t even consider the number of zero-day bugs that may be sold or traded each day in the cybercrime underground.

At the end of that post, I asked readers whether it was possible and/or desirable to create a truly global, independent bug bounty program that would help level the playing field in favor of the defenders and independent security researchers. Frei’s latest paper outlines one possible answer.

BUYING ALL BUGS AT ABOVE BLACK-MARKET PRICES

Frei proposes creating a multi-tiered, “international vulnerability purchase program” (IVPP), in which the major software vendors would be induced to purchase all of the available and known vulnerabilities at prices well above what even the black market is willing to pay for them. But more on that in a bit.

The director of research for Austin, Texas-based NSS Labs, Frei examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed. Frei estimates that if these vendors were to have purchased information on all of those flaws at a steep price of $150,000 per vulnerability — an amount that is well above what cybercriminals or vulnerability brokers typically offer for such bugs — this would still come to less than one percent of the annual revenues for these software firms.

Frei points out that the cost of purchasing all vulnerabilities for all products would be considerably lower than the savings that would occur as a result of the expected reduction in losses occurring as a result of cyber crime — even under the conservative estimate that these losses would be reduced by only 10 percent.

In the above chart, for example, we can see Oracle — the software vendor responsible for Java and a whole heap of database software code that is found in thousands of organizations — fixed more than 427 vulnerabilities last year. It also brought in more than $37 billion in revenues that year. If Oracle were to pay researchers top dollar ($150,000) for each vulnerability, that would still come to less than two-tenths of one percent of the company’s annual revenues (USD $67 million).

Frei posits that if vendors were required to internalize the cost of such a program, they would likely be far more motivated to review and/or enhance the security of their software development processes.

Likewise, Frei said, such a lucrative bug bounty system would virtually ensure that every release of commercial software products would be scrutinized by legions of security experts.

“In the short term, it would hit the vendors very badly,” Frei said in a phone interview with KrebsOnSecurity. “But in the long term, this would produce much more secure software.”

“When you look at new innovations like cars, airplanes and electricity, we see that security and reliability was enhanced tremendously with each as soon as there was independent testing,” said Frei, an experienced helicopter pilot. “I was recently reading a book about the history of aviation, and [it noted that in] the first iteration of the NTSB [National Transportation Safety Board] it was explicitly stated that when they investigate an accident, if they could not find a mechanical failure, they blamed the pilot. This is what we do now with software: We blame the user. We say, you should have installed antivirus, or done this and that.”

Continue reading →

Botnet Enlists Firefox Users to Hack Web Sites

December 16, 2013

51 Comments

An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

The “Advanced Power” botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.

The fraudulent Firefox add-on.

The malicious code comes from sources referenced in this Malwr writeup and this Virustotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.

Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”

Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.

Continue reading →

Last »