Microsoft: IE Zero Day Flaw Affects All Versions

September 17, 2013

Microsoft said today that attackers are exploiting a previously unknown, unpatched vulnerability in all supported versions of its Internet Explorer Web browser. The company said it is working on an official patch to plug the security hole, but in the meantime it has released a stopgap fix to help protect affected customers.

IEwarningMicrosoft said it is aware of targeted attacks that attempt to exploit the vulnerability (CVE-2013-3893) in IE 8 and IE 9 versions of the default Windows browser. According to an advisory issued today, the flaw is a remote code bug, which means malware or miscreants could use it install malware just by coaxing IE users to browse a hacked or malicious Web site.

The Fix It solution is available from this link. To apply it, click the Fix It icon above the Fix This Problem link. Applying this solution may limit some functionalities of IE, so if you run into problems after applying this interim patch, you can click the Fix It icon to the right of that “enable” button to reverse the update.

Update: As several readers have already noted in the comments, this Fix It solution is for 32-bit versions of IE only. In 64-bit Windows, you can tell whether the browser you’re using is a 32-bit or 64-bit version by opening the Windows Task Manager (Ctrl+Shift+Esc) and clicking the Processes tab. The number that appears after the process name (in this case, iexplore.exe) indicates the version in use.

WHOIS Privacy Plan Draws Fire

September 16, 2013

Internet regulators are pushing a controversial plan to restrict public access to WHOIS Web site registration records. Proponents of the proposal say it would improve the accuracy of WHOIS data and better protect the privacy of people who register domain names. Critics argue that such a shift would be unworkable and make it more difficult to combat phishers, spammers and scammers.

ardsA working group within The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s domain name system, has proposed scrapping the current WHOIS system — which is inconsistently managed by hundreds of domain registrars and allows anyone to query Web site registration records. To replace the current system, the group proposes creating a more centralized WHOIS lookup system that is closed by default.

According to an interim report (PDF) by the ICANN working group, the WHOIS data would be accessible only to “authenticated requestors that are held accountable for appropriate use” of the information.

“After working through a broad array of use cases, and the myriad of issues they raised, [ICANN’s working group] concluded that today’s WHOIS model—giving every user the same anonymous public access to (too often inaccurate) registration data—should be abandoned,” ICANN’s “expert working group” wrote. The group said it “recognizes the need for accuracy, along with the need to protect the privacy of those registrants who may require heightened protections of their personal information.”

The working group’s current plan envisions creating what it calls an “aggregated registration directory service” (ARDS) to serve as a clearinghouse that contains a non-authoritative copy of all of the collected data elements. The registrars and registries that operate the hundreds of different generic top-level domains (gTLDs, like dot-biz, dot-name, e.g.) would be responsible for maintaining the authoritative sources of WHOIS data for domains in their gTLDs. Those who wish to query WHOIS domain registration data from the system would have to apply for access credentials to the ARDS, which would be responsible for handling data accuracy complaints, auditing access to the system to minimize abuse, and managing the licensing arrangement for access to the WHOIS data.

The plan acknowledges that creating a “one-stop shop” for registration data also might well paint a giant target on the group for hackers, but it holds that such a system would nevertheless allow for greater accountability for validating registration data.

Unsurprisingly, the interim proposal has met with a swell of opposition from some security and technology experts who worry about the plan’s potential for harm to consumers and cybercrime investigators.

“Internet users (individuals, businesses, law enforcement, governments, journalists and others) should not be subject to barriers – including prior authorization, disclosure obligations, payment of fees, etc. – in order to gain access to information about who operates a website, with the exception of legitimate privacy protection services,” reads a letter (PDF) jointly submitted to ICANN last month by G2 Web Services, OpSec Security, LegitScript and DomainTools.

“Internet users have the right to know who is operating a website they are visiting (or, the fact that it is registered anonymously),” the letter continues. “Today, individuals review full WHOIS records and, based on any one of the fields, identify and report fraud and other abusive behaviors; journalists and academics use WHOIS data to conduct research and expose miscreant behavior; and parents use WHOIS data to better understand who they (or their children) are dealing with online. These and other uses improve the security and stability of the Internet and should be encouraged not burdened by barriers of a closed by default system.”

Continue reading

Advertisement

‘Yahoo Boys’ Have 419 Facebook Friends

September 11, 2013

Earlier this week, I wrote about an online data theft service that got hacked. That compromise exposed a user base of mostly young Nigerian men apparently engaged in an array of cybercrime activities — from online dating scams to 419 schemes. It turned out that many of these guys signed up for the data theft service using the same email address they used to register their Facebook accounts. Today’s post looks at the social networks between and among these individuals.

Of the nearly 3,000 BestRecovery users, about 280 of them had Facebook accounts tied to their BestRecovery email addresses. George Mason University associate professor Damon McCoy and several of his grad students volunteered to scrape those profiles that were open and map their social networks to see if there were any obvious or discernible patterns in the data.

The raw data itself — which ranked the BestRecovery users on number of connections they had to other users — was potentially useful, but difficult to parse into meaningful chunks. Oddly enough, as I was poring over that data I heard from Chris Ahlberg, the CEO of Recorded Future Inc., a Cambridge, Mass. software company that specializes in Web intelligence and predictive analytics. Ahlberg was writing to say that he enjoyed the blog — particularly the posts with data-intensive analyses — and that he’d be delighted to collaborate on a data-rich research project at some point. I told him his timing couldn’t have been more serendipitous.

Ahlberg and his team took the raw scraped data sets from the Facebook accounts and ran it through their cyber intelligence applications. In short order, they produced some very compelling and beautiful graphs, shown below.

Staffan Truvé, Recorded Future’s chief technology officer noted that — with few exceptions — the BestRecovery users largely appear to belong to one of two very separate social networks.

RecordedFuture's rendering of the Facebook profiles shows fairly two tight-knit social networks.

RecordedFuture’s rendering of the Facebook profiles shows fairly two tight-knit social networks.

“There appears to be two fairly separate, quite tightly knit networks, each with a few central leaders, and also with just a few individuals being the bridge between the two networks — and that those middlemen are themselves not connected,” said Staffan Truvé, Recorded Future’s chief technology officer.

I noted in my previous story that a majority of the BestRecovery keylog service users who had Facebook pages that reported a location listed either somewhere in Nigeria (usually Lagos), or Kuala Lumpur, Malaysia. Not surprisingly, those two geographic groups are generally represented by these two globs of Facebook users (with several exceptions of users who are from Nigeria but living in Kuala Lumpur and vice versa).

Here’s a closer look at the most influential/connected members at the center of Cluster 1 (upper in the diagram above)

cluster1

Continue reading

Adobe, Microsoft Push Critical Security Fixes

September 10, 2013

Adobe and Microsoft each separately released a raft of updates to fix critical security holes in their software. Adobe pushed patches to plug holes in Adobe Acrobat/Reader and its Flash and Shockwave media players. Microsoft released 14 13 patch bundles to fix at least 47 security vulnerabilities in Windows, Office, Internet Explorer and Sharepoint.

crackedwinFour of the 13 bulletins Microsoft released today earned the company’s “critical” rating, meaning that on balance they address vulnerabilities that can be exploited by miscreants or malware to break into vulnerable systems without any help from users.

For enterprises and those who need to prioritize the installation of updates, Microsoft recommends installing the Outlook, Internet Explorer and SharePoint Server fixes as soon as possible. The Sharepoint update addresses some ten vulnerabilities, including one that Microsoft says was publicly disclosed prior to today’s patch batch.

Adobe’s Flash update fixes at least four flaws in the widely-installed media player, and brings the player to version 11.8.800.168 for Mac and Windows users (users of other OSes please see the chart below). Google Chrome should auto-update itself to the latest version for Chrome (11.8.800.170 for Windows, Mac and Linux); Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. Likewise, Internet Explorer 10 should auto-update to the latest version. To find out which version of Flash you have installed, see this page.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (FirefoxOpera, e.g.).

Continue reading

Spy Service Exposes Nigerian ‘Yahoo Boys’

September 9, 2013

A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.

The login page for the BestRecovery online keylog service.

The login page for the BestRecovery online keylog service.

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right).

But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

Initially, I assumed my source had unearthed the data via an SQL injection attack or some other  database weakness. As it happens, the entire list of users is recoverable from the site using little more than a Web browser.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails (dittoswiss@yahoo.com, for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

The seriously ghetto options page for BestRecovery web-based keylogger service.

The seriously ghetto options page for BestRecovery web-based keylogger service.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances. “While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

Oddly enough, a large percentage of the keylog data stored at BestRecovery indicates that many of those keylog victims are in fact Nigerian 419 scammers themselves. One explanation is that this is the result of scammer-on-scammer attacks. According to a study of 419ers published in the Dec. 2011 edition of Cyberpsychology, Behavior, and Social Networking (available from the Library of Congress here or via this site for a fee), much of the 419 activity takes place in cybercafes, where “bulk tickets are sold for sending spam emails and some systems are dedicated to fraudsters for hacking and spamming.”

The keylog records available for the entries marked "Yahoo Boys" show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

The keylog records available for the entries marked “Yahoo Boys” show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

Perhaps some enterprising Nigerian spammers simply infected a bunch of these cybercafe machines to save themselves some work. It is also possible that vigilante groups which target 419 scammers — such as Artists Against 419 and 419eater.com — were involved, although it’s difficult to believe those guys would bother with such a rudimentary service.

BestRecovery gives customers instructions on how to use a provided tool to create a custom Windows-based keylogger and then disguise it as a legitimate screensaver application. New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the “note” field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used). Interestingly, many of the victim PCs have a curious notation: “Yahoo Boys”.

Keylog data apparently collected from a Yahoo Boy.

Keylog data [partially redacted] that was apparently collected from a Yahoo Boy.

BLACK HAT OR BLACK MAGIC?

As noted in the above-mentioned academic paper (“Understanding Cybercrime Perpetrators and the Strategies They Employ in Nigeria”), the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime.  According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

Continue reading

Researchers: Oracle’s Java Security Fails

September 4, 2013

Faced with an onslaught of malware attacks that leverage vulnerabilities and design weaknesses in Java, Oracle Corp. recently tweaked things so that Java now warns users about the security risks of running Java content. But new research suggests that the integrity and accuracy of these warning messages can be subverted easily in any number of ways, and that Oracle’s new security scheme actually punishes Java application developers who adhere to it.

Java's security dialog box.

Java’s security dialog box.

Running a Java applet now pops up a security dialog box that presents users with information about the name, publisher and source of the application. Oracle says this pop-up is designed to warn users of potential security risks, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Security experts differ over whether regular users pay any mind whatsoever to these warnings. But to make matters worse, new research suggests most of the information contained in the pop-ups can be forged by malware writers.

In a series of scathing blog posts, longtime Java developer Jerry Jongerius details the various ways that attackers can subvert the usefulness of these dialog boxes. To illustrate his point, Jongerius uses an applet obtained from Oracle’s own Web site — javadetection.jar — and shows that the information in two out of three of its file descriptors (the “Name” and “Location” fields) can be changed, even if the applet is already cryptographically signed.

“The bottom line in all of this is not the security risk of the errors but that Oracle made such incredibly basic ‘101’ type errors — in allowing ‘unsigned information’ into their security dialogs,” Jongerius wrote in an email exchange. “The magnitude of that ‘fail’ is huge.”

Jongerius presents the following scenario in which an attacker might use the dialog boxes to trick users into running unsafe applets:

“Imagine a hacker taking a real signed Java application for remote desktop control / assistance, and placing it on a gaming site, renaming it ‘Chess’. An unsuspecting end user would get a security popup from Java asking if they want to run ‘Chess’, and because they do, answer yes — but behind the scenes, the end user’s computer is now under the remote control of a hacker (and maybe to throw off suspicion, implemented a basic ‘Chess’ in HTML5 so it looks like that applet worked) — all because Oracle allowed the ‘Name’ in security dialogs to be forged to something innocent and incorrect.”

Oracle has not responded to requests for comment. But Jongerius is hardly the only software expert crying foul about the company’s security prompts. Will Dormann, writing for the Carnegie Mellon University’s Software Engineering Institute, actually warns Java developers against adopting a key tenet of Oracle’s new security guidelines.

Continue reading

Syrian Electronic Army Denies New Data Leaks

August 31, 2013

The high-profile Web site defacement and hacker group known as the Syrian Electronic Army (SEA) continues to deny that its own Web server was hacked, even as gigabytes of data apparently seized during the compromise leaked onto the Deep Web this weekend.

Screen shot from SEA site syrian-es.org, listing the nicknames and avatars of top SEA leaders. Image: HP Security Research

Screen shot from SEA site syrian-es.org, listing the nicknames and avatars of top SEA leaders. Image: HP Security Research

Following a string of high profile attacks that compromised the Web sites of The New York Times and The Washington Post among others, many publications have sought to discover and spotlight the identities of core SEA members. On Wednesday, this blog published information from a confidential source who said that the SEA’s Web site was hacked and completely compromised in April 2013. That post referenced just a snippet of name and password data allegedly taken from the SEA’s site, including several credential pairs that appeared tied to a Syrian Web developer who worked with the SEA.

The SEA — through its Twitter accounts — variously denounced claims of the hack as a fraud or as a propaganda stunt by U.S. intelligence agencies aimed at discrediting the hacker group.

“We can guarantee our website has never been hacked, those who claim to have hacked it should publish their evidence. Don’t hold your breath,” members of the group told Mashable in an interview published on Friday. “In any case we do not have any sensitive or personal data on a public server. We are a distributed group, most of what we have and need is on our own machines and we collaborate on IRC.”

In apparent response to that challenge, a huge collection of data purportedly directly taken from the SEA’s server in April 2013 — including all of the the leaked credentials I saw earlier — was leaked today to Deep Web sites on Tor, an anonymity network. Visiting the leak site, known as a “hidden service,” is not possible directly via the regular Internet, but instead requires the use of the Tor Browser.

A leaked screen shot purportedly showing the email address of the owner of SEA site syrian-es.com

A leaked screen shot purportedly showing the email address of the owner of SEA site syrian-es.com

Among the leaked screen shots at the hidden Web site include numerous apparent snapshots of the SEA’s internal blog infrastructure, the Parallels virtual private server that powered for its syrian-es[dot]com Web site, as well as what are claimed to be dozens of credential pairs for various SEA member Twitter and LinkedIn accounts.

News of the archive leak to the Deep Web was first published by the French publication reflects.info (warning: some of the images published at that link may be graphic in nature). As detailed by the French site, the leak archive includes hundreds of working usernames and passwords to various Hotmail, Outlook and Gmail accounts, as well as more than six gigabytes of email messages downloaded from those accounts.

Continue reading

Who Built the Syrian Electronic Army?

August 28, 2013

A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Earlier this year I reported that — in apparent observation of international trade sanctions against Syria — Network Solutions LLC. and its parent firm Web.com had seized hundreds of domains belonging to various Syrian entities. Among the domains caught in that action were several sites belonging to the SEA.

At the time, the SEA had a majority of its sites hosted at Internet addresses belonging to the Syrian Computer Society, an organization considered to have been a precursor to the SEA and one that was previously headed by Syrian President Bashar al-Assad. Following the Web.com domain seizures, the SEA was forced to find new homes for their domains. Soon enough, the group moved its domains syrianelectronicarmy.com and sea.sy to a host in Russia (no doubt adding further chill to already frigid US-Russia relations vis-a-vis Syria).

Sometime during that transition period, the SEA’s main Web site got hacked. As in…completely owned. According to one confidential source, the attacker(s) gained access to the virtual servers that hosted the SEA’s site and downloaded the entire user database for sea.sy and syrianelectronicarmy.com. Shockingly (or perhaps less so for many security researchers who’ve dismissed the SEA as mostly a group of tenacious but relatively unskilled hackers), many of the top members re-used the passwords they picked for their sea.sy accounts at their Hotmail, MSN and Outlook email accounts.

A snippet from the hacked database from syrianelectronicarmy.com

A snippet from the hacked database from syrianelectronicarmy.com. In the third column are plain-text passwords.

In nearly any dump of a Web site user database, it’s generally safe to assume that the first few users listed are founders and administrators of the site. In the hacked sea.sy database, for example, we can see that the first two usernames in the table are “admin” and “admin2.” Admin2’s email address is listed as sy34@msn.com. The last entry in the database is April 19, 2013, just a few days after Web.com began seizing domain names in its stable with the “.sy” designation.

A Google search on that email address reveals its ties to the SEA, and shows that the account was in 2010 tied to a now-abandoned hackforums.net user named “SyRiAn_34G13” (leet-speak for “Syrian Eagle”). A reverse WHOIS search at domaintools.com on the sy34@msn.com address shows that it was used in Feb. 2011 to register a site called codepassion.net.

Codepassion.net is no longer active (perhaps because it was hacked and defaced in May 2012 by other script kiddies), but thanks to the Wayback Machine at the indispensable Internet Archive, we can see the site lists as its creator a 23-year-old “virtuoso web designer” named Mohammed from Damascus, Syria. Mohammed says he is a senior front end developer at a firm in Damascus called Flex Solutions. Mohammed reveals that his last name is “Osman” when he links to his Facebook and DeviantART accounts, as well as his Gmail address (osmancode@gmail.com). That same Gmail account is also used for another account in the sea.sy database: يوزر – which Google translates to “Yoezer”  “User” and used the password “963100”.

Continue reading

Who Wrote the Pincer Android Trojan?

August 27, 2013

Stories in this blog’s Breadcrumbs series have sought to comb through clues that point to the possible location and identities of malware authors and purveyors.  But from time to time those clues lead definitively back to an individual. In today’s post, we’ll talk with the author of  the Pincer Trojan for Android — a 32-year-old programmer at a mobile app development firm in Russia.

bwshadowIn April, Finnish security firm F-Secure  first warned about Trojan:Android/Pincer.A, which comes disguised as a security certificate and is designed to surreptitiously intercept and forward text messages. As F-Secure notes, previous malicious mobile apps pretending to be certificates have been mobile components of banking Trojans aimed at defeating two-factor authentication.

F-Secure researchers observed that Pincer used the IMEI of the victim’s phone as an identifier, and that the Trojan would call home to a control server and report the device’s phone and serial numbers, phone model, carrier and OS version. They also found that Pincer checks to see if it’s being run in a virtual environment, which is a common trick designed to frustrate malware analysis tools used by security researchers.

Interestingly, F-Secure noted that the code within the trojan includes a class called “USSDDumbExtendedNetworkService” — a component that was assigned a seemingly arbitrary variable that F-Secure researchers said was probably either associated with a French Canadian concrete company or the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.

I followed up with F-Secure about this post, and learned that the redacted portion of that post — the variable included in that first variant of the Pincer Trojan — was “senneco.com” (Virustotal’s analysis lists it as “com.senneco”). A quick search on Google turns up Twitter and Google+ accounts by this name belonging to a Yuri Shmakov from Novosibirsk, Russia. Shmakov’s Google+ page says he is a developer at Arello-Mobile, a mobile app development firm also in Novosibirsk.

Text string "senneco" inside of the Pincer Android Trojan.

Text string “senneco” inside an early sample of he Pincer Android Trojan. Source: F-Secure.

A scan of Shmakov’s accounts turned up the email address senneco@gmail.com. I sent an email to that address, explaining F-Secure’s findings and asking whether the recipient had anything to do with the Pincer Trojan. To my surprise, Shmakov promptly replied that, why yes he had indeed created it as a freelance project.

Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.

Continue reading

How Not to DDoS Your Former Employer

August 20, 2013

Pro tip: If you’re planning to launch a debilitating denial-of-service attack against your former employer, try not to “like” the Facebook page of the DDoS-for-hire Web service that you intend to use in the assault.

Tell that to Kevin Courtois, a 28-year-old from Three Rivers, Quebec who was arrested earlier this year for allegedly launching a volley of cyber attacks against his former company over a nine month period beginning in May 2012. Courtois did not respond to requests for comment.

Courtois’s former employer — Concepta Inc., an information security firm based in his hometown — was not the only one suffering from attacks. The assaults — which ranged in size from a few gigabits per second to up to 10 gbps — grew so large that they began significantly affecting Concepta’s Internet service provider  — another Three Rivers company called Xittel. Eventually, the attacks shifted to targeting Xittel directly.

Xittel later hired Robert Masse, a security consultant from Montreal who spoke about the details of this case in a talk at the Black Hat security conference in Las Vegas last month. Xittel and Concepta compared notes and told Masse they’d settled on Cortois as the likely culprit. One potential clue: Cortois had left Concepta to start his own company that specialized in DDoS protection services. 

Masse said when he began his investigation he noticed that Courtois had liked the Facebook page of demolitionstresser.com, a now defunct booter site that redirected him to….wait for it…ragebooter.net. For those of you who haven’t read my story on ragebooter.net and its proprietor Justin Poland, please check it out after reading this piece. In that story, Poland claimed to have been working for the FBI, and even to have backdoored his own service so that FBI agents could snoop on user activity.

Masse said he decided to contact Poland to see what he might be willing to disclose about any ragebooter.net customer who’d been using the service to launch attacks against Concepta and Xittel. Masse said he created an account at ragebooter.net, funded it with $200 via the site’s default payment method — Paypal — and then reached out to Poland via his support handle in Skype. Would Poland be willing to sell the logs of a particular customer? Say….anyone who happened to be currently using ragebooter to attack a certain Internet address block in Three Rivers, Quebec?

MasseyStrings According to Masse, Poland initially replied that, why yes, there was an attack going on that very moment against that IP address. “For sure, this morning,” Poland wrote in a Skype chat. “First attack November 25 (2012).” Masse said Poland then pasted the account information for a user named…wait for it…”concepta2.” Concepta2 had signed up with ragebooter using the email address traverse2000@hotmail.com, according to the Ragebooter.net users database that was leaked earlier this year. A historic reverse WHOIS record lookup at domaintools.com, that email address was used to register at least 36 different Web sites, most of them originally registered to a Kevin Courtois from Quebec.

Masse said Poland quickly thought better of posting his customers’ information in a Skype chat with a stranger, and deleted the message a few seconds after he’d pasted it. But Masse was able to retrieve a copy of the message by dumping the memory cache for his Skype client on his OS X machine.

Continue reading