Krebs on Security

Carberp Code Leak Stokes Copycat Fears

June 27, 2013

The source code for “Carberp” — a botnet creation kit coded by a team of at least two dozen hackers who used it to relieve banks of an estimated $250 million — has been posted online for anyone to download. The code leak offers security experts a fascinating and somewhat rare glimpse into the malcoding economy, but many also worry that its publication will spawn new hybrid strains of sophisticated banking malware.

Carberp admin panel. Source: Xylibox.blogspot.com

The leak appears to have begun, as these things often do, with the sale of the source code in a semi-private cybercrime forum. On June 5, a member of the Lampeduza crime forum said he was selling the Carberp source to a single buyer, with a starting price of $25,000. The seller said he was helping out one of the developers of the code, who was short on cash.

By mid-June, links to download the entire Carberp archive were being posted on multiple forums, as first documented by Trusteer. Since then, experts from around the world have been tearing through the two-gigabyte archive to learn more about the code and its potential for future abuse in new and existing malware creations.

“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory,” wrote one Ukrainian tech blogger on Livejournal.

According to Peter Kruse, a specialist with the Copenhagen-based CSIS Security Group, the package includes the Carberp bootkit; this is a component that can subvert the Patchguard protection in Windows 7 x86 and 64-bit systems so that the malware loads itself at the most basic levels of the system (Kruse said the bootkit component is incomplete and does not work against Windows 8 PCs).

Also included are components of a Trojan known as UrSnif, as well as an extremely popular and prevalent rival botnet creation kit called Citadel.

“As with the leakage of the ZeuS source code, back in May 2011, this means that criminals have every chance to modify and even add new features to the kit,” Kruse wrote, noting that the Carberp archive also contains several text files that appear to be records of private chats and various usernames and passwords.

CHEEKY CODERS

Last year, Russian and Ukrainian authorities arrested a loosely-affiliated group of hackers accused of programming and using Carberp to rob millions from bank accounts of their countrymen. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.

Some of the leaked Carberp source code archives.

Members of the coding forum kernelmode.info have been poring over comments left in the code by the Carberp developers. One set of comments, translated from Russian by a KrebsOnSecurity reader, suggests the developer was frustrated by having to program within the confines of what he considered sloppy operating system or perhaps Web browser plugin code.

“I will rip off someone’s hands for this kind of code!” the unidentified developer noted in one section of the Carberp source. “This stupid thing does God-knows-what.”

Continue reading →

How Much is Your Gmail Worth?

June 26, 2013

66 Comments

If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground.

My Gmail was priced at $28.90.

The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.

In a blog post earlier this month titled The Value of a Hacked Email Account, I noted that many people do not realize how much they have invested in their email account until that account is in the hands of cyber crooks. That post quoted prices from one seller in the cybercrime underground who buys compromised accounts, such as hacked iTunes accounts for $8, or credentials to Groupon.com for $5, for example.

Chris Kanich, assistant professor at UIC’s computer science department and principal organizer of the project, said Cloudsweeper’s pricing model is built on prices collected from multiple sellers across multiple underground forums and services. I ran one of my Gmail accounts through Cloudsweeper, and it determined my account would be worth approximately $28.90 to bad guys. While this is not a Gmail account I use every day, I was surprised at how many third party services I had signed up for using it over the years. According to Cloudsweeper, bad guys with access to my account could also hijack my accounts at Amazon, Apple, Groupon, Hulu, Newegg, Paypal, Skype, UPlay and Yahoo, to name a few.

Cloudsweeper uses the Open Authentication (OAuth2) protocol to connect to your Gmail account and search through messages. OAuth is an open standard for online authorization, and using it with Cloudsweeper does not require you to type in your password as long as you are already logged into the Gmail account that you’d like scanned. Cloudsweeper doesn’t keep your credentials, and it forgets about your visit and inbox after you log out of the service, or within 60 minutes of inactivity.

PLAIN TEXT OFFENDERS

Prior to performing a scan, the service asks users if they wish to participate in a study, which Kanich said gathers and securely stores non-personally identifiable information about Cloudsweeper users who opt-in. That data includes how many types of accounts each user has tied to their Gmail. The study also draws on data from the second core feature of Cloudsweeper: The ability to discover and then redact or encrypt passwords that various services may send to users in plain text.

Continue reading →

Web Badness Knows No Bounds

June 25, 2013

59 Comments

If your strategy for remaining safe and secure online is mainly to avoid visiting dodgy Web sites, it’s time to consider a new approach. Data released today by Google serves as a welcome reminder that drive-by malware attacks are far more likely to come from hacked, legitimate Web sites than from sites set up by attackers to intentionally host and distribute malicious software.

Today, Google released a truckload of data from its Safe Browsing program, which flags and warns users about more than 10,000 suspicious and malicious Web sites each day. The information clearly shows that gone are the days when folks could avoid giving their computers a nasty little rash simply by staying out of the Internet’s red-light districts (networks with large aggregations of porn and piracy sites, for example).

Hacked, malicious Web sites far exceed malware sites constructed by attackers. Source: Google

At the same time, some places on the Internet clearly are far more dangerous than others, Google’s data sets show. Have a look at the following graphic, which lists the most hostile Internet providers in the United States (the U.S. is currently responsible for just 2 percent of the world’s malicious sites, Google says).

Concentrations of hacked and malicious sites at U.S. Internet providers.Source: Google

The most malicious U.S. network listed by Google — a data center run by a company in New York called Pilosoft — is no stranger to lists charting the top sources of badness online. Pilosoft figured prominently in Operation Ghost Click, a U.S. Justice Department takedown targeting the DNS Changer botnet, which had a significant portion of its operations based at Pilosoft. Google says it has scanned 13 percent of Pilosoft’s network, and found that more than half of the sites it scanned were malicious.

Other top badness concentrations have a history of courting malware purveyors. Ask Google’s report to display the most densely malicious ISPs regardless of country and you’ll notice some interesting names float to the top of the list. Among them, Santrex Internet Services, is a well-known offshore bulletproof hosting provider based in the Seychelles.

Some networks are completely overrun with malicious sites, and some actively seek out this condition.

Of course, more mainstream networks and ISPs also are constantly battling malicious sites within their borders. It’s worth noting that 22 percent of the sites hosted at one section of the network run by major ISP Comcast (AS20214) are malicious, according to Google, although the company says it has scanned only 4 percent of this portion Comcast’s network so far. Google’s data is broken down by “autonomous system” (AS) numbers — which are basically a numerical way of keeping track of networks — and a large ISP may control numerous ASes.

Several other Comcast ASes are listed in the first few pages of Google’s index of U.S.-based badness. To be fair, Comcast is the nation’s largest cable Internet provider, so it’s perhaps unsurprising that it hosts so many compromised sites. However, Comcast’s largest competitor in the United States — Verizon — doesn’t appear until page 19 of Google’s results (with 5 percent of scanned sites malicious and 5 percent of the network scanned).

Continue reading →

Microsoft to Offer Standing Bug Bounty

June 19, 2013

19 Comments

Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.

The bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.

The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for “truly novel exploitation techniques” against protections built into the latest version of Windows — Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.

These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

Continue reading →

Windows Security 101: EMET 4.0

June 18, 2013

96 Comments

Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

Continue reading →

Double Cashing With Mobile Banking

June 17, 2013

55 Comments

The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country.

Source: Mybanktracker.com

Louisville, Ky. based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.

“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”

The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.

Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have long fretted about this ever since MRDC started to roll out a few years ago.

“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”

McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.

“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”

Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.

“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so. Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far. However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”

Continue reading →

Iranian Elections Bring Lull in Bank Attacks

June 14, 2013

20 Comments

For nearly nine months, hacker groups thought to be based in Iran have been launching large-scale cyberattacks designed to knock U.S. bank Websites offline. But those assaults have subsided over the past few weeks as Iranian hacker groups have begun turning their attention toward domestic targets, launching sophisticated phishing attacks against fellow citizens leading up to today’s presidential election there.

Phishing email targeting Iranians. Source: Google.

Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.

But roughly three weeks ago, experts began noticing that the attacks had mysteriously stopped.

“We haven’t seen anything for about three weeks now,” said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry coalition that disseminates data about cyber threats to member financial institutions. “It’s not clear why [the attacks stopped], but there are a lot of things going on in Iran right now, particularly the presidential elections.”

Meanwhile, data collected by Google suggests that the attackers are focusing their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates running for Iran’s presidential seat. In a blog post published this week, Google said that it is tracking a “significant jump” in the overall volume of phishing activity in and around Iran.

Continue reading →

MtGox Phishing Campaign Hits Bing, Yahoo!

June 13, 2013

23 Comments

An active phishing campaign targeting account holders at popular Bitcoin exchange MtGox.com has hijacked the top search results at Bing and Yahoo.com, redirecting unwary clickers to mtpox.com, a look-alike domain and Web site that was registered on June 12, 2013, less than 24 hours ago.

Check out the video I recorded of this phish in action (turn down in the sound if you hated the Iron Man soundtrack):

Update, June 17, 3:07 p.m: Google’s Youtube team has inexplicably removed my video, calling it a violation of YouTube’s policy on the depiction of harmful activities. 8:09 p.m.: YouTube has restored the video.

Hover over the search links returned in Yahoo.com after searching for “Mtgox” and you’ll see what appears to be a paid or perhaps sponsored search ad that lists a result for mtgox.com, although hovering over the link displays a long “yahoo.com” URL. The same is true when you currently search for “mtgox” on Bing.com: hovering over the returned link shows a bing.com address.

In the video above, entering any credentials at the fake “mtpox.com” site caused a site error, but when I tried it again a moment later, I was redirected to the real Mtgox.com.

Interestingly, it appears the phisher in this case simply copied and pasted the code from Mtgox.com; as shown in the video, hovering over either the username or password field on mtpox.com produces the same warning present on mtgox.com — a message advising visitors to check for the green “extended validation” or EV browser certificate in the URL address bar.

This attack, while not particularly unusual, is a good reminder that relying on trusted bookmarks is among the safest ways to navigate to sites that hold your personal and financial information. Using a search engine to find these sites is better than direct navigation (in which a fat-fingered key can lead to a phishing site), but as this phish illustrates, it’s always a good idea to double check the URL in the address bar.

Hat tip to Twitter follower Ryan Mattinson.

Adobe, Microsoft Patch Flash, Windows

June 11, 2013

56 Comments

Patch Tuesday is again upon us: Adobe today issued updates for Flash Player and AIR, fixing the same critical vulnerability in both products. Microsoft‘s patch bundle of five updates addresses 23 vulnerabilities in Windows, Internet Explorer, and Office, including one bug that is already being actively exploited.

A majority of the vulnerabilities fixed in Microsoft’s June patch batch — 19 of them — are addressed in a cumulative update for Internet Explorer (MS13-047). The other fix that Microsoft called specific attention to is MS13-051, which tackles a flaw in Office that “could allow remote code execution if a user opens a specially crafted Office document..or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader.”

This Office flaw, which is present in the latest versions of Office 2003 and Microsoft Office for Mac 2011, is already being exploited in targeted attacks, Microsoft said. According to the company’s advisory, this vulnerability was reported by Google. These attacks fit the profile of previous zer0-day incidents, which use targeted email lures and previously unknown vulnerabilities to break into high-value targets.

“When Google encounters flaws that exploit users’ computers, even when the flaws are in other companies’ software, we take strong action to mitigate those attacks,” a Google spokesperson said in response to a request for comment. “Based on the exploit and the way it has been utilized by attackers, we strongly believe the attacks to be associated with a nation-state organization.”

Adobe’s Flash and AIR updates also fix a critical bug that was reported by Google’s security team, although Adobe says it is not aware of any exploits or attacks in the wild against the vulnerability address in its update. The latest Flash version is 11.7.700.224 for Windows and 11.7.700.225 for Mac OS X. This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome is not yet updated to v. 11.7.700.225, you may just need to restart the browser.

Continue reading →

Last »