Krebs on Security

DHS: ‘OpUSA’ May Be More Bark Than Bite

May 2, 2013

The U.S. Department of Homeland Security is warning that a group of mostly Middle East- and North Africa-based criminal hackers are preparing to launch a cyber attack campaign next week known as “OpUSA” against websites of high-profile US government agencies, financial institutions, and commercial entities. But security experts remain undecided on whether this latest round of promised attacks will amount to anything more than a public nuisance.

A confidential alert, produced by DHS on May 1 and obtained by KrebsOnSecurity, predicts that the attacks “likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation. Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate an anti-US message.”

The DHS alert is in response to chest-thumping declarations from anonymous hackers who have promised to team up and launch a volley of online attacks against a range of U.S. targets beginning May 7. “Anonymous will make sure that’s this May 7th will be a day to remember,” reads a rambling, profane manifesto posted Apr. 21 to Pastebin by a group calling itself N4M3LE55 CR3W.

“On that day anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country,” the hackers wrote. “We will now wipe you off the cyber map. Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs.”

Ronen Kenig, director of security solutions at Tel Aviv-based network security firm Radware, said the impact of the attack campaign will be entirely dependent on which hacking groups join the fray. He noted that a recent campaign called “OpIsrael” that similarly promised to wipe Israel off the cyber map fizzled spectacularly.

“There were some Web site defacements, but OpIsrael was not successful from the attackers point-of-view,” Kenig said. “The main reason was the fact that the groups that initiated the attack were not able to recruit a massive botnet. Lacking that, they depended on human supporters, and those attacks from individuals were not very massive.”

But Rodney Joffe, senior vice president at Sterling, Va. based security and intelligence firm Neustar, said all bets are off if the campaign is joined by the likes of the Izz ad-Din al-Qassam Cyber Fighters, a hacker group that has been disrupting consumer-facing Web sites for U.S. financial institutions since last fall. The hacker group has said its attacks will continue until copies of the controversial film Innocence of Muslims movie are removed from Youtube.

Joffe said it’s easy to dismiss a hacker manifesto full of swear words and leetspeak as the ramblings of script kiddies and impressionable, wannabe hackers who are just begging for attention. But when that talk is backed by real firepower, the attacks tend to speak for themselves.

“I think we learned our lesson with the al-Qassam Cyber Fighters,” Joffe said. “The damage they’re capable of doing may be out of proportion with their skills, but that’s been going on for seven months and it’s been brutally damaging.”

According to the DHS alert, 46 U.S. financial institutions have been targeted with DDoS attacks since September 2012 — with various degrees of impact — in over 200 separate DDoS attacks.

“These attacks have utilized high bandwidth webservers with vulnerable content management systems,” the agency alert states. “Typically a customer account is compromised and attack scripts are then uploaded to a hidden directory on the customer website. To date the botnets have been identified as ‘Brobot’ and ‘Kamikaze/Toxin.’”

In an interview with Softpedia, representatives of Izz ad-Din al-Qassam said they do indeed plan to lend their firepower to the OpUSA attack campaign.

Continue reading →

Wash. Hospital Hit By $1.03 Million Cyberheist

April 30, 2013

13 Comments

Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.

Last Friday, The Wenatchatee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.

On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.

Jesus Contreras, a 31-year-old from San Bernadino, Calif., had been out of work for more than two months when he received an email from a company calling itself Best Inc. and supposedly located in Melbourne, Australia. Best Inc. presented itself as a software development firm, and told Contreras it’d found his resume on Careerbuilders.com. Contreras said the firm told him that he’d qualified for a work-at-home job that involved forwarding payments to software developers who worked for the company’s overseas partners.

Could he start right away? All he needed was a home computer. He could keep eight percent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since he got laid off in February from his previous job, which was doing inventory for an airplane parts company.

Best Inc. Website

His boss at Best Inc., a woman with a European accent who went by the name Erin Foster, called Contreras and conducted a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired. His first assignment: To produce a report on the commercial real estate market in Southern California. Contreras said Ms. Foster told him that their employer was thinking of opening up an office in the area.

On Monday, Apr. 22 — shortly after he turned in his research assignment — Contreras received his first (and last) task from his employer: Take the $9,180 just deposited into his account and send nearly equal parts via Western Union and Moneygram to four individuals, two who were located in Russia and the other pair in Ukraine. After the wire fees — which were to come out of his commission — Contreras said he had about $100 left over.

“I’m asking myself how I fell for this because the money seemed too good to be true,” Contreras said. “But we’ve got bills piling up, and my dad has hospital bills. I didn’t have much money in my account, so I figured what did I have to lose? I had no idea I would be a part of something like this.”

A small, but significant part, as it happens. Contreras never got to use any of his meager earnings: His financial institution, Bank of America, froze his account and seized what little funds he had in it.

Meanwhile, the Chelan County treasurer’s office is struggling to claw back the fraudulent transfers. According to press reports, roughly $133,000 of the lost funds have been recovered so far, and it may take at least 30 days to learn how much was actually lost.

Continue reading →

Dutchman Arrested in Spamhaus DDoS

April 26, 2013

70 Comments

A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as “SK,” was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization.

Facebook profile picture of Sven Olaf Kamphuis

According to a press release issued by the Public Prosecutor Service in The Netherlands, the National Prosecutor in Barcelona ordered SK’s arrest and the seizure of computers and mobile phones from the accused’s residence there. The arrest is being billed as a collaboration of a unit called Eurojust, the European Union’s Judicial Cooperation Unit.

The dispute began late last year, when Spamhaus added to its blacklist several Internet address ranges in the Netherlands. Those addresses belong to a Dutch company called “Cyberbunker,” so named because the organization is housed in a five-story NATO bunker, and has advertised its services as a bulletproof hosting provider.

“A year ago, we started seeing pharma and botnet controllers at Cyberbunker’s address ranges, so we started to list them,” said a Spamhaus member who asked to remain anonymous. “”We got a rude reply back, and he made claims about being his own independent country in the Republic of Cyberbunker, and said he was not bound by any laws and whatnot. He also would sign his emails ‘Prince of Cyberbunker Republic.” On Facebook, he even claimed that he had diplomatic immunity.”

Cyberbunker’s IP ranges. Its WHOIS records put the organization in Antarctica.

Spamhaus took its complaint to the upstream Internet providers that connected Cyberbunker to the larger Internet. According to Spamhaus, those providers one by one severed their connections with Cyberbunker’s Internet addresses. Just hours after the last ISP dropped Cyberbunker, Spamhaus found itself the target of an enormous amount of attack traffic designed to knock its operations offline.

It is not clear who SK is, but according to multiple sources, the man identified as SK is likely one Sven Olaf Kamphuis. The attack on Spamhaus was the subject of a New York Times article on Mar. 26, 2013, which quoted Mr. Kamphuis as a representative of Cyberbunker and saying, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Kamphuis also reportedly told The Times that Cyberbunker was retaliating against Spamhaus for “abusing their influence.”

Also, a Facebook profile by that same name identifies its account holder as living in Barcelona and a native of Amsterdam, as well as affiliated with “Republic Cyberbunker.”

Mr. Kamphuis could not be immediately reached for comment.

How Not to Install an ATM Skimmer

April 24, 2013

27 Comments

Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.

Nashville police released a series of still photos (which I made into a slideshow, below) that show a man attaching a card skimming device to a local ATM, and then affixing a false panel above the PIN pad that includes a tiny video camera to record victims entering their PINs. According to Nashville NBC affiliate WSMV.com, this scammer’s scheme didn’t work as planned: The card skimmer overlay came off of the ATM in the hands of the first customer who tried to use it.

As you can see in the image montage, the first would-be victim arrives less than seven minutes after the thief installs the skimmer. The story doesn’t state this, but the customer who accidentally pulled the card skimmer off of the ATM actually drove off with the device. Interestingly, the fraudster returns a few minutes later to salvage what’s left of his kit (and perhaps his pride).

As lame as this ATM skimming attempt was, a few aspects of this crime are worth highlighting because they show up repeatedly in skimming attacks. One is that the vast majority of skimming devices are installed on Saturdays and Sundays, when the crooks know the banks will be closed for at least a day. As a result, you have a much higher chance of encountering a skimmer if you regularly use ATMs on a weekend.

Second, the thieves who install these fraud devices very often are lurking somewhere nearby — to better keep an eye on their investments. If you ever happen to discover a skimming device attached to an ATM, just remember that while walking or driving off with the thing might seem like a good idea at the time, the miscreant who put it there may be watching or following you as you depart the ATM area.

Once or twice a month I am interviewed by various news outlets about ATM skimming attacks, and I’m nearly always asked for recent figures on the incident and cost of these crimes. Those stats are hard to come by; I believe the last time the U.S. Secret Service released figures about the crime, it estimated that annual losses from ATM fraud totaled about $1 billion, but that was for 2008.

Source: Verizon

Today’s figures are almost certainly higher. On Tuesday, Verizon Enterprise Solutions released its annual data breach investigations report, a deep dive into more than 620 data breaches from the past year. Interestingly, this year’s report shows that of the Top 20 Threat Actions the company tracked across all of the breaches from 2012, physical tampering was the most frequent cause — present in more than 30 percent of all incidents detailed in the report.

“Physical tampering is our way of categorizing the installation of a skimming device, and that was the number one threat action out of everything we looked at,” said Wade Baker, managing principal of RISK intelligence at Verizon. “If you look at the last two [Verizon annual] reports, a large majority of the data set was the point-of-sale intrusions at small organizations such as retail establishments and restaurants, and those are actually a much smaller portion of our data set this time.”

Continue reading →

Sources: Tea Leaves Say Breach at Teavana

April 22, 2013

31 Comments

Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands.

Over the weekend, KrebsOnSecurity received a tip from an anonymous reader who said Teavana had suffered a data breach that exposed credit and debit card information. A source at a major U.S. credit card issuer confirmed that the card brand has seen fraud rates indicative of a breach emanating from virtually the entire Teavana franchise, which spans more than 280 stores nationwide. Separately, a federal law enforcement official who asked not to be named said agents were indeed investigating a possible breach at Teavana.

On Sunday, I sent an inquiry to Teavana’s public relations folks. Today, I heard back from Starbucks spokeswoman Jaime Riley, who said Starbucks “takes its obligation to protect customers’ financial information very seriously,” and that the company “has safeguards in place to constantly monitor for any suspicious activity.” But she said the company doesn’t comment on ongoing investigations.

“In the normal course of business, we are contacted by card brands and bank partners to participate in requests to ensure the integrity of all systems, and we participate fully in these requests,” Riley said. “If and when issues are ever substantiated, we will take action to notify and support customers in the most appropriate way possible.”

A source at yet another big debit and credit card issuer said his fraud team became aware of the problem in early March 2013, when the financial institution began seeing a spike in fraudulent charges via counterfeit cards that were being used to buy high-dollar gift cards at Target retail locations.

Continue reading →

Bank Sues Cyberheist Victim to Recover Funds

April 19, 2013

21 Comments

A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan.

On May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte, N.C. based law firm that specializes in handling escrow and other real-estate legal services. The firm had just finished a real estate closing that morning, initiating a wire of $386,600.61 to a bank in Virginia Beach, Virginia. Hours later, the thieves put through their own fraudulent wire transfer, for exactly $50,000 less.

At around 3 p.m. that day, the firm’s bank — Charlotte, N.C. based Park Sterling Bank (PSB)– received a wire transfer order from the law firm for $336,600.61. According to the bank, the request was sent using the firm’s legitimate user name, password, PIN code, and challenge/response questions. PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.

Later that day, after the law firm received an electronic confirmation of the wire transfer, the firm called the bank to say the wire transfer was unauthorized, and that there had been an electronic intrusion into the firm’s computers that resulted in the installation of an unspecified strain of keystroke-logging malware. The law firm believes the malware was embedded in a phishing email made to look like it was sent by the National Automated Clearing House Association (NACHA), a legitimate network for a wide variety of financial transactions in the United States.

As some banks do in such cases, Park Sterling provided a provisional credit to the firm for the amount of the fraudulent transfer so that it would avoid an overdraft of its trust account (money that it was holding for a real estate client) and to allow a period of time for the possible return of the wire transfer funds. PSB said it informed Wallace & Pittman that the credit would need to be repaid by the end of that month.

But on May 30, 2012 — the day before the bank was set to debit the loan amount against the firm’s trust account — Wallace & Pittman filed a complaint against the bank in court, and obtained a temporary restraining order that prevented the bank from debiting any money from its accounts. The next month, the law firm drained all funds from all three of its accounts at the bank, and the complaint against the bank was dismissed.

Park Sterling Bank is now suing its former client, seeking repayment of the loan, plus interest. Wallace & Pittman declined to comment on the ongoing litigation, but in their response to PSB’s claims, the defendants claim that at no time prior to the return of the funds did the bank specify that it was providing a provisional credit in the amount of the fraudulent transfer. Wallace & Pittman said the bank didn’t start calling it a provisional credit until nearly 10 days after it credited the law firm’s account; to backstop its claim, the firm produced an online ledger transaction that purports to show that the return of $336,600.61 to the firm’s accounts was initially classified as a “reverse previous wire entry.”

Continue reading →

SWATting Incidents Tied to ID Theft Sites?

April 17, 2013

31 Comments

Many readers have been asking for an update on the “SWATting” incident at my home last month, in which someone claiming to be me fraudulently reported a home invasion in progress at my address, prompting a heavily armed police response. There are two incremental developments on this story. The first is I’ve learned more about how the hoax was perpetrated. The second is that new clues suggest that the same individual(s) responsible also have been SWATting Hollywood celebrities and posting their personal information on site called exposed.re.

The day before my SWATting, I wrote a story about a site called exposed.su, which was posting the Social Security numbers, previous addresses, phone numbers and other sensitive information on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. I wrote about the site by way of explaining that — as painful as it may be to admit — this information should no longer be considered private, because it is available quite cheaply via a number of shady services advertised in underground cybercrime forums.

[Swatted] notations were added to celebrity names after Exposed.su became Exposed.re

To illustrate this reality, I pointed to one underground site in particular — the now-defunct ssndob.ru (it is now at another domain) — that could be used to pull all of this information on just about anyone, including all of those whose information was listed at the time on exposed.su. In a follow-up investigation I posted on Mar. 18, 2013, I cited sources who claimed that the DDoS against my site and the simultaneous SWATting attack on my home was in retaliation for my writing about ssndob.ru, which allegedly some of those involved in the attacks prized and did not wish to see shuttered.

Specifically, two different sources placed blame for the attacks on a young hacker named “Phobia,” who they said was part of a group of Xbox gaming enthusiasts who used ssndob.ru to look up Social Security numbers belonging to high-value Xbox account holders — particularly those belonging to Microsoft Xbox Live employees. Armed with that information, and some social engineering skills, the hackers could apparently trick Microsoft’s tech support folks into transferring control over the accounts to the hackers. “I heard he got pissed that you released the site he uses,” one of the sources told me, explaining why he thought Phobia was involved.

Incidentally, two days after my story ran, several news outlets reported that Microsoft had confirmed it is investigating the hacking of Xbox Live accounts belonging to some “high-profile” Microsoft employees, and that it is actively working with law enforcement on the matter.

A little digging suggested that Phobia was a 20-year-old Ryan Stevenson from in Milford, Ct. In that Mar. 18 story, I interviewed Phobia, who confessed to being the hacker who broke into and deleted the Apple iCloud account of wired.com reporter Mat Honan. In subsequent postings on Twitter, Honan expressed surprise that no one else had drawn the connections between Phobia and Stevenson earlier, based on the amount of open source information linking the two identities. In his own reporting on the attack that wiped his iCloud data, Honan had agreed not to name Phobia in return for an explanation of how the hack was carried out.

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

The week after my story ran, I heard from someone who lives in Stevenson’s neighborhood and who watched federal agents and police descend on Stevenson’s home on Mar. 20. I was later able to corroborate that information with a police officer in Connecticut, who confirmed that authorities had seized several boxes of items from the Stevenson residence that day.

If Stevenson was as involved as his erstwhile gaming buddies claim, I can’t say that I’m sad to learn that he got his own police raid. However, I do not believe he was the one responsible for sending the emergency response team to my home. I believe that the person or persons responsible is/are still at large, and that Stevenson was merely thrown under the bus as a convenient diversion. But more on that at another time.

At the end of March, exposed.su was shut down, and the content there was migrated over to a new domain — exposed.re. The curator(s) of this site has been adding more celebrities and public figures, but there is another, far more curious, notation on some of the listings at the new version of the site: Several of those named have the designation [Swatted] next to them, including P. Diddy, Justin Timberlake and Ryan Seacrest (see the collage above). It’s worth noting that not all of those listed on exposed.re who were SWATted recently are designated as such on the site.

Continue reading →

Java Update Plugs 42 Security Holes

April 16, 2013

22 Comments

Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java content.

Java 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password” [emphasis mine].

There does not appear to be any update for Java 6. Oracle was to stop shipping security fixes for Java 6 in February, but it broke from that schedule last month when it shipped an emergency update for Java 6 to fix a flaw that was being used in active attacks. When I updated a machine running the latest Java 6 version (Update 43) it prompted me to install Java 7 Update 21. Update, 5:42 p.m. ET: Twitter follower @DonaldOJDK notes that Java 6 Update 45 is indeed available here.

Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.

Continue reading →

Brute Force Attacks Build WordPress Botnet

April 12, 2013

68 Comments

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.

Source: Cloudflare.com

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.

Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms.

“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

Continue reading →

Microsoft: Hold Off Installing MS13-036

April 12, 2013

39 Comments

Microsoft is urging users to who haven’t installed it yet to hold off on MS13-036, a security update that the company released earlier this week to fix a dangerous security bug in its Windows operating system. The advice comes in response to a spike in complaints from Windows users who found their machines unbootable after applying the update.

The MS13-036 update, first released on Tuesday, fixes four vulnerabilities in the Windows kernel-mode driver. In an advisory released April 9, the company said it had removed the download links to the patch while it investigates the source of the problem:

“Microsoft is investigating behavior wherein systems may fail to recover from a reboot or applications fails to load after security update 2823324 is applied. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2823324 update while we investigate.”

The problems with the patch appear to be centered around Windows 7 and certain applications on Windows 7, such as Kaspersky Anti-Virus. Microsoft has issued instructions on how to uninstall this update in the “resolution” section of this advisory.

Update, Apr. 23: Microsoft has re-released the problematic security update to address the problems that some Windows users were experiencing with the MS13-036 patch. The new update, KB62840149, replaces the faulty one, which was KB2823324.

Last »