Critical Update Plugs 40 Security Holes in Java

June 18, 2013

Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows.

javamessThe latest patch brings Java 7 to Update 25 (looks like Oracle has finally followed through on its promise to stop shipping updates for Java 6). In its accompanying advisory, Oracle notes that 37 of the 40 vulnerabilities fixed in this update may be remotely exploitable without authentication — that is, they can be exploited over a network without the need for a username and password.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Continue reading

Windows Security 101: EMET 4.0

June 18, 2013

Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool.

EMET's main window.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.  

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

Continue reading

Advertisement

Double Cashing With Mobile Banking

June 17, 2013

The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country.

Source: Mybanktracker.com

Source: Mybanktracker.com

Louisville, Ky. based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.

“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”

The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.

Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have long fretted about this ever since MRDC started to roll out a few years ago.

“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”

McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.

“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”

Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.

“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so.  Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far.  However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”

Continue reading

Iranian Elections Bring Lull in Bank Attacks

June 14, 2013

For nearly nine months, hacker groups thought to be based in Iran have been launching large-scale cyberattacks designed to knock U.S. bank Websites offline. But those assaults have subsided over the past few weeks as Iranian hacker groups have begun turning their attention toward domestic targets, launching sophisticated phishing attacks against fellow citizens leading up to today’s presidential election there.

Phishing email targeting Iranians. Source: Google.

Phishing email targeting Iranians. Source: Google.

Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.

But roughly three weeks ago, experts began noticing that the attacks had mysteriously stopped.

“We haven’t seen anything for about three weeks now,” said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry coalition that disseminates data about cyber threats to member financial institutions. “It’s not clear why [the attacks stopped], but there are a lot of things going on in Iran right now, particularly the presidential elections.”

Meanwhile, data collected by Google suggests that the attackers are focusing their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates running for Iran’s presidential seat. In a blog post published this week, Google said that it is tracking a “significant jump” in the overall volume of phishing activity in and around Iran.

Continue reading

MtGox Phishing Campaign Hits Bing, Yahoo!

June 13, 2013

An active phishing campaign targeting account holders at popular Bitcoin exchange MtGox.com has hijacked the top search results at Bing and Yahoo.com, redirecting unwary clickers to mtpox.com, a look-alike domain and Web site that was registered on June 12, 2013, less than 24 hours ago.

Check out the video I recorded of this phish in action (turn down in the sound if you hated the Iron Man soundtrack):

Update, June 17, 3:07 p.m: Google’s Youtube team has inexplicably removed my video, calling it a violation of YouTube’s policy on the depiction of harmful activities. 8:09 p.m.: YouTube has restored the video.

Hover over the search links returned in Yahoo.com after searching for “Mtgox” and you’ll see what appears to be a paid or perhaps sponsored search ad that lists a result for mtgox.com, although hovering over the link displays a long “yahoo.com” URL. The same is true when you currently search for “mtgox” on Bing.com: hovering over the returned link shows a bing.com address.

In the video above, entering any credentials at the fake “mtpox.com” site caused a site error, but when I tried it again a moment later, I was redirected to the real Mtgox.com.

Interestingly, it appears the phisher in this case simply copied and pasted the code from Mtgox.com; as shown in the video, hovering over either the username or password field on mtpox.com produces the same warning present on mtgox.com — a message advising visitors to check for the green “extended validation” or EV browser certificate in the URL address bar.

mtpoxphish

This attack, while not particularly unusual, is a good reminder that relying on trusted bookmarks is among the safest ways to navigate to sites that hold your personal and financial information. Using a search engine to find these sites is better than direct navigation (in which a fat-fingered key can lead to a phishing site), but as this phish illustrates, it’s always a good idea to double check the URL in the address bar.

Hat tip to Twitter follower Ryan Mattinson.

Adobe, Microsoft Patch Flash, Windows

June 11, 2013

Patch Tuesday is again upon us: Adobe today issued updates for Flash Player and AIR, fixing the same critical vulnerability in both products. Microsoft‘s patch bundle of five updates addresses 23 vulnerabilities in Windows, Internet Explorer, and Office, including one bug that is already being actively exploited.

crackedwinA majority of the vulnerabilities fixed in Microsoft’s June patch batch — 19 of them — are addressed in a cumulative update for Internet Explorer (MS13-047). The other fix that Microsoft called specific attention to is MS13-051, which tackles a flaw in Office that “could allow remote code execution if a user opens a specially crafted Office document..or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader.”

This Office flaw, which is present in the latest versions of Office 2003 and Microsoft Office for Mac 2011, is already being exploited in targeted attacks, Microsoft said. According to the company’s advisory, this vulnerability was reported by Google. These attacks fit the profile of previous zer0-day incidents, which use targeted email lures and previously unknown vulnerabilities to break into high-value targets.

“When Google encounters flaws that exploit users’ computers, even when the flaws are in other companies’ software, we take strong action to mitigate those attacks,” a Google spokesperson said in response to a request for comment. “Based on the exploit and the way it has been utilized by attackers, we strongly believe the attacks to be associated with a nation-state organization.”

Adobe’s Flash and AIR updates also fix a critical bug that was reported by Google’s security team, although Adobe says it is not aware of any exploits or attacks in the wild against the vulnerability address in its update. The latest Flash version is 11.7.700.224 for Windows and 11.7.700.225 for Mac OS X.  This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome is not yet updated to v. 11.7.700.225, you may just need to restart the browser.

Continue reading

Vrublevsky Arrested for Witness Intimidation

June 5, 2013

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack against Assist, a top ChronoPay competitor.

Pavel Vrublevsky's Facebook profile photo.

Pavel Vrublevsky’s Facebook profile photo.

Vrublevsky is on trial for allegedly hiring two brothers — Igor and Dmitri Artimovich — to use their Festi spam botnet to attack Assist, a competing payments processor. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company at least USD $1 million.

Vrublevsky was imprisoned for six months in 2011 pending his trial, but was released at the end of that year after admitting to his role in the attack. Later, he recanted his jailhouse admission of guilt. Today, he was re-arrested after admitting to phoning a witness in his ongoing trial and offering “financial assistance.” The witness told prosecutors he felt pressured and threatened by the offer.

Two months ago, I signed a book deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

I found this development noteworthy because I, too, was offered financial assistance by Vrublevsky, an offer that very much seemed to me like a threat. In mid-2010, after thousands of emails, documents and hundreds of hours of recorded phonecalls from ChronoPay were leaked to  this author, Vrublevsky began calling me at least once a day from his offices in Moscow. This continued for more than six months. In one conversation from May 2010 , Vrublevsky offered to fly me to Moscow so that I could see firsthand that he had “only a very remote relationship with this case.”

Continue reading

FDIC: 2011 FIS Breach Worse Than Reported

June 4, 2013

A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.

fisJacksonville, Fla. based FIS is one of the largest information processors for the banking industry today, handling a range of services from check and credit card processing to core banking functions for more than 14,000 financial institutions in over 100 countries.

The company came under heavy scrutiny from banking industry regulators in the first quarter of 2011, when hackers who had broken into its networks used that access to orchestrate a carefully-timed, multi-million dollar ATM heist. In that attack, the hackers raised or eliminated the daily withdrawal limits for 22 debit cards they’d obtained from FIS’s prepaid card network. The fraudsters then cloned the cards and distributed them to co-conspirators who used them to pull $13 million in cash from FIS via ATMs in several major cities across Europe, Russia and Ukraine.

FIS first publicly reported broad outlines of the breach in a May 3, 2011 filing with the Securities and Exchange Commission (SEC), stating that it had identified “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities.” FIS told the SEC it worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. “The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter,” it declared in its filing.

FIS’s disclosure to investors cast the breach as limited in scope, saying the break-in was restricted to unauthorized activity at a portion of its network belonging to a small prepaid debit card provider that it acquired in 2007.  But bank examiners at the Federal Deposit Insurance Corp. (FDIC) who audited FIS’s operations in the months following the 2011 breach and again in October 2012 came to a very different conclusion: According to a report that the FDIC sent May 24, 2013 to hundreds of FIS’s customer banks and obtained by KrebsOnSecurity, the 2011 breach was much larger than previously reported.

“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,”  the FDIC examiners wrote in a report from October 2012. “As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”

Indeed, the FDIC’s examiners found that there was scarcely a portion of the FIS network that the hackers did not touch.

“From review of the previous investigation reports, along with other documentation provided by FIS, examiners and payment card industry experts identified over 2,000 touch points that indicated a broad exposure of internal FIS systems and client related data,” the report notes. “These systems include, but are not limited to, the The New York Currency Exchange ATM network, prime core application systems, and various Internet banking, ACH, and wire transfer systems. These touch points also indicated approximately 100 client financial institutions, which appear to have had sensitive data exposed by the attackers.”

fdicsnip

A screen shot of an excerpt from the FDIC report on security lapses at FIS.

In an emailed statement, FIS maintained that “no client of FIS suffered any monetary loss as a result of the incident, and stressed that the report is based upon a review that was completed in October 2012.

“Since that time, FIS has continued to strengthen its information security and risk position, including investments over two years of $100 million or more, as part of our goal to provide best-in-class information security and risk management to each of our 14,000-plus clients. We have openly and regularly communicated these initiatives, our progress and results to our clients and shareholders through meetings, monthly updates, quarterly public disclosures, Board materials, educational webinars, and more.”

WHAT DOES $100 MILLION BUY?

Nevertheless, investors may be less than pleased about how FIS is spending its security dollars. The FDIC found that even though FIS has hired a number of incident response firms and has spent more than $100 million responding to the 2011 breach, the company failed to enact some very basic security mechanisms. For example, the FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that “contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion.”

“Many FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” the FDIC wrote. “Enterprise vulnerability scans in November 2012, noted over 10,000 instances of default passwords in use within the FIS environment.”

The bank auditors also found “a high number of unresolved network and application vulnerabilities remain throughout the enterprise.

“The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due,” the report charges.

What’s more, investigators probing the breach at FIS may have been denied key clues about the source of the intrusion because FIS incident response personnel wiped many of the compromised systems and put them back on the network before the machines could be properly examined.

“Many systems were re-constituted and introduced back into the production environment before data preservation techniques were applied,” the report notes. “Additionally, poor forensic preservation techniques led to numerous servers being re-imaged before analysis was completed and significant logging data was inadvertently destroyed. Several servers, key to the investigation process, were re-introduced into the production environment and subsequently re-compromised due to misconfigured baselines and inadequate security testing outside of corporate policy.”

Continue reading

Cashout Service for Ransomware Scammers

June 3, 2013

There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware — malware that hijacks PCs until victims pay a ransom – levees a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes. Source: botnets.fr

Ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities.  Typically, these scams impersonate the Department of Homeland Security or the FBI (or the equivalent federal investigative authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content.

Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Victims are instructed to pay the ransom by purchasing a prepaid MoneyPak card, sold at everything from Walgreens to Wal-Mart (some scams tell victims to pay using a PaySafe or Ukash card). Victims are then told to send the attackers a 14-digit voucher code that allows the bad guys to redeem those MoneyPak vouchers for cash.

Trouble is, taking funds off of a MoneyPak requires either spending it at stores that accept it, or hooking it up to a U.S. bank account, to PayPal, or to a prepaid Visa or Mastercard. What’s more, most miscreants who are even halfway competent at spreading ransomware can expect to collect dozens of MoneyPak codes per day, so cashing out via the above-mentioned methods simply does not scale well for successful bad guys (particularly those who live outside of the United States).

Last week, I stumbled on a ransomware cashout service hosted in Minsk, Belarus that helps simplify the process. It checks the balances of MoneyPak codes by abusing a feature built into betamerica.com, a legitimate and legal site where gamblers can go to bet on dog and horse races in the United States.  Specifically, the ransomware cashout service queries a page at betamerica.com that lets customers fund their betting accounts using MoneyPak.

I reached out to Betamerica.com’s operations team and spoke with a woman who would only give her name as “Leslie.” Leslie said the company had already flagged the account that was being used to check the MoneyPak voucher codes.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” she said, explaining that this status prevents customer accounts from placing bets on races. Leslie said Betamerica scrutinizes the Moneypak activity because fraudsters have tried to use the codes to launder money.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”

When I first encountered this ransomware cashout service and discovered the connection to Betamerica, I was sure the miscreants were trying to launder money through the betting site. But after my conversation with Leslie, the true scope of this ransomware operation began to come into focus. It appears to involve the cooperation of several sets of actors:

MoneyPak cashout scheme.

Scheme to cash out $300 MoneyPak vouchers obtained from ransomware victims.

Continue reading