Vrublevsky Arrested for Witness Intimidation

June 5, 2013

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack against Assist, a top ChronoPay competitor.

Pavel Vrublevsky's Facebook profile photo.

Pavel Vrublevsky’s Facebook profile photo.

Vrublevsky is on trial for allegedly hiring two brothers — Igor and Dmitri Artimovich — to use their Festi spam botnet to attack Assist, a competing payments processor. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company at least USD $1 million.

Vrublevsky was imprisoned for six months in 2011 pending his trial, but was released at the end of that year after admitting to his role in the attack. Later, he recanted his jailhouse admission of guilt. Today, he was re-arrested after admitting to phoning a witness in his ongoing trial and offering “financial assistance.” The witness told prosecutors he felt pressured and threatened by the offer.

Two months ago, I signed a book deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

I found this development noteworthy because I, too, was offered financial assistance by Vrublevsky, an offer that very much seemed to me like a threat. In mid-2010, after thousands of emails, documents and hundreds of hours of recorded phonecalls from ChronoPay were leaked to  this author, Vrublevsky began calling me at least once a day from his offices in Moscow. This continued for more than six months. In one conversation from May 2010 , Vrublevsky offered to fly me to Moscow so that I could see firsthand that he had “only a very remote relationship with this case.”

Continue reading

FDIC: 2011 FIS Breach Worse Than Reported

June 4, 2013

A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.

fisJacksonville, Fla. based FIS is one of the largest information processors for the banking industry today, handling a range of services from check and credit card processing to core banking functions for more than 14,000 financial institutions in over 100 countries.

The company came under heavy scrutiny from banking industry regulators in the first quarter of 2011, when hackers who had broken into its networks used that access to orchestrate a carefully-timed, multi-million dollar ATM heist. In that attack, the hackers raised or eliminated the daily withdrawal limits for 22 debit cards they’d obtained from FIS’s prepaid card network. The fraudsters then cloned the cards and distributed them to co-conspirators who used them to pull $13 million in cash from FIS via ATMs in several major cities across Europe, Russia and Ukraine.

FIS first publicly reported broad outlines of the breach in a May 3, 2011 filing with the Securities and Exchange Commission (SEC), stating that it had identified “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities.” FIS told the SEC it worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. “The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter,” it declared in its filing.

FIS’s disclosure to investors cast the breach as limited in scope, saying the break-in was restricted to unauthorized activity at a portion of its network belonging to a small prepaid debit card provider that it acquired in 2007.  But bank examiners at the Federal Deposit Insurance Corp. (FDIC) who audited FIS’s operations in the months following the 2011 breach and again in October 2012 came to a very different conclusion: According to a report that the FDIC sent May 24, 2013 to hundreds of FIS’s customer banks and obtained by KrebsOnSecurity, the 2011 breach was much larger than previously reported.

“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,”  the FDIC examiners wrote in a report from October 2012. “As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”

Indeed, the FDIC’s examiners found that there was scarcely a portion of the FIS network that the hackers did not touch.

“From review of the previous investigation reports, along with other documentation provided by FIS, examiners and payment card industry experts identified over 2,000 touch points that indicated a broad exposure of internal FIS systems and client related data,” the report notes. “These systems include, but are not limited to, the The New York Currency Exchange ATM network, prime core application systems, and various Internet banking, ACH, and wire transfer systems. These touch points also indicated approximately 100 client financial institutions, which appear to have had sensitive data exposed by the attackers.”

fdicsnip

A screen shot of an excerpt from the FDIC report on security lapses at FIS.

In an emailed statement, FIS maintained that “no client of FIS suffered any monetary loss as a result of the incident, and stressed that the report is based upon a review that was completed in October 2012.

“Since that time, FIS has continued to strengthen its information security and risk position, including investments over two years of $100 million or more, as part of our goal to provide best-in-class information security and risk management to each of our 14,000-plus clients. We have openly and regularly communicated these initiatives, our progress and results to our clients and shareholders through meetings, monthly updates, quarterly public disclosures, Board materials, educational webinars, and more.”

WHAT DOES $100 MILLION BUY?

Nevertheless, investors may be less than pleased about how FIS is spending its security dollars. The FDIC found that even though FIS has hired a number of incident response firms and has spent more than $100 million responding to the 2011 breach, the company failed to enact some very basic security mechanisms. For example, the FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that “contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion.”

“Many FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” the FDIC wrote. “Enterprise vulnerability scans in November 2012, noted over 10,000 instances of default passwords in use within the FIS environment.”

The bank auditors also found “a high number of unresolved network and application vulnerabilities remain throughout the enterprise.

“The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due,” the report charges.

What’s more, investigators probing the breach at FIS may have been denied key clues about the source of the intrusion because FIS incident response personnel wiped many of the compromised systems and put them back on the network before the machines could be properly examined.

“Many systems were re-constituted and introduced back into the production environment before data preservation techniques were applied,” the report notes. “Additionally, poor forensic preservation techniques led to numerous servers being re-imaged before analysis was completed and significant logging data was inadvertently destroyed. Several servers, key to the investigation process, were re-introduced into the production environment and subsequently re-compromised due to misconfigured baselines and inadequate security testing outside of corporate policy.”

Continue reading

Advertisement

Cashout Service for Ransomware Scammers

June 3, 2013

There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware — malware that hijacks PCs until victims pay a ransom – levees a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes. Source: botnets.fr

Ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities.  Typically, these scams impersonate the Department of Homeland Security or the FBI (or the equivalent federal investigative authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content.

Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Victims are instructed to pay the ransom by purchasing a prepaid MoneyPak card, sold at everything from Walgreens to Wal-Mart (some scams tell victims to pay using a PaySafe or Ukash card). Victims are then told to send the attackers a 14-digit voucher code that allows the bad guys to redeem those MoneyPak vouchers for cash.

Trouble is, taking funds off of a MoneyPak requires either spending it at stores that accept it, or hooking it up to a U.S. bank account, to PayPal, or to a prepaid Visa or Mastercard. What’s more, most miscreants who are even halfway competent at spreading ransomware can expect to collect dozens of MoneyPak codes per day, so cashing out via the above-mentioned methods simply does not scale well for successful bad guys (particularly those who live outside of the United States).

Last week, I stumbled on a ransomware cashout service hosted in Minsk, Belarus that helps simplify the process. It checks the balances of MoneyPak codes by abusing a feature built into betamerica.com, a legitimate and legal site where gamblers can go to bet on dog and horse races in the United States.  Specifically, the ransomware cashout service queries a page at betamerica.com that lets customers fund their betting accounts using MoneyPak.

I reached out to Betamerica.com’s operations team and spoke with a woman who would only give her name as “Leslie.” Leslie said the company had already flagged the account that was being used to check the MoneyPak voucher codes.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” she said, explaining that this status prevents customer accounts from placing bets on races. Leslie said Betamerica scrutinizes the Moneypak activity because fraudsters have tried to use the codes to launder money.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”

When I first encountered this ransomware cashout service and discovered the connection to Betamerica, I was sure the miscreants were trying to launder money through the betting site. But after my conversation with Leslie, the true scope of this ransomware operation began to come into focus. It appears to involve the cooperation of several sets of actors:

MoneyPak cashout scheme.

Scheme to cash out $300 MoneyPak vouchers obtained from ransomware victims.

Continue reading

Underweb Payments, Post-Liberty Reserve

May 30, 2013

Following the U.S. government’s seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?

As I mentioned in an appearance today on NPR’s show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry’s crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government’s action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

Fluctuation in BTC values. Source: Bitcoincharts.com

Fluctuation in BTC values. Source: Bitcoincharts.com

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.

For one thing, Bitcoin’s conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney — a digital currency founded in Russia — one LR or WMZ (the “Z” designation is added to all purses kept in US currency) has always equaled $1 USD.

The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin’s price volatility could turn an otherwise simple transaction into an ugly mess for both parties.

“Say I pay you $1k today for a project, and its late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It’s not yet stable to be used in such a way.”

Another forum member agreed: “BTC on large scale or saving big amounts is a mess because the price changes. Maybe it’s only good cashing out,” noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.

Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors.  As the U.S. government’s complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.

“Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk,” wrote “Off-Sho.re,” a bulletproof hosting provider I profiled in an interview earlier this month. “In the legit ‘real products’ area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice.”

What’s more, MtGox — Bitcoin’s biggest exchanger and the primary method that users get money into and out of the P2P currency — today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.

A logo from perfectmoney.com

A logo from perfectmoney.com

Perhaps the closest competitor to Liberty Reserve and WebMoney — a Panamanian e-currency known as Perfect Money (or just “PM” to many) — appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from U.S. citizens or companies.

For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred U.S. citizens from creating new accounts (it did so in March 2013, in apparent response to the U.S. Treasury Department’s new regulations on virtual currencies.) Still, WebMoney has been around for so long — and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts — that most miscreants and n’er-do-wells in the underground already have accounts there.

But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed “Ninja,” the administrator of Carder.pro — a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company’s homepage featured seizure warnings from a trio of U.S. federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the U.S. Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.

Now, Ninja says, he’s ready to pay up, but he’s not interested in buying into yet another virtual currency. Instead, he says he’s planning to create a new “carding payment system,” one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).

ninjapost

Continue reading

U.S. Government Seizes LibertyReserve.com

May 28, 2013

Indictment, arrest of virtual currency founder targets alleged “financial hub of the cybercrime world.”

U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the U.S. government alleges acted as “a financial hub of the cyber-crime world” and processed more more than $6 billion in criminal proceeds over the past seven years.

After being unreachable for four days, Libertyreserve.com's homepage now includes this seizure notice.

After being unreachable for four days, Libertyreserve.com now includes this seizure notice.

The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company’s founder Arthur Budovsky, 39-year-old Ukrainian native who moved to Costa Rica to start the business.

According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as “a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.”

The U.S. government alleges that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. “Overall, from 2006 to May 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and is believed to have laundered more than $6  billion in criminal proceeds,” the government’s indictment reads. Liberty Reserve “deliberately attracted and maintained a customer base of criminals by making financial activity on Liberty Reserve anonymous and untraceable.”

Despite the government’s claims, certainly not everyone using Liberty Reserve was involved in shady or criminal activity. As noted by the BBC, many users — principally those outside the United States — simply viewed the currency as cheaper, more secure and private alternative to PayPal. The company charged a one percent fee for each transaction, plus a 75 cent “privacy fee” according to court documents.

“It had allowed users to open accounts and transfer money, only requiring them to provide a name, date of birth and an email address,”  BBC wrote. “Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then “converted” into one of the firm’s own currencies – mirroring either the Euro or US dollar – at which point it could be transferred to another account holder who could then extract the funds.”

But according to the Justice Department, one of the ways that Liberty Reserve enabled the use of its services for criminal activity was by offering a shopping cart interface that merchant Web sites could use to accept Liberty Reserve as a form of payment (I’ve written numerous stories about many such services).

“The ‘merchants’ who accepted LR currency were overwhelmingly criminal in nature,” the government’s indictment alleges. “They included, for example, traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi and get-rich-quick schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing websites.”

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

It remains unclear how much money is still tied up in Liberty Reserve, and whether existing customers will be afforded access to their funds. At a press conference today on the indictments, representatives from the Justice Department said the Liberty Reserve accounts are frozen. In a press release, the agency didn’t exactly address this question, saying: “If you believe you were a victim of a crime and were defrauded of funds through the use of Liberty Reserve, and you wish to provide information to law enforcement and/or receive notice of future developments in the case or additional information, please contact (888) 238- 0696 or (212) 637-1583.”

Continue reading

Reports: Liberty Reserve Founder Arrested, Site Shuttered

May 25, 2013

The founder of Liberty Reserve, a digital currency that has evolved as perhaps the most popular form of payment in the cybercrime underground, was reportedly arrested in Spain this week on suspicion of money laundering. News of the law enforcement action may help explain an ongoing three-day outage at libertyreserve.com: On Friday, the domain registration records for that site and for several other digital currency exchanges began pointing to Shadowserver.org, a volunteer organization dedicated to combating global computer crime.

lriconAccording to separate reports in The Tico Times and La Nacion, two Costa Rican daily newspapers, police in Spain arrested Arthur Budovsky Belanchuk, 39, as part of a money laundering investigation jointly run by authorities in New York and Costa Rica.

Update, May 28, 9:11 a.m. ET: Libertyreserve.com is now resolving again, but its homepage has been replaced by a notice saying “THIS DOMAIN NAME HAS BEEN SEIZED,” and features badges from the U.S. Treasury Dept., U.S. Secret Service, and the DHS.

Original story:

The papers cited Costa Rican prosecutor José Pablo González saying that Budovsky, a Costa Rican citizen of Ukrainian origin, has been under investigation since 2011 for money laundering using Liberty Reserve, a company he created in Costa Rica. “Local investigations began after a request from a prosecutor’s office in New York,” Tico Times reporter L. Arias wrote. “On Friday, San José prosecutors conducted raids in Budovsky’s house and offices in Escazá, Santa Ana, southwest of San José, and in the province of Heredia, north of the capital. Budovsky’s businesses in Costa Rica apparently were financed by using money from child pornography websites and drug trafficking.”

For those Spanish-speaking readers out there, Gonzalez can be seen announcing the raids in a news conference documented in this youtube.com video (the subtitles option for English do a decent job of translation as well).

Liberty Reserve is a largely unregulated money transfer business that allows customers to open accounts using little more than a valid email address, and this relative anonymity has attracted a huge number of customers from underground economies, particularly cybercrime.

In a now 10-page thread on this crime forum, many members are facing steep losses.

In a now 10-page thread on this crime forum, many members are facing steep losses.

The trouble started on Thursday, when libertyreserve.com inexplicably went offline. The outage set off increasingly anxious discussions on several major cybercrime forums online, as many that work and ply their trade in malicious software and banking fraud found themselves unable to access their funds. For example, a bulletproof hosting provider on Darkode.com known as “off-sho.re” (a hacker profiled in this blog last week) said he stood to lose $25,000, and that the Liberty Reserve shutdown “could be the most massive ownage in the history of e-currency.”

That concern turned to dread for some after it became apparent that this was no ordinary outage. On Friday, the domain name servers for Libertyreserve.com were changed and pointed to ns1.sinkhole.shadowserver.org and ns2.sinkhole.shadowserver.org. Shadowserver is an all-volunteer nonprofit organization that works to help Internet service providers and hosting firms eradicate malware infections and botnets located on their servers.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. In its 2011 takedown of the Coreflood botnet, for example, the U.S. Justice Department relied on sinkholes maintained by the nonprofit Internet Systems Consortium (ISC). Sinkholes are most often used to seize control of botnets, by interrupting the DNS names the botnet is programmed to use. Ironically, as of this writing Shadowserver.org is not resolving, possibly because the Web site is under a botnet attack (hackers from at least one forum threatened to attack Shadowserver.org in retaliation for losing access to their funds).

Reached via Twitter, a representative from Shadowserver declined to comment on the outage or about Liberty Reserve, saying “We are not able to provide public comment at this time.” I could find no official statement from the U.S. Justice Department on this matter either.

Libertyreserve.com is not the only virtual currency exchange that has been redirected to Shadowserver’s DNS servers. According to passive DNS data collected by the ISC, at least five digital currency exchanges —milenia-finance.comasianagold.comexchangezone.commoneycentralmarket.com and swiftexchanger.com — also went offline this week, their DNS records changed to the same sinkhole entries at shadowserver.org.

Continue reading

Skype Beta Plugs IP Resolver Privacy Leak

May 24, 2013

A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only.

A new privacy feature in Skype Beta 6.5 for Windows and Mac 6.4

A new privacy feature in Skype Beta 6.5 for Windows and Mac 6.4

As I wrote on March 21, 2013,  number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

The resolvers can look up the IP address of any Skype user — whether or not that user is in your contacts list or even online at the time of the lookup. What’s more, resolver services frequently are offered in tandem with “booter” or “stresser” services, essentially sites that will launch denial-of-service attacks against a target of your choosing.

Apparently in response to this problem, Microsoft has added a new option to its Skype 6.5 Beta, released April 30, that allows users to allow direct connections to your contacts only. The information tab on this option, found under Skype->Options->Connection, says “When you call someone who isn’t a contact, we’ll keep your IP address hidden.”

Continue reading

NC Fuel Distributor Hit by $800,000 Cyberheist

May 23, 2013

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

jtaOrganized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

Continue reading

Krebs, KrebsOnSecurity, As Malware Memes

May 22, 2013

Hardly a week goes by when I don’t hear from some malware researcher or reader who’s discovered what appears to be a new sample of malicious software or nasty link that invokes this author’s name or the name of this blog. I’ve compiled this post to document a few of these examples, some of which are quite funny.

loginbetabot1

Source: Exposedbotnets.com

Take, for example, the login panel for “Betabot“: Attempt to log in to this malware control panel with credentials that don’t work and you’ll be greeted with a picture of this author, accompanied by the following warning: “Enter the correct password or I will write a 3-part article on this failed login attempt.”

The coders behind Betabot evidently have several versions of this login panel warning: According to a threat intelligence report being released tomorrow by RSA, the latest iteration of this kit uses the mugshot from my accounts at Twtter (follow me!) and Facebook (like it!).

As first detailed by Sophos’s award-winning Naked Security blog, the code inside recent versions of the Redkit exploit kit includes what appears to be a message blaming me for…well, something. The message reads: “Crebs, its [sic] your fault.”

sophosredkit

Text string inside of the Redkit exploit kit. Source: Sophos

The one I probably hear about most from researchers is a text string that is built into Citadel (PDF), an offshoot of the ZeuS banking trojan botnet kit that includes the following reference: “Coded by BRIAN KREBS for personal use only. I love my job and my wife.”

A text string inside of the Citadel trojan. Source: AhnLab

A text string within the code of the Citadel trojan. Source: AhnLab

Those are just the most visible examples. More commonly, if Yours Truly is invoked in the name of cybercrime, it tends to show up in malicious links that lead to malware. Here are a few just from the past couple of weeks:

Continue reading

Conversations with a Bulletproof Hoster

May 20, 2013

Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers — the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, and who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen.

Off-Sho.re's intro to Darkode

Off-Sho.re’s intro post to Darkode

Earlier this year, the closely-guarded English-language crime forum darkode.com was compromised and came under a series of heavy distributed denial-of-service (DDoS) attacks aimed at keeping it offline. Around that same time, darkode.com welcomed a new member — a bulletproof hosting broker aptly named “Off-sho.re” — who promised to defend the site from future DDoS attacks.

Off-sho.re also said he could offer more robust and crime-friendly hosting services than darkode’s previous provider — Santrex, literally an offshore hosting facility located in the Seychelles, a 115-island country that spans an archipelago in the Indian Ocean. Off-sho.re’s timing was perfect: Darkode desperately needed both, and Off-sho.re seemed to know his stuff, so he was admitted to the forum and given stewardship of the site’s defense and hosting.

Off-sho.re recruits Stophaus members on darkode.

Off-sho.re recruits Stophaus members on darkode.

STOPHAUS V. SPAMHAUS

Of course, to successfully defend a network against DDoS attacks one must know a great deal about how to launch such assaults. Indeed, Off-sho.re was an integral member of Stophaus, an upstart group of bulletproof hosters that banded together in March to launch a massive Internet attack against anti-spam group Spamhaus.org.

Hundreds of ISPs route or deny traffic based in part on Spamhaus’s blacklists of known, cybercrime-friendly ISPs, and Stophaus formed in response to Spamhaus’s listing of bulletproof hosting provider in particular: A network known alternatively as CB3ROB, a.k.a. “Cyberbunker” because it operated from a heavily fortified NATO bunker in The Netherlands.

Off-sho.re is moderator of the Stophaus forum, and not long after joining darkode.com, he was recruiting fellow darkode members for the Stophaus cause. Stophaus’s records show that another core member was “0ptik,” a competing bulletproof hosting provider. Spamhaus had listed dozens of Optik’s domains, as well as virtually all of the IP address ranges Off-sho.re had rented at abuse-friendly Romanian hosting provider Voxility. It was payback time.

In late March, Spamhaus became the target of what experts called one of the largest computer attacks on the Internet. The method of attack — a DNS amplification attack — was similar to that first seen used in attacks more than a decade ago that targeted the heart of the Internet’s routing system, except that it was by most accounts much larger.

Off-sho.re calls Spamhaus assault "our prank."

Off-sho.re calls Spamhaus assault “our prank.”

“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” Off-sho.re wrote in a darkode.com posting less than 24 hours after the attack on Spamhaus began. “The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.” Linking to a writeup from Cloudflare.com about the attack, Off-sho.re stated that “Some BP hosters were lately united, check out our latest prank.”

Last month, authorities in Spain arrested Sven Kamphuis, a 35-year-old Dutch man, thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. But according to Off-Sho.re, Kamphuis was just the public face of the movement. “Sven didn’t attack anyone,” Off-Sho.re wrote in an online chat with KrebsOnSecurity.

If Kamphuis was just a mouthpiece, who was responsible for the attack? What is interesting about the Stophaus movement is that Off-sho.re very well may have prompted Spamhaus to finally place CB3ROB/Cyberbunker at the top of its World’s Worst Spam-Support ISPs list, a move that helped to precipitate this conflict.

According to Spamhaus, while Cyberbunker and Spamhaus certainly have a bit of a history together, Cyberbunker wasn’t really a focus of Spamhaus’s blocking efforts until the fall of 2012. That’s when Spamhaus began noticing a large number of malware and botnet control servers being stood up inside of Cyberbunker’s Internet address ranges.

“We didn’t really notice these guys at CB3ROB much until last fall, when they started hosting botnet controllers, malware droppers and a lot of pharma spam stuff,” said a Spamhaus member who would only give his name as “Barry.” “Before that, it was mainly routing for some Chinese guys — Vincent Chan — fake Chinese products.”

Off-sho.re sells BP hosting out of Cyberbunker

Off-sho.re selling BP hosting out of Cyberbunker

Oddly enough, this coincides with Off-sho.re’s entrance on the bulletproof hosting scene (at least as advertised on crime forums). In his introduction post to Darkode, Off-sho.re  referenced his bulletproof hosting sales threads at two Russian-language forums — expoit.in and damagelab.org. In these threads, which began in Sept. 2012, Off-sho.re advertised the ability to host ZeuS and SpyEye botnet command and control networks for between $99 and $199 per month, and bulletproof domain registration from $30 per month. More importantly, Off-sho.re proudly announced that he was offering a premiere BP hosting service for $400 a month that was housed in an old NATO bunker in Holland and that used IP addresses assigned to CB3ROB (see screenshot to left).

Continue reading