Krebs on Security

Crooks Net Millions in Coordinated ATM Heists

February 6, 2013

Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.

According to sources in the financial industry and in law enforcement, the thieves first struck on Christmas Eve 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries. Within hours, the perpetrators had stolen approximately $9 million.

Then, just prior to New Year’s Eve, the fraudsters struck again, this time attacking a card network in India and making off with slightly less than $2 million, investigators say.

The accounts that the perpetrators used to withdraw money from ATMs were tied to re-loadable prepaid debit cards, which can be replenished with additional funds once depleted. Prepaid card networks generally enforce low-dollar limits that restrict the amounts customers can withdraw from associated accounts in a 24 hour period. But in both ATM heists, sources said, the crooks were able to increase or eliminate the withdrawal limits for the prepaid accounts they controlled.

Shortly after the second heist, Visa released a private alert to payment card issuers, warning them to be on the lookout for additional ATM mega-heists over the New Years holiday. Sources say Visa’s alert was indeed prompted by the multi-million dollar heists at the end of December.

The Visa alert (PDF), sent to card issuers at the beginning of January 2013, warns:

“Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe. In a recently reported case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple countries around the world in one weekend.”

“These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

Continue reading →

Flaw Flood Busts Bug Bank

February 4, 2013

12 Comments

The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports.

Currently, when a vulnerability is reported or discovered, it is assigned a CVE number that corresponds to the year it was reported, followed by a unique 4-digit number. For example, a recent zero-day Java flaw discovered earlier this year was assigned the identifier CVE-2013-0422. But in a recent publication, The MITRE Corp., the organization that maintains the index, said it wanted to hear feedback on several proposed changes, such as modifying the CVE to allow for up to 999,999 vulnerabilities to be cataloged annually.

“Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year,” CVE Project announced last month. “The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.”

It’s not clear if this shift means software is getting buggier or if simply more people are looking for flaws in more places (probably both), but new research released today suggests that bug finders have more incentive than ever to discover — and potentially get paid handsomely for — new security holes.

For example, one of the hottest areas of vulnerability research right now centers on the industrial control system space — the computers and networks that manage critical infrastructure systems which support everything from the power grid to water purification, manufacturing and transportation systems. In a report released today, Austin, Texas based security firm NSS Labs said the number of reported vulnerabilities in these critical systems has grown by 600 percent in 2010 and nearly doubled from 2011 to 2012 alone.

NSS’s Stefan Frei found that 2012 reversed a long running trend of decreasing vulnerability disclosures each year. At the same time, NSS tracked a decline in vulnerabilities being reported by perhaps the top two organizations that pay researchers to find bugs. For example, Frei noted, iDefense‘s Vulnerability Contributor Program (VCP) and HP Tipping Point‘s Zero Day Initiative (ZDI) each reversed their five-year-long rise in vulnerability reports with a reduction of more than 50 percent in 2012.

Frei suggests one major reason for the decline in bugs reported by ZDI and the VCP: researchers looking to sell vulnerability discoveries today have many more options that at any time in the past.

Continue reading →

Critical Java Update Fixes 50 Security Holes

February 3, 2013

56 Comments

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

The original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchers have shown that the new feature can be easily bypassed.

Continue reading →

Source: Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012

February 1, 2013

70 Comments

The Washington Post was among several major U.S. newspapers that spent much of 2012 trying to untangle its newsroom computer networks from a Web of malicious software thought to have been planted by Chinese cyberspies, according to a former information technology employee at the paper.

On Jan. 30, The New York Times disclosed that Chinese hackers had persistently attacked the Gray Lady, infiltrating its computer systems and getting passwords for its reporters and other employees. The Times said that the timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

The following day, The Wall Street Journal ran a story documenting similar incursions on their network. Now, a former Post employee is coming forward with information suggesting that Chinese hacker groups had broadly compromised computer systems within the Post’s newsroom and other operations throughout 2012.

According to a former Washington Post information technology employee who helped respond to the break-in, attackers compromised at least three servers and a multitude of desktops, installing malicious software that allowed the perpetrators to maintain access to the machines and the network.

“They transmitted all domain information (usernames and passwords),” the former Post employee said on condition of anonymity. ” We spent the better half of 2012 chasing down compromised PCs and servers. [It] all pointed to being hacked by the Chinese. They had the ability to get around to different servers and hide their tracks. They seemed to have the ability to do anything they wanted on the network.”

The Post has declined to comment on the source’s claims, saying through a spokesman that “we have nothing to share at this time.” But according to my source, the paper brought in several computer forensics firms – led by Alexandria, Va. based Mandiant – to help diagnose the extent of the compromises and to evict the intruders from the network. Mandiant declined to comment for this story.

Update, Feb. 2, 7:42 a.m. ET: The Post has published its own story confirming my source’s claims.

Continue reading →

Pro-Grade Point-of-Sale Skimmer

February 1, 2013

39 Comments

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

This point-of-sale device was one of several found in an as-yet undisclosed merchant breach.

In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.

Spruill said the card-skimming devices that had been added to the small point-of-sale machines was beyond anything he’d encountered in skimmer technology to date.

“The stuff we’ve been seeing lately is a leap forward in these types of crimes,” said Spruill, a former special agent with the U.S. Secret Service. “You hate to say you admire the work, but at some point you say, ‘Wow, that’s pretty clever.’ From a technical and hardware standpoint, this was really well thought-out.”

Spruill declined to name the breached merchant, and said it was unclear how long the devices had been in place prior to their discovery, or how they were introduced into the stores. But the incident is the latest in a string of breaches involving bricks-and-mortar merchants discovering compromised point-of-sale devices at their retail stores. Late last year, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide.

The picture below shows the card skimmer in more detail. The entire green square circuit board with the grey square heat shield and the blue element to the left are the brains of the device. The eight-legged black component in the upper right is the memory module that stored stolen credit and debit card and PIN data from unwitting store customers.

Beneath the large grey heat shield in the center of the circuit board are the chips that control the Bluetooth radio. That entire component is soldered to the base of the board. The blue and white wires leading from the skimming device connect the skimming module to the card reader on the point-of-sale device, while the group of eight orange wires that come out of the bottom connect directly to the device’s PIN pad.

The Bluetooth point-of-sale skimmer, up close.

The image below shows the eight orange wires from the skimmer soldered to the POS device. Spruill said the quality of the soldering job indicates this was not made by some kid in his mom’s basement.

“One of the reasons suggesting that the attacker was fairly accomplished is the quality of the solder done with those very small connections to the PIN pad,” he said.

Continue reading →

Big Bank Mules Target Small Bank Businesses

January 28, 2013

29 Comments

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company’s online banking accounts using the controller’s credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles’ payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

Niles’ financial institution — Ft. Lauderdale, Fla. based Optimum Bank — evidently saw nothing suspicious about 11 new employees scattered across five states being added to its customer’s payroll overnight. From the bank’s perspective, the user submitting the payroll batch logged in to the account with the proper credentials and with the same PC that was typically used to administer the account. The thieves would put through another two fraudulent payment batches over next two days (the bank blocked the last batch on the 19th).

In total, the attackers appear to have recruited at least two dozen money mules to help haul the stolen loot. All but two of the mules used or opened accounts at four out of five of the nation’s top U.S. banks, including Bank of America, Chase, Citibank, and Wells Fargo. No doubt these institutions together account for a huge percentage of the retail banking accounts in America today, but interviews with mules recruited by this crime gang indicate that they were instructed to open accounts at these institutions if they did not already have them.

ANALYSIS

I’ve spoken at numerous financial industry conferences over the past three years to talk about these cyberheists, and one question I am almost always asked is, “Is it safer for businesses to bank at larger institutions?” This is a tricky question to answer because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses. Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.

What’s more, it is likely that fewer cyberheists involving customers of Top 5 banks ever see the light of day, principally because the larger banks are in a better financial position to assume responsibility for some or all of the loss (provided, of course, that the victim in return agrees not to sue the bank or disclose the breach publicly).

I prefer to answer the question as if I were a modern cyberthief in charge of selecting targets. The organized crooks behind these attacks blast out tens of millions of booby-trapped emails daily, and undoubtedly have thousands of stolen online banking credentials to use at any one time. There are more than 7,000 financial institutions in the United States…should I choose a target at one of the top 10 banks? These institutions hold a majority of the financial industry’s assets, and they’re accustomed to moving huge sums of money around each day.

On the other hand, their potential for fraud is almost certainly orders of magnitude greater than at smaller institutions. That would suggest that it may be easier for these larger institutions to justify antifraud expenditures. That incentive to enact antifraud protections is even greater because these institutions have huge numbers of retail customers, a channel in which they legally eat the loss from unauthorized account activity.

Continue reading →

Inside the Gozi Bulletproof Hosting Facility

January 25, 2013

13 Comments

Nate Anderson at Ars Technica has a good story about how investigators tracked down “Virus,” the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, I’ve been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had.

On Wednesday, federal prosecutors unveiled criminal charges against three men who allegedly created and distributed Gozi. Among them was Mihai Ionut Paunescu, a 28-year-old Romanian national accused of providing the gang “bulletproof hosting” services. Bulletproof hosting is an Underweb term for a hosting provider that will host virtually any content, from phishing and carding sites to botnet command centers and browser exploit kits. After I read the Ars story, I took a closer look at the Paunescu complaint (PDF), and several details immediately caught my eye.

For one thing, the feds say Paunescu was an administrator of powerhost.ro (virus@powerhost.ro). In December 2011, a source shared with KrebsOnSecurity several massive database dumps from that server, which had apparently been hacked. Included in that archive was a screenshot of the administration panel for the powerhost.ro server. It visually depicts many of the details described in the government’s indictment and complaint against Paunescu, such as how the BP provider was home to more than 130 servers, and that it charged exorbitant prices — sometimes more than 1,000 euros per month for a single server.

The above screenshot (which is a snippet taken from this full-screen version) shows that this server was used for projects that were “50%SBL,” meaning that about half of the properties on it were listed on the Spamhaus Block List (SBL), which flags Web sites that participate in malicious activity online, particularly sending or benefiting from spam and hosting malware. Some of the names chosen for the servers are fairly telling, such as “darkdeeds1,” “darkdeeds2,” “phreak-bots” and “phis1.” The data dump from powerhost.ro included multiple “drop” sites, where ZeuS and SpyEye botnets would deposit passwords, bank account information and other data stolen from tens of thousands of victim PCs.

Continue reading →

Backdoors Found in Barracuda Networks Gear

January 24, 2013

32 Comments

A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.

Barracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab., discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehböck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Viehböck said he soon found that these devices all were configured out-of-the-box to listen for incoming SSH connections on those undocumented accounts, but that the devices were set to accept connection attempts only from Internet address ranges occupied by Barracuda Networks. Unfortunately, Barracuda is not the only occupant of these ranges. Indeed, a cursory lookup of the address ranges at network mapping site Robtex.com shows there are potentially hundreds of other companies running Web sites and other online operations in the same space.

Continue reading →

Three Charged in Connection with ‘Gozi’ Trojan

January 23, 2013

21 Comments

Federal prosecutors today announced criminal charges against three men alleged to be responsible for creating and distributing the Gozi Trojan, an extremely sophisticated strain of malicious software that was sold to cyber crooks and was tailor-made to attack specific financial institutions targeted by each buyer.

According to charging documents filed in the U.S. District Court for the Southern District of New York, authorities believe Gozi was the creation of Nikita Kuzmin, a 25-year-old Russian national. Authorities say Kuzmin was aided by 27-year-old Latvian resident Deniss “Miami” Calovskis, and Mihai Ionut Paunescu, a 28-year-0ld Romanian national who allegedly used the screen name “Virus”.

A press conference announcement sent to reporters today by the office of New York U.S. Attorney Preet Bharara states that Gozi infected more than one million computers — at least 40,000 of which were in the United States — and caused millions of dollars in losses. Bharara’s office called Gozi “one of the most financially destructive computer viruses in history.”

The charges include bank-fraud conspiracy, conspiracy to commit computer intrusion, wire-fraud conspiracy. Kuzmin was arrested in California in Nov. 2010; Calovskis was arrested in Latvia in Nov. 2012; Paunescu was arrested in last month in Romania.

76Service login page

First discovered in early 2007, the Gozi Trojan is a stealthy cybertheft tool that typically evades anti-virus detection for weeks — sometimes months — at a time. Cyber forensics experts say Gozi has remained a potent threat, mainly because its author has been very selective in choosing new customers and fastidious in creating custom, undetectable versions of the malware.

For all the Trojan’s sophistication, however, investigators say it was merely the delivery vehicle for the author’s real moneymaking machine: A software-as-a-service fraud scheme called “76 Service.” According to authorities, Kuzmin marketed the service on highly-vetted cyber criminal forums online, offering customers a soup-to-nuts crime machine that automated the processes of robbing online banking customers. Incredibly, this turnkey system even automated the ready supply of so-called “money mules,” willing or unwitting individuals recruited through work-at-home job scams to help thieves launder stolen funds.

Continue reading →

Polish Takedown Targets ‘Virut’ Botnet

January 18, 2013

12 Comments

Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.

Source: Symantec

NASK, the domain registrar that operates the “.pl” Polish top-level domain registry, said that on Thursday it began assuming control over 23 .pl domains that were being used to operate the Virut network. The company has redirected traffic from those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident response team run by NASK. The company says it will be working with Internet service providers and security firms to help alert and clean up affected users.

“Since 2006, Virut has been one of the most disturbing threats active on the Internet,” CERT Polska wrote. “The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.”

Some of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut’s size at 300,000 machines; Russian security firm Kaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.

The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010.

SELF-PERPETUATING CRIME MACHINE

A file-infecting virus that has long been used to steal information from infected PCs, Virut is often transmitted via removable drives and file-sharing networks. But in recent years, it has become one of the most reliable engines behind massive malware deployment systems known as pay-per-install (PPI) networks. One such example was “exerevenue.com,” a popular PPI network that once shared Internet resources with the aforementioned .pl domains.

PPI networks attract entrepreneurial malware distributors, hackers who are given custom “installer” programs that bundle malware and adware. In return, the distributors are paid a set amount for each 1,000 times their installer programs are run on new PCs. Access to the PPI networks is sold to miscreants in the underground, particularly spammers who are looking to increase the size of their spam botnets. Those clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges varying rates per thousand successful installations, depending on the requested geographic location of the desired victims.

The Exerevenue.com PPI program died off in 2010, but cached copies of the site offer a fascinating glimpse into the Virut business model. The following snippet of text was taken from Exerevenue’s software end-user license agreement (EULA, and yes, this malware had a EULA). It aptly described how Virut worked: As a file-infecting virus that injected copies of itself into all .EXE and .HTML files found on victim PCs. According to the Exerevenue administrators, the program’s installer relied on a trademarked “QuickBundle™” technology that bundled adware with other programs.

“3) The software will especially target .EXE and .HTML files in the process of bundling. Other types of files may also be affected. HTML files are bundled with adware indirectly, through Internet links, and it relies upon certain features of Web browsers that are often considered undesired. Therefore, you agree you will not deliver your bundled files to anyone who can be offended by the QuickBundle technology described earlier. In order to prevent a file from being bundled with adware, you can change its name to begin with PSTO or WINC (in case of .EXE and .SCR files) or change its extension (in case of .HTM(heart), .ASP, and .PHP files), for example to .TXT. Apart from enriching your files with ad-supported content, your Windows HOSTS file will be modified to block certain domains used for adware loading automatization.”

Continue reading →

Last »