Espionage Attacks Against Ruskies?

December 10, 2012
13 Comments

Hardly a week goes by without news of a cyber espionage attack emanating from China that is focused on extracting sensitive data from corporations and research centers in the United States. But analysis of a recent malware campaign suggests that cyberspies in that region may be just as interested in siphoning secrets from Russian targets.

The Cyrillic text used in the decoy document.

Researchers at Milpitas, Calif. based security firm FireEye say they spotted an email attack of apparent Chinese origin that used Russian language lures to steal data from mostly Russian victims. The email malware campaign embedded a Microsoft Word exploit that displayed a decoy document containing news about a meeting of ASEAN, the Association of Southeast Asian Nations.

According to FireEye’s Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation. The malicious Word document sample that kicked this off was authored from a Microsoft Windows system that was set to use the language pack “Windows Simplified Chinese (PRC, Singapore). The researchers also say they were able to gain access to the control server used in the attack, which revealed systems logging in from China to check on new victims.

Update, 1:05 p.m. ET: FireEye just published a blog post about this research, which indicates they now believe the likely source of this attack was Korea, not China. The headline to this story has been modified..

Continue reading

ATM Thieves Swap Security Camera for Keyboard

December 4, 2012
25 Comments

This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.

Photo: TV Bahia

The story comes from O Estado de S. Paulo (“The State of São Paulo“), a daily newspaper in Brazil’s largest city. According to the paper, late last month a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, because the thief then was able to insert his own USB stick into the slot previously occupied by the camera. As you can imagine, a scene straight out of Terminator 2 ensued.

The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. The newspaper story isn’t crystal clear on the role of the USB device — whether it served as a replacement operating system or merely served to connect the keyboard to the machine (it’s not hard to imagine why this would be so easy, since most ATMs run on some version of Microsoft Windows, which automatically installs drivers for most USB-based input devices).

At any rate, after the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. According to the story, the thief started by removing all of the R $100 bills, and then moved on to the R $50 notes, and so on.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

As clever as this hack was, the crook didn’t get away: The police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the guy they apprehended refused to give up the identity of his accomplice. My guess is the one coaching the thief had inside knowledge about how these machines operated, and perhaps even worked at a financial institution at one point.

These kinds of attacks make traditional ATM skimmer scams look positively prehistoric by comparison. But the sad part is that even really crude skimming devices can be very lucrative and go undetected for months. I was reminded of this last week, when, for the third time in as many months, authorities discovered ATM skimmers at hospitals within a few miles of here. Local police believe the same thieves are responsible for planting all of the fraud devices, which are relatively unsophisticated but nonetheless enabled the theft of thousands of dollars over a period of several weeks.

Continue reading

Advertisement

Vrublevsky Sues Kaspersky

December 3, 2012
34 Comments

The co-founder and owner of ChronoPay, one of Russia’s largest e-payment providers, is suing Russian security firm Kaspersky Lab, alleging that the latter published defamatory blog posts about him in connection with his ongoing cybercrime trial.

ChronoPay founder Pavel Vrublevsky, at his office in Moscow

Pavel O. Vrublevsky, is on trial in Moscow for allegedly hiring the curator of the Festi spam botnet to attack one of ChronoPay’s rival payment processors. He spent six months in prison last year after admitting to his part in the attack on Assist, a company that processed payments for Russian airline Aeroflot.

The events leading up to that crime are the subject of my Pharma Wars series, which documents an expensive and labyrinthine grudge match between Vrublevsky and the other co-founder of ChronoPay: Igor Gusevthe alleged proprietor of GlavMed and SpamIt, sister organizations that until recently were the largest sources of spam touting rogue Internet pharmacies. For his part, Vrublevsky has been identified as the co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion. 

Kaspersky blogger Tatyana Nikitina has covered Vrublevsky’s trial, which has been marked by prosecutorial miscues, allegations of official corruption, and the passage of new Russian laws that actually reduce the penalties for some of Vrublevsky’s alleged offenses. In her latest blog post, “The Vrublevsky Case is Ruined,” Nikitina laments yet another regressive milestone in the trial: The dismissal of claims by Aeroflot that it suffered almost $5 million losses as a result of the cyberattack.

Late last month, Vrublevsky’s lawyers fired back, filing a $5 million defamation lawsuit against Kaspersky Lab, charging that its publications contained untrue and defamatory information. In the suit, Vrublevsky argues that Kaspersky is not only trying to discredit him and influence the judicial process, but that Kaspersky is hardly a disinterested party. He noted that Assist was using Kaspersky’s DDoS protection services at the time of the attack, which Assist said took its services offline for a week.

Continue reading

Online Service Offers Bank Robbers for Hire

November 29, 2012
47 Comments

An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise.

The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York. These associates are not mere “money mules,” unwitting and inexperienced Americans tricked and cajoled into laundering money after being hired for bogus work-at-home jobs. Rather, as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity (the ad refers to them as неразводные “nerazvodni” or “not deceived”). Put simply: These are mules that can be counted on not to freak out or disappear with the cash.

These complicit “foreign agents” in the U.S. can be hired to launder funds stolen through cyberheists and tax fraud.

The rest of the ad reads:

“We provide convenient service to our partners:

  • Unique administrative interface – fast response
  • We will react momentarily to any new task
  • Adapt every action of a money mule to client’s requirements
  • Timely payments via WebMoney/Liberty Reserve/Western Union, cash conversion with WU/MG
  • Cashout of tax return, D + P (dump & PIN, cashout of debit cards stolen via skimming)
  • Receive over mail or expensive merchandise pick up in a store
  • Mules are available for other interesting transactions

We work only by reference.”

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

Continue reading

All Banks Should Display A Warning Like This

November 27, 2012
24 Comments

One of my Twitter account followers whose tweets I also follow  — @spacerog — shared with me the following image, which he recently snapped with his phone while waiting in line at the Philadelphia Federal Credit Union. It’s an excellent public awareness campaign, and one that I’d like to see replicated at bank branches throughout the country.

An anti-fraud awareness campaign by the PFCU.

Java Zero-Day Exploit on Sale for ‘Five Digits’

November 27, 2012
18 Comments

Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.

The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions).

According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output. “Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. “I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.”

The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.” The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground. In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that “the price of such an exploit if it were sold privately would be about $100,000.”

Continue reading

Yahoo Email-Stealing Exploit Fetches $700

November 23, 2012
21 Comments

A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The hacker posted the following video to demonstrate the exploit for potential buyers. I’ve reproduced it and published it to youtube.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Continue reading

Beware Card- and Cash-Trapping at the ATM

November 20, 2012
17 Comments

Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.

Security experts with the European ATM Security Team (EAST) say five countries in the region this year have reported card trapping incidents. Such attacks involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.

These devices were made to capture the ATM user’s card after the user withdrawals cash. Credit: EAST.

“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country – despite warning messages that appear on the ATM screen or are displayed on the ATM fascia – customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale
transactions.”

According to EAST, most card trapping incidents take place outside normal banking hours with initial fraudulent usage taking place within 10 minutes of the card capture (balance inquiry and cash withdrawal at a nearby ATM), followed by point-of-sale transactions.

A twist on this attack involves “cash traps,” often claw-like contraptions that thieves insert into the cash-dispensing slot which are capable of capturing or skimming some of the dispensed bills. Here are a few pictures of a cash-trapping device from an EAST report released earlier this year.

Claw-like cash trap devices found inserted into ATMs in Europe. Source: EAST.

Continue reading

MoneyGram Fined $100 Million for Wire Fraud

November 19, 2012
19 Comments

A week ago Friday, the U.S. Justice Department announced that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized business, but incredibly this settlement appears to be unrelated to these cyber heists.

According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’  In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system.”

The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing (oh, and willful neglect of employee fraud).

“Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million…To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”

$100 million may seem like a painful fine, unless you take a look at MoneyGram’s company facts page, which states some fairly staggering figures: “MoneyGram has 293,000 agent locations in 197 countries and territories,” or, to put it another way, “more than twice the locations of McDonald’s, Starbucks, Subway and Wal-Mart combined.”

The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems.

Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists. In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances – and assuming there are funds to be plundered — add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.

The latest example: On Nov. 16, 2012, attackers logged into accounts at Performance Autoplex II Ltd., a Honda dealer based in Midland, Texas, and began adding money mules to the company’s payroll. The thieves added at least nine mules, sending each a little more than $9,000. One of the mules used in this attack — a Louisa Lies (no kidding, that’s her real last name) — got two transfers totaling $9,220.58. She was instructed to visit two different Western Union locations, sending a total of $3,844 to two different recipients (one in Russia, the other Ukraine); Lies sent another pair of transfers (again, to two different people in Russia and Ukraine) totaling just over $5,000, via two separate MoneyGram locations. Lies said she paid $155 in fees to Western Union, and $136 in MoneyGram charges.
Continue reading

Infamous Hacker Heading Chinese Antivirus Firm?

November 14, 2012
71 Comments

What does a young Chinese hacker do once he’s achieved legendary status for developing Microsoft Office zero-day exploits and using them to hoover up piles of sensitive data from U.S. Defense Department contractors? Would you believe: Start an antivirus firm?

That appears to be what’s happened at Anvisoft, a Chinese antivirus startup that is being somewhat cagey about its origins and leadership. I stumbled across a discussion on the informative Malwarebytes user forum, in which forum regulars were scratching their heads over whether this was a legitimate antivirus vendor. Anvisoft had already been whitelisted by several other antivirus and security products (including Comodo), but the discussion thread on Malwarebytes about who was running this company was inconclusive, prompting me to dig deeper.

I turned to Anvisoft’s own user forum, and found that I wasn’t the only one hungry for answers. This guy asked a similar question back in April 2012, and was answered by an Anvisoft staff member named “Ivy,” who said Anvisoft was “a new company with no past records, and we located in Canada.” Follow-up questions to the Anvisoft forum admins about the names of company executives produced this response, again from Ivy:

“The person who runs anvisoft company is not worth mentioning because he is unknown to you.  Yes, the company is located at Canada. 5334 Yonge Street, Suite 141, Toronto, Ontario M2N 6V1, Canada.”

A quick review of the Web site registration records for anvisoft.com indicated the company was located in Freemont, Calif. And a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu, a city in the Sichuan Province of China.

Urged on by these apparent inconsistencies, I decided to take a look back at the site’s original WHOIS records, using the historical WHOIS database maintained by domaintools.com. For many months, the domain’s registration records were hidden behind paid WHOIS record privacy protection services. But in late November 2011 — just prior to Anvisoft’s official launch — that WHOIS privacy veil was briefly lowered, revealing this record:

Registrant:
   wth rose
   Moor Building  ST Fremont. U.S.A
   Fremont, California 94538
   United States
Administrative Contact:
      rose, wth  wthrose@gmail.com
      Moor Building  ST Fremont. U.S.A
      Fremont, California 94538
      United States
      (510) 783-9288

A few days later, the “wth rose” registrant name was replaced with “Anvisoft Technology,” and the wthrose@gmail.com address usurped by “anvisoftceo@gmail.com” (emails to both addresses went unanswered). But this only made me more curious, so I had a look at the Web server where anvisoft.com is hosted.

The current Internet address of anvisoft.com is 184.173.181.194, and a reverse DNS lookup on this IP address tells me that there are at least three other domain names hosted at this address: nxee.com, oyeah.com, and coversite.com. The latter forwards to a domain parking service and its WHOIS information is shielded.

But both oyeah.com and nxee.com also were originally registered to wth rose and wthrose@gmail.com. And their WHOIS records history went back even further, revealing a more fascinating detail: Prior to being updated with Anvisoft’s corporate information, they also were registered to a user named “tandailin” in Gaoxingu, China, with the email address tandailin@163.com.

Continue reading