Exploring the Market for Stolen Passwords

December 26, 2012

Not long ago, PCs compromised by malware were put to a limited number of fraudulent uses, including spam, click fraud and denial-of-service attacks. These days, computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers.

This shop sells credentials to active accounts at dozens of leading e-retailers.

This shop sells credentials to active accounts at dozens of leading e-retailers.

At the forefront of this trend are the botnet creation kits like Citadel, ZeuS and SpyEye, which make it simple for miscreants to assemble collections of compromised machines. By default, most bot malware will extract any passwords stored in the victim PC’s browser, and will intercept and record any credentials submitted in Web forms, such as when a user enters his credit card number, address, etc. at an online retail shop.

Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.

Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of “logs,” records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on Underweb forums selling bulk access to their botnet logs; for example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150.

The "Freshotools" service sells a variety of hacked e-retailer credentials.

The “Freshotools” service sells a variety of hacked e-retailer credentials.

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.

Continue reading

Shocking Delay in Fixing Adobe Shockwave Bug

December 19, 2012

The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) is warning about a dangerous security hole in Adobe’s Shockwave Player that could be used to silently install malicious code. The truly shocking aspect of this bug? U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013.

shockwaveShockwave is a browser plug-in that some sites require. At issue is a feature of Adobe Shockwave that allows the installation of “Xtras,” downloadable components meant to interact with the media player. According to an advisory from US-CERT the problem is that Shockwave installs Xtras that are signed by Adobe or Macromedia without prompting, which can allow an attacker to target vulnerabilities in older Xtras.

From the advisory:

When a Shockwave movie attempts to use an Xtra, it will download and install it as necessary. If the Xtra is signed by Adobe or Macromedia, it will be installed automatically without any user interaction. Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself, this can allow an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played.

US-CERT warned that by convincing a user to view a specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.

Reached via email, an Adobe spokeswoman confirmed that US-CERT had alerted the company about the flaw in October 2010, but said Adobe is not aware of any active exploits or attacks in the wild using this vulnerability.

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” Adobe’s Wiebke Lips wrote.

Continue reading

Advertisement

Point-of-Sale Skimmers: No Charge…Yet

December 18, 2012

If you hand your credit or debit card to a merchant who is using a wireless point-of-sale (POS) device, you may want to later verify that the charge actually went through. A top vendor of POS skimmers ships devices that will print out “transaction approved” receipts, even though the machine is offline and is merely recording the customer’s card data and PIN for future fraudulent use.

This skimmer seller is a major vendor on one of the Underweb’s most active fraud forums. Being a “verified” vendor on this fraud forum — which comes with the stamp of approval from the forum administrators, thus, enhancing the seller’s reputation — costs $5,000 annually. But this seller can make back his investment with just two sales, and judging from the volume of communications he receives from forum members, business is brisk.

This miscreant sells two classes of pre-hacked wireless Verifone POS devices: The Verifone vx670, which he sells for $2,900 plus shipping, and a Verifone vx510, which can be had for $2,500. Below is a video he posted to youtube.com showing a hacked version of the vx510 printing out a fake transaction approval receipt.

From the seller’s pitch: “POS is ‘fake’ and stores D+P [card data and PIN], prints out approved receipt or can be setup for connection error. Software to decrypt the data is provided. It keeps d+p inside memory for manual retrieval via USB cable.”

These types of hacked POS systems, known as “offline POS skimmers” in the Underweb, are marketed for suggested use by miscreants employed in seasonal or temporary work, such as in restaurants, bars or retail establishments.

Continue reading

LogMeIn, DocuSign Investigate Breach Claims

December 14, 2012

Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach.

Continue reading

New Findings Lend Credence to Project Blitzkrieg

December 12, 2012

“Project Blitzkrieg,” a brazen Underweb plan for hiring 100 botmasters to fuel a blaze of ebanking heists against 30 U.S. financial institutions in the Spring of 2013, was met with skepticism from some in the security community after news of the scheme came to light in October. Many assumed it was a law enforcement sting, or merely the ramblings of a wannabe criminal mastermind. But new research suggests the crooks who hatched the plan were serious and have painstakingly built up a formidable crime machine in preparation for the project.

McAfee says it tracked hundreds of infections from Gozi Prinimalka since Project Blitzkrieg was announced in early September.

The miscreant who posted the call-to-arms — a bald, stocky guy using the nickname vorVzakone (literally, “thief in law”) — also posted a number of screen shots that he said were taken from a working control panel for the botnet he was building. Those images contained several Internet addresses of PCs that were allegedly part of his botnet. According to RSA Security, the botnet consisted of systems infected with Gozi Prinimalka, a closely-held, custom version of the powerful password-stealing Gozi banking Trojan.

In an analysis (PDF) to be published Dec. 13, security vendor McAfee said it was able to combine the data in those screen shots with malware detections on its own network to correlate both victim PCs and the location of the control server. It found that the version of the Prinimalka Trojan used in the attack has two unique identifiers (“Campaign ID” and “Bot ID”) that identify what variant is being deployed on infected computers. McAfee said that all of the systems it identified from the screen shots posted by vorVzakone carried the Campaign ID 064004, which was discovered in the wild on April 14, 2012.

Ryan Sherstobitoff, a threat researcher at McAfee, said the company’s analysis indicates that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward.

“There is much speculation whether Project Blitzkrieg is real or simply a creation of Russian law enforcement as a sting operation. Our analysis suggests it is authentic, though the timing of the fraudulent activity is unknown,” Sherstobitoff said.. “We do know that the thieves have had an active system since April 2012, with at least 500 victims who can be linked to vorVzakone.”

Continue reading

Critical Updates for Flash Player, Microsoft Windows

December 11, 2012

Adobe and Microsoft have each released security updates to fix critical security flaws in their software. Microsoft issued seven update bundles to fix at least 10 vulnerabilities in Windows and other software. Separately, Adobe pushed out a fix for its Flash Player and AIR software that address at least three critical vulnerabilities in these programs.

A majority of the bugs quashed in Microsoft’s patch batch are critical security holes, meaning that malware or miscreants could exploit them to seize control over vulnerable systems with little or no help from users. Among the critical patches is an update for Internet Explorer versions 9 and 10 (Redmond says these flaws are not present in earlier versions of IE).

Other critical patches address issues with the Windows kernel, Microsoft Word, and Microsoft Exchange Server. The final critical bug is a file handling vulnerability in Windows XP, Vista and 7 that Microsoft said could allow remote code execution if a user browses to a folder that contains a file or subfolder with a specially crafted name. Yikes. Updates are available through Windows Update or via Automatic Updates.

Continue reading

A Closer Look at Two Bigtime Botmasters

December 11, 2012

Over the past 18 months, I’ve published a series of posts that provide clues about the possible real-life identities of the men responsible for building some of the largest and most disruptive spam botnets on the planet. I’ve since done a bit more digging into the backgrounds of the individuals thought to be responsible for the Rustock and Waledac spam botnets, which has produced some additional fascinating and corroborating details about these two characters.

In March 2011, KrebsOnSecurity featured never-before-published details about the financial accounts and nicknames used by the Rustock botmaster. That story was based on information leaked from SpamIt, a cybercrime business that paid spammers to promote rogue Internet pharmacies (think Viagra spam). In a follow-up post, I wrote that the Rustock botmaster’s personal email account was tied to a domain name ger-mes.ru, which at one time featured a résumé of a young man named Dmitri A. Sergeev.

Then, on Jan. 26. 2012, I ran a story featuring a trail of evidence suggesting a possible identity of “Severa (a.k.a. “Peter Severa”), another SpamIt affiliate who is widely considered the author of the Waledac botnet (and likely the Storm Worm). In that story, I included several screen shots of Severa chatting on Spamdot.biz, an extremely secretive Russian forum dedicated to those involved in the spam business. In one of the screen shots, Severa laments the arrest of Alan Ralsky, a convicted American spam kingpin who specialized in stock spam and who — according to the U.S. Justice Department – was partnered with Severa. Anti-spam activists at Spamhaus.org maintain that Peter Severa’s real name is Peter Levashov (although the evidence I gathered also turned up another name, Viktor Sergeevich Ivashov).

It looks now like Spamhaus’s conclusion on Severa was closer to the truth. More on that in a second. I was able to feature the Spamdot discussions because I’d obtained a backup copy of the forum. But somehow in all of my earlier investigations I overlooked a handful of private messages between Severa and the Rustock botmaster, who used the nickname “Tarelka” on Spamdot. Apparently, the two worked together on the same kind of pump-and-dump stock spam schemes, but also knew each other intimately enough to be on a first-name basis.

Spamdot.biz chat between Tarelka and Severa

The following is from a series of private Spamdot message exchanged between Tarelka and Severa on May 25 and May 26, 2010. In it, Severa refers to Tarelka as “Dimas,” a familiar form of “Dmitri.” Likewise, Tarelka addresses Severa as “Petka,” a common Russian diminutive of “Peter.” They discuss a mysterious mutual friend named John, who apparently used the nickname “Apple.”

Continue reading

Espionage Attacks Against Ruskies?

December 10, 2012

Hardly a week goes by without news of a cyber espionage attack emanating from China that is focused on extracting sensitive data from corporations and research centers in the United States. But analysis of a recent malware campaign suggests that cyberspies in that region may be just as interested in siphoning secrets from Russian targets.

The Cyrillic text used in the decoy document.

Researchers at Milpitas, Calif. based security firm FireEye say they spotted an email attack of apparent Chinese origin that used Russian language lures to steal data from mostly Russian victims. The email malware campaign embedded a Microsoft Word exploit that displayed a decoy document containing news about a meeting of ASEAN, the Association of Southeast Asian Nations.

According to FireEye’s Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation. The malicious Word document sample that kicked this off was authored from a Microsoft Windows system that was set to use the language pack “Windows Simplified Chinese (PRC, Singapore). The researchers also say they were able to gain access to the control server used in the attack, which revealed systems logging in from China to check on new victims.

Update, 1:05 p.m. ET: FireEye just published a blog post about this research, which indicates they now believe the likely source of this attack was Korea, not China. The headline to this story has been modified..

Continue reading

ATM Thieves Swap Security Camera for Keyboard

December 4, 2012

This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.

Photo: TV Bahia

The story comes from O Estado de S. Paulo (“The State of São Paulo“), a daily newspaper in Brazil’s largest city. According to the paper, late last month a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, because the thief then was able to insert his own USB stick into the slot previously occupied by the camera. As you can imagine, a scene straight out of Terminator 2 ensued.

The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. The newspaper story isn’t crystal clear on the role of the USB device — whether it served as a replacement operating system or merely served to connect the keyboard to the machine (it’s not hard to imagine why this would be so easy, since most ATMs run on some version of Microsoft Windows, which automatically installs drivers for most USB-based input devices).

At any rate, after the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. According to the story, the thief started by removing all of the R $100 bills, and then moved on to the R $50 notes, and so on.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

As clever as this hack was, the crook didn’t get away: The police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the guy they apprehended refused to give up the identity of his accomplice. My guess is the one coaching the thief had inside knowledge about how these machines operated, and perhaps even worked at a financial institution at one point.

These kinds of attacks make traditional ATM skimmer scams look positively prehistoric by comparison. But the sad part is that even really crude skimming devices can be very lucrative and go undetected for months. I was reminded of this last week, when, for the third time in as many months, authorities discovered ATM skimmers at hospitals within a few miles of here. Local police believe the same thieves are responsible for planting all of the fraud devices, which are relatively unsophisticated but nonetheless enabled the theft of thousands of dollars over a period of several weeks.

Continue reading

Vrublevsky Sues Kaspersky

December 3, 2012

The co-founder and owner of ChronoPay, one of Russia’s largest e-payment providers, is suing Russian security firm Kaspersky Lab, alleging that the latter published defamatory blog posts about him in connection with his ongoing cybercrime trial.

ChronoPay founder Pavel Vrublevsky, at his office in Moscow

Pavel O. Vrublevsky, is on trial in Moscow for allegedly hiring the curator of the Festi spam botnet to attack one of ChronoPay’s rival payment processors. He spent six months in prison last year after admitting to his part in the attack on Assist, a company that processed payments for Russian airline Aeroflot.

The events leading up to that crime are the subject of my Pharma Wars series, which documents an expensive and labyrinthine grudge match between Vrublevsky and the other co-founder of ChronoPay: Igor Gusevthe alleged proprietor of GlavMed and SpamIt, sister organizations that until recently were the largest sources of spam touting rogue Internet pharmacies. For his part, Vrublevsky has been identified as the co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion. 

Kaspersky blogger Tatyana Nikitina has covered Vrublevsky’s trial, which has been marked by prosecutorial miscues, allegations of official corruption, and the passage of new Russian laws that actually reduce the penalties for some of Vrublevsky’s alleged offenses. In her latest blog post, “The Vrublevsky Case is Ruined,” Nikitina laments yet another regressive milestone in the trial: The dismissal of claims by Aeroflot that it suffered almost $5 million losses as a result of the cyberattack.

Late last month, Vrublevsky’s lawyers fired back, filing a $5 million defamation lawsuit against Kaspersky Lab, charging that its publications contained untrue and defamatory information. In the suit, Vrublevsky argues that Kaspersky is not only trying to discredit him and influence the judicial process, but that Kaspersky is hardly a disinterested party. He noted that Assist was using Kaspersky’s DDoS protection services at the time of the attack, which Assist said took its services offline for a week.

Continue reading