Yahoo Email-Stealing Exploit Fetches $700

November 23, 2012

A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The hacker posted the following video to demonstrate the exploit for potential buyers. I’ve reproduced it and published it to youtube.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Continue reading

Beware Card- and Cash-Trapping at the ATM

November 20, 2012

Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.

Security experts with the European ATM Security Team (EAST) say five countries in the region this year have reported card trapping incidents. Such attacks involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.

These devices were made to capture the ATM user’s card after the user withdrawals cash. Credit: EAST.

“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country – despite warning messages that appear on the ATM screen or are displayed on the ATM fascia – customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale
transactions.”

According to EAST, most card trapping incidents take place outside normal banking hours with initial fraudulent usage taking place within 10 minutes of the card capture (balance inquiry and cash withdrawal at a nearby ATM), followed by point-of-sale transactions.

A twist on this attack involves “cash traps,” often claw-like contraptions that thieves insert into the cash-dispensing slot which are capable of capturing or skimming some of the dispensed bills. Here are a few pictures of a cash-trapping device from an EAST report released earlier this year.

Claw-like cash trap devices found inserted into ATMs in Europe. Source: EAST.

Continue reading

Advertisement

MoneyGram Fined $100 Million for Wire Fraud

November 19, 2012

A week ago Friday, the U.S. Justice Department announced that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized business, but incredibly this settlement appears to be unrelated to these cyber heists.

According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’  In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system.”

The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing (oh, and willful neglect of employee fraud).

“Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million…To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”

$100 million may seem like a painful fine, unless you take a look at MoneyGram’s company facts page, which states some fairly staggering figures: “MoneyGram has 293,000 agent locations in 197 countries and territories,” or, to put it another way, “more than twice the locations of McDonald’s, Starbucks, Subway and Wal-Mart combined.”

The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems.

Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists. In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances – and assuming there are funds to be plundered — add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.

The latest example: On Nov. 16, 2012, attackers logged into accounts at Performance Autoplex II Ltd., a Honda dealer based in Midland, Texas, and began adding money mules to the company’s payroll. The thieves added at least nine mules, sending each a little more than $9,000. One of the mules used in this attack — a Louisa Lies (no kidding, that’s her real last name) — got two transfers totaling $9,220.58. She was instructed to visit two different Western Union locations, sending a total of $3,844 to two different recipients (one in Russia, the other Ukraine); Lies sent another pair of transfers (again, to two different people in Russia and Ukraine) totaling just over $5,000, via two separate MoneyGram locations. Lies said she paid $155 in fees to Western Union, and $136 in MoneyGram charges.
Continue reading

Infamous Hacker Heading Chinese Antivirus Firm?

November 14, 2012

What does a young Chinese hacker do once he’s achieved legendary status for developing Microsoft Office zero-day exploits and using them to hoover up piles of sensitive data from U.S. Defense Department contractors? Would you believe: Start an antivirus firm?

That appears to be what’s happened at Anvisoft, a Chinese antivirus startup that is being somewhat cagey about its origins and leadership. I stumbled across a discussion on the informative Malwarebytes user forum, in which forum regulars were scratching their heads over whether this was a legitimate antivirus vendor. Anvisoft had already been whitelisted by several other antivirus and security products (including Comodo), but the discussion thread on Malwarebytes about who was running this company was inconclusive, prompting me to dig deeper.

I turned to Anvisoft’s own user forum, and found that I wasn’t the only one hungry for answers. This guy asked a similar question back in April 2012, and was answered by an Anvisoft staff member named “Ivy,” who said Anvisoft was “a new company with no past records, and we located in Canada.” Follow-up questions to the Anvisoft forum admins about the names of company executives produced this response, again from Ivy:

“The person who runs anvisoft company is not worth mentioning because he is unknown to you.  Yes, the company is located at Canada. 5334 Yonge Street, Suite 141, Toronto, Ontario M2N 6V1, Canada.”

A quick review of the Web site registration records for anvisoft.com indicated the company was located in Freemont, Calif. And a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu, a city in the Sichuan Province of China.

Urged on by these apparent inconsistencies, I decided to take a look back at the site’s original WHOIS records, using the historical WHOIS database maintained by domaintools.com. For many months, the domain’s registration records were hidden behind paid WHOIS record privacy protection services. But in late November 2011 — just prior to Anvisoft’s official launch — that WHOIS privacy veil was briefly lowered, revealing this record:

Registrant:
   wth rose
   Moor Building  ST Fremont. U.S.A
   Fremont, California 94538
   United States
Administrative Contact:
      rose, wth  wthrose@gmail.com
      Moor Building  ST Fremont. U.S.A
      Fremont, California 94538
      United States
      (510) 783-9288

A few days later, the “wth rose” registrant name was replaced with “Anvisoft Technology,” and the wthrose@gmail.com address usurped by “anvisoftceo@gmail.com” (emails to both addresses went unanswered). But this only made me more curious, so I had a look at the Web server where anvisoft.com is hosted.

The current Internet address of anvisoft.com is 184.173.181.194, and a reverse DNS lookup on this IP address tells me that there are at least three other domain names hosted at this address: nxee.com, oyeah.com, and coversite.com. The latter forwards to a domain parking service and its WHOIS information is shielded.

But both oyeah.com and nxee.com also were originally registered to wth rose and wthrose@gmail.com. And their WHOIS records history went back even further, revealing a more fascinating detail: Prior to being updated with Anvisoft’s corporate information, they also were registered to a user named “tandailin” in Gaoxingu, China, with the email address tandailin@163.com.

Continue reading

Microsoft Patches 19 Security Holes

November 13, 2012

Microsoft today issued six software updates to fix at least 19 security holes in Windows and other Microsoft products. Thirteen of those vulnerabilities earned a “critical” rating, which means miscreants or malicious code could leverage them to break into vulnerable systems without any help from users.

Of note in these patches is a critical update for Internet Explorer 9 that fixes three flaws in IE (these bugs do not exist in older versions of IE, according to Microsoft). Other critical updates address extremely dangerous flaws in core Windows components, such as the Windows shell and Windows Kernel; these vulnerabilities are present in nearly all supported versions of Windows.

All of the critical updates earned the most dire marks on Microsoft’s “exploitability index,” which tries assess the likelihood that attackers will devise remote code execution attacks and denial of service exploits within 30 days of a security bulletin release.

Also included among the critical patches is an update for Microsoft’s .NET Framework. I mention this one separately because in the few times I’ve had troubles after applying Windows security updates, a .NET Framework patch has always been part of the mix. My update this time around went fine (albeit a tad slowly) on a Windows 7 system, but if you experience any issues applying these patches, please leave a note in the comments section below.

Other vulnerabilities addressed in today’s update batch include flaws in Microsoft Excel and Microsoft Internet Information Services (IIS). A summary of the bulletins released today is available at this link. Wolfgang Kandek, chief technology officer at Qualys, has put together a readable blog post with some additional thoughts on the severity and relative urgency of today’s patches.

Update, 8:34 p.m.. ET: Several readers have pointed my attention to problems with a non-security update released with today’s batch: KB2750841. According to this thread, KB2750841 seems to be causing issues for users of OpenDNS. This workaround from OpenDNS forum user “gotroot” appears to have worked for most users experiencing problems.

Malware Spy Network Targeted Israelis, Palestinians

November 12, 2012

Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that for the past year has deployed malicious software to spy on Israeli and Palestinian targets.

The discovery, by Oslo-based antivirus and security firm Norman ASA, is the latest in a series of revelations involving digital surveillance activity of unknown origin that appears designed to gather intelligence from specific targets in the Middle East.

Norman’s experts say the true extent of the spy network came into focus after news of a cyber attack in late October 2012 that caused Israeli authorities to shut down Internet access for its police force. According to press reports, that incursion was spearheaded by a booby-trapped email that was made to look as if it was sent by Benny Gantz, the chief of general staff of the Israel Defense Forces.

Security vendor Trend Micro suggested that the initial target of that attack were systems within the Israeli Customs agency, and said the malware deployed was a version of Xtreme RAT, a Remote Access Trojan that can be used to steal information and receive commands from a remote attacker. According to Trend, the latest iterations of Xtreme Rat have Windows 8 compatibility, improved Chrome and Firefox password grabbing, and improved audio and desktop capture capabilities features.

All of the malware files Fagerland discovered as part of this campaign were signed with this phony Microsoft certificate.

Snorre Fagerland, a senior virus researcher at Norman, said he examined a sample of the Trojan used to deploy the malware in that attack, and found that it included a rather telltale trait: It was signed with a digital certificate that was spoofed to appear as though it had been digitally signed by Microsoft.

The faked digital certificate would not stand up to validation by Windows— or anyone who cared to verify it with the trusted root certificates shipped with Windows PCs. But it proved to be a convenient marker for Fagerland, who’s been scouring malware databases for other samples that used the same phony certificate ever since. So far, he’s mapped out an expanding network of malware and control servers that have been used in dozens of targeted email attacks (see graphic below).

“These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate,” Fagerland said in an interview with KrebsOnSecurity. “In my view, they are same attackers.”

Fagerland discovered a vast network of command and control servers (yellow) that all bore the same forged Microsoft certificate and powered malware that targeted Israeli and Palestinian users.

Fagerland found that the oldest of the malicious files bearing the forged Microsoft certificate were created back in October 2011, and that the Arabic language email lures used in tandem with those samples highlighted Palestinian news issues. He observed that the attackers used dynamic DNS providers to periodically shift the Internet addresses of their control networks, but that those addresses nearly always traced back to networks in Gaza assigned to a hosting provider in Ramallah in the West Bank.

After about eight months of this activity, the focus of the malware operation pivoted to attacking Israeli targets, Fagerland discovered. When that happened, the attackers shifted the location of their control servers to networks in the United States.

Continue reading

Experts Warn of Zero-Day Exploit for Adobe Reader

November 7, 2012

Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground.

The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they’ve discovered that a new exploit capable of compromising the security of computers running Adobe X and XI  (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X— Adobe introduced a “sandbox” feature  aimed at blocking the exploitation of previously unidentified security holes in its software, and so far that protection has held its ground.

But according to Andrey Komarov, Group-IB’s head of international projects, this vulnerability allows attackers to sidestep Reader’s sandbox protection. Komarov said the finding is significant because “in the past there was no documented method of how to bypass” Adobe Reader X’s sandbox to run code of the attacker’s choice on the target’s computer. The Russian firm produced the following video which they say demonstrates a sanitized version of the attack.

The exploit does have some limitations, Komarov said. For example, it can’t be fully executed until the user closes his Web browser (or Reader). And so far, they have only seen the attack work against Microsoft Windows installations of Adobe Reader.

Adobe spokeswoman Wiebke Lips said the company was not contacted by Group-IB, and is unable to verify their claims, given the limited amount of information currently available.

“Adobe will reach out to Group-IB,” Lips said. “But without additional details, there is nothing we can do, unfortunately— beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Continue reading

Adobe Ships Election Day Security Update for Flash

November 6, 2012

Adobe has released a critical security update for its Flash Player and Adobe AIR software that fixes at least seven dangerous vulnerabilities in these products. Updates are available for Windows, Mac, Linux and Android systems.

Today’s update, part of Adobe’s regularly scheduled patch cycle for Flash, brings Flash Player to version 11.5.502.110 on Windows and Mac systems (other OS users see graphic below). Adobe urges users to grab the latest updates from its Flash Player Download Center, but that option pushes junk add-ons like McAfee VirusScan. Instead, download the appropriate version for your system from Adobe’s Flash Player Distribution page. Most users can find out what version of Flash they have installed by visiting this link.

The Flash Player installed with Google Chrome should soon be automatically updated to the latest Google Chrome version, which will include Flash Player 11.5.31.2 for Windows, Macintosh and Linux. Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser. Internet Explorer 10 users on Windows 8 can grab the update via Windows Update or from Microsoft’s site, or wait for the browser to auto-update the plugin.

Adobe’s advisory about this update is available here, including links to update AIR if you have that installed. An Adobe spokesperson said the company is not aware of any active attacks or exploits in the wild for any of the issues patched in this release. Nevertheless, it’s a bad idea to delay Flash updates; the software’s ubiquity makes it a primary target of malware and miscreants alike.

Cyberheists ‘A Helluva Wake-up Call’ to Small Biz

November 6, 2012

The $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two-dozen people helped to steal funds from the company’s coffers in an overnight heist in May 2012, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers.

The St. Louis, Missouri-based firm first learned that things weren’t quite right on Wednesday, May 30, 2012, when the company’s payroll manager logged into her account at the local bank and discovered that an oversized payroll batch for approximately $180,000 had been sent through late Tuesday evening.

The money had been pushed out of Primary Systems’ bank accounts in amounts between $5,000 and $9,000 to 26 individuals throughout the United States who had no prior interaction with the firm, and who had been added to the firm’s payroll that very same day. The 26 were “money mules,” willing or unwitting participants who are hired through work-at-home job schemes to help cyber thieves move money abroad. Most of the mules hired in this attack were instructed to send the company’s funds to recipients in Ukraine.

“The payroll manager contacted me at 8:00 a.m. that day to ask if I’d authorized the payroll batch, and I said no, it must have been a bank error,” said Jim Faber, Primary Systems’ chief financial officer. “I called the bank and said they said no, they did not make an error. That was a helluva wake-up call.”

The company’s financial institution, St. Louis-based Enterprise Bank & Trust, declined to comment. But of course, mistakes were made all around. Primary Systems’ employees failed to be wary of virus-laden email attachments, and relied too heavily on its firewalls and antivirus software to block attacks. The bank failed to bat an eyelash before processing a $180,000 transfer marked as “payroll” on a Tuesday, even though the company has always processed its payroll batch on Friday mornings. It also failed to flag as strange the overnight addition to Primary’s payroll of 26 new employees located in nearly as many states, even though almost all of the victim firm’s legitimate employees are based in Missouri.

The only parties to this crime who didn’t make missteps were the thieves. According to Faber, investigators believe the crooks cased the joint virtually before launching the heist, which came in just below the $200,000 threshold that would have prompted the bank to obtain verbal permission from Primary Systems for the transfer.

“If it was over $200k, [the bank] wouldn’t have allowed the transfer to happen without confirming it with us,” Faber said. “But this just flew right under that kickout. Our payroll is a lot less than that. This was six times our normal payroll and was in mid-week.”

Continue reading

DHS Warns of ‘Hacktivist’ Threat Against Industrial Control Systems

October 26, 2012

The U.S. Department of Homeland Security is warning that a witches brew of recent events make it increasingly likely that politically or ideologically motivated hackers may launch digital attacks against industrial control systems. The alert was issued the same day that security researchers published information about an undocumented software backdoor in industrial control systems sold by hundreds different manufacturers and widely used in power plants, military environments and nautical ships.

The information about the backdoor was published by industrial control systems (ICS) security vendor Digital Bond, which detailed how a component used in industrial control systems sold by 261 manufacturers contains a functionality that will grant remote access to anyone who knows the proper command syntax and inner workings of the device, leaving systems that are connected to the public open to malicious tampering.

In an interview with Ars Technica, Reid Wightman, a researcher formerly with Digital Bond and now at security firm ioActive, said there was “absolutely no authentication needed to perform this privileged command.” Of the two specific programmable logic controllers (PLCs) Wightman tested, both allowed him to issue commands that halted the devices’ process control.

“Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work,” Wightman told Ars. “Anybody on the network could shut off your laptop without needing your password. That would suck. And that’s the case here.”

Potentially aiding would-be attackers are specialized search engines like Shodan and the Every Routable IP Project, which were designed specifically to locate online devices that may be overlooked or ignored by regular search engines. Indeed, according to Wightman, a quick search using Shodan revealed 117 vulnerable devices directly connected to the Internet, although Wightman said he suspected the computer location service could turn up far more with a more targeted search. To complicate matters further, Wightman said tools for automating the exploitation of the backdoor will soon be made available for Metasploit, a penetration testing tool used by hackers and security professionals alike.

In an alert (PDF) issued Thursday, DHS warned that these search engines are being actively used to identify and access control systems over the Internet, and that combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.

“Multiple threat elements are combining to significantly increase the ICSs threat landscape,” DHS warned. “Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses. Asset owners should take these changes in threat landscape seriously…and should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”

But according to Digital Bond, asset owners — such as power utilities, water treatment facilities — aren’t moving fast enough to take such steps. Indeed, this is the driving premise behind “Project Basecamp,” the company’s endeavor to publish and expose control systems vulnerabilities: Only when control system operators begin to see how these vulnerabilities could be used to disrupt their operations will they be motivated enough to demand that ICS hardware and software vendors make security a priority.

“The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end,” the company explained on its blog. “Everyone knows PLC’s are vulnerable — or so we have heard for ten years now since the 9/11 attacks…Not only do they lack basic security features, they are also fragile. Warnings abound about the dangers of even running a port scan on a PLC. Yet even though “everyone knows” there has been little or no progress on developing even the option of purchasing a secure and robust PLC.”

The homepage of the Shodan search engine.

Continue reading