The $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two-dozen people helped to steal funds from the company’s coffers in an overnight heist in May 2012, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers.
The St. Louis, Missouri-based firm first learned that things weren’t quite right on Wednesday, May 30, 2012, when the company’s payroll manager logged into her account at the local bank and discovered that an oversized payroll batch for approximately $180,000 had been sent through late Tuesday evening.
The money had been pushed out of Primary Systems’ bank accounts in amounts between $5,000 and $9,000 to 26 individuals throughout the United States who had no prior interaction with the firm, and who had been added to the firm’s payroll that very same day. The 26 were “money mules,” willing or unwitting participants who are hired through work-at-home job schemes to help cyber thieves move money abroad. Most of the mules hired in this attack were instructed to send the company’s funds to recipients in Ukraine.
“The payroll manager contacted me at 8:00 a.m. that day to ask if I’d authorized the payroll batch, and I said no, it must have been a bank error,” said Jim Faber, Primary Systems’ chief financial officer. “I called the bank and said they said no, they did not make an error. That was a helluva wake-up call.”
The company’s financial institution, St. Louis-based Enterprise Bank & Trust, declined to comment. But of course, mistakes were made all around. Primary Systems’ employees failed to be wary of virus-laden email attachments, and relied too heavily on its firewalls and antivirus software to block attacks. The bank failed to bat an eyelash before processing a $180,000 transfer marked as “payroll” on a Tuesday, even though the company has always processed its payroll batch on Friday mornings. It also failed to flag as strange the overnight addition to Primary’s payroll of 26 new employees located in nearly as many states, even though almost all of the victim firm’s legitimate employees are based in Missouri.
The only parties to this crime who didn’t make missteps were the thieves. According to Faber, investigators believe the crooks cased the joint virtually before launching the heist, which came in just below the $200,000 threshold that would have prompted the bank to obtain verbal permission from Primary Systems for the transfer.
“If it was over $200k, [the bank] wouldn’t have allowed the transfer to happen without confirming it with us,” Faber said. “But this just flew right under that kickout. Our payroll is a lot less than that. This was six times our normal payroll and was in mid-week.”
The U.S.Department of Homeland Security is warning that a witches brew of recent events make it increasingly likely that politically or ideologically motivated hackers may launch digital attacks against industrial control systems. The alert was issued the same day that security researchers published information about an undocumented software backdoor in industrial control systems sold by hundreds different manufacturers and widely used in power plants, military environments and nautical ships.
The information about the backdoor was published by industrial control systems (ICS) security vendor Digital Bond, which detailed how a component used in industrial control systems sold by 261 manufacturers contains a functionality that will grant remote access to anyone who knows the proper command syntax and inner workings of the device, leaving systems that are connected to the public open to malicious tampering.
In an interview with Ars Technica, Reid Wightman, a researcher formerly with Digital Bond and now at security firm ioActive, said there was “absolutely no authentication needed to perform this privileged command.” Of the two specific programmable logic controllers (PLCs) Wightman tested, both allowed him to issue commands that halted the devices’ process control.
“Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work,” Wightman told Ars. “Anybody on the network could shut off your laptop without needing your password. That would suck. And that’s the case here.”
Potentially aiding would-be attackers are specialized search engines like Shodan and the Every Routable IP Project, which were designed specifically to locate online devices that may be overlooked or ignored by regular search engines. Indeed, according to Wightman, a quick search using Shodan revealed 117 vulnerable devices directly connected to the Internet, although Wightman said he suspected the computer location service could turn up far more with a more targeted search. To complicate matters further, Wightman said tools for automating the exploitation of the backdoor will soon be made available for Metasploit, a penetration testing tool used by hackers and security professionals alike.
In an alert (PDF) issued Thursday, DHS warned that these search engines are being actively used to identify and access control systems over the Internet, and that combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.
“Multiple threat elements are combining to significantly increase the ICSs threat landscape,” DHS warned. “Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses. Asset owners should take these changes in threat landscape seriously…and should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”
But according to Digital Bond, asset owners — such as power utilities, water treatment facilities — aren’t moving fast enough to take such steps. Indeed, this is the driving premise behind “Project Basecamp,” the company’s endeavor to publish and expose control systems vulnerabilities: Only when control system operators begin to see how these vulnerabilities could be used to disrupt their operations will they be motivated enough to demand that ICS hardware and software vendors make security a priority.
“The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end,” the company explained on its blog. “Everyone knows PLC’s are vulnerable — or so we have heard for ten years now since the 9/11 attacks…Not only do they lack basic security features, they are also fragile. Warnings abound about the dangers of even running a port scan on a PLC. Yet even though “everyone knows” there has been little or no progress on developing even the option of purchasing a secure and robust PLC.”
Adobe has released a critical security update that plugs at least a half-dozen security holes in its Shockwave media player software.
Adobe recommends users of Adobe Shockwave Player 11.6.7.637 and earlier versions update to the newest version 11.6.8.638, available here. Updates are available for Windows and Mac systems. In its advisory on this update, Adobe says it is not aware of any active attacks against these flaws.
Before you try to update Shockwave, you should check to see if your system even has it installed. If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. If you update or install Shockwave, be on the lookout for pre-checked “extras”; my test installation of this update tried to foist a 30-day trial of Norton Internet Security.
Note that while Shockwave and Flash Player are both Adobe products, they are two separate things (Flash is far more abundant on the Web). I mention this because Flash Player still shows up as “Shockwave Flash” in Mozilla Firefox’s plugins listing. Incidentally, if you haven’t updated Flash Player to the latest version, you’ll want to take care of that now: The latest Flash Player update, released Oct. 8, fixes at least 25 security holes.
An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks.
The service I examined for this post currently is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010. All of the machines for sale have been set up by their legitimate owners to accept incoming connections via the Internet, using the Remote Desktop Protocol (RDP), a service built into Microsoft Windows machines that gives the user graphical access to the host PC’s desktop. Businesses often turn on RDP for server and desktop systems that they wish to use remotely, but if they do so using a username and password that is easily guessed, those systems will soon wind up for sale on services like this one.
Pitching its wares with the slogan, “The whole world in one service,” Dedicatexpress.com advertises hacked RDP servers on several cybercrime forums. Access is granted to new customers who contact the service’s owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. The price of any hacked server is calculated based on several qualities, including the speed of its processor and the number of processor cores, the machine’s download and upload speeds, and the length of time that the hacked RDP server has been continuously available online (its “uptime”).
Though it is not marketed this way, the service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations. For instance, I relied on a list of the IP address ranges assigned to the companies in the current Fortune 500 listing (special thanks to online banking security vendor Greenway Solutions for their help on this front).
I made it about halfway through the list of companies in the Fortune 100 with names beginning in “C” when I found a hit: A hacked RDP server at Internet address space assigned to networking giant Cisco Systems Inc. The machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55 (see screenshot below). You’ll never guess the credentials assigned to this box: Username: “Cisco,”; password: “Cisco”. Small wonder that it was available for sale via this service. A contact at Cisco’s security team confirmed that the hacked RDP server was inside of Cisco’s network; the source said that it was a “bad lab machine,” but declined to offer more details.
A hacked Win 2003 Server installation at Cisco Systems was on sale for $4.55.
New research suggests that companies behind some of America’s best known consumer brands may be far more effective at fighting cybercrime than any efforts to enact more stringent computer security and anti-piracy laws.
Recent legislative proposals in the United States — such as the Stop Online Piracy Act — have sought to combat online trafficking in copyrighted intellectual property and counterfeit goods by granting Internet service providers and authorities broader powers to prosecute offenders, and by imposing stronger criminal penalties for such activity. But recent data collected by academic researchers suggests that brand holders already have the tools to quash much of this activity.
Over the past two years, a team of academic researchers made hundreds of “test buys” at Web sites from 40 different shady businesses peddling knockoff prescription drugs, counterfeit software and fake antivirus products. The researchers, from George Mason University, the International Computer Science Institute, and the University of California, San Diego, posed as buyers for these products, which tend to be promoted primarily via hacked Web sites, junk email and computer viruses.
Test buys showed relationships between 40 affiliate programs and 25 banks, although a majority of the transactions filtered through a handful of banks in Azerbaijan, China, Georgia, Latvia, and Mauritius.
The test buys were intended to reveal relationships between the shadowy merchants and the banks that process credit and debit card transactions for these businesses. Following the money trail showed that a majority of the purchases were processed by just 12 banks in a handful of countries, including Azerbaijan, China, Georgia, Latvia, and Mauritius.
The researchers said they submitted the test buy results to a database run by the International AntiCounterfeiting Coalition, (IACC), a Washington, D.C.-based non-profit organization devoted to combating product counterfeiting and piracy. Several pharmacy and software vendors and IACC members whose trademarks were infringed in those transactions (the researchers said non-disclosure agreements prohibit them from naming the brands) used the data to lodge complaints with Visa (only Visa-branded debit cards were used to make the test buys).
Contracts between the banks and Visa and MasterCard stipulate that merchants are prohibiting from selling goods and services that are illegal in the country into which those goods or services are being sold. The credit card associations have a standard process for accepting complaints about such transactions, in which they warn the online merchant’s bank (including a notice of potential fines for noncompliance). After a complaint about such activity, the merchant’s bank conducts its investigation, and may choose to contest the issue if they believe it is in error. But if the bank decides not to challenge the complaint, then they will need to take action to prevent future such transactions, or else face an escalating series of fines from the card associations.
The researchers noticed that in case after case, merchant accounts that were used in fraudulent activity for some extended period of time before they filed a complaint with the IACC generally stopped being used within one month after a complaint was lodged. Neither Visa nor the IACC responded to requests for comment on this story.
Stefan Savage, a professor at UCSD’s Department of Computer Science and Engineering, said the data suggests that the private sector can have a major impact on cybercrime merely by going after the funding for these operations.
“It doesn’t require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities. If you can purchase a product, then there’s a record of it and that record points back to the merchant account getting the money,” Savage said. “Visa and MasterCard frown on sales of illegal purchases made on their networks and will act appropriately on complaints from brandholders based on undercover purchases.”
Savage said it doesn’t take concerted action by all of the affected brands to have a major impact on the rogue businesses that incentivize this type of commerce. On the contrary, he said one software brandholder pursued the merchant banks tied to all of the group’s test buys for its products with such a ferocity and swiftness that it virtually shut down the market for pirated brand name software [a.k.a “OEM”] overnight.
“This vendor went after everything. They did it so quickly — and not only for their own products — that it all but shut down the entire OEM ecosystem,” Savage said. “A couple of [OEM affiliate programs] survived by getting rid of that company’s brand, but in the beginning, when people had no clue what’s going on, it shut down the entire business for everyone.”
FINES ‘RAINING DOWN ON MERCHANTS’
The researchers note that in mid-2011, Visa made a series of changes to their operating regulations that seem designed to specifically target on-line pharmacies and sellers of counterfeit goods. First, sales of goods categorized as pharmaceutical-related were explicitly classified as “high risk” (along with gambling and various kinds of direct marketing services), and acquirers issuing new contracts for high-risk e-commerce merchants required significantly more due diligence (including $100M in equity capital and good standing in risk management programs). Also, the new documents explicitly call out examples of illegal transactions including “Unlawful sale of prescription drugs,” and “Sale of counterfeit or trademark-infringing products or services,” among others. Finally, these changes include more aggressive fine schedules for noncompliance.
Some of the best evidence of the success of the test buys+complaints strategy comes directly from the folks operating the affiliate programs that reward spammers and miscreants for promoting fake antivirus, pirated software and dodgy pill sites. In June 2012, a leader of one popular pharmacy affiliate program posted a lengthy message to gofuckbiz.com, a Russian language forum that caters to a variety of such affiliate programs. In that discussion thread, which is now some 234 pages long, the affiliate program manager explains to a number of mystified forum members why the pharmacy programs have had so much trouble maintaining reliable credit card processing. Continue reading →
Oracle on Tuesday pushed out a bevy of security patches for its products, including an update to Java that remedies at least 30 vulnerabilities in the widely-used program.
The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java homepage.
Applemaintains supplies its own version of Java. Given the rapidity with which they have followed Oracle’s Java updates (ever since April 2012, when the Flashback worm used an unpatched Java flaw to infect more than 650,000 Macs), I would expect Apple to have an update ready soon. Update: Apple did release an update for Java, one that sees the Java plugin removed from all Mac-compatible browsers installed on the system.
A few years back, when I was a reporter at The Washington Post, I put together a chart listing the various ways that miscreants can monetize hacked PCs. The project was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?,” are all common refrains from this type of user.
I recently updated the graphic (below) to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.
Next time someone asks why miscreants might want to hack his PC, show him this diagram.
One of the ideas I tried to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.
Microsoft today pushed out seven updates to fix a variety of security issues in Windows, Microsoft Office and other software. If you’re using Windows, take a moment to check with Windows Update or Automatic Update to see if new security patches are available.
Most of the vulnerabilities addressed in this month’s patch batch apply to business applications, such as Microsoft Sharepoint, Microsoft SQLServer and Fast Search Server. The lone “critical” update (MS12-064) plugs two security holes in Microsoft Word, and applies to all versions of Microsoft Office. Another patch (MS12-069) fixes a denial-of-service vulnerability in Windows 7 and Windows 2008.
In addition, Microsoft also has shipped an update (KB2758994) for the version of Adobe‘s Flash Player plugin that comes bundled with Windows 8 and Windows 2012 Server.
Adobe has issued an update for its Flash Player software that fixes at least 25 separate security vulnerabilities in the widely-installed program. The company also pushed out a security patch for its Adobe AIR software.
The chart below shows the newest patch version numbers released today. Updates are available for Windows, Mac, Linux and Android systems. Windows and Mac users can grab the latest updates from the Flash Player Download Center, but be on the lookout for bloatware toolbar add-ons that come pre-checked (like McAfee VirusScan). Other OS users should consult the Adobe security bulletin. Internet Explorer 10 users on Windows 8 can grab the update via Windows Update or from Microsoft’s site.
Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser.
Last week, security firm RSA detailed a new cybecriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets.
RSA wasn’t specific about where it got its intelligence, but the report’s finding appear tied to a series of communications posted to exclusive Underweb forums by a Russian hacker who uses the nickname “vorVzakone,” which translates to “thief in law.” This is an expression in Russia and Eastern Europe that refers to an entire subculture of elite criminal gangs that operate beyond the reach of traditional law enforcement. The term is sometimes also used to refer to a single criminal kingpin.
A screen shot posted by vorVzakone, showing his Project Blitzkrieg malware server listing the number of online victims by bank.
In early September, vorVzakone posted a lengthy message announcing the beginning stages of a campaign he dubbed “Project Blitzkrieg.” This was envisioned as a collaborative effort designed to exploit the U.S. banking industry’s lack of anti-fraud mechanisms relative to European financial institutions, which generally require two-factor authentication for all wire transfers.
The campaign, purportedly to be rolled out between now and the Spring of 2013, proposes organizing hacker cells throughout the cybercriminal community to collaborate in exploiting these authentication weaknesses before U.S. banks erect more stringent controls. “The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,” vorVzakon wrote. A professionally translated version of his entire post is available here.
RSA said the project is being powered by a version of the Gozi Trojan called “Gozi Prinimalka.” The company believes this Trojan is part of family of malware used by a tight-knit crime gang that has stolen at least $5 million from banks already. From its analysis:
“In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits. The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers.
While the campaign is not revolutionary in technical terms, it will supposedly sport several noteworthy features. A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.”
vorVzakone also says the operation will flood cyberheist victim phone lines while the victims are being robbed, in a bid to prevent account holders from receiving confirmation calls or text messages from their banks (I’ve covered this diversionary tactic in at least a couple ofstories). Interestingly, this hacker started discussion threads on different forums in which he posts a video of this service in action. The video shows racks of centrally-managed notebook computers that are each running an installation of Skype. While there are simpler, cheaper and less resource-intensive ways of tying up a target’s phone line, causing all of these systems to call a single number simultaneously would probably achieve the same result. If you don’t see English subtitles when you play the video below, click the “cc” icon in the player to enable them:
THE FIRST RULE OF PROJECT BLITZKRIEG…
vorVzakone’s post has been met with a flurry of curiosity, enthusiasm and skepticism from members of the underground. The skepticism appears to stem from some related postings in which he brags about and calls attention to his credentials/criminal connections, an activity which tends to raise red flags in a community that generally prefers to keep a low profile.
In the following introductory snippet from a homemade movie he posted to youtube.com, vorVzakone introduces himself as “Sergey,” the stocky bald guy in the sunglasses. He also introduces a hacker who needs little introduction in the Russian underground — a well-known individual who used the nickname “NSD” [an abbreviation for the Russian term несанкционированный доступ, or “unauthorized access”] in the mid-2000s, when he claims to have exited the hacking scene.
“Good day to everybody, evening or night, depends on when you are watching me,” the hacker begins, standing in front of a Toyota Land Cruiser. “My name is Serega, you all know me by my nickname “vor v zakone” on the forum. This is my brother, my offline representative – Oleg ‘NSD’. So, what? I decided to meet you, let’s say ‘remotely.’ Without really meeting, right? Now you will see how I live. Let’s go, I will show you something.”
A still shot from a video posted by hacker “vorVzakone”, foreground.
And he proceeds to show viewers around what he claims is his home. But many in the underground community found it difficult to take seriously someone who would be so cavalier about his personal safety, anonymity and security. “This guy’s language and demeanor is that of street corner drug dealer or a night club bouncer, and not of someone who can comprehend what ‘backconnect socks’ or GeoIP is,” remarked one Russian expert who helped translate some of the documentation included in this blog post.
But soon enough, hackers on the forums in which vorVzakone had posted his videos began checking the story, digging up records from Russian motor vehicle agencies indicating that the license plates on the Toyota and other cars in video were registered to a 27-year-old Oleg Vsevolodovich Tolstykh from Moscow. Further, they pointed out, the videos were posted by a youtube user named 01NSD, who also had previously posted Finnish and Russian television interviews with NSD describing various facets of the hacker underground. Indeed, if you pause this 2007 video 22 seconds in, you can see on NSD’s screen that he’s in the midst of a chat conversation with a hacker named vorVzakone.
In response to taunts and ridicule from some in the underground, vorVzakone posted this message on Oct. 6 to a prominent crime forum explaining why he doesn’t worry about going public with his business. Continue reading →