DoItQuick: Fast Domains for Dirty Deeds

July 23, 2012
19 Comments

A new service offered in the cybercriminal underground is geared toward spammers, scammers and malware purveyors interested in mass-registering dozens of dodgy domains in one go.

DoItQuick offers mass registration of malware domains.

The service — doitquick.net — will auto-register up to 15 domains simultaneously, choosing randomly named domains unless the customer specifies otherwise. DoItQuick sells two classes of domains: “white” domains that are “guaranteed” to stay registered for at least a year; and “black” domains that customers can use for illicit purposes and expect to last between 2 and 30 days before they are canceled.

This service makes it quite clear why customers might prefer the “black” domain registration service: “Domains for black deeds – these domains are registered for limited terms, from 2 to 30 days (average duration is about a week). Such domains are used for black and gray deeds. Low prices, fast registration! It is ideal for redirects, exploit packs, traffic, flood, botnets and other similar stuff. Domain names are checked for getting into blacklists, trackers and Spamhaus.”

Continue reading

Top Spam Botnet, “Grum,” Unplugged

July 19, 2012
31 Comments

Nearly four years after it burst onto the malware scene, the notorious Grum spam botnet has been disconnected from the Internet. Grum has consistently been among the top three biggest spewers of junk email, a crime machine capable of blasting 18 billion messages per day and responsible for sending about one-third of all spam.

Source: Symantec Message Labs

The takedown, while long overdue, is another welcome example of what the security industry can accomplish cooperatively and without the aid of law enforcement officials. Early press coverage of this event erroneously attributed part of the takedown to Dutch authorities, but police in the Netherlands said they were not involved in this industry-led effort.

The Grum ambush began in earnest several weeks ago at the beginning of July, following an analysis published by security firm FireEye, a Milpitas, Calif. based company that has played a big role in previous botnet takedowns, including Mega-D/Ozdok, Rustock, Srizbi.

Atif Mushtaq, senior staff scientist at FireEye, said the company had some initial success in notifying ISPs that were hosting control networks for Grum: The Dutch ISP Ecatel responded favorably, yanking the plug on two control servers. But Mushtaq said the ISPs where Grum hosted its other control servers — networks in Russia and Panama — proved harder to convince.

Continue reading

Advertisement

Cyberheist Smokescreen: Email, Phone, SMS Floods

July 18, 2012
35 Comments

It was early October 2011, and I was on the treadmill checking email from my phone when I noticed several hundred new messages had arrived since I last looked at my Gmail inbox just 20 minutes earlier. I didn’t know it at the time, but my account was being used to beta test a private service now offered openly in the criminal underground that can be hired to create highly disruptive floods of junk email, text messages and phone calls.

Many businesses request some kind of confirmation from their bank whenever high-dollar transfers are initiated. These confirmations may be sent via text message or email, or the business may ask their bank to call them to verify requested transfers. The attack that hit my inbox was part of an offering that crooks can hire to flood each medium of communication, thereby preventing a targeted business from ever receiving or finding alerts from their bank.

Shortly after the email barrage began, I fired off a note to Google‘s public relations folks, asking for advice and assistance. Thankfully, my phone line was not a subject of the attack, and I was able to communicate what I was seeing to Google’s team. They worked to fight the attack for the better part of that day, during which time my inbox received tens of thousands of emails, burying hundreds of legitimate emails in page after page of junk messages (in the screen shot above, the note to Google spokesman Jay Nancarrow is at the top of the junk message pile).

What was most surprising about these messages was that many of them contained fairly spammy subject lines that should have been easily caught by Google’s junk mail filters. Each junk message contained nothing but pages full of garbled letters and numbers; the text of each missive resembled an encrypted message.

Google’s engineers managed to block a majority of the junk messages after about six hours, but the company declined to talk about what caused the attack to succeed. It took many more hours to sift through the junk messages to fish out the ones I wanted.

“This isn’t about a hole in Gmail or an exploit — it’s more a matter of spam dynamics and what may be able to get through more easily under certain circumstances,” Nancarrow said. “As a result, we can’t provide specifics that could aid spammers in trying new campaigns.”

Continue reading

Spammers Target Dropbox Users

July 17, 2012
16 Comments

“Always have your stuff when you need it with Dropbox.” That’s the marketing line for the online file storage service, but today users have had difficulty logging into the service. The outages came amid reports that many European Dropbox users were being blasted with spam for online casinos, suggesting some kind of leak of Dropbox user email addresses.

The trouble began earlier today, when users on the Dropbox support forums began complaining of suddenly receiving spam at email addresses they’d created specifically for use with Dropbox. Various users in Germany, the Netherlands and United Kingdom reported receiving junk email touting online gambling sites.

Dropbox did not respond to emails seeking comment, but a forum user who self-identified as a company employee said Dropbox was investigating the reports.

At around 3 p.m. ET, the company’s service went down in a rare outage, blocking users from logging into and accessing their files and displaying an error message on dropbox.com. I will update this post in the event that the company responds to my requests or provides some explanation of what caused today’s outage and the spam.

The outage and strange spam runs follow a week of high profile password and data breaches. Yahoo! acknowledged that more than 400,000 user names and passwords to Yahoo and other companies were stolen last Wednesday. Formspring, a social question-and-answer site, reset all user passwords after it discovered that approximately 420,000 password hashes from its servers had been posted to an online forum last Monday. Androidforums.com and Billabong International also disclosed password breaches last week.

Continue reading

How to Break Into Security, Bejtlich Edition

July 17, 2012
10 Comments

For this fourth installment of advice columns aimed at people who are interested in learning more about security as a craft or profession, I reached out to Richard Bejtlich, a prominent security blogger who last year moved from a job as director of incident response at General Electric to chief security officer at security forensics firm Mandiant.

Bejtlich responded with a practical how-to for a security novice looking to try on both attacker and defender hats. Without further ado…

Bejtlich: Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual’s background and tastes.

Rather than try to devise a thorough curriculum that provides balanced coverage of the dozen or more distinct disciplines that one might call “digital security,” this article covers one aspect: magic. More specifically, this advice strives to dispel the notion that digital security is a realm where only magicians can perform superhuman feats involving computers and data. Rather, the point is to provide a way for beginners to get a feel for convincing a computer to take actions probably not expected by its original programmers. For those with a more technical inclination, the article provides a means to watch what is happening at the network level.

Continue reading

Spy Software Aims to Corral Money Mules

July 16, 2012
26 Comments

Borrowing from the playbook of corporations seeking better ways to track employee productivity, some cybercriminal gangs are investing in technologies that help them keep closer tabs on their most prized assets: “Money mules,” individuals willingly or unwittingly recruited to help fraudsters launder stolen funds. It seems that at least one mule recruitment gang employs custom software to spy on new recruits.

Last month, I heard from a reader in North Carolina named John who’d been roped into working for a company that claimed to be in the digital concierge and outsourcing business. John became suspicious that he was involved in something shady when they told him he should expect a transfer of nearly $10,000 to the personal bank account that he’d provided to his erstwhile employer in order to eventually receive a paycheck.

The software stole this glimpse of my test machine’s desktop.

The firm that hired John, a fictitious company called VIP One, recruits mules to help process fraudulent transfers from businesses victimized by account takeovers. Prior to sending its mules money, VIP One has prospective mules spend several weeks doing relatively meaningless busy work, for which they are promised payment at the end of the month.

VIP One requires all new recruits to install a “time tracking” application, basically a digital stopwatch that employees are expected to use to keep track of their time “on the job.” John was kind enough to let me take a peek inside his account at VIP One, and to download the time tracking software. It’s safe to say that time is certainly not the only thing being tracked by this program.

I installed the application in a Window XP virtual machine equipped with Wireshark, a free program that lets you inspect the data packets going in and out of a host machine. I pressed start and left the software alone for a few hours. A review of the Wireshark logs showed that the time tracking tool periodically and surreptitiously took screenshots of my system, uploading them to a site called gyazo.com. This Web site appears to be associated with a legitimate screen-grabbing application that automates the grabbing and posting online of screen captures.

My test machine also had several peripherals plugged into it, including a Webcam. To my surprise, further review of the logs showed that the time tracking tool hijacked my machine’s Web cam and took several pictures, also posting them to gyazo.com.

Continue reading

Banking on a Live CD

July 12, 2012
133 Comments

An investigative series I’ve been writing over the past three years about organized cyber crime gangs using malware to steal millions of dollars from small to mid-sized organizations has generated more than a few responses from business owners concerned about how best to protect themselves from this type of fraud.

I said this nearly three years ago, and it remains true: The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online. All of the malware used in the attacks I’ve written about is built for Windows. That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems. Right now, there are no indications that they are doing this.

What the Puppy desktop looks like.

The quickest way to temporarily convert your Windows PC into a Linux system is to use a Live CD. This involves burning an downloadable image file to a CD, inserting the disc into your computer, and rebooting. If this sounds difficult, don’t worry, it’s not.

Here’s a step-by-step guide that should get you up and running in no time flat, with Puppy Linux, an extremely lightweight and fast version of Linux. If you’d prefer to try another distribution, there are dozens to choose from.

Continue reading

EU to Banks: Assume All PCs Are Infected

July 12, 2012
26 Comments

An agency of the European Union created to improve network and data security is offering some blunt, timely and refreshing advice for financial institutions as they try to secure the online banking channel: “Assume all PCs are infected.”

Source: zeustracker.abuse.ch

The unusually frank perspective comes from the European Network and Information Security Agency, in response to a recent “High Roller” report (PDF) by McAfee and Guardian Analytics on sophisticated, automated malicious software strains that are increasingly targeting high-balance bank accounts. The report detailed how thieves using custom versions of the ZeuS and SpyEye Trojans have built automated, cloud-based systems capable of defeating multiple layers of security, including hardware tokens, one-time transaction codes, even smartcard readers. These malware variants can be set up to automatically initiate transfers to vetted money mule or prepaid accounts, just as soon as the victim logs in to his account.

“Many online banking systems….work based on the assumption that the customer’s PC is not infected,” ENISA wrote in an advisory issued on Thursday. “Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected, and still take steps to protect customers from fraudulent transactions.”

Continue reading

Microsoft Patches Zero-Day Bug & 15 Other Flaws

July 10, 2012
19 Comments

Microsoft today issued a security patch to fix a zero-day vulnerability in Windows that hackers have been exploiting to break into vulnerable systems. The company also addressed at least 15 other flaws in its software, and urged customers to quit using the desktop Sidebar and Gadget capabilities offered in Windows 7 and Windows Vista.

By far the most urgent of the updates is MS12-043, which fixes a critical vulnerability in Microsoft XML Core Services that miscreants and malware alike have been using to break into vulnerable systems. Microsoft had already warned about limited, targeted attacks using this flaw, but late last month an exploit built to attack the XML bug was added to the BlackHole Exploit Kit, an automated browser exploit tool that is very popular in the criminal underground right now.

Other critical patch bundles include a fix for a dangerous flaw in the Microsoft Data Access Components (MDAC) of Windows, and an update to address a pair of vulnerabilities in Internet Explorer. Continue reading

Plesk 0Day For Sale As Thousands of Sites Hacked

July 10, 2012
46 Comments

Hackers in the criminal underground are selling an exploit that extracts the master password needed to control Parallels’ Plesk Panel, a software suite used to remotely administer hosted servers at a large number of Internet hosting firms. The attack comes amid reports from multiple sources indicating a spike in Web site compromises that appear to trace back to  Plesk installations.

A hacker selling access to a Plesk exploit.

A miscreant on one very exclusive cybercrime forum has been selling the ability to hack any site running Plesk Panel version 10.4.4 and earlier. The hacker, a longtime member of the forum who has a history of selling reliable software exploits, has even developed a point-and-click tool that he claims can recover the admin password from a vulnerable Plesk installation, as well as read and write files to the Plesk Panel (see screen shot at right).

The exploit is being sold for $8,000 a pop, and according to the seller the vulnerability it targets remains unpatched. Multiple other members appear to have used it and vouched for its value.

It’s unclear whether this claimed exploit is related to a rash of recent attacks against Plesk installations. Sucuri Malware Labs, a company that tracks mass Web site compromises, told SC Magazine that some 50,000 sites have recently been compromised as part of a sustained malware injection attack, and that a majority of the hacked sites involved Plesk installations.

Continue reading