Attackers Hit Weak Spots in 2-Factor Authentication

June 5, 2012

An attack late last week that compromised the personal and business Gmail accounts of Matthew Prince, chief executive of Web content delivery system CloudFlare, revealed a subtle but dangerous security flaw in the 2-factor authentication process used in Google Apps for business customers. Google has since fixed the glitch, but the incident offers a timely reminder that two-factor authentication schemes are only as secure as their weakest component.

In a blog post on Friday, Prince wrote about a complicated attack in which miscreants were able to access a customer’s account on CloudFlare and change the customer’s DNS records. The attack succeeded, Prince said, in part because the perpetrators exploited a weakness in Google’s account recovery process to hijack his CloudFlare.com email address, which runs on Google Apps.

A Google spokesperson confirmed that the company “fixed a flaw that, under very specific conditions, existed in the account recovery process for Google Apps for Business customers.”

“If an administrator account that was configured to send password reset instructions to a registered secondary email address was successfully recovered, 2-step verification would have been disabled in the process,” the company said. “This could have led to abuse if their secondary email account was compromised through some other means. We resolved the issue last week to prevent further abuse.”

Prince acknowledged that the attackers also leveraged the fact that his recovery email address — his personal Gmail account — was not taking advantage of Google’s free 2-factor authentication offering. Prince claims that the final stage of the attack succeeded because the miscreants were able to trick his mobile phone provider — AT&T — into forwarding his voicemail to another account.

In a phone interview Monday, Prince said he received a phone call at 11:39 a.m. on Friday from a phone number in Chico, Calif. Not knowing anyone from that area, he let the call go to voicemail. Two minutes later, he received a voicemail that was a recorded message from Google saying that his personal Gmail account password had been changed. Prince said he then initiated the account recovery process himself and changed his password back, and that the hacker(s) and he continued to ping pong for control over the Gmail account, exchanging control 10 times in 15 minutes.

“The calls were being forwarded, because phone calls still came to me,” Prince said. “I didn’t realize my voicemail had been compromised until that evening when someone called me and soon after got a text message saying, ‘Hey, something is weird with your voicemail.'”

Gmail constantly nags users to tie a mobile phone number to their account, ostensibly so that those who forget their passwords or get locked out can have an automated, out-of-band way to receive a password reset code (Google also gets another way to link real-life identities connected to cell phone records with Gmail accounts that may not be so obviously tied to a specific identity). The default method of sending a reset code is via text message, but users can also select to receive the prompt via a phone call from Google.

The trouble is, Gmail users who haven’t availed themselves of Google’s 2-factor authentication offering (Google calls it “2-step verification”) are most likely at the mercy of the security of their mobile provider. For example, AT&T users who have not assigned a PIN to their voicemail accounts are vulnerable to outsiders listening to their voice messages, simply by spoofing the caller ID so that it matches the target’s own phone number. Prince said his AT&T PIN was a completely random 24-digit combination (and here I thought I was paranoid with a 12-digit PIN).

“Working with Google we believe we have discovered the vulnerability that allowed the hacker to access my personal Gmail account, which was what began the chain of events,” Prince wrote in an update to the blog post about the attack. “It appears to have involved a breach of AT&T’s systems that compromised the out-of-band verification. The upshot is that if an attacker knows your phone number and your phone number is listed as a possible recovery method for your Google account then, at best, your Google account may only be as secure as your voicemail PIN.”

AT&T officials did not respond to requests for comment.

Continue reading

‘Flame’ Malware Prompts Microsoft Patch

June 4, 2012

Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East.

According to Microsoft, Flame tries to blend in with legitimate Microsoft applications by cloaking itself with an older cryptography algorithm that Microsoft used to digitally sign programs.

“Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” the company said in a blog posting today.

Mike Reavey, senior director for the Microsoft Security Response Center, said Microsoft isn’t so concerned about Flame, which is now well detected (finally) by antivirus programs, and appears to have spread to a very small number of select systems. Rather, the company is worried that other attackers and malware might leverage the same method to aid in phishing attacks and other schemes that impersonate Microsoft to gain user trust.

The update released this week (KB2718704) blocks software signed by these Terminal Server License Service certificates. Updates are available for virtually all supported versions of Microsoft Windows. The patch is currently being pushed out through Windows Update and Automatic Update.

Advertisement

House Committee to Probe e-Banking Heists

May 31, 2012

The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. It’s too bad the committee has already finalized its witness list: It likely would be shocked to hear the story of Tennessee Electric Company Inc., a firm that lost $328,000 earlier this month in an account takeover that defeated multiple security measures commonly used by commercial banks to stop cyber thieves.

Executives at the Kingsport, Tenn. based construction and maintenance contractor thought that the security procedures employed by their bank — one-time tokens and verbal approval for all transactions — would deter attackers. But they recently discovered how deftly today’s e-thieves can bypass such defenses.

The attack began sometime before May 9, when thieves stole the online banking credentials for Tennessee Electric, presumably with some type of malicious software such as the ZeuS Trojan. That morning, the company’s controller Jenni Smith logged into the firm’s account at the Web site of Tri-Summit Bank, entering her password and a one-time password generated by a key fob supplied by the bank. After Smith entered the information, however, her browser was redirected to a Web page stating that the bank’s site was down for maintenance and would be offline for about an hour.

But the thieves lurking on Smith’s PC intercepted that one-time password, used her connection to log on to the bank’s site, and redirected her browser to the fake maintenance page. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments to at least 50 “money mules,” willing or unwitting individuals scattered throughout the United States who were recruited to help the crooks funnel the funds out of the country.

Continue reading

White House Aims to Stoke Botnet Fight

May 29, 2012

The Obama administration will hold a public meeting at the White House on Wednesday to discuss industry and government efforts to combat botnet activity. Among those is a pilot program to share information about botnet victims between banks and Internet service providers, according to sources familiar with the event.

The gathering will draw officials from The White House, US Department of Commerce and Department of Homeland Security, as well as private-sector executives from an entity formed in February called the Industry Botnet Group. The IBG counts among its members trade associations, companies and privacy organizations that are working to create a voluntary model that ISPs can use to notify customers with infected computers.

Although a number of ISPs already notify customers of bot infections, there is no uniform method for reporting these events. Attendees at Wednesday’s meeting are expected to announce — among other things — an information sharing pilot between ISPs and financial institutions that are part of the Financial Services Information Sharing and Analysis Center, an industry consortium dedicated to disseminating data on cyber threats facing banks.

The pilot to be announced this week will draw on a nascent extension of IODEF, an Internet standard developed by the Anti-Phishing Working Group to share data about phishing attacks in a common format that can be processed automatically and across multiple languages. Continue reading

WHMCS Breach May Be Only Tip of the Trouble

May 24, 2012

A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries. According to information obtained by KrebsOnSecurity.com, for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software.

WHMCS is a suite of billing and support software used mainly by Web hosting providers. Following an extended period of downtime on Monday, the privately-owned British software firm disclosed that hackers had broken in and stolen 1.7 gigabytes worth of customer data, and deleted a backlog of orders, tickets and other files from the firm’s server.

The company’s founder, Matt Pugh, posted a statement saying the firm had fallen victim to a social engineering attack in which a miscreant was able to impersonate Pugh to WHMCS’s own Web hosting provider, and trick the provider into giving up the WHMCS’s administrative credentials.

“Following an initial investigation I can report that what occurred today was the result of a social engineering attack,” Pugh wrote. “The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.”

Meanwhile, WHMCS’s user forums have been and remain under a constant denial-of-service attack, and the company is urging customers to change their passwords.

As bad as things are right now for WHMCS, this rather public incident may be only part of the company’s security woes. For several years, I have been an unwelcome guest on an exclusive underground forum that I consider one of the few remaining and clueful hacking forums on the Underweb today. I’ve been kicked out of it several times, which is why I’m not posting any forum screenshots here.

Update, May 29, 12:35 p.m. ET: WHMCS just issued a patch to fix an SQL injection vulnerability that may be related to this 0day. See this thread from Pugh for more information.

Original post:

In February, a trusted and verified member of that forum posted a thread titled,” WHMCS 0-day,” saying he was selling a previously undocumented and unfixed critical security vulnerability in all version of WHMCS that provides direct access to the administrator’s password. From that hacker’s sales thread [link added]:

Continue reading

Google to Warn 500,000+ of DNS Changer Infections

May 22, 2012

Google plans today to begin warning Internet users if their computers show telltale signs of being infected with the DNSChanger Trojan. The company estimates that more than 500,000 systems remain infected with the malware, despite a looming deadline that threatens to quarantine the sick computers from the rest of the Internet.

Security experts won court approval last year to seize control of the infrastucture that powered the search-hijacking Trojan in a bid to help users clean up infections. But a court-imposed deadline to power down that infrastructure will sever Internet access for PCs that are not rid of the malware before July 9, 2012.

Google plans to serve this warning to more than 500,000 users to warn them of infections from the DNSChanger Trojan

The company said the warning (pictured above) will appear only when a user with an infected system visits a Google search results property (google.com, google.co.uk, etc.), and will include the message, “Your computer appears to be infected.” Google security engineer Damian Menscher said the company expects to notify approximately a half-million users in the first week of the notices.

“In general we want to notify users [of malware infections] anytime we are capable of doing so, but the fact that we don’t do this more often is really just because it’s hard to come across cases where we can do it this accurately,” Menscher said.  “In many cases we only have maybe a 90 percent confidence that someone is infected, and the false positive rate of 10 percent is simply too high to be feasible. But in this case we can be essentially certain that someone is infected.”

Continue reading

Adware Stages Comeback Via Browser Extensions

May 21, 2012

The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions designed to run across multiple Web browsers and operating systems.

An ad served by IWantThis! browser extension. Source: Wikimedia

In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware,” reads a blog post co-written by Philippe Beaudette, director of community advocacy at the Wikimedia Foundation.

The blog post named one example of a browser extension called “IWantThis!,” which is essentially spyware masquerading as adware. The description at the IWantThis! Web site makes it sound like a harmless plugin that occasionally overlays ads on third-party Web sites and helps users share product or online shopping wish lists with others. As I was researching this extension, I came across this helpful description of it at the DeleteMalware Blog, which points to the broad privacy policy that ships with this extension:

Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us. Continue reading

Global Payments Breach Now Dates Back to Jan. 2011

May 17, 2012

The data breach at Atlanta-based credit and debit card processor Global Payments just keeps getting bigger. Earlier this month, I reported that Visa and MasterCard were alerting banks that the breach extended back to June 2011. Now it appears the breach jeopardized cards processed by Global as far back as January 2011.

The latest disclosure, detailed in a story at BankInfoSecurity.com, now aligns with the timeline outlined by anonymous hackers who reached out to me after I broke the story on this breach back at the end of March. Global has disclosed relatively little about the breach, and has sought to downplay the severity of it. Initial reports suggested that more than 10 million card accounts were compromised in the breach, yet Global insists fewer than 1.5 million were taken. Recent reports by The Wall Street Journal put that figure closer to 7 million stolen card accounts.

Shortly after the breach, Global executives were complaining about “rumor and innuendo” in press reports about the incident. I borrowed that quote for the title of a follow-up blog post, which included claims from a hacker who told me he was reaching out because he felt Global was hiding the true extent of the breach. He told me that he was part of a group that had been inside of Global since just after the new year in 2011. From that story:

The hacker said the company’s network was under full criminal control from that time until March 26, 2012. “The data and quantities that was gathered [was] much more than they writed [sic]. They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threats.” He went on to claim that hackers had been capturing data from the company’s network for the past 13 months — collecting the data monthly — gathering data on a total of 24 million unique transactions before they were shut out.

Global has refused to comment further on the incident, referring people to a Web site with a series of Q&As for various parties potentially impacted by the breach. I guess only time will tell whether the hackers were right about the number of compromised transactions as well.

Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm

May 17, 2012

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google ChromeInternet Explorer, and Mozilla Firefox.  The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview.  “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites. Continue reading

Multiple Human Rights, Foreign Policy Sites Hacked

May 15, 2012

A rash of recent and ongoing targeted attacks involving compromises at high-profile Web sites should serve as a sobering reminder of the need to be vigilant about applying browser updates. Hackers have hit a number of prominent foreign policy and human rights group Web sites, configuring them to serve spyware by exploiting newly patched flaws in widely used software from Adobe and Oracle.

The latest reports of this apparent cyberspy activity come from security experts at Shadowserver.org, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”

A diagram depicting the (since-cleaned) attack on the Website of the Center for Defense Information.

One look at the list of the sites found to be currently serving an exploit to attack a newly-patched Adobe Flash Player vulnerability (CVE-2012-0779) shows how that shorthand is earned. Shadowserver uncovered Flash exploits waiting for visitors of the Web sites for Amnesty International Hong Kong and the Center for Defense Information, a Washington, D.C. think-tank. The home page for the International Institute for Counter-Terrorism was found to be serving up malware via a recent Oracle Java vulnerability (CVE-2012-0507), while the Cambodian Ministry of Foreign Affairs site was pointing to both Flash and Java exploits.

“In recent months we have continued to observe 0-day vulnerabilities emerging following discovery of their use in the wild to conduct cyber espionage attacks,” wrote Shadowserver volunteers Steven Adair and Ned Moran, in a blog post about the attacks, which they dubbed “strategic Web compromises.”

“Frequently by the time a patch is released for the vulnerabilities, the exploit has already been the wild for multiple weeks or months — giving the attackers a very large leg up,” they wrote. “The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.”

The discoveries come just days after security vendor Websense found that the site for Amnesty International United Kingdom (AIUK)  was hosting the same Java exploit. According to Shadowserver, other sites that were compromised by remarkably similar attacks but since cleaned include those belonging to the American Research Center in Egypt, the Institute for National Security Studies, and the Center for European Policy Studies.

Continue reading