New Java Exploit to Debut in BlackHole Exploit Kits

July 5, 2012
44 Comments

Malicious computer code that leverages a newly-patched security flaw in Oracle’s Java software is set to be deployed later this week to cybercriminal operations powered by the BlackHole exploit pack. The addition of a new weapon to this malware arsenal will almost certainly lead to a spike in compromised PCs, as more than 3 billion devices run Java and many of these installations are months out of date.

I first learned about the new exploit from a KrebsOnSecurity reader named Dean who works in incident response for a financial firm. Dean was trying to trace the source of an infected computer in his network; he discovered the culprit appeared to be a malicious “.jar” file. A scan of the jar file at Virustotal.com showed that it was detected by just one antivirus product (Avira), which flagged it as “Java/Dldr.Lamar.BD”. The description of that threat says it targets a Javas vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5.

The attack may be related to an exploit published for CVE-2012-1723 in mid-June by Michael ‘mihi’ Schierl. But according to the current vendor of the BlackHole exploit pack, the exact exploit for this vulnerability has only been shared and used privately to date. Reached via instant message, the BlackHole author said the new Java attack will be rolled into a software update to be made available on July 8 to all paying and licensed users of BlackHole.

Continue reading

Who Says Email Is Eating at Postal Revenues?

July 3, 2012
19 Comments

Shadowy online businesses that sell knockoff prescription drugs through spam and other dodgy advertising practices have begun relying more heavily on the U.S. Postal Service to deliver prescription drugs to buyers in the United States direct from warehouses or mules within the U.S. The shift comes as rogue online pill shops are seeking ways to lower shipping costs, a major loss leader for most of these operations.

An ad for Rx-Parners pill shop that ships from the US.

Traditionally, a majority of the counterfeit pills advertised and sold to Americans online have shipped from India. But the process of getting the pills from India to customers in the United States is so expensive and fraught with complications that it has proved to be a big cost center for the largest rogue pharmaceutical operations, according to a study I wrote about last month.

“One of the surprising things we found was that shipping dominates program costs,” said Stefan Savage, one of the lead authors on the study, and a professor in the systems and networking group at the University of California San Diego.

The researchers discovered that most rogue pharmacy operations spend between 11 to 12 percent of their annual revenue on shipping costs. Part of the reason for the high cost is that pill shipments from India and elsewhere outside of the United States frequently get delayed or confiscated by U.S. Customs officials. This forces the rogue pharmacies to either refund the customer’s money, or to eat the costs of re-shipping the pills.

Increasingly, however, some of the largest spam affiliate programs are delivering some of their most popular drugs — including erectile dysfunction pills and everything from Accutane to Cipro and Diflucan and Plavix — direct to U.S. buyers from shipping locations within the United States.

“This is why you see pharmacy outfits like RX-Partners, Mailien and Stimulcash picking the most popular drugs and warehousing them in the United States so they can do USPS shipping through mules,” Savage said.

Continue reading

Advertisement

How to Break Into Security, Schneier Edition

July 2, 2012
41 Comments

Last month, I published the first in a series of advice columns for people who are interested in learning more about security as a craft or profession. In this second installment, I asked noted cryptographer, author and security rock star Bruce Schneier for his thoughts.

Schneier: I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.

First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

  • Study: Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books out there — and blogs — that teach different aspects of computer security. Don’t limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.
  • Do: Computer security is fundamentally a practitioner’s art, and that requires practice. This means using what you’ve learned to configure security systems, design new security systems, and — yes — break existing security systems. This is why many courses have strong hands-on components; you won’t learn much without it.
  • Show: It doesn’t matter what you know or what you can do if you can’t demonstrate it to someone who might want to hire you. This doesn’t just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books.

Continue reading

Secunia’s Auto-patching Tool Gets Makeover

June 29, 2012
54 Comments

Vulnerability management firm Secunia has shipped a new version of its auto-patching tool — Personal Software Inspector 3.0 – a program for Windows users that can drastically simplify the process of keeping up-to-date with security patches for third-party software applications.

The final release of PSI 3.0 supports programs from more than 3,000 software vendors, and includes some key changes that address shortcomings identified in the beta version that I highlighted back in February.

The 3.0 version of PSI still keeps auto-patching on by default at installation, although users can uncheck this box and choose to manually install all available updates for third-party programs. Unlike the beta version — which was radically devoid of tweakable options and settings — the version released this week provides a more configurable interface that should be more appealing to longtime users of this tool.

Users also can review the history of installed updates, and select which hard drives should be scanned, options absent from the beta release. PSI 3.0 also lets users create rules that tell the software to ignore updates for particular programs.

Overall, the new PSI strikes a fair balance between configurability and ease-of-use, and is a notable improvement over the beta version. However, I had trouble with the program after installing it on my test machine — a Windows 7 64-bit machine with 8 GB of memory. The program seemed to get stuck on scanning for updates, and for an excruciating eight minutes or so the software sucked up most of my machine’s available memory and processing power. The only way I could get my system back to normal was to reboot the system.

Continue reading

DNSChanger Trojan Still in 12% of Fortune 500

June 28, 2012
15 Comments

In about two weeks, hundreds of thousands of computer users are going to learn the hard way that failing to keep a clean machine comes with consequences. On July 9, 2012, any systems still infected with the DNSChanger Trojan will be summarily disconnected from the rest of the Internet, and the latest reports indicate this malware is still resident on systems at 12 percent of Fortune 500 companies, and roughly four percent of U.S. federal agencies.

DNChanger chronology. Source: InternetIdentity

In a bid to help users clean up infections, security experts won court approval last year to seize control of the infrastructure that powered the search-hijacking Trojan. But a court-imposed deadline to power down that infrastructure will sever Internet access for PCs that are not rid of the malware before July 9, 2012.

According to Internet Identity, 12 percent of all Fortune 500 companies and four percent of “major” U.S. federal agencies are still infected (a link to Internet Identity’s full infographic is here). The latest stats from the DNSChanger Working Group, an industry consortium working to eradicate the malware, more than 300,000 systems are still infected.

That number is likely conservative: The DCWG measures infections by Internet protocol (IP) addresses, not unique systems. Because many systems that are on the same local network often share the same IP address, the actual number of DNSChanger-infected machines is probably quite a bit higher than 300,000.

Continue reading

‘Carderprofit’ Forum Sting Nets 26 Arrests

June 26, 2012
21 Comments

The U.S. Justice Department today unveiled the results of a two-year international cybercrime sting that culminated in the arrest of 26 people accused of trafficking in hundreds of thousands of stolen credit and debit card accounts. Among those arrested was an alleged core member of “UGNazi,” a malicious hacking group that has claimed responsibility for a flood of recent attacks on Internet businesses.

The carding forum Carderprofit.cc was an FBI sting operation.

Federal officials are calling the operation the largest coordinated international law enforcement action in history directed at “carding” crimes, in which the Internet is used to traffic in and exploit the stolen credit card, bank account and other personal information of hundreds of thousands of victims.

According to documents released by the Justice Department, the sting — dubbed “Operation Card Shop” — began in June 2010, when the FBI established an undercover carding forum called “CarderProfit” (carderprofit.cc) to identify users who were buying and selling stolen credit card accounts and goods purchased with stolen accounts.

The FBI kept track of Internet addresses used by forum members, and used members’ login information to gather additional information about registered users. The agency tightened the noose in May 2012, when it began imposing new membership requirements to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity.

“For example, at times, new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site, or unless they paid a registration fee,” the government said in a statement about today’s arrests. “New users registering with the [undercover] site were required to provide a valid e- mail address as part of the registration process. The e-mail addresses entered by registered members of the site were collected by the FBI.”

Carderprofit.cc as it appears now.

Meanwhile, the feds were collecting stolen credit and debit card accounts that were being traded by forum members, and feeding the information back to issuing banks. The Justice Department said it contacted affected financial institutions regarding more than 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.

Continue reading

Bank Settles With Calif. Cyberheist Victim

June 26, 2012
20 Comments

A California escrow firm that sued its bank last year after losing nearly $400,000 in a 2010 cyberheist has secured a settlement that covers the loss and the company’s attorneys fees. The settlement is notable because such cases typically favor the banks, and litigating them is often prohibitively expensive for small- to mid-sized businesses victimized by these crimes.

In March 2010, organized computer crooks stole $465,000 from Redondo Beach, Calif. based Village View Escrow Inc., sending 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with the firm. The escrow firm clawed back some of the stolen funds — $72,000 — but that still left Village View with a $393,000 loss, forcing the company’s owner to take out a personal loan at 12 percent interest to cover the loss of customer funds).

In June 2011, Village View sued its financial institutionProfessional Business Bank — arguing that the bank was negligent because it protected customer accounts solely with usernames and passwords. Last week, Village View announced that it had reached a settlement with its bank to recover more than just the full amount of the funds taken from the account plus interest for Village View Escrow.

Kim Dincel, a shareholder at Silicon Valley Law Group, which represented the plaintiffs, said the Uniform Commercial Code and its corresponding California Commercial Code limits the damages resulting from wire transfer fraud to only the actual amount of money lost plus interest – nothing more.  Common law claims such as negligence, breach of contract and fraud, and the damages that attached to them, are generally precluded from being asserted by a victim of wire transfer fraud in a lawsuit involving wire transfer fraud, he added.

“Banks typically deny liability for the cyber-theft which forces small businesses to spend money they do not have on legal fees and regulatory expenses in order to recover a limited and defined set of damages under the Uniform Commercial Code (UCC),” Dincel said in a prepared statement released Monday.

The Bank of Manhattan, which acquired Professional Business Bank last month, did not return calls seeking comment.

Continue reading

How to Break Into Security, Ptacek Edition

June 25, 2012
58 Comments

At least once a month, sometimes more, readers write in to ask how they can break into the field of computer security. Some of the emails are from people in jobs that have nothing to do with security, but who are fascinated enough by the field to contemplate a career change. Others are already in an information technology position but are itching to segue into security. I always respond with my own set of stock answers, but each time I do this, I can’t help but feel my advice is incomplete, or at least not terribly well-rounded.

I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject. Today is the first installment in a series of responses to this question. When the last of the advice columns have run, I’ll create an archive of them all that will be anchored somewhere prominently on the home page. That way, the next time someone asks how they can break into security, I’ll have more to offer than just my admittedly narrow perspectives on the matter.

Last month, I interviewed Thomas Ptacek, founder of Matasano Security, about how companies could beef up password security in the wake of a week full of news about password leaks at LinkedIn and other online businesses. Ptacek’s provocative advice generated such a huge amount of reader interest and further discussion that I thought it made sense to begin this series with his thoughts:

Ptacek: “Information security is one of the most interesting, challenging, and, if you do it carefully, rewarding fields in the technology industry. It’s one of the few technology jobs where the most fun roles are well compensated. If you grew up dreaming of developing games, the laws of supply and demand teach a harsh lesson early in your career: game development jobs are often tedious and usually pay badly. But if you watched “Sneakers” and ideated a life spent breaking or defending software, great news: infosec can be more fun in real life, and it’s fairly lucrative. Continue reading

PharmaLeaks: Rogue Pharmacy Economics 101

June 22, 2012
39 Comments

Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world’s largest rogue pharmacy operations.

Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discretely available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day.

Their conclusion? Spam — and all of its attendant ills — will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.

“The market for spam-advertised drugs is not even close to being saturated,” said Stefan Savage, a lead researcher in the study, due to be presented early next month at the 21st USENIX security conference in Bellevue, Wash. “The number of new customers these programs got each day explains why people spam: Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”

The researchers found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27% and 38% of average program revenue for GlavMed and SpamIt, respectively; for Rx-Promotion, revenue from repeat orders was between 9% and 23% of overall revenue.

“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”

Whether the placebo effect is something that often applies with the consumption of erectile dysfunction drugs is not covered in this research paper, but ED drugs were by far the largest category of pills ordered by customers of all three pharmacy programs.

One interesting pattern that trickled out of the Rx-Promotion data underscores what made this pharmacy affiliate unique and popular among repeat buyers: A major portion of its revenues was generated through the sale of drugs that have a high potential for abuse and are thus tightly controlled in the United States, including opiates and painkillers like Oxycodone, Hydrocodone, and mental health pills such as Adderall and Ritalin. The researchers noticed that although pills in this class of drugs — known as Schedule II in U.S. drug control parlance — comprised just 14 percent of orders for Rx-Promotion, they accounted for nearly a third of program revenue, with the Schedule II opiates accounting for a quarter of revenue.

“The fact that such drugs are over-represented in repeat orders as well (roughly 50 percent more prevalent in both Rx-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand,” the researchers wrote.

Continue reading

A Closer Look: Email-Based Malware Attacks

June 21, 2012
88 Comments

Nearly every time I write about a small- to mid-sized business that has lost hundreds of thousands of dollars after falling victim to a malicious software attack, readers want to know how the perpetrators broke through the victim organization’s defenses, and which type of malware paved the way. Normally, victim companies don’t know or disclose that information, so to get a better idea, I’ve put together a profile of the top email-based malware attacks for each day over the past month.

Top malware email attacks in past 30 days. Source: UAB

This data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham, a school I visited last week to give a guest lecture and to gather reporting for a bigger project I’m chasing. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the percentage of antivirus products that detected the malware as hostile.

As the chart I compiled above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include Amazon.com, the Better Business Bureau, DHL, Facebook, LinkedIn, PayPal, Twitter and Verizon Wireless.

Also noticeable is the lack of antivirus detection on most of these password stealing and remote control Trojans. The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.

Continue reading