Flying the Fraudster Skies

January 11, 2012

Given the heightened security surrounding air travel these days, it may be hard to believe that fraudsters would try to board a plane using stolen tickets. But incredibly, there are a number of criminal travel agencies doing business in the underground, and judging from the positive feedback left by patrons, business appears to be booming.

Ad above says: Maldives Turkey Goa Bora-Bora, Carribes, Any country, any hotels and resorts of the world.

The tickets often are purchased at the last minute and placed under the criminal buyer’s real name. The reservations are made using either stolen credit cards or hijacked accounts belonging to independent contractors in the travel industry.  Customers are charged a fraction of the cost of the tickets and/or reservations, typically between 25 and 35 percent of the actual cost.

Criminal travel services are contributing to a recent spike in airline ticket fraud. In December, the Airlines Reporting Corporation, an industry clearinghouse, said it was seeing a marked increase in unauthorized tickets issued. Between August and November of last year, 113 incidents of fraudulently booked tickets were reported to ARC, up from just 18 such incidents reported in all of 2010. The aggregate face value of the unauthorized tickets in 2011 was more than $1 million. The ARC believes the increase in fraud is mainly due to an surge in phishing emails targeting travel agency employees and contractors.

Some of the travel agencies in the criminal underground are full-service, pitching package deals that  include airfare, car rentals and even hotel stays. A hacker using the nickname “Yoshimo” on one prominent fraudster forum offers “80-95 percent working flight tickets in most countries (some restrictions apply),” for 25 percent of the original price, and 40 percent of the price for carded hotel stays and car rentals. He has been offering this service for more than two years, and has at least 275 positive reviews from current and former customers.

Continue reading

Adobe, Microsoft Issue Critical Security Fixes

January 10, 2012

Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their  products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.

Microsoft released seven security bulletins addressing at least eight vulnerabilities in Windows. The lone “critical” Microsoft patch addresses a pair of bugs in Windows Media Player. Microsoft warns that attackers could exploit these flaws to break into Windows systems without any help from users; the vulnerability could be triggered just by browsing to a site that hosts specially crafted video content.

Continue reading

Advertisement

Virtual Sweatshops Defeat Bot-or-Not Tests

January 9, 2012

Jobs in the hi-tech sector can be hard to find, but employers in one corner of the industry are creating hundreds of full-time positions, offering workers on-the-job training and the freedom to work from home. The catch? Employees will likely toil for cybercrooks, and their weekly paychecks may barely cover the cost of a McDonald’s Happy Meal.

Kolotibablo.com home page

The abundance of these low-skilled, low-paying jobs is coming from firms that specialize in the shadowy market of mass-solving CAPTCHAs, those blurry and squiggly words that some websites force you to retype. One big player in this industry is KolotiBablo.com, a service that appeals to spammers and exploits low cost labor in China, India, Pakistan, and Vietnam.

KolotiBablo, which means “earn money” in transliterated Russian, helps clients automate the solving of puzzles designed to prevent automated activity by bots, such as leaving spammy comments or mass-registering accounts at Webmail providers and social networking sites. The service offers an application programming interface (API) that allows clients to feed kolotibablo.com CAPTCHAs served in real time by various sites, which are then solved by KolotiBablo workers and fed back to the client’s system.

Paying clients interface with the service at antigate.com, a site hosted on the same server as kolotibablo.com. Antigate charges clients 70 cents to $1 for each batch of 1,000 CAPTCHAs solved, with the price influenced heavily by volume. KolotiBablo says employees can expect to earn between $0.35 to $1 for every thousand CAPTCHAs they solve.

The twin operations say they do not condone the use of their services to promote spam, or “all those related things that generate butthurt for the ‘big guys,'” mostly likely a reference to big free Webmail providers like Google and Microsoft. Still, both services can be found heavily advertised and recommended in several underground forums that cater to spammers and scam artists.

Registered antigate.com users can read more about why customers typically purchase the service, and how KolotiBablo is run. From the description:

“All CAPTCHAs in our service are completely solved by real humans, there are usually 500-1000 (and growing) workers online from all the world. That’s why we can process any CAPTCHAs at any volume for a fixed price $1 per 1000 CAPTCHAs.

You may probably think that using human resource inappropriate or inhumane. However, keep in mind that we pay the most of collected money to our workers who sit in the poorest corners of our planet and this work gives them a stable ability to buy food, clothes for themselves and their families. Most of our staff is from China, India, Pakistan and Vietnam.”

Continue reading

Pharma Wars: Mr. Srizbi vs. Mr. Cutwail

January 5, 2012

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

Continue reading

Pharma Wars: ‘Google,’ the Cutwail Botmaster

January 1, 2012

Previous stories in my Pharma Wars series have identified top kingpins behind the some of the biggest spam botnets. Today’s post does that and more, including never-before-published information on “Google,” the lead hacker behind the world’s busiest spam botnet — Cutwail.

December 2011 spam stats from M86Security

For many years, Cutwail has been among the top three most prolific spam botnets. With the recent takedown of the Rustock botnet, Cutwail now is the top spam bot; according to M86 Security, versions of Cutwail are responsible for about 22 percent of the daily spam volumes worldwide.

Security researchers have extensively dissected the technical machinery that powers Cutwail (a.k.a. “Pushdo” and “Pandex”), but until now little has been published about the brains behind it. Krebs On Security has learned that the individual principally responsible for developing and renting this crime machine to other miscreants was a top moneymaker for SpamIt, until recently the world’s largest rogue Internet pharmacy affiliate program.

By the time he joined SpamIt in early 2007, the hacker named Google had already spent several years fine-tuning his spam botnet. Just months prior to its closure in Oct. 2010, SpamIt was hacked, and its customer and affiliate data leaked online. The data shows that Google used close to a dozen affiliate accounts at SpamIt, and made nearly $175,000 in commissions advertising SpamIt’s rogue online pharmacies with the help of Cutwail.

But Google would make far more money renting his botnet to other spammers, and SpamIt affiliates quickly became his biggest client base. Interestingly, the proprietors of SpamIt initially asked for Google’s help not to spam rogue pharmacies, but to jump-start a new affiliate program called Warezcash to sell “OEM” software — mostly pirated copies of Microsoft Windows and other high-priced software titles.

That relationship is evident from hundreds of chat logs between Google and SpamIt co-founder Dmitry “Saintd” Stupin. The conversations were part of thousands of hours of logs obtained by Russian cybercrime investigators who examined Stupin’s computer. The chats were later leaked online, and provide a rare glimpse into the day-to-day operations of Cutwail from the botmaster’s perspective. They also provide tantalizing clues as to the real-life identity of Google and his co-workers. Snippets of those conversations appear below, translated from their original Russian into English by native Russian speakers.

THE CUTWAIL MACHINE

Some of the best techical analysis of Cutwail came earlier this year in a paper from researchers at the University of California, Santa Barbara and Ruhr-University Bochum, which described in detail how the Cutwail botnet was operated, rented and promoted on the exclusive SpamIt forums. From their paper (PDF):

“The Cutwail spam engine is known in spam forums by the name 0bulk Psyche Evolution, where it is rented to a community of spam affiliates. These affiliates pay a fee to Cutwail botmasters in order to use their botnet infrastructure. In return, the clients are provided with access to a Web interface (available in Russian or English language) that simplifies the process of creating and managing spam campaigns…”

SpamIt affiliate records show that Google registered with the program using the email address psyche.evolution@gmail.com (according to historical WHOIS records, the domain name psyche-evolution.com was registered in 2005 by that same email address, to an organizations called “0bulk corp.” in Moscow).

In several chats with Stupin, Google describes how he and his pals switched to pharmacy spamming when promoting stocks via spam became less lucrative. In a discussion on Feb. 25, 2007, Google said he was “renting software for spam,” to competing spam affiliate programs “Mailien,” “Bulker,” and “Aff Connection,” and that all of his clients had great success converting traffic into sales. “We have been spamming stocks, however now stocks started converting badly, so we decided to spam in parallel with some affiliate programs. We organized people, gave them tasks to do. We’ve been spamming them for a week only, but I think we’ll do good.”

Continue reading

New Tools Bypass Wireless Router Security

December 29, 2011

Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.

At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.

But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.

One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.

Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.

“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in a instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”

Continue reading

Happy 2nd Birthday, KrebsOnSecurity.com!

December 29, 2011

I’m taking a short break from some year-end downtime to observe that KrebsOnSecurity.com turns two years old today!

This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site.

My research and reporting involved more than a dozen public speaking events around the globe in 2011. The highlights of my work-related travel included trips to Austria, Canada, Poland, Russia, and The Netherlands. 2012 promises more interesting destinations.

When I founded Krebs On Security LLC in late 2009, I had no idea if it would work out. This past year, I’ve respectfully turned down some very flattering offers to work at important publications. The money and (apparent) stability those opportunities held out were certainly enticing, but I’m having way too much fun on my own, and today I can scarcely imagine doing anything else.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you.

In case you missed them, here are some of the most-read investigative stories on KrebsOnsecurity.com from 2011:

Russian Cops Crash Pill Pusher Party

SpamIt, Glavmed Pharmacy Networks Exposed

Is Your Computer Listed “For Rent”?

Rent-a-Bot Networks Tied to TDSS Botnet

Who’s Behind the TDSS Botnet?

Gang Used 3D Printers for ATM Skimmers

Digital Hit Men for Hire

Beware of Juice-Jacking

Coordinated ATM Heists Net Thieves $13 Million

Rustock Botnet Suspect Sought Job at Google

Apple Took 3+ Years to Fix FinFisher Trojan Hole

Advanced Persistent Tweets: Zero-Day in 140 Characters

Pro-Grade (3D-Printer Made?) ATM Skimmer

How Much is Your Identity Worth?

Amnesty International Site Serving Java Exploit

December 22, 2011

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.

The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil.  The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.

A woman who answered the phone this morning at Amnesty International’s research and policy branch in the U.K. declined to give her name, but said she would pass on the information about the break-in. The site remains compromised.

This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack.  In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability.  Continue reading

Busy Signal Service Targets Cyberheist Victims

December 20, 2011

A new service on the cyber criminal underground can be hired to tie up the phone lines of any targeted mobile or land line around the world. The service is marketed as a diversionary tactic to assist e-thieves in robbing commercial customers of banks that routinely call customers to verify large financial transfers.

For just $5 an hour, or $40 per day, you can keep anyone’s phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.

The seller offers discounts for frequent buyers of his service, and promises that each call to the targeted number will appear to come from a unique phone number, thereby foiling any efforts to block the bogus calls by caller ID. The vendor also is offering this service under escrow payment, which many fraud forums use to ensure both parties to a transaction are happy before payment is rendered.

The FBI first warned about these attacks in June 2010, advising that that receiving rapid-fire “dead air” calls could be a sign that your bank account is being emptied. From that advisory:

“Denial-of-service attacks, by themselves, are nothing new—computer hackers use them to take down websites by flooding them with large amounts of traffic.”

“In a recent twist, criminals have transferred this activity to telephones, using automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens.”

“Why are they doing it? Turns out the calls are simply a diversionary tactic: while the lines are tied up, the criminals—masquerading as the victims themselves—are raiding the victims’ bank accounts and online trading or other money management accounts.”

Continue reading

NY ID Theft Ring Used Insiders, Gang Members

December 16, 2011

Authorities in Manhattan today unsealed indictments against 55 people suspected of operating an identity theft and financial fraud ring, including a number of insiders at banks and companies throughout New York who allegedly helped to steal more than $2 million from hundreds of customers and clients.

Prosecutors say the 18-month-long investigation is notable because it underscores the ways in which traditional street crooks are moving their activity online: New York authorities maintain that more than a dozen of the defendants have violent criminal records and belong to different street gangs in Brooklyn.

At the center of the alleged conspiracy are employees at New York institutions that had access to large amounts of sensitive consumer and business data. Among those being arraigned today in a New York state court are JP Morgan Chase employees Karen Chance, Mercy Adebandjo and Joanna Gierczack; Tracey Nelson, an employee of the United Jewish Appeal-Federation; Roberto “Robbie” Millar, a car salesman for Open Road-Audi in Brooklyn; and Nicola Bennett, a compliance officer employed by AKAM Associates Inc., a residential property management company.

“These insiders used their positions to gain access to client data, and then sold that data to make money for themselves and their accomplices,” District Attorney Cyrus Vance Jr. said in a written statement. “We will continue to work with our partners to build significant cases to disrupt identity theft and dismantle these criminal organizations.”

The indictments allege that middlemen named in the conspiracy purchased personal information on customers and donors from Nelson and Millar, and then either re-sold the data or used it themselves to commit fraudulent financial transactions.

Prosecutors also charge that the Chase employees abused their access to steal personal data on account holders, and sold the information to counterfeit check makers and to individuals who specialized in setting up and executing fraudulent bank transfers.

Some of the defendants are alleged to have recruited other indicted members for the purpose of using their bank accounts to conduct fraudulent transactions. Prosecutors say the recruiters played a dual role: trafficking in stolen personal information bought from others, and recruiting people to provide bank accounts through which they could commit fraud.

These so-called “collusive account holders” — effectively complicit money mules — make up the bulk of the individuals named in the indictments. New York authorities charge that when defendants wanted to withdraw money quickly from collusive accounts, they purchased US Postal Service money orders with the debit cards linked to the accounts.

The indictments state that some the defendants arraigned today used automated systems set up by Citibank and TD Bank to change the personal information on ID theft victims’ bank records, including the victims’ contact address, phone numbers and email addresses.

For example, prosecutor alleged that one of the defendants,  Josiah “Pespi” Boatwains, would request that stolen credit cards be mailed to an address where a co-conspirator Richard Ramos, an employee at United Parcel Service (UPS) would intercept the cards on Boatwain’s behalf in exchange for money.

Boatwains and two other defendants allegedly then used those stolen cards to purchase luxury items that other defendants sold to co-conspirators named in the indictments. Other defendants allegedly used hijacked credit card account numbers to make online purchases buying airline tickets, movie ticket, credit reports, pizza and iTunes products.

A statement of facts filed with the New York State Supreme Court notes that there is a large amount of violent activity that surrounds the defendants in this case. The statement reads:

“During the course of our investigation 2 targets of the investigation were murdered. One of the deceased was brutally murdered. When his body was found by the police, they recovered personal identifying information of victims linked to our case. Specifically, on his person, a copy of a check was found that was from one of our identity theft victims that had donated to the United Jewish Appeal.” Continue reading