Are You on the Pwnedlist?

November 2, 2011
36 Comments

2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called pwnedlist.com lets users check to see if their email address or username and associated information may have been compromised.

Pwnedlist.com is the creation of Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint. Enter a username or email address into the site’s search box, and it will check to see if the information was found in any of these recent public data dumps.

Puzic said the project stemmed from an effort to harvest mounds of data being leaked or deposited daily to sites like Pastebin and torrent trackers.

“I was trying to harvest as much data as I could, to see how many passwords I could possibly find, and it just happened to be that within two hours, I found about 30,000 usernames and passwords,” Puzic said. “That kind of got me thinking that I could do this every day, and if I could find over one million then maybe I could create a site that would help the everyday user find if they were compromised.”

Pwnedlist.com currently allows users to search through nearly five million emails and usernames that have been dumped online. The site also frequently receives large caches of account data that people directly submit to its database. Puzic said it is growing at a rate of about 40,000 new compromised accounts each week.

Puzic said information contained in these data donations often make it simple to learn which organization lost the information.

“Usually, somewhere in the dump files there’s a readme.txt file or there’s some type of header made by hacker who caused the breach, and there’s an advertisement about who did the hack and which company was compromised,” Puzic said. “Other times it’s really obvious because all of the emails come from the same domain.”

Puzic said Pwnedlist.com doesn’t store the username, email address and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. As a result, a “hit” on any searched email or username only produces a binary “yes” or “no” answer about whether any hashes matching that data were found. It won’t return the associated password, nor does it offer any clues about from where the data was leaked.

Continue reading

Jailed ChronoPay Co-Founder Denied Bail

November 1, 2011
13 Comments

A Moscow court on Monday denied bail for Pavel Vrublevsky, a Russian businessman who was charged earlier this year with hiring hackers to launch costly online attacks against his rivals. The denial came even after Vrublevsky apparently admitted his role in the attacks, according to Russian news outlets.

Vrublevsky in 2004

Vrublevsky, 32, is probably best known as the co-founder of ChronoPay, a large online payment processor in Russia. He was arrested in June after Russian investigators secured the confession of a man who said he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. The former ChronoPay executive reportedly wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Aeroflot’s processing systems faltered for several days in the face of the attack, an outage that Aeroflot says cost the company about a million dollars a day.

Vrublevsky’s lawyers asked the court to release him pending a trial in December — offering to pay 30 million rubles (~ USD $1 million) — but the court denied the request.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay last year indicate Vrublevsky co-ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Vrublevsky and Gusev have been locked in an increasingly heated and public battle to ruin the others’ business, a saga that I have chronicled in an ongoing series: Pharma Wars.

Continue reading

Advertisement

Turning Hot Credit Cards into Hot Stuff

October 31, 2011
12 Comments

Would that all cybercriminal operations presented such a tidy spreadsheet of the victim and perpetrator data as comprehensively as profsoyuz.biz, one of the longest-running criminal reshipping programs on the Internet.

Launched in 2006 under a slightly different domain name, profsoyuz.biz is marketed on invite-only forums to help credit card thieves “cash out” compromised credit and debit card accounts by purchasing and selling merchandise online. Most Western businesses will not ship to Russia and Eastern Europe due to high fraud rates in those areas. Underground businesses like Profsoyuz hire Americans to receive stolen merchandise and reship it to those embargoed regions. Then they charge vetted customers for access to those reshipping services.

Below is a screen shot of the administrative interface for Profsoyuz, which shows why its niche business is often called “Drops for Stuff” on the underground. The “Дроп” or “Drop” column lists Americans who are currently reshipping packages for the crime gang; the “Стафф” or “Stuff” column shows the items that are being purchased and reshipped with stolen credit card numbers.

Profsoyuz reshipping service admin panel.

The column marked “Холдер” or “Holder” indicates the cardholder — the name on the stolen credit card account that was used to purchase the stuff being sent to the drops. I rang Laura Kowaleski, listed as the person whose credit card was fraudulently used on Oct. 11, 2011 to buy a Star Wars Lego set for $189, plus $56 in shipping. She told me I reached her while she was in the process of filing a police report online, after reporting the unauthorized charge to her credit card company.

The Lego set was sent via FedEx to Oscar Padilla, a 37-year-old from Los Angeles. Padilla said he believed he was working for Transit Air Cargo Inc. (transitair.com), a legitimate shipping company in Santa Ana, Calif., and that he got hired in his current position after responding to a job offer on careerbuilder.com. However, the Web site used by the company that recruited him was transitac.com.

Continue reading

Chasing APT: Persistence Pays Off

October 27, 2011
30 Comments

The IT director for an international hedge fund received the bad news in a phone call from a stranger: Chinese hackers were running amok on the fund’s network. Not seeing evidence of the claimed intrusion, and unsure about the credibility of the caller, the IT director fired off an email to a reporter.

“So do you think this is legit, or is the guy trying to scare us?” the IT director asked in an email to KrebsOnSecurity.com, agreeing to discuss the incident if he and his company were not named. “He has sent me the logs for the connections to the infected server. I checked the firewall and am not seeing any active connections.”

The call, from Hermes Bojaxhi of Columbia, Md. based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), was indeed legit, and a follow-up investigation by the hedge fund revealed that at least 15 PCs within the financial services company were compromised and were sending proprietary information to the attackers.

CyberESI knew about the incident because it was monitoring several hacked, legitimate servers that the attackers were using to siphon data from multiple victims. Bojaxhi said the hedge fund notification was one of several he made that week to Fortune 500 companies that also had been hacked and were communicating with the same compromised servers.

And it wasn’t his first call to the hedge fund.

“On that particular victim, I tried to reach out to them a month prior, but I was handed off to an administrative assistant,” Bojaxhi said. “We had 25 [victim organizations] to call that day. But when they popped back up on the radar a month later, I tried again.”

The hedge fund incident illustrates the complexities of defending against and detecting targeted attacks, even when victims are alerted to the problem by an outside party.

Joe Drissel, founder and CEO for CyberESI, said too many companies think of cyberattacks as automated threats that can be blocked with the proper mix of hardware and software.

“So many firms are stuck in a paradigm of drive-bys, not targeted attacks,” Drissel said. “There seems to be a real disconnect with what’s really happening on a daily basis. We’re trying to fight an asymmetrical war in a symmetrical way, sort of like we’re British soldiers [in Revolutionary War], all walking in line and they’re picking us off one by one. By the time we turn around and aim, they’re already gone.”

None of the first three Trojans installed on the hedge fund’s computers were initially detected by any of the 42 anti-virus products bundled into the scanning tools at Virustotal.com.

Drissel said victims that his company notifies sometimes mistakenly think his firm is involved in the attack, or that they’re somehow joking.

“One guy laughed and said, ‘Thank you for watching out for our company,’ but he didn’t call us back,” Drissel said of a conversation with a victim earlier this year, declining to name the victim. “We watched [the attackers] exfiltrate weapons systems data for the Defense Department out of their systems, and ended up having to text the same guy a file stolen off their servers. Fifteen minutes later, we got a call back from him, and they unplugged their entire corporate network.”

Some say that the attacks CyberESI notifies companies about — often referred to as the advanced persistent threat (APT) —  are over-hyped, and that the malware and exploits used in these incursions usually aren’t that sophisticated. APT attacks also are frequently associated with targets in the U.S. government and companies in the defense industry.

But most APT attackers tend to be only as sophisticated as they need to be, which often isn’t too sophisticated, said Gavin Reid, senior manager of Cisco’s computer security incident response team. Speaking at a conference in Warsaw, Poland this week, Reid said successful APT attacks need not use zero-day software flaws.

“People will say, ‘Well, this attack wasn’t very advanced, so it can’t be APT’, but I will tell you the folks who are behind some of this stuff are not going to use cool zero-day stuff if they can go in the underground economy and say, ‘Hey, I need [access to] an infected machine in this organization,’ and pay $50 in Paypal in order to get that,” Reid said.

Continue reading

Who Else Was Hit by the RSA Attackers?

October 24, 2011
94 Comments

The data breach disclosed in March by security firm RSA received worldwide attention because it highlighted the challenges that organizations face in detecting and blocking intrusions from targeted cyber attacks. The subtext of the story was that if this could happen to one of the largest and most integral security firms, what hope was there for organizations that aren’t focused on security?

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit.  Today’s post features a never-before-published list of those victim organizations. The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

Since the RSA incident was disclosed, lawmakers in the U.S. Congress have taken a renewed interest in so-called “advanced persistent threat” or APT attacks. Some of the industry’s top security experts have been summoned to Capitol Hill to brief lawmakers and staff about the extent of the damage. The information below was shared with congressional staff.

Below is a list of companies whose networks were shown to have been phoning home to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010.

A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned  below) may be represented because they  intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwabb & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.

At the end of the victim list is a pie chart that shows the geographic distribution of the command and control networks used to coordinate the attacks. The chart indicates that the overwhelming majority of the C&Cs are located in or around Beijing, China.

302-DIRECT-MEDIA-ASN
8e6 Technologies, Inc.
AAPT AAPT Limited
ABBOTT Abbot Labs
ABOVENET-CUSTOMER – Abovenet Communications, Inc
ACCNETWORKS – Advanced Computer Connections
ACEDATACENTERS-AS-1 – Ace Data Centers, Inc.
ACSEAST – ACS Inc.
ACS-INTERNET – Affiliated Computer Services
ACS-INTERNET – Armstrong Cable Services
ADELPHIA-AS – Road Runner HoldCo LLC
Administracion Nacional de Telecomunicaciones
AERO-NET – The Aerospace Corporation
AHP – WYETH-AYERST/AMERICAN HOME PRODUCTS
AIRLOGIC – Digital Magicians, Inc.
AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AIS-WEST – American Internet Services, LLC.
AKADO-STOLITSA-AS _AKADO-Stolitsa_ JSC
ALCANET Corporate ALCANET Access
ALCANET-DE-AS Alcanet International Deutschland GmbH
ALCATEL-NA – Alcanet International NA
ALCHEMYNET – Alchemy Communications, Inc.
Alestra, S. de R.L. de C.V.
ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd.,Alliance Gateway AS,Broadband Services Provider,Kolkata,India
ALMAZAYA Almazaya gateway L.L.C
AMAZON-AES – Amazon.com, Inc.
AMERITECH-AS – AT&T Services, Inc.
AMNET-AU-AP Amnet IT Services Pty Ltd
ANITEX-AS Anitex Autonomus System
AOL-ATDN – AOL Transit Data Network
API-DIGITAL – API Digital Communications Group, LLC
APOLLO-AS LATTELEKOM-APOLLO
APOLLO-GROUP-INC – University of Phoenix
APT-AP AS
ARLINGTONVA – Arlington County Government

Continue reading

Critical Java Update Fixes 20 Flaws

October 20, 2011
29 Comments

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now. According to a report released this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.

Methods for exploiting one of the flaws fixed by this update were detailed at a recent security conference in Buenos Aires, where researchers demonstrated a method for intercepting encrypted SSL and TLS traffic.

Continue reading

Software Pirate Cracks Cybercriminal Wares

October 17, 2011
25 Comments

Make enough friends in the Internet security community and it becomes clear that many of the folks involved in defending computers and networks against malicious hackers got started in security by engaging in online illegal activity of one sort or another. These gradual mindset shifts are sometimes motivated by ethical, karmic or personal safety reasons, but just as often grey- and black hat hackers gravitate toward the defensive side simply because it is more intellectually challenging.

I first encountered 20-year-old French hacker Steven K. a few months ago while working on a series about the fake antivirus industry. I spent several hours reading accounts of his efforts to frustrate and highlight cybercriminal activity, and took time to follow the many links on his blog, XyliBox, a variant of his hacker alias, “Xylitol.” It turns out that Xylitol, currently unemployed and living with his parents, is something of a major player in the software piracy or “warez” scene, which seeks to crack the copy protection technology built into many computer games and commercial software programs.

As a founding member of redcrew.astalavista.ms (this site may be flagged by some antivirus software as malicious), Xylitol spent several years devising and releasing “cracks,” software patches that allow people to use popular commercial software titles without paying for a license. Cracks are frequently bundled with backdoors, Trojans and other nasties, but Xylitol claims his group never tainted its releases; he says this malicious activity is most often carried out by those who re-purpose and redistribute the pristine patches for their own (commercial and criminal) uses.

But about a year ago, Xylitol began shifting his focus to reverse engineering malware creation kits being marketed and sold on underground cybercrime forums. In October 2010, he began releasing cracked copies of the the bot builder for the SpyEye Trojan, a crimeware kit that sells for several thousand dollars. Each time the SpyEye author released an update, Xylitol would crack it and re-release a free version. This continued for at least a dozen updates in the past year.

The cracked SpyEye releases have been met with a mix of praise and scorn from the security industry; the free releases no doubt frustrated the moneymaking capabilities of the SpyEye author, but they also led to the public distribution of a malware kit that had previously been much harder to come by.

In an instant message chat, Xylitol said he still cracks the occasional commercial software title, just for old time’s sake.

“Sometimes for the old memories, but I’m more into malware cracking now,” he wrote. “It’s more fun.”

Since Nov. 2010, Xylitol and some of his associates have been locked in a daily battle with Russian scareware and ransomware gangs. Scareware programs hijack PCs with incessant and misleading security warnings in a bid to frighten users into paying for the worthless software. Paying customers are given a license key eliminates the annoying security warnings. Ransomware is even more devious: It encrypts the victim’s personal files — pictures, documents, movies and music files — with a custom encryption key. Victims who want their files back usually have little recourse but to pay a fee via text message to receive a code that unlocks the encrypted files.

Xylitol and his pals have been busy over the past year cracking and publishing the license keys needed to free computers snared by scareware and ransomware. For months, these guys have been taking on a Russian ransomeware group called the WinAd gang, releasing the ransomware codes on a daily basis, often just hours after the WinAd gang began pushing out new ransomware variants.

Continue reading

ATM Skimmer Powered by MP3 Player

October 13, 2011
7 Comments

Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices.

Using audio to capture credit and debit card data is not a new technique, but it is becoming vogue: Square, an increasingly popular credit card reader built for the iPhone, works by plugging into the headphone jack on the iPhone and converting credit card data stored on the card into audio files.

An audio skimmer for a Diebold ATM.

The device pictured here is a card skimmer designed to fit over the card acceptance slot on a Diebold Opteva 760, one of the most common ATMs around. The green circuit board on the left was taken from an MP3 player (no idea which make or model). When a card is slid past the magnetic reader (the small black rectangle at the end of the black and red wires near the center of the picture), the MP3 player “hears” the data stored on the card’s magnetic stripe, and records it as an audio file to a tiny embedded flash memory device.

Continue reading

Shady Reshipping Centers Exposed, Part I

October 12, 2011
50 Comments

Last week, authorities in New York indicted more than 100 people suspected of being part of a crime ring that used forged credit cards to buy and resell an estimated $13 million worth of Apple products and other electronics overseas. In this post, I offer readers a behind-the-scenes look at a somewhat smaller but similar organized crime operation that uses stolen credit card numbers to purchase and launder high-end electronics.

One of the simplest ways to extract cash from stolen credit card accounts is to buy pricey consumer goods online and resell them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. But these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as “Drops for stuff” on cybercrime forums. The “drops” are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

Dropforrent.net account for manager Dick Martin.

A typical drop will receive and reship between two and four packages per day.  The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

One drops operation, dropforrent.net, allows “clients” to “rent” drops who have signed up for reshipping jobs. “Managers,” those who facilitate drop recruitment scams, can earn money by purchasing merchandise that the reshipping operation can quickly resell. Most reshipping operations seek consumer electronics that can be easily sold for cash, including laptop computers, cameras, smart phones and parts for sports cars. Dropforrent.com pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products.

The phony storefront for a drops recruitment scheme.

Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.

The dropforrent.com managers recruit new hires by posing as legitimate businesses. One manager who uses the name Dick Martin operates a dummy business called applestore-direct.com, and actively recruits drops via ads on craigslist.com. Recruited drops are given a login to applestore-direct.com where they receive daily updates about pending shipments. Drops also are required to use this Web-based interface to notify their managers of received and reshipped items.

Kent Tribbett, a 24-year-old from West Berlin, New Jersey, has been reshipping for applestore-direct.com for almost three weeks. He was hired by Martin via an ad on craigslist.com and was given an account at applestore-direct, where he was instructed to log in daily to receive and transmit information about packages arriving at his home. A screen shot of his user account is below.

According to Dick Martin’s account at dropforrent, at least 10 clients were using Tribbett as a drop. Those same records show that Tribbett was one of 60 different drops recruited by Martin in the past 10 months.

I spoke with Tribbett briefly by phone; he denied receiving or reshipping packages for applestore-direct.com, and then hung up. But the numerous USPS tracking numbers and Express Mail bills attached to the past shipments in his account at the site suggest otherwise.

Continue reading

Critical Security Updates from Microsoft, Apple

October 11, 2011
0 Comments

Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

Nine of the 23 flaws Microsoft fixed with patches today are rated “critical,” meaning attackers could exploit them to break into vulnerable systems with little or no help from users. Eight of the nine critical bugs are in Internet Explorer. The remaining critical flaw is corrected in an update for the .NET Framework. Three of the vulnerabilities fixed with these updates were disclosed publicly prior to today, including a flaw in Windows Media Center that Microsoft believes crooks are likely to soon figure out how to reliably exploit.

The iTunes update brings the music player software to version 10.5, and is available for Microsoft systems running Windows 7, Vista, XP SP2 and later. Two new features of iTunes deserve mentioning: Apple says iPhone and iPad users who upgrade to iOS 5 when it is released later this week will be able to sync with iTunes wirelessly. More importantly from an update perspective, Apple has at long last untethered iTunes from QuickTime.

Continue reading