Coordinated ATM Heist Nets Thieves $13M

August 26, 2011
37 Comments

An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards, KrebsOnSecurity has learned.

Jacksonville based Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

FIS said it had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Fla. based eFunds Prepaid Solutions, formerly WildCard Systems Inc., which was acquired by FIS in 2007.

FIS stated: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.” The disclosure was scarcely noted by news media.

KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period.

Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Continue reading

Hybrid Hydras and Green Stealing Machines

August 24, 2011
8 Comments

Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.

Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms  capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.

Continue reading

Advertisement

Flashy Cars Got Spam Kingpin Mugged

August 22, 2011
18 Comments

A Russian spammer suspected of maintaining the infamous Rustock spam botnet earned millions of dollars blasting junk email for counterfeit Internet pharmacies. Those ill-gotten riches let him buy flashy sports cars, but new information suggests that this attracted the attention of common street thugs who targeted and ultimately mugged the spammer, stealing two of his prized rides.

BMW 530xi

In March, I published a story linking the Rustock botnet to a spammer who used the nickname Cosma2k. This individual was consistently one of the top five moneymakers for SpamIt, which, until its closure last fall, paid spammers millions of dollars a year and was the world’s largest distributor of junk mail.

Earlier this month, someone leaked thousands of online chat logs taken from Dmitry “SaintD” Stupin, a Russian who allegedly ran the day-to-day operations of SpamIt. Those records include numerous chat conversations allegedly between Stupin and a SpamIt affiliate named Cosma.

In several chats, Cosma muses on what he should do with tens of thousands of compromised but otherwise idle PCs under his control. Throughout the discussions between Stupin and Cosma, it is clear Cosma had access to internal SpamIt resources that other spammers did not, and that he had at least some say in the direction of the business.

Porsche Cayenne

In one conversation, dated Oct. 14, 2008, Cosma allegedly tells Stupin that he’s dialed back his public image a few notches, after attracting unwanted attention from other crooks. The conversation below, translated from Russian into English, begins with a request from Cosma to withdraw funds from a SpamIt operating account.

Cosma: Hey. May I withdraw some money from the account?

Stupin: Surely you may.

Stupin: Sorry, I was picking up my car from the service shop.

Cosma: What got broken?

Stupin: Someone threw a stone, when the car was parked near home.

Cosma: Damn. What kind of car?

Stupin: Volvo.

Cosma: Fond of safety?

Stupin: Yes, and I am at ease when I am driving it. It’s a huge difference after Honda 🙂

Cosma: I also had enough of expensive rigs. =) They are getting stolen all the time and everyone is looking at you, estimating the score, and then rob you =) I have had such experience =)

Continue reading

Pharma Wars, Part II

August 19, 2011
25 Comments

Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.

According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.

Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations one of the world’s largest cyber criminal organizations.

The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payments processor. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.

I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.

While there is no direct evidence Vrublevsky paid for a prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people on the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev the months and weeks leading up to the official charges against him.

The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chats logs were legitimate or comment further, explaining that he was still reviewing the documents.

“If at least some of these logs are legit, then it means that I was telling the truth about paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidences which were gathered by the investigators while he shouldn’t have such access. Before I just didn’t have any proof for this. Now I have.”

The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”

Gusev: It looks like I am in deep shit.  Red gave our database to Americans.

Dmitriy Stupin

Stupin: To which Americans?

Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?

Stupin: No.

Gusev: http://krebsonsecurity.com/2010/08/white-house-calls-meeting-on-rogue-online-pharmacies

Stupin: Maybe you return back to Russia?

Gusev: I am planning to do that. I am really worried now 🙁

Stupin: What about Red? For that money. May be let’s close down everything?

Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: – He got thrown out from major banks (Masterbank, Bank Standard and almost from UCS. Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan  (the only place where he can do his own processing and processing for his clients). We need him have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.

Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

Stupin: I think yes, we will receive lower priority.

Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.

Continue reading

Beware of Juice-Jacking

August 17, 2011
53 Comments

You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

A DefCon attendee using the charging kiosk.

The answer, for most folks, is probably not. The few people I’ve asked while researching this story said they use these charging kiosks all the time (usually while on travel), but then said they’d think twice next time after I mentioned the possible security ramifications of doing so. Everyone I asked was a security professional.

Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations.

But some people will brave nearly any risk to power up their mobiles. In the three and a half days of this year’s DefCon, at least 360 attendees plugged their smartphones into the charging kiosk built by the same guys who run the infamous Wall of Sheep, a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks.

Brian Markus, president of Aires Security, said he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. Markus explains the motivation behind the experiment:

“We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,” Markus said. “Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

Continue reading

eThieves Steal $217k from Arena Firm

August 16, 2011
40 Comments

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.

The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.

French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.

“They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”

Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.

“We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.

The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.

The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.

More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.

Continue reading

Vendor of Stolen Bank Cards Hacked

August 12, 2011
20 Comments

I recently wrote about an online service that was selling access to stolen credit and debit card data. That post received a lot of attention, but criminal bazaars are a dime a dozen. The real news is that few of these fraud shops are secure enough to keep their stock of stolen data from being pilfered by thieves.

Card shopping options at mn0g0.su

A prime example is the shop mn0g0.su (“mnogo” is a transliteration of много, which means “many” in Russian). This online store, launched in January 2011, lets customers shop for stolen card data by bank issuer, victim ZIP code, and card type. A source who enjoys ruining criminal projects said he stumbled upon mn0g0.su’s back-end database by accident; the site was backing up its cache of stolen card data to a third party server that was wide open and unencrypted.

Included in the database are more than 81,000 sets of credit and debit card numbers, along with their associated expiration dates and card security code. Each listing also includes the owner’s name, address and phone number and/or email address. The Social Security number, mother’s maiden name and date of birth are available for some cardholders. The site does not accept credit card payments; shopper accounts are funded by deposits from “virtual currencies,” such as WebMoney and LibertyReserve.

It’s not clear how or when these card numbers were stolen. Fraudulent card shops purchase data in bulk from multiple suppliers, most likely from small-time fraudsters who use automated tools to hack e-commerce stores. The data is inserted into the database in varying formats. For example, one batch of card information for sale includes email addresses in lieu of phone numbers, and all of the victim cardholders from that batch have physical addresses in the United Kingdom.

Just for amusement, I searched for my last name, and was surprised to find four people with the last name “Krebs” whose card information was included in the database (none are known relatives).

Not only did mn0g0.su leak all of the credit and debit cards it had for sale, but it also spilled its own “customer” list: The email addresses, IP addresses, ICQ numbers, usernames and passwords of more than 4,300 mn0g0.su shoppers were included in the exposed database backup. The customer passwords were better protected than the credit card numbers. The passwords are encrypted with a salted SHA256 hash, although a decent set of password-cracking tools could probably decipher 50-75 percent of the hashed passwords if given enough time.

Continue reading

Updates for Adobe Flash, Shockwave, AIR

August 10, 2011
14 Comments

Adobe has shipped patches to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.

The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

Continue reading

22 Reasons to Patch Your Windows PC

August 9, 2011
31 Comments

Microsoft today released 13 software updates to fix at least 22 security flaws in its Windows operating systems and other software. Two of the flaws addressed in the August patch batch earned Microsoft’s most dire “critical” rating, meaning that attackers can exploit them to break into systems without any help from users.

Among the critical updates is a cumulative patch for Internet Explorer that plugs at least five security holes in the browser. The update is considered critical for IE versions 7, 8 and 9 (oddly enough, it earned an overall “important” rating on the insecure IE6).

The other critical patch fixes a serious problem with the DNS server built into Windows Server 2003 and Windows Server 2008 systems (consumer systems such as Windows XP, Vista and Windows 7 are not affected by the flaw). Although the DNS bug is rated critical, Microsoft considers it unlikely that attackers will develop functioning code to exploit the flaw.

Nine other flaws earned Microsoft’s important rating, and six of those ranked high on Microsoft’s exploitability index, meaning the company believes it is likely that attackers will develop code designed to exploit them to break into Windows PC

As always, if you experience any issues during or after applying the updates, please leave a note in the comment section about it. A summary of all patches released today is available at this link.

Judge Nixes Patco’s eBanking Fraud Case

August 8, 2011
56 Comments

A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

Sanford, Maine based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision. Continue reading