Beware of Juice-Jacking

August 17, 2011
53 Comments

You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

A DefCon attendee using the charging kiosk.

The answer, for most folks, is probably not. The few people I’ve asked while researching this story said they use these charging kiosks all the time (usually while on travel), but then said they’d think twice next time after I mentioned the possible security ramifications of doing so. Everyone I asked was a security professional.

Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations.

But some people will brave nearly any risk to power up their mobiles. In the three and a half days of this year’s DefCon, at least 360 attendees plugged their smartphones into the charging kiosk built by the same guys who run the infamous Wall of Sheep, a public shaming exercise at DefCon aimed at educating people about the dangers of sending email and other online communications over open wireless networks.

Brian Markus, president of Aires Security, said he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. Markus explains the motivation behind the experiment:

“We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,” Markus said. “Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.”

Continue reading

eThieves Steal $217k from Arena Firm

August 16, 2011
40 Comments

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.

The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.

French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.

“They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”

Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.

“We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.

The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.

The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.

More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.

Continue reading

Advertisement

Vendor of Stolen Bank Cards Hacked

August 12, 2011
20 Comments

I recently wrote about an online service that was selling access to stolen credit and debit card data. That post received a lot of attention, but criminal bazaars are a dime a dozen. The real news is that few of these fraud shops are secure enough to keep their stock of stolen data from being pilfered by thieves.

Card shopping options at mn0g0.su

A prime example is the shop mn0g0.su (“mnogo” is a transliteration of много, which means “many” in Russian). This online store, launched in January 2011, lets customers shop for stolen card data by bank issuer, victim ZIP code, and card type. A source who enjoys ruining criminal projects said he stumbled upon mn0g0.su’s back-end database by accident; the site was backing up its cache of stolen card data to a third party server that was wide open and unencrypted.

Included in the database are more than 81,000 sets of credit and debit card numbers, along with their associated expiration dates and card security code. Each listing also includes the owner’s name, address and phone number and/or email address. The Social Security number, mother’s maiden name and date of birth are available for some cardholders. The site does not accept credit card payments; shopper accounts are funded by deposits from “virtual currencies,” such as WebMoney and LibertyReserve.

It’s not clear how or when these card numbers were stolen. Fraudulent card shops purchase data in bulk from multiple suppliers, most likely from small-time fraudsters who use automated tools to hack e-commerce stores. The data is inserted into the database in varying formats. For example, one batch of card information for sale includes email addresses in lieu of phone numbers, and all of the victim cardholders from that batch have physical addresses in the United Kingdom.

Just for amusement, I searched for my last name, and was surprised to find four people with the last name “Krebs” whose card information was included in the database (none are known relatives).

Not only did mn0g0.su leak all of the credit and debit cards it had for sale, but it also spilled its own “customer” list: The email addresses, IP addresses, ICQ numbers, usernames and passwords of more than 4,300 mn0g0.su shoppers were included in the exposed database backup. The customer passwords were better protected than the credit card numbers. The passwords are encrypted with a salted SHA256 hash, although a decent set of password-cracking tools could probably decipher 50-75 percent of the hashed passwords if given enough time.

Continue reading

Updates for Adobe Flash, Shockwave, AIR

August 10, 2011
14 Comments

Adobe has shipped patches to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.

The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2.

To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.

Continue reading

22 Reasons to Patch Your Windows PC

August 9, 2011
31 Comments

Microsoft today released 13 software updates to fix at least 22 security flaws in its Windows operating systems and other software. Two of the flaws addressed in the August patch batch earned Microsoft’s most dire “critical” rating, meaning that attackers can exploit them to break into systems without any help from users.

Among the critical updates is a cumulative patch for Internet Explorer that plugs at least five security holes in the browser. The update is considered critical for IE versions 7, 8 and 9 (oddly enough, it earned an overall “important” rating on the insecure IE6).

The other critical patch fixes a serious problem with the DNS server built into Windows Server 2003 and Windows Server 2008 systems (consumer systems such as Windows XP, Vista and Windows 7 are not affected by the flaw). Although the DNS bug is rated critical, Microsoft considers it unlikely that attackers will develop functioning code to exploit the flaw.

Nine other flaws earned Microsoft’s important rating, and six of those ranked high on Microsoft’s exploitability index, meaning the company believes it is likely that attackers will develop code designed to exploit them to break into Windows PC

As always, if you experience any issues during or after applying the updates, please leave a note in the comment section about it. A summary of all patches released today is available at this link.

Judge Nixes Patco’s eBanking Fraud Case

August 8, 2011
56 Comments

A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

Sanford, Maine based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision. Continue reading

Is That a Virus in Your Shopping Cart?

August 5, 2011
17 Comments

Six million Web pages have been booby-trapped with malware, using security vulnerabilities in software that hundreds of thousands of e-commerce Web sites use to process credit and debit card transactions.

Web security firm Armorize said it has detected more than six million Web pages that were seeded with attack kits designed to exploit Web browser vulnerabilities and plant malicious software. The company said the hacked sites appear to be running outdated and insecure versions of osCommerce, an e-commerce shopping cart program that is popular with online stores.

Armorize said the compromised pages hammer a visitor’s browser with exploits that target at least five Web browser plug-in vulnerabilities, including two flaws in Java, a pair of Windows bugs, and a security weakness in Adobe‘s PDF Reader. Patches are available for all of the targeted browser vulnerabilities.

Continue reading

Huge Decline in Fake AV Following Credit Card Processing Shakeup

August 4, 2011
22 Comments

On Wednesday I wrote that many of the top fake antivirus distribution programs had ceased operations, citing difficulty in processing credit card transactions from victims. Others are starting to see the result of this shakeup: Security firm McAfee says it has witnessed a dramatic drop in the number of customers reporting scareware detections in recent weeks.

Image courtesy McAfee

McAfee has tracked more than a 60 percent decrease in the number of customers dealing with fake AV since late May. “From McAfee’s vantage point, we are seeing a significant decline in detections reported from customers as well as the discovery of new FakeAV variants,” said Craig Schmugar, a security threat researcher for McAfee.

These extortion scams persist because criminal hackers get paid between $25-35 each time a victim relents and provides a credit card number. If fake AV distributors can’t get paid for spreading the scam software, they’ll find some other way to make money.

Fake AV bombards victim PCs with misleading alerts about security threats and hijacks the machine until the user pays for bogus security software or figures out how to remove it. For better or worse, it is likely that the dearth of credit card processors serving the fake AV industry has eliminated the first option for many people dealing with infections.

Fake Antivirus Industry Down, But Not Out

August 3, 2011
18 Comments

Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.

A notice to BestAV affiliates

On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.

“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”

The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.

There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.

Black Market Breakdown

ChronoPay employees wait outside as Moscow police search the premises.

Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.

In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.

But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.

Continue reading

New Tool Keeps Censors in the Dark

August 2, 2011
10 Comments

A new approach to overcoming state-level Internet censorship relies, ironically enough, on a technique that security experts have frequently associated with government surveillance.

Current anti-censorship technologies, including the services Tor and Dynaweb, direct connections to restricted websites through a network of encrypted proxy servers, with the aim of hiding who’s visiting such sites from censors. But the censors are constantly searching for and blocking these proxies. A new scheme, called Telex, makes it harder for censors to block communications by disguising traffic destined for restricted sites as traffic meant for popular, uncensored websites. It does this by employing the same method of analyzing packets of data that censors often use.

“To route around state-level Internet censorship, people have relied on proxy servers outside of the country doing the censorship,” says J. Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan. “The difficulty there is, you have to communicate to those people where the proxies are, and it’s very hard to do that without also letting the government censors figure out where the proxies are.”

The Telex system has two major components: “stations” at dozens of Internet service providers (ISPs)—the stations connect traffic from inside nations that censor to the rest of the Internet—and the Telex client software program that runs on the computers of people who want to avoid censorship.

This is an excerpt from a piece I wrote that was published today in MIT Technology Review. Read the full story here.