Where Have All the Spambots Gone?

July 1, 2011

First, the good news: The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge crime machines are fighting back — devising new approaches designed to resist even the most energetic takedown efforts.

The volume of junk email flooding inboxes each day is way down from a year ago, as much as a 90 percent decrease according to some estimates. Symantec reports that spam volumes hit their high mark in July 2010, when junk email purveyors were blasting in excess of 225 billion spam messages per day. The company says daily spam volumes now hover between 25 and 50 billion missives daily. Anti-spam experts from Cisco Systems are tracking a similarly precipitous decline, from 300 billion per day in June 2010 to just 40 billion in June 2011.

Spam messages per day, July 2010 - July 2011. Image courtesy Symantec.

There may be many reasons for the drop in junk email volumes, but it would be a mistake to downplay efforts by law enforcement officials and security experts.  In the past year, authorities have taken down some of the biggest botnets and apprehended several top botmasters. Most recently, the FBI worked with dozens of ISPs to kneecap the Coreflood botnet. In April, Microsoft launched an apparently successful sneak attack against Rustock, a botnet once responsible for sending 40 percent of all junk email.

Daily spam volume July 2010 - July 2011. Image courtesy Spamcop.net

In December 2010, the FBI arrested a Russian accused of running the Mega-D botnet. In October 2010, authorities in the Netherlands arrested the alleged creator of the Bredolab botnet and dismantled huge chunks of the botnet. A month earlier, Spamit.com, one of the biggest spammer affiliate programs ever created, was shut down when its creator, Igor Gusev, was named the world’s number one spammer and went into hiding. In August 2010, researchers clobbered the Pushdo botnet, causing spam from that botnet to slow to a trickle.

But botmasters are not idly standing by while their industry is dismantled. Analysts from Kaspersky Lab this week published research on a new version of the TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove. The latest version of TDSS — dubbed TDL-4 has already infected 4.5 million PCs; it uses a custom encryption scheme that makes it difficult for security experts to analyze traffic between hijacked PCs and botnet controllers. TDL-4 control networks also send out instructions to infected PCs using a peer-to-peer network that includes multiple failsafe mechanisms.

Continue reading

Regulators Issue Updated eBanking Security Guidelines

June 29, 2011

Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers.

The new guidance updates “Authentication in an Internet Banking Environment,” a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.

The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments,  to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online.

“Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts,” the FFIEC wrote. “Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.”

The 2005 guidelines drew little distinction between precautions a bank should take to protect consumer and commercial accounts, but the supplement makes clear that online business transactions generally involve much higher level of risk to financial institutions and commercial customers. It calls for “layered security programs” to deal with these riskier transactions, such as:

-methods for detecting transaction anomalies;

-dual transaction authorization through different access devices;

-the use of out-of-band verification for transactions;

-the use of “positive pay” and debit blocks to appropriately limit the transactional use of an account;

-“enhanced controls over account activities,” such as transaction value thresholds, payment recipients, the number of transactions allowed per day and allowable payment days and times; and

-“enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.”

Continue reading

Advertisement

Banks Hold Key to Killing Rogue Pharmacies

June 28, 2011

More than half of all sales at the world’s largest rogue Internet pharmacy in the last four years were charged to credit and debit cards issued by the top seven card-issuing banks, new research suggests.

Unlicensed pharmacies create public health risks and confuse consumers who are looking for safe and reliable prescription medicines. Rogue pharma Web sites are primarily advertised with the help of spam, malicious software, and hacked Web sites. Curbing this drug dealing activity would promote both public health and Internet users’ safety.

Recent findings highlight additional levers that policymakers could use to curb sales at rogue online pharmacies, by convincing the card-issuing banks to stop accepting these charges or by enacting legislation similar to that used to squelch online gambling operations.

The figures shown below come from sales data stolen from Glavmed, a Russian affiliate program that pays webmasters to host and promote online pharmacy sites that sell a variety of prescription drugs without requiring a prescription. Last summer, a source sent KrebsOnSecurity a copy of the Glavmed database, which includes credit card numbers and associated buyer information for nearly $70 million worth of sales at Glavmed sites between 2006 and 2010.

I sorted the buyer data by bank identification number (BIN), indicated by the first six digits in each credit or debit card number. My analysis shows that at least 15 percent of all Glavmed purchases — approximately $10.7 million in rogue pill buys — were made with cards issued by Bank of America.

The Glavmed sales using cards issued by the top seven credit card issuers were almost certainly higher than listed in the chart above.  About 12 percent of the Glavmed sales could not be categorized by bank ID number (some card issuers may have been absorbed into larger banks). Hence, the analysis considers only the 88 percent of Glavmed transactions for which the issuing bank was known. More significantly, the figures in this the analysis do not include close to $100 million in sales generated during that same time period by Spamit.com, a now defunct sister program of Glavmed whose members mainly promoted rogue pharmacies via junk e-mail; the leaked database did not contain credit or debit card numbers for those purchase records. Continue reading

ChronoPay Co-Founder Arrested

June 24, 2011

Russian authorities on Thursday arrested Pavel Vrublevsky, co-founder of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals.

An undated photo of Vrublevsky

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

Russian state-run news organizations are reporting that Vrublevsky was arrested on June 23. Financial Times reporter Joe Menn writes that Vrublevsky was ordered held without bail and a hearing was set for a month’s time.

Continue reading

$72M Scareware Ring Used Conficker Worm

June 23, 2011

Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime.

Image courtesy fbi.gov

The Security Service of Ukraine (SBU) said today that it had seized at least 74 pieces of computer equipment and cash from a criminal group suspected of running a massive operation to steal banking information from consumers with the help of Conficker and scareware, a scam that uses misleading security alerts to frighten people into paying for worthless security software. A Google-translated version of an SBU press release suggests that the crime gang used Conficker to deploy the scareware, and then used the scareware to launch a virus that stole victims’ financial information.

The Ukrainian action appears to be related to an ongoing international law enforcement effort dubbed Operation Trident Tribunal by the FBI. In a statement released Wednesday, the U.S. Justice Department said it had seized 22 computers and servers in the United States that were involved in the scareware scheme. The Justice Department said 25 additional computers and servers located abroad were taken down as part of the operation, in cooperation with authorities in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.

On Tuesday, The New York Times reported that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn’t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group “Lulzsec.” Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation.

The FBI’s statement confirms the SBU’s estimate of $72 million losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU’s press release names and quotes Special Agent Norman Sanders from the FBI’s Seattle field office, broadly known in the security industry as the agency’s lead in the Conficker investigation. Conficker first surfaced in November 2008. The SBU said the FBI has been investigating the case for three years. [Update, June 24, 9:37 a.m.: Not sure whether this was an oversight or a deliberate attempt to deceive, but the picture showing the stack of PCs confiscated in this raid is identical to the one shown in an SBU press release last fall, when the Ukrainian police detained five individuals connected to high-profile ZeuS Trojan attacks.]

Continue reading

Financial Mogul Linked to DDoS Attacks

June 23, 2011

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.

KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software.  But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.

In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.

According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.

"Topol Mailer" botnet interface allegedly used by Artimovich.

The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured at left) allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich’s botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).

This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003. Continue reading

Antichat Hacker Forum Breach Reveals Weak Passwords

June 22, 2011

Ordinary Internet users frequently are scolded for choosing weak, easily-guessed passwords. New research suggests that hackers in the cyber underground are also likely to pick lame passwords for their favorite online forums.

Last month, KrebsOnSecurity was sent a massive database file that the source said was the user database of Antichat.ru, a Russian language hacker forum that has attracted more than 41,000 users since its founding nearly a decade ago. By matching the user names in the database with those listed in the public pages of the forum, I discovered that I’d been given a snapshot of all Antichat user information and private messages prior to June 2010, when Antichat.ru apparently experienced a forum compromise.

I wanted to match the Antichat user names, associated email and ICQ addresses with those of other forums for which I’ve collected user databases. I also wanted to see how many of the passwords were easily crackable. To do this, I enlisted the help of an anti-spam source that has access to some serious hardware and software capable of cracking thousands of passwords per hour.

More than 18,000 of the 41,037 passwords in the database were crackable within a few days. 4,500 passwords were used by five or more individual users.

The most easily-guessed passwords were six characters long or less, and 75 percent of the top 20 most common simple passwords were uncomplicated number strings. More than three percent of Antichat users whose passwords were cracked (567) picked one of the simplest passwords, “123456”; 1.77 percent (322) chose “111111”; Just over 1 percent selected “123123”. Another 196 users opted for “qwerty,” a common meme easily typed from left to right across a keyboard. Sixty-five Antichat users picked a single-character password: “0.”

Although nearly half of the Antichat user passwords were crackable, the passwords aren’t useful for gaining access to Antichat user accounts: Forum administrators have changed the site’s login process to automatically tie the user’s credentials to his or her Internet address. However, the Internet address data tied to each account may be of interest to law enforcement investigators.

Continue reading

FBI Scrubbed 19,000 PCs Snared By Coreflood Botnet

June 21, 2011

The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built.

In April, the Justice Department and the FBI were granted authority to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.

In a declaration filed with the district court, FBI special agent Kenneth Keller said the bureau has issued approximately 19,000 uninstall commands to infected computers of two dozen identifiable victims in the United States. The FBI said it obtained written consent from all 24 victims, and that none reported any adverse or unintended consequences from the uninstall commands.

Continue reading

Software Cracks: A Great Way to Infect Your PC

June 20, 2011

I often get emails from people asking if it’s safe to download executable programs from peer-to-peer filesharing networks. I always answer with an emphatic “NO!,” and the warning that pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware. But I seldom come across more than anecdotal data that backs this up.

Recently, I heard from Alfred Huger, vice president of engineering at Immunet, an anti-virus company recently purchased by Sourcefire. Huger was reaching out to offer feedback on my 3 Rules for Online Safety post. He told me that the rules should have included this warning: Do not download pirated software and cracks from filesharing networks and cracks sites because they are a major source of malware infections.

I replied that people who knowingly engage in this type of risky behavior probably don’t care much about my three rules, and that the advice was meant for people who were interested in learning how to stay safe online. But I was curious about his comment, and asked if he had data to support it. Huger said these types of infections were closely correlated with cases in which Immunet users opted to dispute its malware detection for specific files. Files that are “convicted” by anti-virus programs are considered malicious and are placed in a quarantine area on the user’s system. But if users still want to access the file, or they don’t believe or care that it’s malicious, they can reverse or “roll back” that conviction.

“A roll back to us is a file which we convicted but people disagreed with the conviction and rolled it out of quarantine,” Huger said. “About 90% of the false positive roll backs I see which result in more than 10 convictions  — meaning more than 10 people rolled it back, turn out to be real malware. In almost every case when I can actually track down the user and ask why they rolled it back I am told it was a crack or pirated material of some type. They went looking for it and installed it.

Continue reading

Court Favors Small Business in eBanking Fraud Case

June 17, 2011

Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case.

Judge Patrick J. Duggan found that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000.

“A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” Duggan wrote. Judge Duggan has yet to decide how much Comerica will have to pay.

The problems for Experi-Metal started when company controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message said the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that appeared to be Comerica’s online banking site. Maslowski said the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI’s digital certificates.

The year before the cyber theft, Comerica had switched from using digital certificates to requiring commercial customers to enter a one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied. Within the span of a few hours, the attackers made 97 wire transfers from EMI’s account to bank accounts in China, Estonia, Finland, Russia and Scotland.

Comerica became aware of the fraudulent transfers four hours after the attack began. Although it took steps to isolate Experi-Metal’s account, the bank also failed to stop more than a dozen additional fraudulent transfers from the company’s account after the bank’s initial response. Experi-Metal sued the bank after it refused to cover any of the losses.

Continue reading