ATM Skimmers, Up Close

January 17, 2011

Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers, devices designed to be stuck on the outside of cash machines and to steal ATM card and PIN data from bank customers. I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Also, this seller’s profile showed that he was a longtime member, and had been vouched for as a “verified” vendor. This meant that forum administrators had vetted him by checking his reputation on other fraud forums, and that he’d paid a fee to use its escrow service if any potential buyers insisted.

Anyway, I wasn’t looking to purchase his skimmers, just to check out his wares. I chatted him up on ICQ, and he said he only sold the plastic housings for the skimmer devices, but that he could show me pictures and videos of what some of his customers had done with them. Above is a video of the seller demonstrating how one of his card skimmer housings fits over the mouth of the card slot on a working Diebold Aptiva ATM.

Below are images he sent that demonstrate two very different skimmers made with his housings. The device on the top in the picture below is a flash-based spy camera nested in a beige plastic molding meant to be attached directly above the ATM PIN pad to steal the customer’s personal identification number. The image on the bottom is the skimmer itself. To the right of each are instructions for configuring the skimmer devices and for harvesting the stolen data stored on them.

A hidden camera (top) and ATM card skimmer (bottom), along with instructions for their use.


Pill Pushers Pop Military, Government, Education Sites

January 14, 2011

A software vulnerability at a U.S.-based Web hosting provider let hackers secretly add dozens of Web pages to military, educational, financial and government sites in a bid to promote rogue online pharmacies.

For four months in 2010, a customer of Hostmonster.com, a Provo, Utah-based hosting provider, exploited a bug in cPanel, a Web site administration tool used by Hostmonster and a majority of other hosting providers. The customer used the vulnerability to create nearly four dozen subdomains on a number of other Web sites at the hosting facility, said Danny Ashworth, co-founder of Bluehost.com, the parent company of Hostmonster.

The subdomains were linked to dozens of pages created to hijack the sites’ search engine rankings, and to redirect visitors to fly-by-night online stores selling prescription drugs without a prescription. Among the compromised domains were:

Omaha, Neb. financial institution Accessbank.com;
Bankler.com, the sole investigative tax accountant for the U.S. Senate Whitewater Committee;
Ejercito.mil.do, the official site of the Army of the Dominican Republic;
Sacmetrofire.ca.gov, the Sacramento Metropolitan Fire District;
Wi.edu, The Wright Institute.

Ashworth said all of the bogus subdomains were created between April 2, 2010 and July 1, 2010. But they remained there until the company was contacted by a reporter last week.



Microsoft Plugs Three Windows Security Holes

January 11, 2011

Microsoft today released security updates to fix at least three vulnerabilities in its Windows operating systems, including one labeled “critical,” the company’s most serious rating. However, none of the patches address five zero-day flaws that can be used to attack Windows users.

The critical update targets two weaknesses present in all versions of Windows that Microsoft said hackers could exploit to break into unpatched systems just by getting users to visit a compromised or malicious Web site. A second update fixes a security issue in the Windows backup tool that affects Windows Vista machines.

The vulnerability in the Windows backup tool stems from a weakness that extends to hundreds of third-party, non-Microsoft applications built to run on Windows. I discussed this issue at length in a blog post in September, but the upshot is that Microsoft has made available a FixIt tool to help fortify a number of these applications against a broad swath of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party apps. If you haven’t already done so, take a moment to read at least the short version of that post, and apply the supplied FixIt tool from Microsoft.


Exploit Packs Run on Java Juice

January 10, 2011

In October, I showed why Java vulnerabilities continue to be the top moneymaker for purveyors of “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities. Today, I’ll highlight a few more recent examples of this with brand new exploit kits on the market, and explain why even fully-patched Java installations are fast becoming major enablers of browser-based malware attacks.

Check out the screenshots below, which show the administration page for two up-and-coming exploit packs. The first, from an unusually elaborate exploit kit called “Dragon Pack,” is the author’s own installation, so the percentage of “loads” or successful installations of malware on visitor PCs should be taken with a grain of salt (hat tip to Malwaredomainlist.com). Yet, it is clear that miscreants who purchase this pack will have the most success with Java flaws.

This blog has a nice writeup — and an additional stats page — from a compromised site that last month was redirecting visitors to a page laced with exploits from a Dragon Pack installation.

The second image, below, shows an administrative page that is centralizing statistics for several sites hacked with a relatively new $200 kit called “Bleeding Life.” Again, it’s plain that the Java exploits are the most successful. What’s interesting about this kit is that its authors advertise that one of the “exploits” included isn’t really an exploit at all: It’s a social engineering attack. Specifically, the hacked page will simply abuse built-in Java functionality to ask the visitor to run a malicious Java applet.

On Dec. 29, the SANS Internet Storm Center warned about a wave of Java attacks that were apparently using this social engineering approach to great effect. The attacks took advantage of built-in Java functionality that prompts the user to download and run a file; because the prompt comes from Java itself, a Windows user who accepts it sees no separate prompt or warning from the operating system.

“If you don’t have any zero-days, you can always go back to exploiting the human!” SANS incident handler Daniel Wesemann wrote. “This is independent of the JRE version used – with JRE default settings, even on JRE1.6-23, all the user has to do is click ‘Run’ to get owned. The one small improvement is that the latest JREs show ‘Publisher: (NOT VERIFIED) Java Sun’ in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click ‘Run’ anyway.”


Taking Stock of Rustock

January 5, 2011

Global spam volumes have fallen precipitously in the past two months, thanks largely to the cessation of junk e-mail from Rustock – until recently the world’s most active spam botnet. But experts say the hackers behind Rustock have since shifted the botnet’s resources toward other money-making activities, such as installing spyware and adware.

The decline in spam began in early October, shortly after the closure of Spamit, a Russian affiliate program that paid junk e-mail purveyors to promote Canadian Pharmacy brand pill sites. The graphic below, from M86 Security Labs, shows a sharp drop in overall spam levels from October through the end of 2010.

Another graphic from M86 shows that spam from Rustock positively tanked after Spamit’s closure. Rustock is indicated by the pale blue line near the top of the graphic.

Prior to the Spamit closure, Rustock was responsible for sending a huge percentage of all spam worldwide, M86 reported. But since Christmas Day, the Rustock botnet has basically disappeared, as the amount of junk messages from it has fallen below 0.5 percent of all spam, according to researchers at Symantec’s anti-spam unit MessageLabs.


Microsoft Warns of Image Problem

January 4, 2011

Microsoft today warned Windows users about a previously unknown security vulnerability that could allow attackers to install malware simply by getting users to view a malicious image in a Web browser or document.

Microsoft said in a security advisory that the problem stems from a bug in the Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. The software giant said that it is working on a patch for the flaw, but that it isn’t aware of any active attacks exploiting the security hole…yet.

According to the CVE listing cited in the advisory, the vulnerability was discovered by a pair of security researchers who presented their findings at a security conference in Korea late last year.


‘White House’ eCard Dupes Dot-Gov Geeks

January 3, 2011

A malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters.

The attack appears to be the latest salvo from ZeuS malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing both financial data and documents from victim machines. This activity is unusual because most criminals using ZeuS are interested in money-making activities – such as swiping passwords and creating botnets – whereas the hoovering up of sensitive government documents is activity typically associated with so-called advanced persistent threat attacks, or those deployed to gather industrial and military intelligence.

On Dec. 23, the following message was sent to an unknown number of recipients:

“As you and your families gather to celebrate the holidays, we wanted to take
a moment to send you our greetings. Be sure that we’re profoundly grateful
for your dedication to duty and wish you inspiration and success in
fulfillment of our core mission.

Greeting card:

hxxp://xtremedefenceforce.com/[omitted]
hxxp://elvis.com.au/[omitted]

Merry Christmas!
___________________________________________
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

Recipients who clicked either of the above links and opened the file offered were infected with a ZeuS Trojan variant that steals passwords and documents and uploads them to a server in Belarus. I was able to analyze the documents taken in that attack, which hoovered up more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims. I feel reasonably confident I have identified several victims, all of whom appear to be employees of some government or another. Among those who fell for the scam e-mail were:

- An employee at the National Science Foundation’s Office of Cyber Infrastructure. The documents collected from this victim include hundreds of NSF grant applications for new technologies and scientific approaches.

- An intelligence analyst with the Massachusetts State Police, who gave up dozens of documents that appear to be records of court-ordered cell phone intercepts. Several documents included in the cache indicate the victim may have recently received top-secret clearance. Among this person’s cache of documents is a Department of Homeland Security tip sheet called “Safeguarding National Security Information.”

- An unidentified employee at the Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

- An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

- An employee at the Millennium Challenge Corporation, a federal agency set up to provide foreign aid for development projects in 15 countries in Africa, Central America and other regions.

The most interesting component of this attack was not the ZeuS variant, which by most accounts was an older, well-understood version of the banking Trojan. Rather, researchers are focusing on the component responsible for stealing documents, which suggests the handiwork of a novice who was quite active in 2010.


Russian e-Payment Giant ChronoPay Hacked

December 29, 2010

Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data.

Reached via phone in Moscow, ChronoPay chief executive Pavel Vrublevsky said the bogus payment page was up for several hours spanning December 25 and 26, during which time the attackers collected roughly 800 credit card numbers from customers visiting the site to make payments for various Russian businesses that rely on ChronoPay for processing.

In the attack, ChronoPay’s domain was transferred to Network Solutions, and its domain name system (DNS) servers were changed to “anotherbeast.com,” a domain registered at Network Solutions on Dec. 19, 2010.

The attackers left a message on the ChronoPay home page – designed to look as if it had been posted by Vrublevsky (see image above) – stating that hackers had stolen the personal data of all ChronoPay users who had shared payment information with the company in 2009 and 2010.

Vrublevsky said the message was faked — that it was “absolutely not true” — and that the damage was limited to the 800 card numbers. He added that the company was still working with its registrar Directnic and with Network Solutions to understand how the attackers managed to hijack the domain.

The hackers also stole and posted online at least nine secret cryptographic keys ChronoPay uses to sign the secure sockets layer (SSL) certificates that encrypt customer transactions at chronopay.com. Vrublevsky said all but one of those certs were issued long ago: One of the certs was issued in September, albeit with an older key, he said.
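The hijack described above combined a registrar transfer with a switch of the domain’s nameservers to a domain that had itself been registered only days earlier. A domain owner can catch that pattern by checking each fresh WHOIS/NS observation against a stored baseline. The following is an added example written for this page, not ChronoPay’s or either registrar’s own tooling: it models the baseline-versus-observed comparison and adds a heuristic that flags newly added nameservers whose parent domain is very young. The only values taken from the article are the two registrar names, anotherbeast.com, its Dec. 19, 2010 registration date and the Dec. 25 observation; the nameserver hostnames, the baseline nameservers and the `DomainSnapshot`, `parent_domain` and `check_hijack` names are constructed for illustration.

```python
"""Baseline-vs-observed check for domain hijacking indicators.

Added example (not ChronoPay's or the registrars' code). It flags a registrar
change, a nameserver change, and nameservers whose parent domain was
registered only days before the observation. Hostnames and dates other than
those named in the article are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainSnapshot:
    """One WHOIS/NS observation of a domain at a point in time."""
    domain: str
    registrar: str
    nameservers: frozenset  # fully qualified nameserver hostnames
    observed: date


def parent_domain(hostname: str) -> str:
    """Return the registrable parent of a nameserver hostname.

    Assumes a two-label registrable suffix such as 'example.com'; a real
    deployment would consult the Public Suffix List instead.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_hijack(baseline, current, ns_registered_on, young_days=30):
    """Compare an expected snapshot against a fresh one.

    ns_registered_on maps a nameserver's parent domain to its WHOIS creation
    date. Returns a list of (kind, message) alerts; empty means no change.
    """
    alerts = []
    if current.registrar != baseline.registrar:
        alerts.append(("registrar_changed",
                       f"{baseline.registrar} -> {current.registrar}"))
    added = current.nameservers - baseline.nameservers
    removed = baseline.nameservers - current.nameservers
    if added or removed:
        alerts.append(("nameservers_changed",
                       f"added={sorted(added)} removed={sorted(removed)}"))
    # Only newly added nameservers are aged; the baseline ones are trusted.
    for ns in sorted(added):
        parent = parent_domain(ns)
        created = ns_registered_on.get(parent)
        if created is None:
            alerts.append(("nameserver_unknown_age",
                           f"{ns}: no registration record for {parent}"))
        else:
            age = (current.observed - created).days
            if age < young_days:
                alerts.append(("nameserver_recently_registered",
                               f"{ns}: {parent} registered {age} days before observation"))
    return alerts


# Constructed scenario modelled on the article. The baseline nameserver
# hostnames and the ns1/ns2 names under anotherbeast.com are made up.
BASELINE = DomainSnapshot(
    domain="chronopay.com",
    registrar="Directnic",
    nameservers=frozenset({"ns1.chronopay-dns.example", "ns2.chronopay-dns.example"}),
    observed=date(2010, 12, 1),
)
HIJACKED = DomainSnapshot(
    domain="chronopay.com",
    registrar="Network Solutions",
    nameservers=frozenset({"ns1.anotherbeast.com", "ns2.anotherbeast.com"}),
    observed=date(2010, 12, 25),
)
NS_REGISTERED_ON = {"anotherbeast.com": date(2010, 12, 19)}  # date from the article


def demo():
    """Run the check on the constructed scenario and return the alerts."""
    return check_hijack(BASELINE, HIJACKED, NS_REGISTERED_ON)


if __name__ == "__main__":
    for kind, msg in demo():
        print(f"[{kind}] {msg}")
```

In practice the snapshots would be refreshed on a schedule from WHOIS and a recursive resolver, and any alert of kind `registrar_changed` or `nameserver_recently_registered` would be treated as a probable hijack rather than routine maintenance; the registrar lock status, which the page does not discuss, is the other field worth baselining.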


Happy Birthday KrebsOnSecurity.com

December 29, 2010

It’s hard to believe that a year has passed since I posted the first entry on this blog. It seems like just yesterday that I was leaving The Washington Post and making a huge – and somewhat scary – leap as an independent investigative journalist. What an amazing year it has been for security, in every sense!

I’ve been completely blown away by the feedback and encouragement I’ve received from regular readers and new ones (my site metrics report that more than 60 percent of visits are still from new visitors). In the past 12 months, I’ve authored some 270 blog posts, and you the readers have left more than 11,000 comments.

Some readers have been especially generous: So far this year KrebsOnSecurity.com has received more than 50 donations via the PayPal Donate! button in the sidebar.

In short, I am extremely grateful for your support, and am looking forward to a busy 2011: I expect to do quite a bit more public speaking and traveling next year, but I plan to maintain the pace I’ve set this year on the blog.

Thanks for reading, and for your continued support!

Carders.cc, Backtrack-linux.org and Exploit-db.org Hacked

December 25, 2010

Carders.cc, a German security forum that specializes in trading stolen credit cards and other purloined data, has been hacked by security vigilantes for the second time this year. Also waking up to “you’ve been owned” calling cards this Christmas are exploit database exploit-db.org and backtrack-linux.org, the home of Backtrack, an open source “live CD” distribution of Linux.

The hacks were detailed in the second edition of “Owned and Exposed,” an ezine whose first edition in May included the internal database and thousands of stolen credit card numbers and passwords from Carders.cc. The Christmas version of the ezine doesn’t feature credit card numbers, but it does list the user names and hashed passwords of the carders.cc forum administrators. The carders.cc forum itself appears to be down at the moment.

Mati Aharoni, the main administrator for both exploit-db.org and backtrack-linux.org, confirmed that the hacks against his sites were legitimate. Shortly after my e-mail, Aharoni replied with a link to a short statement, noting that a hacking team called inj3ct0r initially took credit for the attack, only to find itself also targeted and shamed in this edition of Owned and Exposed.

“There’s nothing like having your butt kicked Christmas morning, which is exactly what happened to us today. We were owned and exposed, in true fashion,” Aharoni wrote. “Initially, the inj3ct0r team took ‘creds’ for the hack, which quickly proved false as the original ezine showed up – and now inj3ct0r (their new site) is no longer online. As a wise Chinese man once said: ‘do not anger one who has shell on your server’. The zine also mentioned other sites, as well as the ettercap project being backdoored.”

To his credit, Aharoni posted a link to the 2nd edition of Owned and Exposed.

“The irony of posting your zine in our papers section is not lost on us,” Aharoni wrote.

Update 10:40 p.m. ET: An earlier version of this blog post incorrectly identified one of the hacked domains as linux-exploit.org. The blog post above has been corrected. My apologies for the confusion.