FBI: $20M in Fraudulent Wire Transfers to China

April 27, 2011

The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country’s border with Russia.

The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers sent to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.

The FBI says it doesn’t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the Heilongjiang province of the People’s Republic of China, and that these firms are registered in port cities that are located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official names of the companies also include the words “economic and trade,” “trade,” and “LTD”. The recipient entities usually hold accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

From the advisory (PDF):

“In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.”


Millions of Passwords, Credit Card Numbers at Risk in Breach of Sony Playstation Network

April 26, 2011

Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information of up to 70 million customers.

In a post to the company’s PlayStation blog, Sony spokesman Patrick Seybold said the breach occurred between April 17 and April 19, and that user information on some PlayStation Network and Qriocity music streaming accounts was compromised. The company said it had engaged an outside security firm to investigate what happened, that it was rebuilding its system to better secure account information, and that it would soon begin notifying customers about the incident by email.

From that blog post:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.”

In short, if you have a PlayStation account, your name, address, email, birthday, user name and password have been compromised, and if you gave Sony a credit card number to fund your account, that and the card’s expiration date may also have been taken (Sony says no card security codes were lost). Obviously, this becomes a much bigger problem for users who have ignored advice about how to choose and use passwords: If you are a Sony customer and picked a password for your PlayStation account that matched the password for the email account you used to register at Sony, change your email password now.

The first signs of trouble came nearly a week ago, when the PlayStation network went offline. Sony subsequently published several blog posts apologizing for the outage. On April 22, Sony acknowledged that its networks had been breached, and a day later the company said it was rebuilding its system, but it didn’t disclose the extent of the breach until today. Judging by the comments left on the company’s blog post today, many PlayStation users are irate over having been kept in the dark for so long about the severity of a breach that potentially affects their personal and financial information.



SpyEye Targets Opera, Google Chrome Users

April 26, 2011

The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

The author of the SpyEye trojan formerly sold the crimeware-building kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition comes with the option for new “form grabbing” capabilities targeting Chrome and Opera users.

SpyEye component in version 1.3.34 shows form grabbing options for Chrome and Opera

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers solve this by hooking the browser’s own request-handling code and copying the data that victims enter into specific Web site form fields out of the request before the browser encrypts it and sends it to the Web site requesting the information; only the fields and sites on the trojan’s target list get recorded, so the attacker collects credentials without the noise.

Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I’ve seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.
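To make the difference between the two collection strategies concrete, here is an added example that is not SpyEye code and not part of the original post. It models what a form grabber does once it sits above the browser’s encryption layer: match the request URL against an operator-supplied target list, decode the still-plaintext body, and keep only the fields the list names. The hosts, field names and the browsing session are all constructed for the example, and the wildcard-mask style of the target list is an assumption rather than a reproduction of any real SpyEye configuration.

```python
import json
from fnmatch import fnmatch
from urllib.parse import parse_qs, urlparse

# Constructed target list in the spirit of a banking trojan's config (the
# hosts and field names are hypothetical): a URL mask plus the form fields
# the operator cares about. Everything else is dropped, which is what keeps
# a form-grab log small compared with a raw keystroke log.
TARGETS = [
    {"mask": "https://*bank.example/*login*", "fields": ["userid", "password"]},
    {"mask": "https://*shop.example/checkout*", "fields": ["cardnumber", "expiry"]},
]


def parse_body(content_type, body):
    """Decode a request body as the grabber sees it: in plaintext, because the
    hook sits above the browser's TLS layer, not on the wire."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if content_type.startswith("application/json"):
        return {k: str(v) for k, v in json.loads(body).items()}
    return {}


def grab(url, content_type, body, targets=TARGETS):
    """Return only the configured fields when the URL matches a target mask,
    otherwise None (the request is not interesting and is not logged)."""
    for target in targets:
        if fnmatch(url, target["mask"]):
            fields = parse_body(content_type, body)
            return {name: fields[name] for name in target["fields"] if name in fields}
    return None


def session_log(requests, targets=TARGETS):
    """Run a whole browsing session through the grabber and report what
    survives the filter next to how many bytes the victim actually submitted."""
    kept, seen = [], 0
    for url, ctype, body in requests:
        seen += len(body)
        hit = grab(url, ctype, body, targets)
        if hit:
            kept.append((url, hit))
    return kept, seen


# Constructed session: a search, a webmail send, a bank login and a checkout.
SESSION = [
    ("https://search.example/q", "application/x-www-form-urlencoded",
     "q=weather+tomorrow"),
    ("https://mail.example/send", "application/x-www-form-urlencoded",
     "to=bob%40example.org&subject=lunch&body=see+you+at+noon"),
    ("https://online.bank.example/auth/login", "application/x-www-form-urlencoded",
     "userid=jdoe&password=hunter2&remember=1&csrf=abc123"),
    ("https://shop.example/checkout", "application/json",
     '{"cardnumber": "4111111111111111", "expiry": "12/13", "name": "J Doe"}'),
]

if __name__ == "__main__":
    kept, seen = session_log(SESSION)
    print(f"{seen} bytes submitted, {len(kept)} requests kept:")
    for url, fields in kept:
        print(" ", url, fields)
```

The point the model makes is that the selectivity lives in the target list, not in the hook: a keystroke logger on the same machine would have recorded the search query, the email text and the CSRF token as well, and the operator would have to sort the credentials out afterwards.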


Where Did That Scammer Get Your Email Address?

April 25, 2011

You’ve seen the emails: They claim to have been sent by a financial institution in a faraway land, or from a corrupt bureaucrat in an equally corrupt government. Whatever the ruse, the senders always claim to need your help in spiriting away millions of dollars. These schemes, known as “419,” “advance fee” and “Nigerian letter” scams seemingly have been around forever and are surprisingly effective at duping people. But where in the world do these scammers get their distribution lists, and how did you become a target?

Some of the more prolific spammers rely on bots that crawl millions of Web sites and “scrape” addresses from pages. Others turn to sellers on underground cybercrime forums. Additionally, there are a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, you can expect to pay about a penny per 1,000 addresses.
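As an added example of the first of those sources, not part of the original post, the scraper below harvests addresses from a page the way a crawling bot would: from mailto: links and from visible text, with HTML entities decoded first. It also shows which of the usual anti-scraping tricks actually help. Entity-encoding the @ sign does nothing, “user [at] domain [dot] com” only defeats a bot that does not bother to normalise it, and assembling the address in script is the one form this pattern-based scraper cannot see. The HTML page and the regular expressions are constructed for the example.

```python
import html
import re

# Plain addresses in text, and the target of mailto: links. Constructed,
# deliberately simple patterns of the kind a harvesting bot would use.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r'href\s*=\s*["\']mailto:([^"\'?]+)', re.IGNORECASE)

# "Obfuscated" addresses such as "bob [at] example [dot] org". A bot that
# cares about these normalises them back to user@domain before matching.
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\[(\{]\s*at\s*[\])\}]\s*"
    r"([A-Za-z0-9.-]+(?:\s*[\[(\{]\s*dot\s*[\])\}]\s*[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)


def deobfuscate(match):
    """Turn 'user [at] host [dot] tld' back into user@host.tld."""
    user, domain = match.group(1), match.group(2)
    domain = re.sub(r"\s*[\[(\{]\s*dot\s*[\])\}]\s*", ".", domain, flags=re.IGNORECASE)
    return f"{user}@{domain}"


def scrape(page, deobfuscate_text=False):
    """Return the set of addresses a crawler would harvest from one page."""
    text = html.unescape(page)  # '&#64;' and friends become '@' before matching
    found = {m.lower() for m in MAILTO_RE.findall(text)}
    found |= {m.lower() for m in ADDR_RE.findall(text)}
    if deobfuscate_text:
        found |= {deobfuscate(m).lower() for m in OBFUSCATED_RE.finditer(text)}
    return found


# Constructed contact page using four common ways of publishing an address.
PAGE = """
<p>Sales: <a href="mailto:sales@example.com?subject=quote">email us</a></p>
<p>Support: support&#64;example.com</p>
<p>Press: press [at] example [dot] com</p>
<p>Webmaster: <script>document.write('web'+'master@'+'example.com')</script></p>
"""

if __name__ == "__main__":
    print("naive bot:   ", sorted(scrape(PAGE)))
    print("patient bot: ", sorted(scrape(PAGE, deobfuscate_text=True)))
```

Run against your own contact pages, the two calls give a rough answer to the question the post asks: the first set is what any list-builder already has, the second is what a slightly more determined one has, and only the script-assembled address escapes both.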

One long-running, open-air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. This enterprise is based in New Delhi, India, and advertises its email lists as “100% opt-in and 100 percent legal to use.” I can’t vouch for the company’s claims, but one thing seems clear: Many of its clients are from Nigeria, and many are fraudsters.

Stretching conspicuously across the middle of the site’s home page is a big green message to the site’s Nigerian clientele: “Don’t waste money/times/resources sending [Western Union or Moneygram], Use local deposit option.” The ad links to a page with a list of payment options, which shows that Nigerian customers can pay for their email lists by wiring the money directly from their bank accounts at several financial institutions in Lagos. BuyEmails.org further advises that, “Due to tremendously high rate of fraudulent payments we do not accept Credit Cards or PayPal.  E-Gold has closed, so we don’t accept it either.”

The site sells dozens of country-specific email lists. Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers; $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.


Adobe Reader, Acrobat Update Nixes Zero Day

April 21, 2011

Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

The patch released today addresses two critical flaws. Adobe pushed out a patch for the standalone Flash Player last week, but that same vulnerable component exists in Adobe Reader and Acrobat. Initially, Adobe said it was only aware of attacks on the Flash Player but, in the latest advisory, it acknowledged the existence of public reports that hackers have been sending out poisoned PDFs that exploit the Flash flaw. Malwaretracker.com, for example, reported that it was receiving reports of malicious PDFs attacking the Flash bug as early as Apr. 17.

The Reader/Acrobat patch also addresses another critical bug (a flaw in the CoolType library of Reader & Acrobat) that could allow attackers to install malicious software. Not much information is public about this vulnerability, except that Poland’s CERT is credited with reporting it. Adobe spokesperson Wiebke Lips said the company was not aware of any exploits in the wild targeting this bug.

The advisory for the latest version is here. Users on Windows and Macintosh can grab the update using the product’s update mechanism. To manually check for an update, open your Reader or Acrobat and choose Help > Check for Updates.

Are Megabreaches Out? E-Thefts Downsized in 2010

April 19, 2011

The number of financial and confidential records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a decrease that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations of all sizes are dealing with more frequent and smaller breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent.

These are some of the conclusions drawn from Verizon’s fourth annual Data Breach Investigations Report. The report measures data breaches based on compromised records, including the theft of Social Security numbers, intellectual property, and credit card numbers, among other things.

It’s important to note at the outset that Verizon’s report only measures loss in terms of records breached. Many businesses hit by cyber crooks last year lost hundreds of thousands of dollars apiece when thieves stole one set of records, such as their online banking credentials.

The data-rich 74-page study is based on information gleaned from Verizon and U.S. Secret Service investigations into about 800 new data compromise incidents since last year’s report (the study also includes an appendix detailing 30 cybercrime cases investigated by the Dutch National High Tech Crime Unit).

Although the report examines the data from more breaches in a single year than ever before (the total Verizon/US Secret Service dataset from all previous years included just over 900 breaches), Verizon found that the total number of breached records fell from 361 million in 2008 to 144 million in 2009 to just 4 million last year.

A good portion of the report is dedicated to positing what might be responsible for this startling decline, but its authors seem unwilling to let the security industry take any credit for it.

“An optimist may interpret these results as a sign that the security industry is WINNING! Sorry, Charlie”, the report says. “While we’d really like that to be the case, one year just isn’t enough time for such a wholesale improvement in security practices necessary to cut data loss so drastically.”

The study suggests a number of possible explanations. For example:

-There were relatively few huge data heists. Those which had been responsible for the majority of the breached records in the past few years were breaches involving tens of millions of stolen credit and debit cards. Those high profile attacks may have achieved fame and fortune for the attackers, but they also attracted a lot of unwanted attention. Many of the past megabreaches ended in the capture and arrest of those responsible, such as the case of Albert Gonzalez, the former Secret Service informant who was sentenced last year to 20 years in prison for his role in the theft of 130 million credit and debit card numbers from card processing giant Heartland Payment Systems. “Those that wish to stay out of jail may have changed their goals and tactics to stay under the radar,” the report notes. “This could be one of the chief reasons behind the rash of ‘mini breaches’ involving smaller organizations.”

-Megabreaches of years past flooded criminal underground markets with so many stolen card numbers that their value plummeted. Criminals’ attention may have turned to stealing other lower profile data types, such as bank account credentials, personal information and intellectual property. In other words, criminals might opt to let the markets clear before stealing more huge quantities or selling what they already had purloined. “It’s worth noting that a lot of the cards that were stolen over the last few years in these megabreaches probably are going to start expiring soon,” said Bryan Sartin, director of investigative response at Verizon Business. “So we could be in a holding pattern right now.”


Time to Patch Your Flash

April 15, 2011

If it seems like you just updated your Flash Player software to plug a security hole that attackers were using to break into computers, you’re probably not imagining things: Three weeks ago, Adobe rushed out a new version to sew up a critical new security flaw. Today, Adobe issued a critical Flash update to eliminate another dangerous security hole that criminals are actively exploiting.

This new update addresses a vulnerability first detailed here at KrebsOnSecurity.com on Tuesday, and Adobe deserves credit for responding quickly with a patch. But there are few things that are simple about updating Flash, which ships in a dizzying array of version numbers and for many users must be deployed at least twice to cover all browsers. In addition, users may have to uninstall the existing version before updating to guarantee a trouble-free install. Also, Adobe Air will need to be updated if that software also is already installed. Finally, fixing this same vulnerability in Adobe Reader and Acrobat will require installing another patch, which won’t be out for at least another 10 days.


U.S. Government Takes Down Coreflood Botnet

April 14, 2011

The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.

Sample network diagram of Coreflood. Source: FBI

The target of the takedown was “Coreflood,” an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.

Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in a 2008 story for The Washington Post, this is the same botnet that was used to steal more than $90,000 from Joe Lopez in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.

By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by Joe Stewart, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.

On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unknown (“John Doe”) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.

The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit Internet Systems Consortium (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.

ISC President Barry Greene said the government was wary of removing the bot software from infected machines.

“They didn’t want to do the uninstall, just exit,” Greene said. “Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we’re doing until now.”

No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the Bredolab botnet using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft took down the Rustock spam botnet by convincing a court to grant it control over both the botnet’s control domains and the hard drives used by those control servers.


Microsoft Issues Monster Patch Update

April 13, 2011

Microsoft released a record number of software updates yesterday to fix at least 64 security vulnerabilities in its Windows operating systems and Office products, including at least one that attackers are actively exploiting.

Updates are available for all versions of Windows via Windows Update or Automatic Update. Nine of the patches earned Microsoft’s “critical” rating, which means the vulnerabilities they fix could be exploited to compromise PCs with little or no action on the part of the user, apart from visiting a booby-trapped Web site or opening a tainted file.

Redmond said three of the patches should be top priorities. Two of them fix critical vulnerabilities in the “server message block” or SMB service, which handles Windows file and printer sharing. Attackers could exploit the flaw addressed by MS11-020 by sending a single, specially crafted evil data packet to a targeted system. This is the type of flaw that should concern any network administrator, because it has high potential to be used to power an automated computer worm.

Microsoft also called attention to MS11-018, which is a cumulative security update for Internet Explorer that fixes critical flaws in all versions of the browser except the latest IE9, which is not affected. One of the IE vulnerabilities — the MHTML flaw I wrote about in January — is currently being exploited; another was discovered at the Pwn2Own hacking competition earlier this year.


New Adobe Flash Zero Day Being Exploited?

April 11, 2011

Attackers are exploiting a previously unknown security flaw in Adobe’s ubiquitous Flash Player software to launch targeted attacks, according to several reliable sources. The attacks come less than three weeks after Adobe issued a critical update to fix a different Flash flaw that crooks were similarly exploiting to install malicious software.

According to sources, the attacks exploit a vulnerability in fully-patched versions of Flash, and are being leveraged in targeted spear-phishing campaigns launched against select organizations and individuals that work with or for the U.S. government. Sources say the attacks so far have embedded the Flash exploit inside of Microsoft Word files made to look like important government documents.

Adobe spokesperson Wiebke Lips said the company is currently investigating reports of a new Flash vulnerability, and that Adobe may issue an advisory later today if it is confirmed.

On March 11, Adobe issued a critical update to fix a security hole in Flash that it had earlier said was being attacked via malicious Flash content embedded in Microsoft Excel files. It’s not clear how long attackers have been exploiting this newest Flash flaw, but its exploitation in such a similar manner as the last flaw suggests the attackers may have a ready supply of unknown, unpatched security holes in Flash at their disposal.

Update, 3:57 p.m. ET: Ever wonder what anti-virus detection looks like in the early hours of a zero day outbreak like this? A scan of one tainted file used in this attack that was submitted to Virustotal.com indicates that just one out of 42 anti-virus products used to scan malware at the service detected this thing as malicious.

Update, 4:10 p.m. ET: Removed advice about deleting or renaming authplay.dll, which several readers (and now Adobe) have pointed out is specific to Adobe Reader and Acrobat.

Update, 5:05 p.m. ET: Adobe just released an advisory about this that confirms the above information.