Spear Phishing Attacks Snag E-mail Marketers

November 24, 2010

Criminals have been conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations, anti-spam experts warn.

The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.

The poisoned missives used a variety of ruses, but generally included an invitation to view images at a Web site URL included in the message — such as a link to wedding photos or an online greeting card. Recipients who clicked the links were redirected to sites that attempted to silently install software designed to steal passwords and give attackers remote control over infected systems.

Neil Schwartzman, senior director of security strategy at e-mail security provider Return Path Inc, said the spear-phishing attacks have targeted e-mail marketing companies that manage opt-in campaigns for some of the biggest corporate brands in existence.

“This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems,” Schwartzman said. “Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable.”

Update: Nov. 25, 12:33 p.m. ET: Return Path is now saying that it also was compromised and that its clients are reporting that they have received spear-phishing attacks over the last 24 hours. Read on past the jump for more on this update.

Original post:

Chris Nelson, a security manager at an ESP that was compromised by these attacks, spoke with KrebsOnSecurity.com on condition that his employer not be named. Nelson said he traced the attack used to infiltrate his company’s servers back to Internet addresses in the Netherlands, where he found evidence that at least a dozen other ESPs were similarly compromised. The attacks, he said, appear aimed at gaining control over customer accounts and e-mail address lists that could be used in future spam and scam campaigns.

All of the evidence suggests these attacks have been going on for several months, Nelson said.

Continue reading

Escrow Co. Sues Bank Over $440K Cyber Theft

November 23, 2010

An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The attack against Springfield, Mo. based title insurance provider Choice Escrow and Land Title LLC began late in the afternoon on St. Patrick’s Day, when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

The following day, when Choice Escrow received a notice about the transfer from its financial institution — Tupelo, Miss. based BancorpSouth Inc. — it contacted the bank to dispute the transfer. But by the close of business on March 18, the bank was distancing itself from the incident and its customer, said Jim A. Payne, director of business development for Choice Escrow.

“They said, ‘We’re going to get back to you, we’re working on it’,” Payne said. “What they really were doing is contacting their legal department and figuring out what they were going to say to us. It took them until 5 p.m. to call us back, and they basically said, ‘Sorry, we can’t help you. This is your responsibility.'”

A spokesman for BancorpSouth declined to discuss the bank’s security measures or the specifics of this case, saying the institution does not comment on ongoing litigation.

According to documents filed today with the Circuit Court of Greene County, Mo., BancorpSouth’s most secure option for Internet-based authentication requires the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer waives or does not choose dual control — requires one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argue that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

“BancorpSouth should have, and could have, offered a commercially reasonable multifactor authentication method, since it had ample time (more than four years, October 2005 to March 2010) and knowledge of the need and requirement to provide its customers with secure authentication methods, as evidenced from the numerous documents it received, and/or knew about or should have known about, from the FFIEC and FDIC,” the complaint charges.

Continue reading

Advertisement

Crooks Rock Audio-based ATM Skimmers

November 23, 2010

Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns.

The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs.

EAST said it also discovered that  a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).

In the somewhat low-res pictures supplied by EAST here, the audio skimming device is mounted on a piece of plastic that fits over the ATM’s card reader throat. A separate micro camera embedded in the plastic steals the victim’s PIN.

The use of audio technology to record data stored on the magnetic stripe on the backs of all credit and debit cards has been well understood for many years. The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37). Since then, other electronics enthusiasts have blogged about their experiments with sound skimmers; for example, this guy discusses how he made a card reader device out of an old cassette recorder.

Continue reading

Adobe Reader X: Seeking Safety in the Sandbox

November 22, 2010

Adobe has at long last released Reader X, a fortified version of its PDF Reader software that is built to withstand attacks from the sort of zero-day security vulnerabilities that repeatedly have threatened its user base over the past several years.

The new Reader X version makes good on a promise Adobe announced in July of this year, when it said it would soon release a new kind of Reader designed to run the application in protected or “sandboxed” mode on Windows. Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

The hardened Reader X software is specifically crafted to block attacks against previously unknown security holes in the program. On at least four occasions over the past year, attackers have leveraged newly discovered flaws in Reader to install malicious software when unsuspecting users opened poisoned PDF files.

It would have been refreshing had Adobe chosen this occasion to simplify the process of installing its software. Unfortunately, Windows users who grab the new version from the Adobe home page still need to dodge the add-ons (such as McAfee security scan) and endure the annoying Adobe Download Manager. Those who would rather not monkey around with this stuff can grab the direct download from this link (the direct download link for Mac users is here).

I look forward to the day that Adobe warns of attacks against unpatched flaws in Reader but assures Reader X users that they are already protected against those threats. Only time will tell if this highly-anticipated feature lives up to the hype. A full list of features included in this latest version is available here.

Why Counting Flaws is Flawed

November 18, 2010

Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.

The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.

The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to:

  • Be legitimate, non-malicious applications;
  • Have at least one critical vulnerability that was reported between Jan. 1, 2010 and Oct. 21, 2010; and
  • Be assigned a severity rating of high (between 7 and 10 on a 10-point scale in which 10 is the most severe).

The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

  • Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
  • How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
  • Which products had the broadest window of vulnerability, from notification to patch?
  • How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
  • How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
  • Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?

Continue reading

Critical Updates for Adobe Reader, Acrobat

November 17, 2010

Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.

Updates are available for Windows, Mac and UNIX versions of Reader and Acrobat. The newest version is v. 9.4.1. If you use either of these products, take a moment to update them by clicking “Help,” then “Check for Updates.” Direct links to the new versions also are available in the Adobe advisory for this update. Note that this is not the sandboxed version (Adobe Reader X, or v 10.0) which is expected to be released at the end of this month.

Separately, the company is warning users not to fall for recent phishing and other e-mail scams targeted at Adobe customers looking for the Adobe Acrobat X, a new product being released this week. “Many of these emails require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf,” Adobe said.

Captchabot: Blurring Human and Machine

November 16, 2010

Last week, I wrote about a “bulletproof hosting” provider that offers dodgy Web hosting that is insulated from takedown by abuse complaints or requests from Western law enforcement agencies. Today, I’ll look at one of that bulletproof provider’s biggest clients: Captchabot.com, a service that automates the solving of “CAPTCHAs,” those annoying agglomerations of squiggly numbers and letters that many online services require users to solve to help ensure that new accounts are not being auto-created by a computer.

These so-called reverse Turing Tests can be exasperating for legitimate users, but these days they are little more than a speed bump for those who specialize in mass-creating bogus new accounts at popular online destinations like Facebook, MySpace, YouTube for use in spreading spyware and pimping spammy Web sites.

That’s thanks largely to services like Captchabot, which automate the solving of CAPTCHAs with the help of low-paid workers in China, India and Eastern Europe who earn pennies per hour deciphering the puzzles.

Captchabot charges clients based on how many thousand CAPTCHAs they ask the service solve: $1 buys about 1,000 solved CAPTCHAs. The service claims at least an 80 percent success rate, and customers only pay for CAPTCHAs that are solved correctly.

In their seminal paper (PDF) on CAPTCHA-solving services, researchers at UC San Diego earlier this year tried to estimate how many employees it would take to solve the daily workload of CAPTCHAs fed to the various services. The researchers guessed that Captchabot.com would need to have between 130 and 200 workers available more or less around the clock (for a look at how these services performed against CAPTCHAs required by MySpace, Google, Wikipedia and others, see this graphic.)

The researchers also sought to learn where most of the puzzle-solving workers resided, so they fed Captchabot and other services a variety of CAPTCHAs from different languages. The results, shown in the screen shot here, indicated that most of the workers were Chinese, English and Russian speakers.

I contacted the owner of Captchabot.com, a hacker named Mirko Res, via online chat to see if I could fine-tune the UCSD estimates on the number of workers employed by the service, but he was unwilling to give an exact figure (“under NDA,” he explained). He did say, however, that the majority of the workers employed by his service live in Belarus, and that workers are only passed puzzles that can’t be solved by the service’s automated CAPTCHA-guessing algorithm.

“They using it for legal Webspam, like blog comments,” Res said of his operation’s customers. In fact, a widely-used forum- and blog-spamming tool known as XRumer relies exclusively on Captchabot to deliver its CAPTCHA-cracking capability.

Continue reading

OS X Patch Catch-Up

November 15, 2010

Apple recently released a massive update to address at least 130 security vulnerabilities in Mac OS X systems, including a monster patch that fixes 55 flaws in Adobe Flash Player.

The seventh major update to OS X  this year includes a fix that stems from a vulnerability Apple patched in the iPhone earlier this year but apparently never scrubbed on OS X. According to security vendor Core Security — which said it released details about the flaw ahead of Apple’s advisory after waiting nearly three months for Apple to fix it — the vulnerability is a variation of the flaw exposed this summer that helped iPhone users jailbreak devices running iOS4. Apple fixed that bug in the iPhone shortly after the exploit was released, but until last week the flaw remained a weak spot in OS X 10.5/Leopard systems, Core said.

Continue reading

Pursuing Koobface and ‘Partnerka’

November 12, 2010

In any given week, I read at least a dozen reports and studies, but I seldom write about them because their conclusions either are obvious or appear slanted toward generating demand for specific products and services. Occasionally, though, a report will come along that is so full of useful data — and resonates so loudly with some of my own investigations — that it forces me to reassess my immediate research and reporting priorities.

One report released today that falls squarely into the latter category is Nart Villeneuve‘s superbly researched and detailed analysis (PDF) of “Koobface,” a huge network of hacked computers that are compromised mostly by social engineering scams spread among users of Facebook.com (Koobface is an anagram of “Facebook”). As the report describes, the Koobface infrastructure is a crime machine fed by cyber criminal gangs tied to a variety of moneymaking schemes involving Web browser search hijacking and the installation of rogue anti-virus software.

This report traces the trail of Koobface activity back through payments made to top criminal partners — known as Partnerka (PDF) — a mix of private and semi-public affiliate groups that form to facilitate coordinated malware propagation.

From the report:

“The Koobface operators maintain a server known as the mothership [which] acts as an intermediary between the pay-per-click and rogue security software affiliates and the compromised victims. This server receives intercepted search queries from victims’ computers and relays this information to Koobface’s pay-per-click affiliates. The affiliates then provide advertisements that are sent to the user. When a user attempts to click on the search results, they are sent to one of the provided advertisement links instead of the intended location. In addition, Koobface will receive and display URLs to rogue security software landing pages or will directly push rogue security software binaries to compromised computers. As a result, Koobface operators were able to generate over two million dollars in a one-year period.”

The report lists the nicknames of top Koobface affiliates, showing the earnings for each over the past year and the Web addresses of their associated affiliate programs. This is the kind of intelligence that — if shared broadly — has the potential to massively disrupt large scale criminal operations, because cybercrime researchers can use it to make sense of seemingly disparate pieces of information about criminal actors and groups. Nevertheless, it is rare to see this kind of raw data published, at least while those implicated remain at large.

Part 3 of the report, titled “The Takedown,” indicates that operations to shutter the Koobface infrastructure may already be underway. Earlier this year, McAfee published an analysis I wrote about takedowns that classified them into two groups: “Shuns” — which seek to shame the peers of a malicious network into severing its connections — and “stuns,” which refer to efforts to disconnect the physical and network control infrastructure used by a botnet. According to the report’s authors, a stun against Koobface is in the works.

“Prior to the publication of this report, notifications were delivered to the owners of the infrastructure that Koobface is abusing,” Villeneuve writes. “They include: fraudulent and stolen Facebook and Google accounts, stolen FTP credentials, and dedicated command and control servers. We are working to synchronize notification to the operators of these elements in order to have an impact on the operations of the Koobface botnet.”

Almost certainly more to come soon. Stay tuned.

Gelezyaka.biz, one of the rogue anti-virus affiliate programs tied to Koobface

Charting the Carnage from eBanking Fraud II

November 12, 2010

Several readers have asked to be notified if the U.S. map showing recent victims of high-dollar online banking thefts was updated. Below is a (non-interactive) screen shot of the updated, interactive map that lives here. Click the red markers to see more detail about the victim at that location, including a link to a story about the attack.