Java: A Gift to Exploit Pack Makers

October 11, 2010

I have long urged readers who have no need for Java to remove the program, because failing to keep this software updated with the latest security patches exposes users to dangerous, ubiquitous attacks. In this blog post, I’ll show readers how attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities.

Take one look at the newest kit on the block — “Blackhole” — and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.

I spoke briefly via instant message with the developer of this Blackhole kit (pictured at right), and he assured me that these images were taken from a working installation. The screen shot here shows the administration panel for this exploit pack, which lists the number of hits (хиты) and downloads (загрузки). The statistics show that on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.

Granted, as exploit pack administration pages go, this one is very young (13,289 hits at the time this screen shot was taken), but already some patterns emerge from the data. For example, we can see that Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.

This pattern is not confined to Blackhole. Have a look at the following three screen shots, taken from the exploit results pages of three different working installations of SEO Sploit Pack, another common exploit kit. All three screen shots clearly show Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or “loads” (thanks to Malwaredomainlist.com for help on this).

Continue reading

Bill Would Give Cities, Towns and Schools Same e-Banking Security Guarantees as Consumers

October 7, 2010

In response to a series of costly online banking heists perpetrated against towns, cities and school districts, Sen. Charles Schumer (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud.

Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

On Sept. 29, computer crooks stole $600,000 from the coastal town of Brigantine, N.J.; seven months earlier, computer crooks stole $100,000 from Egg Harbor Township just 20 miles away. In late December 2009, an organized cyber gang took $3.8 million from the Duanesburg Central School District in Schumer’s home state. In that attack, the bank managed to retrieve some of the money, but the district is still missing roughly $500,000.

The same day as the Brigantine breach, Schumer introduced S. 3898, a bill that would extend EFTA’s Regulation E protections to certain local government entities, including municipalities and school districts. The Board of Governors of the Federal Reserve System is to define which entities are included in the categories of “municipality” and “school district.”

Steve Verdier, executive vice president and director of congressional affairs for the Independent Community Bankers of America, said the thinking behind the current law is that banks can absorb the losses from this type of fraud when it happens to consumers because there is usually a comparatively smaller amount of money involved.

“The bank is probably in no better position to protect against this type of fraud than the [business] account holder,” Verdier said. “Whereas consumers may not be as good a position to protect themselves against these types of losses, you would hope a government or school district would have employee procedures to guard against this type of thing. And if the bank is forced to start making good on these losses, that weakens its ability to serve consumers and they’re going to have to price that risk into all of their services.”

Avivah Litan, a financial fraud analyst with Gartner Inc., said there are a number of promising new technologies that banks can make available to their customers that help guard against these attacks, referring to several products that use specially encoded USB keys to load a virtual operating system on the customers computer and encrypt the keystrokes between the bank and the customer.

“Also, why limit this to schools and municipalities? Small businesses have just as much risk as school districts, as do churches for that matter,” Litan said. “So does that mean that small businesses have more resources to deal with this type of fraud than cities and counties do?”

There isn’t much — if any — likelihood that the bill will be acted upon before the November elections, in which case Schumer will need to reintroduce the bill when the 112th Congress convenes early next year.

A copy of Schumer’s bill is here (PDF).

Advertisement

FCC May Confront ISPs on Bot, Malware Scourge

October 6, 2010

The Federal Communications Commissions (FCC) may soon kickstart a number of new initiatives to encourage Internet service providers to do a better job cleaning up bot-infected PCs and malicious Web sites on their networks, KrebsOnSecurity has learned.

Earlier this year, the commission requested public comment on its “Cybersecurity Roadmap,” an ambitious plan to identify dangerous vulnerabilities in the Internet infrastructure, as well as threats to consumers, businesses and governments. Twice over the past few weeks I had an opportunity to chat with Jeffery Goldthorp, associate bureau chief of the FCC’s Public Safety & Homeland Security Bureau, about some of the ideas the commission is considering for inclusion in the final roadmap, due to be released in January 2011.

Goldthorp said there are several things that the commission can do to create incentives for ISPs to act more vigorously to protect residential users from infections by bot programs.

“Along those lines would be something like an ISP ‘code of conduct’ and best practice-oriented approach that ISPs could opt-in to or not, basically a standard of behavior for ISPs to follow when they find that a user of theirs has been infected,” Goldthorp said. “The goal of that would be to clean up the consumer and residential networks. We’re also very interested in trying to figure out if there are rules we have on our books that stand in the way of ISPs being more proactive and creating a safer environment for consumers online.”

In addition, Goldthorp said the FCC is considering ways to encourage ISPs to be more proactive in dealing with malicious Web sites.

“At the server level, we’re looking at doing things that would allow us in an operational role to apply our jurisdiction with ISPs and try to reduce the time to remediation of things like malicious hosts and phishing or spam sites,” he said. “That’s really an area that [the FCC is] doing nothing in right now. We don’t get any information now about what those sites are and what we could do about them. So, we expect that there will be specific things we’d propose on all those areas of the roadmap.”

Prompted in part by the FCC’s request for comment, I wrote a column for CSO Online last month in which I called on the commission to begin measuring the responsiveness of ISPs in quashing malicious threats that take up residence on their networks. One of the ways I suggested the commission could do that is by publishing data about badness on these networks – data that is already being collected by a myriad of mostly volunteer-led groups that monitor this type of activity.

Continue reading

Reader, Acrobat Patches Plug 23 Security Holes

October 5, 2010

A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.

Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).

Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash player that the company fixed in a separate update last month for the stand-alone Flash player — also exists in Adobe Acrobat and Reader, although Adobe says it is not aware of any attacks exploiting this flaw in those products yet.

Continue reading

Spam Volumes Dip After Spamit.com Closure

October 4, 2010

Spam trackers are seeing a fairly dramatic drop in junk e-mail sent over the past few days, specifically spam relayed by one of the world’s largest spam botnets – although security experts disagree on exactly which botnet may be throttling back or experiencing problems.

According to M86 Security Labs, the volume of spam has dipped quite a bit, approximately 40 percent since the beginning of the month by the looks of the graphic the company publishes on its site (pictured at right).

M86 says the decrease in spam is due to a rapid drop in activity from the Rustock botnet (see graphic below left), a collection of spam-spewing zombie PCs that experts say is responsible for relaying about 40 percent of all junk e-mail on any given day.

The decline in spam volume comes at about the same time that the world’s largest spam affiliate program — spamit.com — said it would stop paying affiliates to promote its online pharmacy Web sites — on Oct. 1.

Bradley Anstis, vice president of technical strategy for M86, said the most likely explanation is that the person(s) operating Rustock rented the botnet to a number of spamit.com affiliates, and many of those affiliates have not yet switched over to another pharmacy affiliate program.

“To me, that’s the most logical explanation,” Anstis said. “The timing certainly hooks up well, because we started seeing this decline right around the first of October.”

Continue reading

Comcast Pushes Bot Alert Program Nationwide

October 4, 2010

Comcast, the nation’s largest residential Internet service provider, announced last week that it is expanding an initiative to contact customers whose PCs appear to be infected with a malicious bot program.

The Philadelphia-based cable Internet company is expanding nationwide a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company’s security page. The system also sends the customer’s browser a so-called “service notice,” a semi-transparent banner that overlays a portion of whatever page is being displayed in the user’s Web browser.

Customers can then either move or close the alert, or click Go to Anti-Virus Center, for recommended next-steps, which for Windows customers includes:

  • Downloading any missing Microsoft security updates.
  • Making sure the customer has some kind of up-to-date anti-virus software running.
  • Downloading and running Microsoft’s malicious software removal tool.
  • Downloading and installing Secunia‘s free Personal Software Inspector tool, a program that periodically scans the user’s computer for missing security updates for commonly used third party applications, such as Adobe Reader, Flash, and Java, and QuickTime.

Continue reading

Hackers Steal $600,000 from Brigantine, NJ

October 4, 2010

Organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials.

The break-in marks the second time this year that hackers have robbed the coffers of an Atlantic County town: In March, a similar attack struck Egg Harbor Township, N.J., which lost $100,000 in a similar intrusion.

Like the Egg Harbor incident and dozens of others documented here, the loot from the Brigantine heist was sent to multiple “money mules,” willing or unwitting people hired through work-at-home job offers to help computer crooks launder stolen cash.

Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:

“Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

The attack occurred in the middle of a week in which federal officials announced dozens of arrests and charges against money mules and the organized criminals responsible for orchestrating these types of break-ins. While it’s unclear whether those responsible for the attack on Brigantine were apprehended or charged this week, the method by which the thieves made off with at least some of the loot bears the same fingerprint as past breaches, including the Egg Harbor attack.

Continue reading

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists

October 2, 2010

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.

Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.

Friday’s media briefing at the FBI Hoover building in Washington, D.C. was designed to give reporters a clearer view of the sophistication of an organized crime group whose handiwork had largely escaped broader national media attention until this week. On Wednesday, authorities in the United Kingdom charged 11 people there – all Eastern Europeans – with recruiting and managing money mules. Then on Thursday, officials in New York announced they had charged 92 and arrested 39 money mules, including dozens of Russians who allegedly acted as mules while visiting the United States on student visas.

According to sources familiar with the investigation, the arrests, charges and announcements were intended to be executed simultaneously, but U.K. authorities were forced to act early in response to intelligence that several key suspects under surveillance were planning to flee the country.

SBU officials could not be reached for comment. But FBI agents described the Ukrainian group as the brains behind the attacks. Gordon M. Snow, assistant director of the FBI’s Cyber Division, said the individuals detained by the SBU are thought to have worked with the developer of the ZeuS Trojan to order up custom-made components and versions of ZeuS.

For example, security researchers identified one ZeuS variant that was specific to the Ukrainians known as JabberZeuS because it alerted the gang via Jabber instant message whenever online banking credentials for customers of specific institutions were stolen.

Snow said this week’s law enforcement action was a particularly big deal because of the unprecedented level of cooperation from foreign governments, particularly Ukraine and the Netherlands.

“We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,” Snow said.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said his group played a “small but important role” in helping to identify the hackers by monitoring the miscreants’ use of Dutch infrastructure.

“We helped in connecting all the dots together,” Takkenberg said in a phone interview. “The Netherlands provide for a large portion of the critical internet infrastructure, of which we can monitor certain parts. When criminals are unaware of the fact that they use Dutch infrastructure, that gives us good investigative opportunities. In this particular case we had an interest of our own, since the ZeuS malware made a lot of Dutch victims as well.”

The FBI’s Snow said the investigation began in May 2009, when FBI agents in Omaha, Neb. were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts through the United States.

I will continue to follow this important story in the days ahead, particularly as more information about the Ukrainian suspects is made public. Stay tuned.

U.S. Charges 37 Alleged Money Mules

September 30, 2010

Troy Owen never thought he’d see the day when the cyber thieves who robbed his company of $800,000 would ever be charged with any crime. Owen said investigators had warned him early on that the perpetrators were mostly overseas in places like Ukraine and Moldova, and that it might be tough to pursue those responsible.

But earlier today, authorities in New York announced they had charged more than 60 individuals — and arrested 20 — in connection with international cyber heists perpetrated against dozens of companies in the United States, including Owen’s.

In November 2009, cyber crooks used a sophisticated password stealing Trojan horse program called “ZeuS” to hack into computers at Owen’s firm — Plano, Texas-based Hillary Machinery. The program swiped the company’s online banking passwords, allowing the attackers to initiate more than $800,000 in bogus transfers out of the company’s online account to dozens of people in the United States who helped launder the money and send it to the attackers in Eastern Europe.

Fraudulent wire transfers from Hillary Machinery.

More than $14,100 of Hillary’s money was wired to Stanislav Rastorgeuv, a 22-year-old Russian national who entered the United States in June 2009 on a “J1” student visa. According to charging documents, Rastorgeuv was the poster child for money launderers looking to recruit new mules to help retrieve the proceeds of ZeuS Trojan virus attacks.

Authorities say almost all of those arrested or charged in this case are young Eastern Europe men and women who were either planning to travel to, or were already present in, the United States on J1 student visas. Once the students  were in the United States, the organizers  of the mule organization gave  the recruits fake foreign passports to open accounts at local banks.

Then, days or weeks after those accounts were opened, other actors in the group would transfer money from cybercrime victims into the mule accounts, typically in amounts close to $10,000. Once the transfers were complete, the mules would quickly withdraw the money, keep a portion for themselves (usually 8 to 10 percent) and transfer the remaining amount to other participants in the fraud scheme, usually individuals overseas.

Some mules were asked to open a large number of bank accounts to help launder stolen funds. Charging documents say Rastogeuv opened up multiple bank accounts under his own name and using fake passports for fictitious individuals, including the names “Petr Rubsashkin” and “Alexey Iankov.” In addition to the unauthorized transfer sent to him by Hillary Machinery, Rastogeuv allegedly helped to launder nearly $30,000 from other victim companies over the next two months.

U.S. authorities say the ringleader of the New York-based money mule gang was Artem “Artur” Tsygankov, a Russian citizen living in New York who allegedly recruited Rastogeuv and other mules, supplied them with fake identity documents, and managed their daily activities. In all, the New York gang cleared more than $3 million from victim corporations using hundreds of accounts opened under false identities.

Others are charged with hacking into and siphoning funds from online brokerage accounts. Jamal Beyrouti, 53, Lorenzo Babbo, 20, and 29-year-old Vincenzo Vitello worked with hackers who infiltrated trading accounts at E-Trade and TD Ameritrade, executing fraudulent sales of securities and transferring the proceeds to accounts the mules controlled. At the same time, the attackers blasted victims’ phones with a barrage of calls to prevent the brokerage firms from contacting them to confirm the legitimacy of the transactions. The scam allowed mules to transfer roughly $1.2 million from hacked brokerage accounts.

Continue reading

11 Charged In ZeuS & Money Mule Ring

September 30, 2010

Authorities in the United Kingdom on Wednesday charged 11 individuals with running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the help of the ultra-sophisticated ZeuS banking Trojan.

Yevhen Kulibaba

The gang is believed to be responsible for stealing more than $30 million from banks worldwide between October 2009 and September 28, 2010, and roughly £6 million (US$9.5 million) from financial institutions in the United Kingdom over a three-month period.

Karina Kostromina, in undated photo.

According to sources close to the case, members of the group also were heavily involved in online banking thefts perpetrated against dozens of small businesses and organizations based in the United States. Eight gang members were charged with money laundering, and 10 were charged with conspiracy to defraud. Police arrested 20 people in a pre-dawn raid on Tuesday; nine were bailed on Wednesday. The Metropolitan Police’s Central e-Crime Unit said those individuals may face charges at a later date. Those charged were due to appear in Westminster Magistrates’ Court court early this morning.

The individuals arrested in the U.K. are thought to be a subset of a global cybercrime operation. The Wall Street Journal now reports that the U.S. Attorney’s office in Manhattan is preparing to announce that 60 people have been charged in connection with a major ZeuS crime ring.

Sources say the ringleader of the U.K. gang, 32-year-old Ukrainian property developer Yevhen Kulibaba (pictured above right), shuttled some of the stolen funds from the U.K. to Ukraine and to Latvia, where he has been building a home with his wife. Information obtained by KrebsOnSecurity indicates that Kulibaba’s wife may be Karina Kostromina (pictured above left), a 33-year-old Latvian woman who was among those charged with money laundering and conspiracy in connection with this case. The U.K. Metropolitan Police declined to confirm or deny whether Kulibaba and Kostromina were married, although their public statement puts the two in the same neighborhood – Nevada Heights, Chingford, Essex.

Yuriy Konovalenko

Kulibaba’s right-hand man, 28-year-old Yuriy Konovalenko — also of Nevada Heights — is described by the e-Crime Unit as a self-employed Web designer from Ukraine. Sources say Konovalenko was chiefly responsible for managing a large number of “money mules,” people hired to withdraw, carry or transmit cash stolen by the gang. A review of Konovalenko’s social networking site identities suggests he is a blood relative of Kulibaba’s, but U.K. police declined to confirm or deny this information.

Also charged with conspiracy and stealing money from online bank accounts is Milka Valerij (pictured below), a 29-year-old Ukrainian whom U.K. police say was a building laborer.

Milka Valerij

The oldest alleged member of the group — 34 year-old Georgian Zurab Revazishvili — is facing violations of the U.K. Identity Cards Act of 2005, which makes it a crime to possess false identity documents. The Metropolitan Police statement on the crimes doesn’t specify what Revazishvili’s role was, but sources say he may have been responsible for creating false identity documents for the gang’s money mules.

Continue reading