‘White House’ eCard Dupes Dot-Gov Geeks

January 3, 2011

A malware-laced e-mail that spoofed season's greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters.

The attack appears to be the latest salvo from ZeuS malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing both financial data and documents from victim machines. This activity is unusual because most criminals using ZeuS are interested in money-making activities – such as swiping passwords and creating botnets – whereas the hoovering up of sensitive government documents is activity typically associated with so-called advanced persistent threat attacks, or those deployed to gather industrial and military intelligence.

On Dec. 23, the following message was sent to an unknown number of recipients:

“As you and your families gather to celebrate the holidays, we wanted to take
a moment to send you our greetings. Be sure that we’re profoundly grateful
for your dedication to duty and wish you inspiration and success in
fulfillment of our core mission.

Greeting card:

hxxp://xtremedefenceforce.com/[omitted]
hxxp://elvis.com.au/[omitted]

Merry Christmas!
___________________________________________
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500”

Recipients who clicked either of the above links and opened the file offered were infected with a ZeuS Trojan variant that steals passwords and documents and uploads them to a server in Belarus. I was able to analyze the documents taken in that attack, which hoovered up more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims. I feel reasonably confident I have identified several victims, all of whom appear to be employees of some government or another. Among those who fell for the scam e-mail were:

- An employee at the National Science Foundation’s Office of Cyber Infrastructure. The documents collected from this victim include hundreds of NSF grant applications for new technologies and scientific approaches.

- An intelligence analyst in the Massachusetts State Police gave up dozens of documents that appear to be records of court-ordered cell phone intercepts. Several documents included in the cache indicate the victim may have recently received top-secret clearance. Among this person’s cache of documents is a Department of Homeland Security tip sheet called “Safeguarding National Security Information.”

- An unidentified employee at the Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

- An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

- An employee at the Millennium Challenge Corporation, a federal agency set up to provide foreign aid for development projects in 15 countries in Africa, Central America and other regions.

The most interesting component of this attack was not the ZeuS variant, which by most accounts was an older, well-understood version of the banking Trojan. Rather, researchers are focusing on the component responsible for stealing documents, which suggests the handiwork of a novice who was quite active in 2010.


Russian e-Payment Giant ChronoPay Hacked

December 29, 2010

Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data.

Reached via phone in Moscow, ChronoPay chief executive Pavel Vrublevsky said the bogus payment page was up for several hours spanning December 25 and 26, during which time the attackers collected roughly 800 credit card numbers from customers visiting the site to make payments for various Russian businesses that rely on ChronoPay for processing.

In the attack, ChronoPay’s domain was transferred to Network Solutions, and its domain name system (DNS) servers were changed to “anotherbeast.com,” a domain registered at Network Solutions on Dec. 19, 2010.

The attackers left a message on the ChronoPay home page – designed to look as if it had been posted by Vrublevsky (see image above) – stating that hackers had stolen the personal data of all ChronoPay users who had shared payment information with the company in 2009 and 2010.

Vrublevsky said the message was faked — that it was “absolutely not true” — and that the damage was limited to the 800 card numbers. He added that the company was still working with its registrar Directnic and with Network Solutions to understand how the attackers managed to hijack the domain.

The hackers also stole and posted online at least nine secret cryptographic keys ChronoPay uses to sign the secure sockets layer (SSL) certificates that encrypt customer transactions at chronopay.com. Vrublevsky said all but one of those certs were issued long ago: One of the certs was issued in September, albeit with an older key, he said.


Happy Birthday KrebsOnSecurity.com

December 29, 2010

It’s hard to believe that a year has passed since I posted the first entry on this blog. It seems like just yesterday that I was leaving The Washington Post and making a huge – and somewhat scary – leap as an independent investigative journalist. What an amazing year it has been for security, in every sense!

I’ve been completely blown away by the feedback and encouragement I’ve received from regular readers and new ones (my site metrics report that more than 60 percent of visits are still from new visitors). In the past 12 months, I’ve authored some 270 blog posts, and you the readers have left more than 11,000 comments.

Some readers have been especially generous: So far this year KrebsOnSecurity.com has received more than 50 donations via the PayPal Donate! button in the sidebar.

In short, I am extremely grateful for your support, and am looking forward to a busy 2011: I expect to do quite a bit more public speaking and traveling next year, but I plan to maintain the pace I’ve set this year on the blog.

Thanks for reading, and for your continued support!

Carders.cc, Backtrack-linux.org and Exploit-db.org Hacked

December 25, 2010

Carders.cc, a German security forum that specializes in trading stolen credit cards and other purloined data, has been hacked by security vigilantes for the second time this year. Also waking up to “you’ve been owned” calling cards this Christmas are exploit database exploit-db.org and backtrack-linux.org, the home of Backtrack, an open source “live CD” distribution of Linux.

The hacks were detailed in the second edition of “Owned and Exposed,” an ezine whose first edition in May included the internal database and thousands of stolen credit card numbers and passwords from Carders.cc. The Christmas version of the ezine doesn’t feature credit card numbers, but it does list the user names and hashed passwords of the carders.cc forum administrators. The carders.cc forum itself appears to be down at the moment.

Mati Aharoni, the main administrator for both exploit-db.org and backtrack-linux.org, confirmed that the hacks against his sites were legitimate. Shortly after my e-mail, Aharoni replied with a link to a short statement, noting that a hacking team called inj3ct0r initially took credit for the attack, only to find itself also targeted and shamed in this edition of Owned and Exposed.

“There’s nothing like having your butt kicked Christmas morning, which is exactly what happened to us today. We were owned and exposed, in true fashion,” Aharoni wrote. “Initially, the inj3ct0r team took ‘creds’ for the hack, which quickly proved false as the original ezine showed up – and now inj3ct0r (their new site) is no longer online. As a wise Chinese man once said: ‘do not anger one who has shell on your server’. The zine also mentioned other sites, as well as the ettercap project being backdoored.”

To his credit, Aharoni posted a link to the second edition of Owned and Exposed.

“The irony of posting your zine in our papers section is not lost on us,” Aharoni wrote.

Update 10:40 p.m. ET: An earlier version of this blog post incorrectly identified one of the hacked domains as linux-exploit.org. The blog post above has been corrected. My apologies for the confusion.

Exploit Published for New Internet Explorer Flaw

December 23, 2010

Hackers have released exploit code that can be used to compromise Windows PCs through a previously unknown security flaw present in all versions of Internet Explorer, Microsoft warned today.

Dave Forstrom, director of trustworthy computing at Microsoft, said although the software giant is not aware of any attacks wielding this flaw against Windows users, “given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack our customers may increase.”

Microsoft’s security advisory says the problem has to do with the way IE handles CSS style sheets. A posting on Microsoft’s Security Research & Defense blog notes that the Metasploit Project recently published an exploit for this flaw that evades two of the key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).


The Cyberwar Will Not Be Streamed

December 20, 2010

In early 2000 — ages ago in Internet time — some of the biggest names in e-commerce were brought to their knees by a brief but massive assault from a set of powerful computers hijacked by a glory-seeking young hacker. The assailant in that case, known online as Mafiaboy, was a high school student from a middle-class suburban area of Canada who was quickly arrested after bragging about his role in the attacks.

It wasn’t long before the antics of novice hackers like Mafiaboy were overshadowed by more discreet attacks from organized cyber criminal gangs, which began using these distributed denial-of-service (DDoS) assaults to extort money from targeted businesses. Fast-forward to today, and although vanity DDoS attacks persist, somehow elements in the news media have begun conflating them with the term “cyberwar,” a vogue but still-squishy phrase that conjures notions of far more consequential, nation-state level conflicts.

If any readers have been living under a rock these last few weeks, I’m referring to the activities of Anonymous, an anarchic and leaderless collection of individuals that has directed attacks against anyone who dares inhibit or besmirch the activities of Wikileaks, an organization dedicated to exposing secret government documents. To date, the Web sites attacked by Anonymous include Amazon.com, EveryDNS.com, Mastercard.com, Paypal.com, and Visa.com, among others.

The rest of this article can be read at CSO Online.

Google Debuts “This Site May Be Compromised” Warning

December 17, 2010

Google has added a new security feature to its search engine that promises to increase the number of Web page results that are flagged as potentially having been compromised by hackers.

The move is an expansion of a program Google has had in place for years, which appends a “This site may harm your computer” link in search results for sites that Google has determined are hosting malicious software. The new notation – a warning that reads “This site may be compromised” – is designed to include pages that may not be malicious but which indicate that the site might not be completely under the control of the legitimate site owner — such as when spammers inject invisible links or redirects to pharmacy Web sites.

Google also will be singling out sites that have had pages quietly added by phishers. While spam usually is routed through hacked personal computers, phishing Web pages most often are added to hacked, legitimate sites: The Anti-Phishing Working Group, an industry consortium, estimates that between 75 and 80 percent of phishing sites are legitimate sites that have been hacked and seeded with phishing kits designed to mimic established e-commerce and banking sites.

It will be interesting to see if Google can speed up the process of re-vetting sites that were flagged as compromised, once they have been cleaned up by the site owners. In years past, many people who have had their sites flagged by Google for malware infections have complained that the search results warnings persist for weeks after sites have been scrubbed.

Denis Sinegubko, founder and developer at Unmask Parasites, said Google has a lot of room for improvement on this front.

“They know about it, and probably work internally on the improvements but they don’t disclose such info,” Sinegubko said. “This process is tricky. In some cases it may be very fast. But in others it may take unreasonably long. It uses the same form for reconsideration requests, but [Google says] it should be faster…less than two weeks for normal reconsideration requests.”


Russian Police Only Translate the Good News

December 16, 2010

Internet security and cybercrime experts often complain that Russian law enforcement agencies don’t place a high priority on investigating and arresting hackers in that country. While that criticism may be fair, it may also be that Russian bureaucrats simply do not wish to call any attention to any sort of crime in their country — at least not to Westerners’ view.

I discovered something fascinating while searching for information on the Web site of the Russian Interior Ministry (MVD), the organization that runs the police departments in each Russian city: The Russian version of the site features dozens of stories every day about police corruption, theft, murder, extortion, drug trafficking and all manner of badness. If, however, you opt to view the English version of the site, the MVD shows you only news with a positive slant.

Here are all of the MVD news headlines on the English version of the site for Dec. 14:

“Photo-exhibition ‘Ministry of Interior. Open lens’ opened in trading and entertaining center in Perm”
“Photo exhibition ‘Open lens’ opened at Internal Affairs Directorate in Tomsk region”
“‘Round table meeting’ devoted to interaction of militia and youth associations took place in Kaluga”
“Krasnoyarsk militia officers rescued life of man”
“Ryazan militia officer is awarded medal of RF Ombudsman”
“Visit of police officer of state Washington, assistant to sheriff of district King Steve Bitsa to Sakhalin has finished”
“National team of Petersburg Central Internal Affairs Directorate won world mini-football tournament”
“Campaign ‘Tell your friend about traffic safety rules’ took place in Adygea”

And here are just a few headlines (roughly Google-translated) from the dozens of press releases on the Russian version of the MVD’s site for that same day:


Fallout from Recent Spear Phishing Attacks?

December 15, 2010

McDonald’s and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of “spear phishing” attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.

On Nov. 24, I published an investigative piece that said criminals were conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations. From that story:

“The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.”

Artist haven deviantART also disclosed this week that its e-mail database — including 13 million addresses — had been hacked. deviantART blamed the breach on SilverPop Systems Inc., an e-mail marketing firm with whom it partners.

McDonald’s said its data spill was due to hacked computer systems operated by an e-mail database management firm hired by its longtime business partner Arc Worldwide, a marketing services arm of advertising firm Leo Burnett. Contacted by phone, Arc Worldwide President William Rosen referred all questions to another employee, who declined to return calls seeking comment.

Walgreens didn’t name the source of the breach, but said it was due to “unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data.” Interestingly, Arc Worldwide stated in a July 27, 2009 press release that Walgreens had chosen it as the promotion marketing agency of record.


Microsoft Patches 40 Security Holes

December 14, 2010

Microsoft today issued 17 software updates to plug a total of 40 security holes in computers running its Windows operating system and other software. December’s bounty of patches means Microsoft fixed a record number of security vulnerabilities this year.

According to Microsoft, the most urgent of the patches is a critical update that fixes at least seven vulnerabilities in Internet Explorer versions 6, 7 and 8, including three that were publicly disclosed prior to today’s update. Microsoft said that at least one of the public flaws is already being actively exploited.

Microsoft also called special attention to the only other critical bulletin in the batch – a vulnerability in the OpenType Font Driver in Windows. Redmond warns that an attacker could compromise a machine on a network simply by getting a user to open a shared folder containing a malicious OpenType font file.
