To Catch a Mule

April 26, 2010

Much digital ink has been spilled in this blog detailing the activities of so-called “money mules,” willing or unwitting individuals here in the United States who are lured into laundering money for international organized cyber crime gangs. The subject almost always generates fierce debate among readers about whether these mules should be prosecuted, and the debate usually hinges on whether the mules knew that they were contributing to a crime.

Of course, ignorance of the law is no excuse, and this blog entry is in no way meant to defend the mules. But I did want to shed more light on the efforts that some mule recruitment gangs take to help potential mules believe they are in fact working for a legitimate company.

Take, for example, the efforts of what we’ll call the “Back Office,” mule recruitment gang — so named because the Web sites used to recruit and manage these folks almost always include the term “backoffice”. Potential Back Office mules are recruited via e-mail, with a message stating that the employer found the recipient’s resume on a job search site and would he or she be interested in working as a financial agent in an international finance company?

Those who respond are directed to create an account at a Back Office site, and from there the new recruits are processed through a series of interviews. According to conversations with multiple mules recruited by the Back Office gang, the process normally starts with a lengthy telephone interview, wherein the recruit is asked about his or her work history, ethics and attitudes.

Following the verbal interview, mules are asked to complete a lengthy questionnaire that asks roughly three dozen questions, including many that one might expect to find in a legitimate interview for a professional position.

“How do you evaluate success?”

“What classes or seminars have you taken on your own during the last three years to advance your careers and personal growth?


Charting the Carnage from eBanking Fraud

April 23, 2010

Aaron Jacobson of Authentify put together this map of all 43 of the U.S. commercial e-banking victims I’ve mentioned in stories at Krebsonsecurity.com and at the Washington Post’s Security Fix blog.

Clicking on this Google Maps link brings up an interactive version of this map showing the names of the victim at each point on the map, as well as their monetary losses.

What’s interesting that I hadn’t realized before seeing this map is that the victims appear to be heavily clustered in the East Coast and Midwest. I’m not sure if there is a connection, but the thieves perpetrating these attacks typically recruit their money mules almost exclusively from these regions. The thinking is that the criminals — most of whom reside in the Eastern European Time Zone (EET), don’t want to spend all night managing these mules. As such, they crooks tend not to solicit mules from those living in the Western United States. Again, there may not be an actual link between the mule trend and the grouping of victims, but just thought it was worth noting.

Advertisement

Hiding from Anti-Malware Search Bots

April 23, 2010

Malicious hackers spend quite a bit of time gaming the Internet search engines in a bid to have their malware-laden sites turn up on the first page of search results for hot, trending news topics. Increasingly, though, computer criminals also are taking steps to block search engines bots from indexing legitimate Web pages that have been hacked and booby-trapped with hostile code.

Search giants Yahoo! and Google each have automated programs that crawl millions of Web sites each week in search of those hosting malicious code. When the search providers find these sites, they typically append a warning to the hacked Web site’s listing in search results, alerting the would-be visitor that the site could be dangerous. These warnings not only result in fewer people visiting infected sites, but they have a tendency to alert a listed site’s owners to a malware problem that needs attention.

This is all well and good for you and me, but not so wonderful for the bad guys. Unless, of course, said bad guys have planned ahead, by inserting code in their hacked sites that hands out malicious code to everyone except the automated anti-malware bots deployed by the top search providers.

Which is precisely what security expert David Dede found earlier this month while analyzing some Web-based malware.

Continue reading

Rogue Antivirus Gangs Seize on McAfee Snafu

April 22, 2010

Purveyors of rogue anti-virus, a.k.a. “scareware,” often seize upon hot trending topics in their daily efforts to beef up the search engine rankings of their booby-trapped landing pages. So it’s perhaps no surprise that these scammers are capitalizing on search terms surrounding McAfee, which just yesterday shipped a faulty anti-virus update that caused serious problems for a large number of customers.

Continue reading

Fire Alarm Company Burned by e-Banking Fraud

April 22, 2010

A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account.

On Wednesday, Apr. 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account, chief executive Melanie Eakel said. Over the course of the previous two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000.

“They said ‘You’re overdraft,’ and I told them that was impossible because we didn’t do our payroll…we do it every Thursday,  not on Mondays at 2 a.m., which was when this was put through,” Eakel said. “I told them we did not authorize that.”

A few days later, however, the First National Bank of Fort Smith sent JE Systems a letter saying the bank would not be responsible for the loss. First National did not return calls seeking comment.

“They said it was our [Internet] address that was used to process the payments, and our online banking user name and password,” Eakel said. “I feel like the bank should have caught this.

Continue reading

McAfee False Detection Locks Up Windows XP

April 21, 2010

McAfee‘s anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users, according to multiple reports.

The SANS Internet Storm Center has received dozens of reports from McAfee users who complained that a recent anti-virus update (DAT 5958) is causing Windows xP Service Pack 3 clients to be locked out. According to SANS incident handler Johannes Ulllrich, McAfee is flagging “svchost.exe” as malicious. Svchost is a common system process typically used by multiple legitimate programs on a Windows system (although malware does often inject itself into this process), so having an anti-virus program that flags the process as a threat could cause major problems on a host system, Ullrich said.

“The [reports] keep coming in,” Ullrich said. “Systems either get stuck in a reboot loop, or networking is no longer working.”

One symptom seems to be that McAfee reports that user systems are infected with W32.Wecorl.a. The anti-virus program’s attempts to destroy or quarantine that targeted process then forces the Windows machine into a reboot cycle.

McAfee’s own support forum is currently queuing up with a large number of users piping in with stories about how the incident is affecting their operations. That thread,which began at 9:54 a.m. today, has more than 27,000 views and 83 replies.

Stay tuned for more updates as available.

Update, 1:56 p.m. ET: McAfee released the following statement regarding this event. “McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).

Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence.

McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

Update, 3:51 p.m. ET: McAfee’s main support forum is down due to an “unusually large traffic.” McAfee has posted a separate thread here that includes a couple of workarounds for customers struggling to deal with this problem.

Krebsonsecurity.com Partners with Federated Media

April 21, 2010

Readers may notice over the next day or so advertisements in one or two prominent spots on this blog. This is the result of a new partnership between Krebs on Security and Federated Media Publishing, a company that connects independent Web site authors with advertisers.

Federated Media currently represents more than 100 of the most respected social media properties on the Web, including The New York Times, BoingBoing, Breitbart, Mashable, and ReadWriteWeb, to name a few.

The reporting and investigations I have been conducting through krebsonsecurity.com take up a substantial amount of my time, and this partnership should help ensure that I can continue to dedicate my attention to this vital and highly relevant beat. Thank you for your continued support and readership.

Call Centers for Computer Criminals

April 20, 2010

A call service that catered to bank and identity thieves has been busted up by U.S. and international authorities. The takedown provides a fascinating glimpse into a bustling and relatively crowded niche of fraud services in the criminal hacker underground.

In an indictment unsealed on Monday, New York authorities said two Belarusian nationals suspected of operating a rent-a-fraudster service called Callservice.biz were arrested overseas. Wired.com’s Kim Zetter has the lowdown:

According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking “stand-ins” to help crooks thwart bank security screening measures.

In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

U.S. authorities have seized the Callservice.biz Web site, which now features the seals for the FBI and Justice Department prominently on its homepage. The feds also seized Cardingworld.cc, a highly-restricted online criminal forum where Callservice.biz was hosted.

If you spend any amount of time on underground forums like Cardingworld.cc, however, you’ll quickly discover that these criminal call centers are among the most popular of fraud services offered. For example, another fraud forum — Verified.su — is home to a number of calling services. Among them are two competing call centers that each began as point-and-click fraud shops that helped customers purchase electronics with stolen credit cards and then split the profits after selling the goods on eBay.

One such service, Atlanta Alliance, used to offer paying members a password-protected Web site where customers could select a range of high-priced gadgets — such as digital cameras, laptops and smart phones — that could be bought with stolen credit cards. The service even allowed customers to manage the shipment of these products to awaiting “reshipping mules,” individuals in the United States recruited for the purpose of receiving stolen goods and reshipping them to Russia, Ukraine and other nations where many vendors refuse to ship due to the high incidence of fraud from those areas.

Continue reading

Mozilla Disables Insecure Java Plugin in Firefox

April 20, 2010

Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.

Continue reading

Network Solutions Again Under Siege

April 19, 2010

For the second time in as many weeks, Internet hosting provider Network Solutions is trying to limit the damage from a hacking incident that has left many customer Web sites serving up malicious code.

In a post to its blog on Sunday titled We Feel Your Pain and We are Working Hard to Fix This, Network Solutions spokesman Shashi Bellamkonda apologized for the incident.

“We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,” Bellamkonda wrote. “At this time since anything we say in public may help the perpetrators, we are unable to provide details.”

Reached by telephone Monday, company spokeswoman Susan Wade declined to offer much more detail about the incident, such as how many customers may have been impacted and whether Network Solutions had uncovered the cause.

“It’s not impacting the entire hosting platform, but a subset of customers,” Wade said. “We’re trying to be very careful of what we say publicly right now. We want to make sure we have our facts straight and that we understand the scope of the problem. We’re putting countermeasures in place, but we’re not quite ready to come out and talk about them just yet.”

Unlike last week’s bout of customer site compromises, which seemed to impact mainly WordPress blogs, security experts have been hard-pressed to find a commonality among the victim sites, other than the malicious sites they are linking to.

“Note that this time we are seeing all kind of sites hacked, from WordPress, Joomla to just simple HTML sites,” wrote David Dede, a Brazilian security blogger who helped to raise the alarm over last week’s Network Solutions infections.

The StopMalvertising blog includes a host of information about the malicious scripts inserted into the hacked sites, indicating that the injected code redirects the visitor’s browser to Web pages that silently try to install malicious software using a variety of known vulnerabilities in popular Web browser plugins — such as Adobe PDF Reader — as well as insecure ActiveX (Internet Explorer) components.