Call Centers for Computer Criminals

April 20, 2010

A call service that catered to bank and identity thieves has been busted up by U.S. and international authorities. The takedown provides a fascinating glimpse into a bustling and relatively crowded niche of fraud services in the criminal hacker underground.

In an indictment unsealed on Monday, New York authorities said two Belarusian nationals suspected of operating a rent-a-fraudster service called Callservice.biz were arrested overseas. Wired.com’s Kim Zetter has the lowdown:

According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking “stand-ins” to help crooks thwart bank security screening measures.

In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

U.S. authorities have seized the Callservice.biz Web site, which now features the seals for the FBI and Justice Department prominently on its homepage. The feds also seized Cardingworld.cc, a highly-restricted online criminal forum where Callservice.biz was hosted.

If you spend any amount of time on underground forums like Cardingworld.cc, however, you’ll quickly discover that these criminal call centers are among the most popular of fraud services offered. For example, another fraud forum — Verified.su — is home to a number of calling services. Among them are two competing call centers that each began as point-and-click fraud shops that helped customers purchase electronics with stolen credit cards and then split the profits after selling the goods on eBay.

One such service, Atlanta Alliance, used to offer paying members a password-protected Web site where customers could select a range of high-priced gadgets — such as digital cameras, laptops and smart phones — that could be bought with stolen credit cards. The service even allowed customers to manage the shipment of these products to awaiting “reshipping mules,” individuals in the United States recruited for the purpose of receiving stolen goods and reshipping them to Russia, Ukraine and other nations where many vendors refuse to ship due to the high incidence of fraud from those areas.

Continue reading

Mozilla Disables Insecure Java Plugin in Firefox

April 20, 2010

Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.

Continue reading

Advertisement

Network Solutions Again Under Siege

April 19, 2010

For the second time in as many weeks, Internet hosting provider Network Solutions is trying to limit the damage from a hacking incident that has left many customer Web sites serving up malicious code.

In a post to its blog on Sunday titled We Feel Your Pain and We are Working Hard to Fix This, Network Solutions spokesman Shashi Bellamkonda apologized for the incident.

“We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,” Bellamkonda wrote. “At this time since anything we say in public may help the perpetrators, we are unable to provide details.”

Reached by telephone Monday, company spokeswoman Susan Wade declined to offer much more detail about the incident, such as how many customers may have been impacted and whether Network Solutions had uncovered the cause.

“It’s not impacting the entire hosting platform, but a subset of customers,” Wade said. “We’re trying to be very careful of what we say publicly right now. We want to make sure we have our facts straight and that we understand the scope of the problem. We’re putting countermeasures in place, but we’re not quite ready to come out and talk about them just yet.”

Unlike last week’s bout of customer site compromises, which seemed to impact mainly WordPress blogs, security experts have been hard-pressed to find a commonality among the victim sites, other than the malicious sites they are linking to.

“Note that this time we are seeing all kind of sites hacked, from WordPress, Joomla to just simple HTML sites,” wrote David Dede, a Brazilian security blogger who helped to raise the alarm over last week’s Network Solutions infections.

The StopMalvertising blog includes a host of information about the malicious scripts inserted into the hacked sites, indicating that the injected code redirects the visitor’s browser to Web pages that silently try to install malicious software using a variety of known vulnerabilities in popular Web browser plugins — such as Adobe PDF Reader — as well as insecure ActiveX (Internet Explorer) components.

Fraud Fighter ‘Bobbear’ to Hang Up His Cape

April 17, 2010

The owner and curator of bobbear.co.uk, a site that specializes in exposing Internet scams and phantom online companies, announced Saturday that he will be shuttering the site at the end of April.

Bobbear and its companion site bobbear.com, are creations of Bob Harrison, a 66-year-old U.K. resident who for the last four years has tirelessly chronicled and exposed a myriad of fraud and scam Web sites. The sites, which are well-indexed by Google and other search engines and receive about 2,000 hits per day, often are among the first results returned in a search for the names of fly-by-night corporations advertised in spam and aimed at swindling the unsuspecting or duping the unwitting.

Indeed, bobbear.co.uk has been extremely valuable resource to krebsonsecurity.com, which has used it to track the constant stream of new fraudulent corporations used to recruit so-called money mules, people lured into helping organized criminals launder money stolen through online banking theft.

In an interview with krebsonsecurity, Harrison said he’s been considering this move for some time now, and finally decided to quit the site for health and quality-of-life reasons.

“The wife says I spend about 15 hours a day on it, although it may not be quite that much,” joked the pseudonymous Harrison, speaking via phone from his home near Kent, about 50 miles outside of London. “Things are quite hard and health isn’t that good, so the time has come.”

An example of a money mule recruitment site exposed by bobbear.co.uk

Continue reading

iPack Exploit Kit Bites Windows Users

April 16, 2010

Not long ago, there were only a handful of serious so-called “exploit packs,” crimeware packages that make it easy for hackers to booby-trap Web sites with code that installs malicious software.

These days, however, it seems like we’re hearing about a new custom exploit kit every week. Part of the reason for this may be that more enterprising hackers are seeing the moneymaking potential of these offerings, which range from a few hundred dollars per kit to upwards of $10,000 per installation — depending on the features and plugins requested.

Take, for example, the iPack crimeware kit, an exploit pack that starts at around $500.

Continue reading

Java Patch Targets Latest Attacks

April 15, 2010

Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

Continue reading

Unpatched Java Exploit Spotted In-the-Wild

April 14, 2010

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site.  Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.

As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:

spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com

According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).

It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.

Continue reading

Immunet: A Second Opinion Worth a Second Look

April 14, 2010

Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC.

But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.

Users can run Immunet alone, and many do: The program scans files using two types of threat profiles: specific definitions or fingerprints of known threats, and generic signatures that are more akin to looking for a specific malware modus operandi.

But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virus products that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware.

I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and have haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in-the-cloud,” – that is, not on the user’s system. Immunet currently has about 133,000 active users, and that number changes constantly: Each time you reboot a system with it installed, chances are you will see a different – usually higher – number of users in the community.

I spoke recently with Immunet’s vice president of engineering, Alfred Huger, a former VP at Symantec Corp., and Adam O’Donnell, director of cloud engineering for the startup. That conversation — excerpts of which are included below — provides interesting insights into how the anti-virus industry operates, how consumers interact with these products, and how Immunet hopes to differentiate itself in already crowded field.

Continue reading

Adobe, Microsoft Push Security Upgrades

April 13, 2010

Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.

Continue reading

TrendMicro Toolbar + Long URL = Fail

April 12, 2010

Many anti-virus products — particularly the “Internet security suite” variety — now ship with various Web browser toolbars, plug-ins and add-ons designed to help protect the customer’s personal information and to detect malicious Web sites. Unfortunately, if designed poorly, these browser extras can actually lower the security posture of the user’s system by introducing safety and stability issues.

The last time I caught up with security researcher Alex Holden, he was showing me a nifty way to crash IE6 and prevent the user from easily reopening the badly outdated and insecure browser version ever again. Just the other day, Holden asked me to verify a crash he’d found that affects users who have Trend Micro Internet Security installed, which installs a security toolbar in both Internet Explorer and Mozilla-based browsers on Microsoft Windows.

The video here was made on a virgin install of Windows XP SP3, with the latest Firefox build and a brand new copy of Trend Micro Internet Security. Paste a really long URL into the address bar with the Trend toolbar enabled, and Firefox crashes every time. Do the same with the toolbar disabled, and the browser lets the Web site at whatever domain name you put in front of the garbage characters handle the bogus request as it should. This isn’t limited to Firefox: The same long URL crashes IE8 with the Trend toolbar enabled, although for some strange reason it fails to crash IE6. I didn’t attempt to test it against IE7.

Continue reading