A leading security researcher today published perhaps the best evidence yet showing a link between Chinese hackers and the sophisticated cyber intrusions at Google, Adobe and a slew of other top U.S. corporations late last year.
In mid-December, Google discovered that its networks had been breached by attackers who appeared by coming from China. A Wall Street Journal article cited researchers saying the attacks — dubbed Operation Aurora — were launched from six Internet addresses in Taiwan, which experts say is a common staging ground for Chinese espionage.
While Google itself has said that the attacks “originated in China,” experts have been quick to point out that attackers commonly route their communications through faraway computers, and that the real attackers may be located anywhere in the world. But new clues about the origins of the malicious software that was used to exploit the as-yet unpatched Internet Explorer vulnerability suggest that the exploit was in fact assembled by Chinese programmers
The evidence comes from forensic work published today by Joe Stewart, director of malware research for Atlanta based managed security firm SecureWorks. Stewart said he found that a snippet of the source code used in the backdoor Trojan horse program planted by the exploit (called “Hydraq” by various anti-virus companies) matched a source code sample that was detailed in a Chinese-language white paper on mathematical algorithms used in electronics.
Stewart said a Google search for one of the key text strings in that code sample shows that it is virtually unknown outside of China, and that almost every page with meaningful content concerning the algorithm is written in Chinese.
Money mules are quite literally the workhorses of the online fraud world. The term “money mule” is borrowed from the nomenclature used to describe the human pack horses of the drug cartels — so-called “drug mules” — people who physically carry illegal substances on their person while crossing the U.S. border. Some drug mules actually ingest large numbers of tiny bags full of illegal substances, and carry the narcotics in their digestive system on the way into the United States. You can probably guess how the drugs are…er…offloaded by these mules.
Of course, money mules don’t actually ingest the cash they help steal from banks and small businesses that are victimized by criminal gangs, although they do occasionally eat the cost when their bank turns around and holds them liable for the missing money. However, some of the mules — mainly young Eastern European men and women of college age who are here in the United States on temporary J1 visas — do physically carry the cash on their person when they head back home.
Anyway, this blog posts focuses on the former group, those willing or unwitting individuals who stand to very likely make $500-$700 from a single transaction with the crooks. Money mules are recruited through work-at-home job offers that arrive via e-mail, usually claiming that the prospective employer found the recipient’s resume’ on careerbuilders.com, monster.com, or some other job search site. Recruits are told they will be helping to move money for international companies, and are asked to provide their bank account and routing numbers so that they can receive incoming transfers.
Now, technically speaking, most mules are by default fired after their first and only successful job: Each mule is worth slightly less than $10,000 to the cyber gangs, who will cease communicating with a mule the minute after he or she successfully wires the money to the crooks and e-mails the access number the criminals need to pick up the cash.
The mules’ job isn’t that difficult: Wait by the computer between 8 and 11 a.m. for a message saying a deposit is ready for withdraw. The mule is instructed to then go down to their bank, pull out the money in cash, and then wire it abroad via Western Union and Moneygram.
But you’d be surprised at how often the mules screw this up. Here are the Top 10 ways that mules can get fired:
Web site domain registrar and hosting provider Network Solutions acknowledged Tuesday that hackers had broken into its servers and defaced hundreds of customer Web sites.
The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants armed with rocket launchers and rifles, alongside the message “HaCKed by CWkomando.”
According to results for that search term entered into Microsoft’s Bing search engine, there may in fact be thousands of sites affected by this mass defacement.
One of the defaced pages belonged to Minnesota’s 8th District GOP, according to a story in The Minnesota Independent, which said the Arabic writing that accompanies the defaced pages contains the dedication “For Palestine,” and the repeated phrase “Allahu Akbar” [God is great].
Apple his shipped a software update that fixes at least a dozen security vulnerabilities in Mac OS X Leopard and Snow Leopard systems. The update applies to OS X 10.5 and 10.6 desktop and server machines, is available through Software Update or from Apple Downloads. More than half of the fixes are to update the Mac version of Adobe’s Flash Player plugin. Check out this link for more nitty gritty on the individual flaws fixed in this update.
I had just finished opening an account at the local bank late last week when I happened to catch a glimpse of the bank manager’s computer screen: He had about 20 Web browser windows open, and it was hard to ignore the fact that he was using Internet Explorer 6 to surf the Web.
For more than a second I paused, and considered asking for my deposit back.
“Whoa,” I said. “Are you really still using IE6?”
“Yeah,” the guy grinned sheepishly, shaking his head. “We’re supposed to get new computers soon, but I dunno, that’s been a long time coming.”
“Wow. That’s nuts,” I said. “You’ve heard about this latest attack on IE, right?”
I might as well have asked him about the airspeed velocity of an African Swallow. Dude just shook his head, and so did I.
Well, you can’t really blame the poor guy for not knowing. Just hours before, Microsoft Chief Executive Steve Ballmer looked a bit like a deer in headlights when, standing in front of the White House in a planned CNBC interview on how the Obama administration is looking to use technology to streamline its operations, he was suddenly asked about a report just released from McAfee effectively blaming a slew of recent cyber break-ins at Google, Adobe and more than 30 top other Silicon Valley firms on a previously unknown flaw in IE.
“Cyber attacks and occasional vulnerabilities are a way of life,” Ballmer said. “If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.”
The other day I had a chance to chat with Steve Santorelli, director of global outreach at Team Cymru (pronounced kum-ree), a security research and investigation firm that is often privy to some fascinating, granular data on network attacks, as well as fairly unique holistic views about large scale Internet threats.
Santorelli wanted to interview me as part of their ongoing Who and Why Show, and gave me a few minutes to answer the question, “What keeps you up at night?” My answer was basically that I worry what will happen to the Internet as we know it when people start to die in a measurable way because of computer and Internet security vulnerabilities and attacks.
Click the embedded video image below to listen to the short interview.
By the way, the title of this post is an open-ended question: Are there Internet/computer security threats that keep you — the reader — up at night? If so, sound off in the comments.
It is said that you can judge the mettle of a man by the quality of his enemies. So I guess it should be flattering when a group of individuals who appear dedicated to making misery for countless Internet users express glee at what they perceive as my misfortune.
Since my final posting on The Washington Post‘s Security Fix blog last year, I’ve been made aware of several discussions among different shadowy online groups who were apparently celebrating the end of that blog.
Some of those conversations I am not at liberty to point to here, but at least one of them is public: A thread on crutop.nu, a 8,000 member Russian language forum dedicated to Webmasters who specialize in high-risk Web sites, including rogue anti-virus software sales, pharmacy sites, and all manner of extreme porn (including beastiality and rape).
Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.
This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.
Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.
In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.
Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.
This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?
The recent targeted cyber attacks against Google, Adobe and other major companies were fueled in part by a previously unknown — and currently unpatched — security flaw in Microsoft‘s Internet Explorer Web browser, anti-virus vendor McAfee said today.
McAfee said its investigation revealed that one of the malicous software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.