Krebs on Security

A Stroll Down Victim Lane

May 10, 2010

Last week I traveled to Cooperstown, N.Y. to deliver a keynote address about the scourge of online banking fraud that I’ve written about so frequently this past year. I flew into Albany, and in the short, 60 minute drive west to Cooperstown, I passed through tiny Duanesburg, a town whose middle school district is still out a half million dollars from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims — including a wrecking firm based on Schenectady that lost $70,000 last month when organized thieves raided its online bank account.

Alexander “Sandy” Jackson‘s world started crashing down on Apr. 20, the day he learned that more than $70,000 of company’s cash had been transferred to 10 complete strangers scattered about the United States. Since then, the owner of Jackson Demolition Service has spent a good deal of time trying to retrieve that money. So far, he and his bank have recovered about one-third of the amount stolen.

Oddly enough, Jackson first learned of the fraud after being contacted by an individual who received close to $5,000 of the firm’s money.

That individual was Montgomery, Ala. resident April Overton. In March, Overton responded to an e-mail from a company that said it found her resume on Careerbuilder.com, and would she be interested in a work-at-home job entering tax information on behalf of American tax filers? Overton said she accepted the job, and for more than a month worked several hours each day completing various tax forms with personal tax information sent to her via e-mail, forms that she then had to fax back to her employers, who claimed to be Tax World LLC, at www.taxreturnsworld.com.

“I was basically processing tax returns, and they’d have me log in to a site every morning between the hours of 8:30 a.m. and 11:30 a.m., and would send me information, have me filing out [IRS Form] 1040 tax returns,” Overton said.

Continue reading →

Visa Warns of Fraud Attack from Criminal Group

May 8, 2010

17 Comments

Visa is warning financial institutions that it has received reliable intelligence that an organized criminal group plans to attempt to move large amounts of fraudulent payments through a merchant account in Eastern Europe, possibly as soon as this weekend.

In an alert sent to banks, card issuers and processors this week, Visa said it “has received intelligence from a third-party entity indicating that a criminal group has plans to execute “a large batch settlement fraud scheme.”

Continue reading →

Fun with ATM Skimmers, Part III

May 7, 2010

44 Comments

ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices also are a major problem in Europe as well.

According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.

ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards — either through handheld skimmers — or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA‘s Idan Aharoni wrote an informative post about this technology earlier this year.

Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines (click any of the images to view a slideshow).

: Image courtesy IBM. Hidden camera in false panel above PIN pad.

: Courtsey ENISA: A type of fraud device called a cashtrap siphons off bills as they exit the machine.

: Image courtesy IBM: False ATM front-mount that includes card skimmer.

: Image courtesy IBM: The back of the false ATM front-mount w/ skimmer.

: Image courtesy ENSA: Bogus PIN pad overlay + ATM card skimmer

: Image courtesy ENISA: False ATM top with camera + ATM card skimmer

[EPSB]

Have you seen:

All-in-one Skimmers…ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

[/EPSB]

New Software Turns iPad into iSpy

May 6, 2010

14 Comments

A new commercial software program marketed to employers, parents and suspicious spouses lets customers surreptitiously monitor their Apple iPads remotely and view a record of all e-mail and Web use on the devices.

The software-as-a-service is the latest offering from Jacksonville, Fla. based Retina-X Studios, a company whose Mobile Spy products have long allowed people to remotely spy on iPhones, Blackberries and other smartphones. For $99.97 a year, customers get access to a Web interface that allows them to view a list of every Web site visited, every e-mail sent and received, as well as any contacts added to the iPad.

Mobile Spy pitches the product thusly:

Are your kids viewing pornography while you are alseep? [sic] Are your employees sending company secrets through their personal email? You will have the answers to all these questions answered. Logs are instantly uploaded and viewable inside your control panel.

The company said in a press release that it plans to roll out even more capabilities for its iPadspy product, such as the ability to record the target’s location (by tapping the built-in GPS), and rifle through photos and notes stored on the device.

I haven’t used the service (I don’t even own an iPad, sadly). But these kinds of services are a good reminder about the importance of physical security for your computers and gadgets: In most cases, once an attacker has physical access to a device, it’s game over.

The software only works on jailbroken iPads, as the iPad is not able to run more than one program at a time unless it’s jailbroken.

Opera Plugs ‘Extremely Severe’ Security Hole

May 5, 2010

8 Comments

The makers of the Opera Web browser are urging users to apply an update that fixes what the company described as an “extremely severe” security flaw in Windows and Mac versions of the software. The vulnerability is fixed in the latest version, v. 10.53, available from this link. Alternatively, Opera users can click “Help” then “Check for Updates” from within the browser.

Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm

May 3, 2010

20 Comments

Luis Corrons spent much of the last year helping Spanish police with an investigation that led to the arrest of three local men suspected of operating and renting access to a massive and global network of hacked computers. Then, roughly 60 days after their arrest, something strange happened: Two of them unexpectedly turned up at Corrons’ office and asked to be hired as security researchers.

Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames “Netkairo” and “Ostiator,” were arrested in February by Spanish police for their alleged role in running the “Mariposa” botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for “butterfly”).

Now, here the two Mariposa curators were at Panda’s headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.

“At first, I couldn’t believe it, and I thought someone in the office was playing a practical joke on me,” Corrons said. “But these guys were the real guys, and they were serious.

“Ostiator told me, ‘The thing is, with everything that’s been happening, we’re not earning any money at the moment,” Corrons recalled. “He said, ‘We thought we could look for some kind of agreement in which both sides would benefit. We think we have knowledge [that] could be useful to Panda and thought we could have some kind of agreement with Panda.'”

Spanish police do not typically release the names of individuals who have been arrested, and Netkairo and Ostiator haven’t yet been charged with any crime. But Corrons recognized that the names and addresses on the resumes matched those that police had identified as residences belonging to Netkairo and Ostiator.

Corrons said Panda’s lawyers were unwilling to release the full names of the two men that visited Panda Labs, but said Ostiator’s first name is Juan Jose, and that he is a 25-year-old male from Santiago de Compostela. Corrons said Netkairo is a 31-year-old from Balmaseda named Florencio.

Shortly after the arrests were announced, local Spanish media said the third individual arrested by Spanish authorities in connection with Mariposa — a 30-year-old identified by his initials “JPR” — used the hacker nickname “Johny Loleante” and lived in Molina de Segura, Murcia.

On Mar. 3, I had the opportunity to interview Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. Lorenzana told Krebsonsecurity.com that Netkairo and his associate were earning about 3,000 Euros each month renting out the Mariposa botnet to other hackers.

Interviewing the same hackers less than three weeks later, Corrons asked them how they got started creating Mariposa.

“Basically, they said they started it as kind of a hobby, and that they weren’t working at the time,” Corrons said. “Suddenly, they started to earn money, a few hundred Euros a week to start, and then discovered they couldn’t stop. And the whole time, their network kept growing.”

Continue reading →

NSA on Computer Network Attack & Defense

April 30, 2010

9 Comments

I spent the past few days in Mexico City participating in the annual meeting of the Honeynet Project, an international group dedicated to developing and deploying technologies that collect intelligence on the methods malicious hackers use in their attacks. The event brought in experts from around the globe, and our hosts — the National Autonomous University of Mexico (in Spanish, UNAM) were gracious and helpful.

As it happens, honeynets and other “deception technologies” are among the approaches discussed in the following document, written by the National Security Agency‘s Information Assurance Directorate. A source of mine passed it along a while back, but I only rediscovered it recently. I could not find a public version of this document that was published online previously, so it has been uploaded here.

The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks. Of particular interest to me was the section on deception technologies, which discusses the use of honeynet technology to learn more about attackers’ methods, as well as the potential legal and privacy aspects of using honeynets. Another section delves into the challenges of attributing the true origin(s) of a computer network attack.

The document is a final draft from back in 2004, although I’m told the final version of the document varies little from this copy. In any event, it may be surprising to some to see how many of the techniques, technologies and challenges detailed in this document remain relevant and timely six years later. It is embedded in this blog as a Scribd file, viewable after the jump (the document is > 5mb, so please be patient). I removed the Scribd embedded PDF, because it was causing problems for too many readers. The full PDF is available at this link here.

A Closer Look at Rapport from Trusteer

April 29, 2010

121 Comments

A number of readers recently have written in to say their banks have urged customers to install a security program called Rapport as a way to protect their online bank accounts from fraud. The readers who pinged me all said they didn’t know much about this product, and did I recommend installing it? Since it has been almost two years since I last reviewed the software, I thought it might be useful to touch base with its creators to see how this program has kept pace with the latest threats.

The basics elements of Rapport – designed by a company called Trusteer — haven’t changed much. As I wrote in May 2008, the software works by assuming control over the application programming interfaces or APIs in Windows, the set of tools which allow software developers to create programs that interact with key Windows functionalities.

From that 2008 piece:

“Some of today’s nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack or ‘hook’ the Windows API that handles the transmission of data from user interfaces, such as the keyboard and mouse. A more advanced type of malware – known as a ‘form grabber’ – hijacks the ‘WinInet‘ API – which sets up the SSL (think https://) transaction between the user’s browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.

Trusteer’s software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.”

I spoke last week with Trusteer CEO Mickey Boodaei about his company’s software, how it has changed over the years, and what’s new about it.

BK: A lot of customers are being asked to download the software and don’t know much about Trusteer or Rapport. One customer wrote in banked at BBVA, and another was with Fifth Third. Both banks very recently had multiple customers lose hundreds of thousands of dollars to the sort of online banking fraud I’ve been writing about lately.

MB: Well, the more press coverage we get, the more it will help build familiarity with our brand among consumers.

BK: Since we last talked, you were working with just a handful of banks — such as ING. Can you talk about how the business has grown and who you’re partnering with now?

MB: Over the last year in the U.S., we’ve been seeing a significant change in the amount of interest we’re getting from banks, especially around business banking. It looks like banks are getting really worried about it, as many have seen fairly significant fraud losses. Right now in North America we have around 50 banks using our technology, and few others in the United Kingdom.

Read on after the jump for my thoughts on this software, and a discussion of some of the malware that specifically targets Rapport.

Continue reading →

Infamous Storm Worm Stages a Comeback

April 28, 2010

6 Comments

The “Storm Worm,” a strain of malicious software once responsible for blasting out 20 percent of spam sent worldwide before it died an ignominious death roughly 18 months ago, was resurrected this week. Researchers familiar with former strains of the worm say telltale fingerprints in the new version strongly suggest that it was either rebuilt by its original creators or was sold to another criminal malware gang.

Continue reading →

Fake Anti-virus Peddlers Outmaneuvering Legitimate AV

April 27, 2010

39 Comments

Purveyors of fake anti-virus or “scareware” programs have aggressively stepped up their game to evade detection by legitimate anti-virus programs, according to new data from Google.

In a report being released today, Google said that between January 2009 and the end of January 2010, its malware detection infrastructure found some 11,000 malicious or hacked Web pages that attempted to foist fake anti-virus on visitors. The search giant discovered that as 2009 wore on, scareware peddlers dramatically increased both the number of unique strains of malware designed to install fake anti-virus as well as the frequency with which they deployed hacked or malicious sites set up to force the software on visitors.

Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them.

Google found that miscreants spreading fake anti-virus have over the last six months taken aggressive steps to evade the two most prevalent countermeasures against scareware: The daily updates shipped by the legitimate anti-virus makers designed to detect scareware installers; and programs like Google’s which scan millions of Web pages for malicious software and flag search results that lead to malware.

Google’s automated system scanned each potentially malicious page in real time using a number of licensed anti-virus engines, and all of the files were rescanned again at the end of the study. Beginning in June 2009, Google charted a massive increase in the number of unique fake anti-virus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate anti-virus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent.

“We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates,” said Niels Provos, principal software engineer for Google’s infrastructure group. “It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.”

Continue reading →

Last »