Fire Alarm Company Burned by e-Banking Fraud

April 22, 2010
59 Comments

A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account.

On Wednesday, Apr. 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account, chief executive Melanie Eakel said. Over the course of the previous two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000.

“They said ‘You’re overdraft,’ and I told them that was impossible because we didn’t do our payroll…we do it every Thursday,  not on Mondays at 2 a.m., which was when this was put through,” Eakel said. “I told them we did not authorize that.”

A few days later, however, the First National Bank of Fort Smith sent JE Systems a letter saying the bank would not be responsible for the loss. First National did not return calls seeking comment.

“They said it was our [Internet] address that was used to process the payments, and our online banking user name and password,” Eakel said. “I feel like the bank should have caught this.

Continue reading

McAfee False Detection Locks Up Windows XP

April 21, 2010
23 Comments

McAfee‘s anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users, according to multiple reports.

The SANS Internet Storm Center has received dozens of reports from McAfee users who complained that a recent anti-virus update (DAT 5958) is causing Windows xP Service Pack 3 clients to be locked out. According to SANS incident handler Johannes Ulllrich, McAfee is flagging “svchost.exe” as malicious. Svchost is a common system process typically used by multiple legitimate programs on a Windows system (although malware does often inject itself into this process), so having an anti-virus program that flags the process as a threat could cause major problems on a host system, Ullrich said.

“The [reports] keep coming in,” Ullrich said. “Systems either get stuck in a reboot loop, or networking is no longer working.”

One symptom seems to be that McAfee reports that user systems are infected with W32.Wecorl.a. The anti-virus program’s attempts to destroy or quarantine that targeted process then forces the Windows machine into a reboot cycle.

McAfee’s own support forum is currently queuing up with a large number of users piping in with stories about how the incident is affecting their operations. That thread,which began at 9:54 a.m. today, has more than 27,000 views and 83 replies.

Stay tuned for more updates as available.

Update, 1:56 p.m. ET: McAfee released the following statement regarding this event. “McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).

Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence.

McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

Update, 3:51 p.m. ET: McAfee’s main support forum is down due to an “unusually large traffic.” McAfee has posted a separate thread here that includes a couple of workarounds for customers struggling to deal with this problem.

Advertisement

Krebsonsecurity.com Partners with Federated Media

April 21, 2010
29 Comments

Readers may notice over the next day or so advertisements in one or two prominent spots on this blog. This is the result of a new partnership between Krebs on Security and Federated Media Publishing, a company that connects independent Web site authors with advertisers.

Federated Media currently represents more than 100 of the most respected social media properties on the Web, including The New York Times, BoingBoing, Breitbart, Mashable, and ReadWriteWeb, to name a few.

The reporting and investigations I have been conducting through krebsonsecurity.com take up a substantial amount of my time, and this partnership should help ensure that I can continue to dedicate my attention to this vital and highly relevant beat. Thank you for your continued support and readership.

Call Centers for Computer Criminals

April 20, 2010
14 Comments

A call service that catered to bank and identity thieves has been busted up by U.S. and international authorities. The takedown provides a fascinating glimpse into a bustling and relatively crowded niche of fraud services in the criminal hacker underground.

In an indictment unsealed on Monday, New York authorities said two Belarusian nationals suspected of operating a rent-a-fraudster service called Callservice.biz were arrested overseas. Wired.com’s Kim Zetter has the lowdown:

According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking “stand-ins” to help crooks thwart bank security screening measures.

In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

U.S. authorities have seized the Callservice.biz Web site, which now features the seals for the FBI and Justice Department prominently on its homepage. The feds also seized Cardingworld.cc, a highly-restricted online criminal forum where Callservice.biz was hosted.

If you spend any amount of time on underground forums like Cardingworld.cc, however, you’ll quickly discover that these criminal call centers are among the most popular of fraud services offered. For example, another fraud forum — Verified.su — is home to a number of calling services. Among them are two competing call centers that each began as point-and-click fraud shops that helped customers purchase electronics with stolen credit cards and then split the profits after selling the goods on eBay.

One such service, Atlanta Alliance, used to offer paying members a password-protected Web site where customers could select a range of high-priced gadgets — such as digital cameras, laptops and smart phones — that could be bought with stolen credit cards. The service even allowed customers to manage the shipment of these products to awaiting “reshipping mules,” individuals in the United States recruited for the purpose of receiving stolen goods and reshipping them to Russia, Ukraine and other nations where many vendors refuse to ship due to the high incidence of fraud from those areas.

Continue reading

Mozilla Disables Insecure Java Plugin in Firefox

April 20, 2010
19 Comments

Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.

Continue reading

Network Solutions Again Under Siege

April 19, 2010
12 Comments

For the second time in as many weeks, Internet hosting provider Network Solutions is trying to limit the damage from a hacking incident that has left many customer Web sites serving up malicious code.

In a post to its blog on Sunday titled We Feel Your Pain and We are Working Hard to Fix This, Network Solutions spokesman Shashi Bellamkonda apologized for the incident.

“We have received reports that Network Solutions customers are seeing malicious code added to their websites and we are really sorry for this experience,” Bellamkonda wrote. “At this time since anything we say in public may help the perpetrators, we are unable to provide details.”

Reached by telephone Monday, company spokeswoman Susan Wade declined to offer much more detail about the incident, such as how many customers may have been impacted and whether Network Solutions had uncovered the cause.

“It’s not impacting the entire hosting platform, but a subset of customers,” Wade said. “We’re trying to be very careful of what we say publicly right now. We want to make sure we have our facts straight and that we understand the scope of the problem. We’re putting countermeasures in place, but we’re not quite ready to come out and talk about them just yet.”

Unlike last week’s bout of customer site compromises, which seemed to impact mainly WordPress blogs, security experts have been hard-pressed to find a commonality among the victim sites, other than the malicious sites they are linking to.

“Note that this time we are seeing all kind of sites hacked, from WordPress, Joomla to just simple HTML sites,” wrote David Dede, a Brazilian security blogger who helped to raise the alarm over last week’s Network Solutions infections.

The StopMalvertising blog includes a host of information about the malicious scripts inserted into the hacked sites, indicating that the injected code redirects the visitor’s browser to Web pages that silently try to install malicious software using a variety of known vulnerabilities in popular Web browser plugins — such as Adobe PDF Reader — as well as insecure ActiveX (Internet Explorer) components.

Fraud Fighter ‘Bobbear’ to Hang Up His Cape

April 17, 2010
10 Comments

The owner and curator of bobbear.co.uk, a site that specializes in exposing Internet scams and phantom online companies, announced Saturday that he will be shuttering the site at the end of April.

Bobbear and its companion site bobbear.com, are creations of Bob Harrison, a 66-year-old U.K. resident who for the last four years has tirelessly chronicled and exposed a myriad of fraud and scam Web sites. The sites, which are well-indexed by Google and other search engines and receive about 2,000 hits per day, often are among the first results returned in a search for the names of fly-by-night corporations advertised in spam and aimed at swindling the unsuspecting or duping the unwitting.

Indeed, bobbear.co.uk has been extremely valuable resource to krebsonsecurity.com, which has used it to track the constant stream of new fraudulent corporations used to recruit so-called money mules, people lured into helping organized criminals launder money stolen through online banking theft.

In an interview with krebsonsecurity, Harrison said he’s been considering this move for some time now, and finally decided to quit the site for health and quality-of-life reasons.

“The wife says I spend about 15 hours a day on it, although it may not be quite that much,” joked the pseudonymous Harrison, speaking via phone from his home near Kent, about 50 miles outside of London. “Things are quite hard and health isn’t that good, so the time has come.”

An example of a money mule recruitment site exposed by bobbear.co.uk

Continue reading

iPack Exploit Kit Bites Windows Users

April 16, 2010
14 Comments

Not long ago, there were only a handful of serious so-called “exploit packs,” crimeware packages that make it easy for hackers to booby-trap Web sites with code that installs malicious software.

These days, however, it seems like we’re hearing about a new custom exploit kit every week. Part of the reason for this may be that more enterprising hackers are seeing the moneymaking potential of these offerings, which range from a few hundred dollars per kit to upwards of $10,000 per installation — depending on the features and plugins requested.

Take, for example, the iPack crimeware kit, an exploit pack that starts at around $500.

Continue reading

Java Patch Targets Latest Attacks

April 15, 2010
14 Comments

Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

Continue reading

Unpatched Java Exploit Spotted In-the-Wild

April 14, 2010
33 Comments

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site.  Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.

As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:

spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com

According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).

It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.

Continue reading