Comerica Phish Foiled 2-Factor Protection

February 8, 2010

A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

Experi-Metal sells metal stampings, trim moldings and specialty items.

The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank’s security technology. The company also alleges that Comerica’s security protections for customers are not commercially reasonable, because the phishing scam routed around the bank’s 2-factor authentication system.

According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used “digital certificates” for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank’s cryptographically signed digital certificate in their browser before the bank’s online system will allow users access.

Once a year from 2000 to 2008, Comerica sent emails to EMI and other customers directing them to click on a link in the email, and then log in at the resulting Web site in order to renew the digital certificate that Comerica required.

Zeus Attack Spoofs NSA, Targets .gov and .mil

February 6, 2010

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According to one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

Hackers Try to Steal $150,000 from United Way

February 3, 2010

Hackers broke into computer systems at a Massachusetts chapter of the United Way last month and attempted to make off with more than $150,000 from one of the nation’s largest charities.

Patricia Latimore, chief financial officer at the United Way of Massachusetts Bay and Merrimac Valley, said unknown attackers tried to initiate a number of bogus financial transfers out of the organization’s bank account, but that the United Way was able to work with its bank to block or reverse the unauthorized transfers.

“We were able to pretty much capture things as they were happening,” Latimore said. “Fortunately, we saw it on the day that it occurred.”

The intruders attempted to send more than $110,000 in unauthorized payroll transfers to at least a dozen individuals across the United States who had no prior business with the United Way chapter. At least one large wire transfer was attempted, for nearly $40,000, to a 32-year-old man in New York.

Another Way to Ditch IE6

February 3, 2010

This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):

ms-its:%F0:

or just click this link with IE6.

Here’s a short video example of the crash that results from typing that text above into an IE6 window:

ATM Skimmers, Part II

February 2, 2010

Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin’s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.


A Tale of Two Victims

February 1, 2010

When a computer virus infection at a business allows thieves to steal tens of thousands of dollars from the company’s commercial banking account, banks typically don’t reimburse the victim company. But the truth is, most banks make that decision on a case-by-case basis.

Take, for example, the case of two Umpqua Bank customers in Vancouver, Wash., both of which suffered major financial losses last year after compromises at employee computers allowed thieves to access their accounts remotely.

Simmering Over a ‘Cyber Cold War’

January 29, 2010

New reports released this week on recent, high-profile data breaches make the compelling case that a simmering Cold War-style cyber arms race has emerged between the United States and China.

A study issued Thursday by McAfee and the Center for Strategic and International Studies found that more than half of the 600 executives surveyed worldwide said they had been subject to “stealthy infiltration” by high-level adversaries, and that 59 percent believed representatives of foreign governments had been involved in the attacks.

A more granular analysis issued Thursday by Mandiant, an Alexandria, Va.-based security firm, focuses on data breaches it has responded to involving the so-called “advanced persistent threat,” or those characterized by highly targeted attacks using custom-made malicious software in the hands of patient, well-funded assailants.

Mandiant notes that the scale, operation and logistics of conducting these attacks – against the government, commercial and private sectors – indicate that they’re state-sponsored.

The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement. Nonetheless, we’ve been able to correlate almost every APT intrusion we’ve investigated to current events within China. In all cases, information exfiltrated by each set of attackers correlates with a need for intelligence related to upcoming major U.S. / China mergers and acquisitions, corporate business negotiations, or defense industrial base acquisition opportunities [emphasis added].

The reports come just days after the Christian Science Monitor revealed that three Texas-based oil companies – Conoco, ExxonMobil and Marathon – were alerted by the FBI that their systems were penetrated back in 2008. The Monitor story said the attacks, thought to have originated in China, targeted “bid data” about oil reserves and potential drilling sites.

Dear Snowflake: Happy ‘Data Privacy Day’

January 28, 2010

Here in the States, today is “National Data Privacy Day.” Declared as such on this day a year ago by the U.S. Congress, this unofficial holiday is meant to remind teens and young adults about the importance of protecting their personal information online, particularly in the context of social networking.

What’s that? You didn’t know about NDPD? Yeah, neither did I: A bloke I know from the U.K. clued me in over instant message with a link to this Wikipedia page. Oddly enough, his note interrupted my reading of a story about how at least 30 congressional Web sites were defaced in apparent response to President Obama’s State of the Union address last night. Social networking, indeed. [Update, 1:29 p.m. The AP is now reporting 49 House sites were hacked].

Incidentally, I got interested in the mass defacement story while searching for a distraction from going through all the mail on my desk. Among the bills and other notices we received recently was a notice from the National Archives and Records Administration. It seems someone had stolen or misplaced a hard drive from the Archives a while back that contained the Social Security information on my wife (the breach affected roughly 250,000 other people as well). Why did the NARA have my wife’s Social? She made the mistake of touring the White House during the Clinton administration.

I, for one, applaud Congress for its example in encouraging all of us to take a moment to reflect — at least once a year — on just how little privacy most of us have in today’s online world, and how little control most of us have over the security of personal information that countless organizations hold about us.

Little children are sometimes taught that, just as no two snowflakes are exactly alike, each of us is unique and special. There’s ample evidence to suggest this is basically true for our online selves as well.

The Rise of Point-and-Click Botnets

January 27, 2010

The graphic above is from a report out today by Team Cymru, a group that monitors and studies online attacks and other badness in the underground economy. It suggests an increasing divergence in the way criminals are managing botnets, those large amalgamations of hacked PCs that are used for everything from snarfing up passwords to relaying spam and anonymizing traffic for the bad guys, to knocking the targeted host or Web site offline.

The bottom line in the graphic shows the prevalence of botnets that are managed using Internet relay chat (IRC) control channels (think really basic text-based instant message communications). The blue line trending upward depicts the number of Web-based botnets, those that the botmaster can control with point-and-click ease using a regular Web browser.

Texas Bank Sues Customer Hit by $800,000 Cyber Heist

January 26, 2010

A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.

Both the victim corporation – Plano-based Hillary Machinery Inc. – and the bank, Lubbock-based PlainsCapital, agree on this much: In early November, cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of Hillary’s account, and PlainsCapital managed to retrieve roughly $600,000 of that money.
