Would You Have Spotted this ATM Fraud?

March 25, 2010
91 Comments

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.

Indeed, police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered On Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.

Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.

Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.

Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.

Continue reading

Cybersecurity Policy Roundup

March 24, 2010
21 Comments

There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cyber security professionals.

As reported by The Hill newspaper, Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced The International Cybercrime Reporting and Cooperation Act, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders.

Continue reading

Advertisement

AVprofit: Rogue AV + Zeus = $

March 24, 2010
10 Comments

The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats.

Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs. ZeuS is the very piece of malware directly responsible for helping thieves steal tens of millions of dollars from small to mid-sized businesses over the past year.

Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install. Typically, affiliates will embed these installers at porn sites or bundle them with programs seeded on peer-to-peer file-sharing services. The nightmare for the victim starts when he or she responds to the fake anti-virus pop-up warning of supposed threats resident on the victim’s PC, by agreeing to download and run a scanning tool.

What’s remarkable about this entire ecosystem is that in many cases, victims who have this installer run on their systems often end up paying for the rogue anti-virus, in addition to unknowingly giving up their passwords and handing complete control of their computer to the bad guys running this distribution network.

Continue reading

Bring Back ‘Live’ Web Chats?

March 23, 2010
27 Comments

I’ve been hearing from a number of readers who followed me here from the Security Fix blog at The Washington Post, asking if I plan to resume my bi-weekly “live” chats wherein I attempt  to field questions from readers about security, privacy and other tech-related matters.

I hosted roughly 50 of these live Web chats with readers between Jan 2008 and the end of 2009. They were usually fun, but almost always took up a lot of time. I’m amenable to restarting them at Krebs on Security, but I’d like to get a better feel for public interest in this. So, I’ll put it to a vote. Please take a moment to list your response in the poll below.

[poll id=”4″]

Organized Crooks Hit NJ Town, Ark. Utility

March 22, 2010
44 Comments

An Arkansas public water utility and a New Jersey town are the latest victims of an organized cyber crime gang that is stealing tens of millions of dollars from small to mid-sized organizations via online bank theft.

On Thursday, officials in Egg Harbor Township, N.J. acknowledged that a sizable amount of money was taken in an “outside intrusion into a municipal banking account,” suggesting in public statements that computer criminals were responsible.

On Monday, details began to emerge that implicate the work of the same gang that Krebs on Security has been tracking for close to a year now.

Mayor James J. “Sonny” McCullough confirmed that the thieves took close to $100,000 from town coffers, sending the money in sub-$10,000 chunks to individuals around the country who had no prior businesses with Egg Harbor.

McCullough said the town is working with local authorities and the FBI.

“There’s a possibility that the bank will be able to [retrieve] some of the money,” McCullough told Krebs on Security.

Continue reading

Bad BitDefender Antivirus Update Hobbles Windows PCs

March 20, 2010
39 Comments

A faulty update  is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender.

BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that  caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called “”FakeAlert.5”.

The Romanian software firm  said the glitchy update has been removed and that the company is working on a fix for the problem.  BitDefender’s user forum has lit up with complaints from customers, and the company appears to be fielding quite a number of inquiries on the problem via its Twitter page.

“We are creating a patch that will restore all quarantined files,” the company said in a statement on its site. “The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future.”

BitDefender has posted partial recovery instructions for users who are having trouble booting up Windows after this bad update, although several apparent users commenting on the company’s Twitter feed indicated they were still unable to boot after following the instructions.

Meanwhile, Bitdefender representatives on Twitter are warning users that malware writers already are taking advantage of the situation, and urging users to download the fix — whenever it is made available — only from BitDefender’s Web site.

Naming and Shaming ‘Bad’ ISPs

March 19, 2010
64 Comments

Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent unplugging of malware and spammer-friendly ISPs Atrivo and then McColo in late 2008 showed what can happen when the Internet community collectively highlights centers of badness online.

Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots. I polled some of the most vigilant sources of this information for their recent data, and put together a rough chart indicating the Top Ten most prevalent ISPs from each of their vantage points.  [A few notes about the graphic below: The ISPs or hosts that show up more frequently than others on these lists are color-coded to illustrate consistency of findings. The ISPs at the top of each list are the “worst,” or have the most number of outstanding abuse issues.  “AS” stands for “autonomous system” and is mainly a numerical way of keeping track of ISPs and hosting providers. Click the image to enlarge it.]

What you find when you start digging through these various community watch efforts is not that the networks named are entirely or even mostly bad, but that they do tend to have more than their share of  neighborhoods that have been overrun by the online equivalent of street gangs.  The trouble is, all of these individual efforts tend to map ISP reputation from just one or a handful of perspectives, each of which may be limited in some way by particular biases, such as the type of threats that they monitor. For example, some measure only phishing attacks, while others concentrate on charting networks that play host to malicious software and botnet controllers. Some only take snapshots of badness, as opposed to measuring badness that persists at a given host for a sizable period of time.

Also, some organizations that measure badness are limited by their relative level of visibility or by simple geography. That is to say, while the Internet is truly a global network, any one watcher’s view of things may be colored by where they are situated in the world geographically, or where they most often encounter threats, as well as their level of visibility beyond their immediate horizon.

In February 2009, I gave the keynote address at a Messaging Anti-Abuse Working Group (MAAWG) conference in San Francisco, where I was invited to talk about research that preceded the Atrivo and McColo takedowns. The biggest point I tried to hammer home in my talk was that there was a clear need for an entity whose organizing principle was to collate and publish near real-time information on the Web’s most hazardous networks. Instead of having 15 or 20 different organizations independently mapping ISP reputation, I said, why not create one entity that does this full-time?

Unfortunately, some of the most clear-cut nests of badness online — the Troyaks of the world and other networks that appear to designed from the ground up for cyber criminals — are obscured for the most part from surface data collation efforts such as my simplistic attempt above. For a variety of reasons, unearthing and confirming that level of badness requires a far deeper dive. But even at its most basic, an ongoing, public project that cross-correlates ISP reputation data from a multiplicity of vantage points could persuade legitimate ISPs — particularly major carriers here in the United States — to do a better job of cleaning up their networks.

What follows is the first in what I hope will be a series of stories on different, ongoing efforts to measure ISP reputation, and to hold Internet providers and Web hosts more accountable for the badness on their networks.

Continue reading

Researchers Map Multi-Network Cybercrime Infrastructure

March 17, 2010
32 Comments

Last week, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet.

But experts say Troyak’s apparent hopscotching is expected behavior from what is in fact a carefully architected, round-robin network of backup and redundant carriers, all designed to keep a massive organized criminal operation online should a disaster like the Troyak disconnection strike.

Security firm RSA believes Troyak is but one of five upstream providers that encircle a nest of eight so-called “bulletproof networks” – Web hosting providers considered impervious to takedown by local law enforcement (pictured in red in the graphic below). RSA said this group of eight hosts some of the Internet’s largest concentrations of malicious software, including password stealing banking Trojans like ZeuS and Gozi, as well as huge repositories of personal and financial data stolen by these Trojans and a notorious Russian phishing operation known as RockPhish.

Continue reading

MSE Users: Check for Updates, Piracy

March 16, 2010
18 Comments

One of the systems that just sits here idling all the time in what the wife lovingly calls the Krebs on Security “command center” runs Microsoft’s free Security Essentials anti-virus and security tool. Late last week, I just happened to notice that for who-knows-how-long, a pending upgrade to the program has left that system “potentially unprotected,” according to Microsoft.

I’m not terribly concerned, as I don’t use that system to browse the Web. But if you depend on MSE, check to see if you’ve applied this upgrade, which brings MSE from version 1.0.1959 to version 1.0.1961. You can check the version number by clicking the “Help” tab on the right edge of the MSE main screen, and the selecting “About Microsoft Security Essentials.”

It took a little digging, but here’s Microsoft’s account of what’s new in this updated version of MSE:

The latest version of Microsoft Security Essentials includes improved messaging on the Update tab, improved scan reports on the Home tab, performance improvements, and enforcement of runtime Windows Activation Technology (WAT) in Microsoft Security Essentials.

More here. Unfortunately, this update comes with another attempt by Microsoft to check whether their customers are in fact software pirates. I would assume that people who are running a pirated version of Windows probably wouldn’t install MSE, but then again, we have seen time and again how Microsoft’s various anti-piracy checks often flag users who have purchased legitimate copies of Windows. I don’t fault Microsoft for trying to tackle the piracy problem, which is undoubtedly enormous in the Windows space, but at least now I understand why information about what was in this update or why it was being offered wasn’t so easy to find.

It seems that around the time Microsoft shipped this update, crooks peddling rogue anti-virus products began marketing a rogue app that mimics Microsoft’s Security Essentials offering. True to form, scammers never miss an opportunity to cash in on user confusion over updates like these.

eBanking Victim? Take a Number.

March 16, 2010
57 Comments

Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. One of the most frequent questions I get from readers and from my journalist peers is, “How many of these stories are you going to tell?”

The answer is simple: As many as I can verify. The reason is just as plain: I’m finding that most small business owners have no clue about the threats they face or the liability they assume when banking online, even as the frequency and sophistication of attacks appears to be increasing.

I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollar losses from a single virus infection (last week I spoke with people from four different companies that had been victimized over the past two months alone). In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.

In most cases I’ve followed, the banks will do what they can to reverse the fraudulent transactions. But beyond that, the bank’s liability generally ends, because — unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.

Earlier this month, I spoke with the CEO of Eskola LLC, a Treadway, Tenn. roofing firm that had $130,000 stolen from its online bank accounts in a series of five unauthorized wire transfers in late January. The bank was able to reverse most of those transfers, but Eskola was unable to recover more than $30,000 of the stolen money.

“It really took our bank by surprise and triggered a whole series of internal reviews, because they told me they’ve been hit several other times since then,” Jon Eskola said. “They said so far this year, it’s been the number one thing that’s come across their plate, and that this type of crime had increased 500 to 600 percent over a year ago.”

Continue reading