Annual Protest to ‘Fight Krebs’ Raises €150K+

March 30, 2020

In 2018, KrebsOnSecurity unmasked the creators of Coinhive — a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals — as the administrators of a popular German language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means “cancer” in German). This week, the forum is celebrating its third annual observance of that protest to “fight Krebs,” albeit with a Coronavirus twist.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted a large number of ‘thank you’ receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German forum pr0gramm[dot]com (not safe for work).  I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”). They ended up raising more than a quarter-million dollars worth of donations from members.

Last year’s commemoration of the protest fundraiser — dubbed “Krebsaction” by Pr0gramm — raised almost $300,000 for anti-cancer research groups. Interestingly, Coinhive announced it was shutting down around the same time as that second annual fundraiser.

This year’s Krebsaction started roughly three days ago and so far has raised more than 150,000 euros (~$165,000), with many Pr0gramm members posting screenshots of their online donations. The primary beneficiary appears to be DKMS, a German nonprofit that works to combat various blood cancers, such as leukemia and lymphoma.

The pr0gramm post kicking off this year’s “Krebsaction” fundraiser.

This year, however, Pr0gramm’s administrators exhorted forum members to go beyond just merely donating money to a worthy cause, and encouraged them to do something to help those most affected by the COVID-19/Coronavirus pandemic.

“This year pr0gramm-members shall not only donate but do a good act in terms of corona (and prove it), for example bring food to old people, bring proof of volunteering and such stuff,” reads the Pr0gramm image kicking off this year’s Krebsaction.  The message further states, “Posts mit geringem Einsatz können wir nicht akzeptieren,” which translates roughly to “Posts with little effort we cannot accept.”

Russians Shut Down Huge Card Fraud Ring

March 26, 2020

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.

In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused.

The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”

According to cyber intelligence firm Intel 471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Selivanov (a.k.a. “Gabrik“) were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel 471 says Selivanov also was charged along with Stroganov in this past week’s law enforcement action.

“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel 471.

“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.

Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.

“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”

Intel 471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.

Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks. Continue reading

Advertisement

US Government Sites Give Bad Security Advice

March 25, 2020

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

For example, the official U.S. Census Bureau website https://my2020census.gov carries a message that reads, “An official Web site of the United States government. Here’s how you know.” Clicking the last part of that statement brings up a panel with the following information:

A message displayed at the top of many U.S. .gov Web sites.

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

In other words, while readers should never transmit sensitive information to a site that does not use https://, the presence of this security feature tells you nothing about the trustworthiness of the site in question.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates. PhishLabs found this percentage increased from 68% in Q3 and 54% in Q2 of 2019. Continue reading

Who’s Behind the ‘Web Listings’ Mail Scam?

March 23, 2020

In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.

Since at least 2007, Web Listings Inc. has been sending snail mail letters to domain registrants around the world. The missives appear to be an $85 bill for an “annual search engine listing” service. The notice does disclose that it is in fact a solicitation and not a bill, but wording of the notice asserts the recipient has already received the services in question.

Image: Better Business Bureau.

The mailer references the domain name web-listings.net, one of several similarly-named domains registered sometime in 2007 or later to a “James Madison,” who lists his address variously as a university in New Britain, Connecticut or a UPS Store mailbox in Niagara Falls, New York.

Some others include: weblistingservices.com, webservicescorp.net, websiteservicescorp.com, web-listingsinc.com, weblistingsinc.net, and weblistingsreports.net. At some point, each of these domains changes the owner’s name from James Madison to “Mark Carter.” As we’ll see, Mark is a name that comes up quite a bit in this investigation.

Image: Better Business Bureau.

A Twitter account for Web Listings Inc. has posts dating back to 2010, and points to even more Web Listings domains, including weblistingsinc.orgCached versions of weblistingsinc.org at archive.org show logos similar to the one featured on the Web Listings mailer, and early versions of the site reference a number of “business partners” in India that also perform SEO services.

Searching the Internet for some of these Web listing domains mentioned in the company’s Twitter account brings up a series of press releases once issued on behalf of the company. One from May 2011 at onlineprnews.com sings the praises of Weblistingsinc.info, weblistingsinc.org and web-listings.net in the same release, and lists the point of contact simply as “Mark.”

Historic WHOIS registration records from Domaintools [an advertiser on this blog] say Weblistingsinc.org was registered in Nov. 2010 to a Mark Scott in Blairgowrie, Scotland, using the email address clientnews@reputationmanagementfor.com.

Reputationmanagementfor.com bills itself as an online service for “fighting negative and incorrect content on the internet,” which is especially interesting for reasons that should become clearer in a few paragraphs. The site says Mark Scott, 46, is an employee of Reputationmanagementfor.com, and that he is also involved with two other companies:

-GoBananas, a business that sets up group outings, with a focus on bachelor and bachelorette parties;

-HelpMeGo.to, an entity in Scotland that did online marketing and travel tourism both in Scotland (via sites like Scotland.org.uk and marketinghotelsonline.co.uk) and on India’s coastal Kerala state where HelpMeGo.to employed a number of people involved in the SEO business. Helpmego.to now simply redirects to GoBananas.

According to Farsight Security, a company that keeps historic records of which Web sites were hosted at which Internet addresses, Weblistingsinc.org was for a while hosted at the IP address 68.169.45.65 with just six other domains, including travelingalberta.com, which was a blog about traveling and living in Alberta, Canada registered to Mark Scott and the email address management@helpmego.to. Cached versions of this site from 2011 show it naming Web Listings Inc. as a business partner.

That same management@helpmego.to email address is tied to the WHOIS records for markscottblog.com, gobananas.co.uk, gobananas.com. Cached copies of markscottblog.com from 2010 at Archive.org show his profile page on blogger.com links to another blog with much the same content, images and links called internetmadness.blogspot.com.

Among the 2011 entries from the Internetmadness blog is a post promoting the wonders of benefits of Web Listings Inc.

A cached copy of Mark Scott’s blog Internet Madness from 2011 promotes Web Listings Inc.

Continue reading

Security Breach Disrupts Fintech Firm Finastra

March 20, 2020

Finastra, a company that provides a range of technology solutions to banks worldwide, said today it was shutting down key systems in response to a security breach discovered this morning. The company’s public statement and notice to customers does not mention the cause of the outage, but their response so far is straight out of the playbook for dealing with ransomware attacks.

London-based Finastra has offices in 42 countries and reported more than $2 billion in revenues last year. The company employs more than 10,000 people and has over 9,000 customers across 130 countries — including nearly all of the top 50 banks globally.

Earlier today, sources at two different U.S. financial institutions forwarded a notice they received from Finastra saying the outage was expected to disrupt certain services, particularly for clients in North America.

“We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers,” reads the notice. “As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”

Update, 5:21 p.m. ET: Finastra has acknowledged that it is battling ransomware.

“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” the company said in a revised statement.

Continue reading

Zyxel Flaw Powers New Mirai IoT Botnet Strain

March 20, 2020

In February, hardware maker Zyxel fixed a zero-day vulnerability in its routers and VPN firewall products after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited by a new variant of Mirai, a malware strain that targets vulnerable Internet of Things (IoT) devices for use in large-scale attacks and as proxies for other cybercrime activity.

Security experts at Palo Alto Networks said Thursday their sensors detected the new Mirai variant — dubbed Mukashi — on Mar. 12. The new Mirai strain targets CVE-2020-9054, a critical flaw that exists in many VPN firewalls and network attached storage (NAS) devices made by Taiwanese vendor Zyxel Communication Corp., which boasts some 100 million devices deployed worldwide.

Like other Mirai variants, Mukashi constantly scans the Internet for vulnerable IoT devices like security cameras and digital video recorders (DVRs), looking for a range of machines protected only by factory-default credentials or commonly-picked passwords.

Palo Alto said IoT systems infected by Mukashi then report back to a control server, which can be used to disseminate new instructions — such as downloading additional software or launching distributed denial of service (DDoS) attacks.

The commands Mukashi botmasters can send to infected devices include scanning for and exploiting other systems, and launching DDoS attacks. Image: Palo Alto Networks.

Zyxel issued a patch for the flaw on Feb. 24, but the update did not fix the problem on many older Zyxel devices which are no longer being supported by the company. For those devices, Zyxel’s advice was not to leave them connected to the Internet.

A joint advisory on CVE-2020-9054 from the U.S. Department of Homeland Security and the CERT Coordination Center rates this vulnerability at a “10” — the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.

My advice? If you can’t patch it, pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.

Coronavirus Widens the Money Mule Pool

March 17, 2020

With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

On the surface, the Web site for the Vasty Health Care Foundation certainly looks legitimate. It includes various sections on funding relief efforts around the globe, explaining that it “connects nonprofits, donors, and companies in nearly every country around the world.” The site says it’s a nonprofit with offices based in Nebraska and Quebec, Canada.

Vasty is a phony charity that pretends to raise money for Coronavirus victims but instead hires people to help launder stolen funds. This and the rest of the content at Vasty’s site was lifted from GlobalGiving, a legitimate charity that is helping people affected by the pandemic.

The “Vasty Health Care Foundation” is one of several fraudulent Web sites that recruit money mules in the name of helping Coronavirus victims. The content on Vasty’s site was lifted almost entirely from globalgiving.org, a legitimate charity that actually is trying to help people affected by the pandemic.

“We have been contacted by job seekers asking if we are related to some of these job opportunities they’ve been finding on Indeed.com and Monster.com,” said Kevin Conroy, chief product officer at GlobalGiving. “And we always tell them no that’s not from us, and not to cash any checks someone may be giving them in relation to those offers.”

The Vasty domain — vastyhealthcarefoundation[.]com — was registered just weeks ago, although the site claims its organization has been around for years.

The crooks behind this scheme also seem to have submitted the Vasty name in custom links at vetting sites like The Better Business Bureau and Guidestar that ultimately take one to a summary of data on GlobalGiving. No doubt this is part of an effort to lend legitimacy to the Vasty name (hovering over the links above reveals the trickery).

What proof is there that Vasty isn’t a legitimate charity? None of the dozens of Canadian mules contacted by this author responded to requests for comment. But KrebsOnSecurity received copious amounts of information about this scam from Milwaukee, Wisc. based Hold Security, which managed to intercept key file exchanges between threat actors through public file sharing services.

Among those files were a set of form letters and boilerplate email messages that describe the ideal candidate for the job at Vasty and welcome new recruits to the Vasty payroll. Here’s a look at part of the job description, which includes (not pictured) a description of the healthcare plans and other benefits allegedly offered to Vasty employees.

After congratulating applicants (everyone who applies is “hired”) on their new positions, Vasty asks the recruits to do some busy work. In this case, new hires are sent to local pharmacies on some bogus errand, such as to inspect the pricing of face masks and hand sanitizer products for price-gouging.

“Now we have the first task for you. You will have to perform a trip within your city. So that we can compensate for transportation costs along with your hourly rate, I ask you to keep receipts confirming your expenses.

LOCATION: Sam’s Geneva Street Pharmacy

ADDRESS:  284 Geneva St, St. Catharines, ON L2N 2E8

I ask you to go to the pharmacy at the specified address. We are increasingly receiving reports of private sellers violating the pricing policy for products such as: aspirin, face masks are loose surgical masks with elastic loops that go around the ears, hand sanitizers.”

New recruits are then asked to assemble and submit a written report of their observations at the store in question.

These types of menial, meaningless tasks are a typical tactic of money mule recruitment schemes and they serve two main purposes: They separate out slackers from people who really need and want a job, and they help the employee feel like he’s doing something useful and legitimate (aside from just moving money around, which if brought up too soon might make him question whether the job is legit). Continue reading

The Web’s Bot Containment Unit Needs Your Help

March 16, 2020

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Image: Ghostbusters.

Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving ShadowServer have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.

Image: Shadowserver.org

Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.
Continue reading

Live Coronavirus Map Used to Spread Malware

March 12, 2020

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java. Continue reading

Crafty Web Skimming Domain Spoofs “https”

March 11, 2020

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected  “view-source”:

The malicious domain added to the HTML code for grandwesternsteaks.com (highlighted in orange) fetched a script that intercepted data entered by customers, including credit card details and logins. The code has since been removed from the site.

Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:

The obfuscated card skimming code is full of references to “ants” and “cockroaches,” which is enough to give any site owner the heebie-jeebies.

A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations. Continue reading