Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted

September 2, 2018

A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s alleged alter ego has been relentless in seeking media attention for this global crime machine.

Schuchman, in an undated photo posted online and referenced in a “dox,” which alleged in Feb. 2018 that Schuchman was Nexus Zeta.

The Daily Beast‘s Kevin Poulsen broke the news last week that federal authorities in Alaska indicted Kenneth Currin Schuchman of Washington on two counts of violating the Computer Fraud and Abuse Act by using malware to damage computers between August and November 2017.

The 3-page indictment (PDF) is incredibly sparse, and includes few details about the meat of the charges against Schuchman. But according to Poulsen, the charges are related to Schuchman’s alleged authorship and use of the Satori botnet. Satori, also known as “Masuta,” is a variant of the Mirai botnet, a powerful IoT malware strain that first came online in July 2016.

“Despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable about hacking,” Poulsen notes.

Schuchman reportedly went by the handle “Nexus Zeta,” the nickname used by a fairly inexperienced and clumsy ne’er-do-well who has tried on multiple occasions to get KrebsOnSecurity to write about the Satori botnet. In January 2018, Nexus Zeta changed the login page for his botnet control panel that he used to remotely control his hacked routers to include a friendly backhanded reference to this author:

The login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian Kreb’s [sic] 4head.” To be precise, it’s a 5head.

This wasn’t the first time Nexus Zeta said hello. In late November 2017, he chatted me up on Twitter and Jabber instant message for several days. Most of the communications came from two accounts: “9gigs_ProxyPipe” on Twitter, and ogmemes123@jabber.ru (9gigs_ProxyPipe would later change its Twitter alias to Nexus Zeta, and Nexus Zeta himself admitted that 9gigs_ProxyPipe was his Twitter account).

In each case, this person wanted to talk about a new IoT botnet that he was “researching” and that he thought deserved special attention for its size and potential disruptive impact should it be used in a massive Distributed Denial-of-Service (DDoS) attack aimed at knocking a Web site offline — something for which Satori would soon become known.

A Jabber instant message conversation with Nexus Zeta on Nov. 29, 2017.

Nexus Zeta’s Twitter nickname initially confused me because both 9gigs and ProxyPipe are names claimed by Robert Coelho, owner of ProxyPipe hosting (9gigs is a bit from one of Coelho’s Skype account names). Coelho’s sleuthing was quite instrumental in helping to unmask 21-year-old New Jersey resident Paras Jha as the author of the original Mirai IoT botnet (Jha later pleaded guilty to co-authoring and using Mirai and is due to be sentenced this month in Alaska and New Jersey). “Ogmemes” is from a nickname used by Jha and his Mirai botnet co-author.

On Nov. 28, 2017, 9gigs_ProxyPipe sent a message to the KrebsOnSecurity Twitter account:

“I have some information in regards to an incredibly dangerous IoT botnet you may find interesting,” the Twitter message read. “Let me know how you would prefer to communicate assuming you are interested.”

We connected on Jabber instant message. In our chats, Ogmemes123 said he couldn’t understand why nobody had noticed a botnet powered by a Mirai variant that had infected hundreds of thousands of IoT devices (he estimated the size of the botnet to be about 300,000-500,000 at the time). He also talked a lot about how close he was with Jha. Nexus Zeta’s Twitter account profile photo is a picture of Paras Jha. He also said he knew this new botnet was being used to attack ProxyPipe.

Less than 24 hours after that tweet from Nexus Zeta, I heard from ProxyPipe’s Coelho. They were under attack from a new Mirai variant.

Instagram’s New Security Tools are a Welcome Step, But Not Enough

August 29, 2018

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys.  On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

New two-factor authentication options Instagram says it is rolling out to users over the next few weeks.

For years, security experts have warned that hackers are exploiting weak authentication at Instagram to commandeer accounts. Instagram has long offered users a security option to have a one-time code sent via text message to a mobile device, but these codes can be intercepted via several methods (more on that in a bit).

The new authentication offering requires users to download a third-party app like Authy, Duo or Google Authenticator, which generates a one-time code that needs to be entered after the user supplies a password.

In a blog post Tuesday, Instagram said support for third-party authenticator apps “has begun to roll out and will be available to the global community in the coming weeks.”

Instagram put me on a whitelist of accounts to get an early peek at the new security feature, so these options probably aren’t yet available to most users. But there’s a screenshot below that shows the multi-factor options available in the mobile app. When these options do become more widely available, Instagram says people can use a third-party app to receive a one-time code. To do this:

  1. Go to your Settings.
  2. Scroll down and tap Two-Factor Authentication.
  3. If you haven’t already turned two-factor authentication on, tap Get Started.
  4. Tap next to Authentication App, then follow the on-screen instructions.
  5. Enter the confirmation code from the third party authentication app to complete the process.

Note that if you have previously enabled SMS-based authentication, it is likely still enabled unless and until you disable it, so turn it off once the authenticator app is confirmed working; otherwise anyone who hijacks your mobile number still has a text-message path into the account. The app also prompts users to save a series of recovery codes, which should be kept in a safe place in case one’s mobile device is ever lost.

WHAT IT DOESN’T FIX

Instagram has received quite a lot of bad press lately from publications reporting numerous people who had their accounts hijacked even though they had Instagram’s SMS authentication turned on. The thing is, many of those stories have been about people having their Instagram accounts hijacked because fraudsters were able to hijack their mobile phone number.

In these cases, the fraudsters were able to hijack the Instagram accounts because Instagram allows users to reset their account passwords with a single factor, using nothing more than a text message sent to a mobile number on file. And nothing in these new authentication offerings will change that for people who have shared their mobile number with Instagram.

Criminals can and do exploit SMS-based password reset requests to hijack Instagram accounts by executing unauthorized “SIM swaps,” i.e., tricking the target’s mobile provider into transferring the phone number to a device or account they control and intercepting the password reset link sent via SMS. Once they hijack the target’s mobile number, they can then reset the password for the associated Instagram account.

I asked Instagram if there was any way for people who have supplied the company with their phone number to turn off SMS-based password reset requests. I received this response from their PR folks:

“I can confirm that disabling SMS two factor will not disable the ability to reset a password via SMS,” a spokesperson said via email. “We recommend that the community use a third-party app for authentication, in place of SMS authentication. We’ll continue to iterate and improve on this product to keep people safe on our platform.”


Fiserv Flaw Exposed Customer Data at Hundreds of Banks

August 28, 2018

Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned.

Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.7 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions. According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share.

Two weeks ago this author heard from security researcher Kristian Erik Hermansen, who said he’d discovered something curious while logged in to an account at a tiny local bank that uses Fiserv’s platform.

Hermansen had signed up to get email alerts any time a new transaction posted to his account, and he noticed the site assigned his alert a specific “event number.” Working on a hunch that these event numbers were assigned sequentially and that other customers’ records could be fetched just by asking for them by number, Hermansen requested the same page again, but first edited the request in his browser so that his event number was decremented by one. This is a textbook insecure direct object reference (IDOR): the server looked up whatever record the supplied number pointed to and never checked that the logged-in customer owned it.

In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.

Hermansen said a cybercriminal could abuse this access to enumerate all other accounts with activity alerts on file, and to add or delete phone numbers or email addresses to receive alerts about account transactions.

This would allow any customer of the bank to spy on the daily transaction activity of other customers, and perhaps even target customers who signed up for high minimum balance alerts (e.g., “alert me when the available balance goes below $5,000”).
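The flaw above is worth seeing beside its fix. What follows is an added example and not Fiserv’s code: a constructed alert store with sequential event numbers, a handler that looks records up exactly as the article describes (trusting the number in the request), a handler that enforces ownership, and the neighbour-walk the researcher performed. The account data is made up. The random-token helper at the end is defence in depth only; the ownership check is the actual fix.

```python
"""Added example (not Fiserv's code): an insecure direct object reference on a
sequential alert identifier, next to a handler that enforces object-level
authorization. All records below are constructed."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    event_id: int
    owner: str          # login that created the alert
    email: str
    phone: str
    account_no: str
    rule: str


# Constructed alert store: sequential event numbers, three customers.
ALERTS: Dict[int, Alert] = {
    1000: Alert(1000, "alice", "alice@example.net", "555-0100", "00012345", "balance < 5000"),
    1001: Alert(1001, "bob", "bob@example.net", "555-0101", "00067890", "any posted transaction"),
    1002: Alert(1002, "carol", "carol@example.net", "555-0102", "00011111", "withdrawal > 1000"),
    1003: Alert(1003, "alice", "alice@example.net", "555-0100", "00012345", "deposit > 2000"),
}

Fetch = Callable[[str, int], Optional[Alert]]


def get_alert_vulnerable(session_user: str, event_id: int) -> Optional[Alert]:
    """Looks up the record by the number in the request and trusts it.
    Any authenticated customer can read (and, in the real case, edit) any alert."""
    return ALERTS.get(event_id)


def get_alert_fixed(session_user: str, event_id: int) -> Optional[Alert]:
    """Object-level authorization: the record must belong to the logged-in user.
    'Not yours' and 'does not exist' get the same answer, so the endpoint does
    not confirm which event numbers are in use."""
    alert = ALERTS.get(event_id)
    if alert is None or alert.owner != session_user:
        return None
    return alert


def walk_neighbours(session_user: str, own_event_id: int, fetch: Fetch,
                    span: int = 3) -> List[Alert]:
    """What the researcher did: decrement (and increment) the event number and
    see whose alert comes back. Returns records belonging to other customers."""
    leaked: List[Alert] = []
    for eid in range(own_event_id - span, own_event_id + span + 1):
        if eid == own_event_id:
            continue
        rec = fetch(session_user, eid)
        if rec is not None and rec.owner != session_user:
            leaked.append(rec)
    return leaked


def new_event_token() -> str:
    """Defence in depth: an unguessable handle instead of a counter. This narrows
    enumeration but does not replace the ownership check in get_alert_fixed."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    for name, fetch in (("vulnerable", get_alert_vulnerable), ("fixed", get_alert_fixed)):
        leaked = walk_neighbours("alice", 1003, fetch)
        print(f"{name}: {len(leaked)} other customers' alerts readable")
```

Run as a script, the vulnerable handler lets “alice” read Bob’s and Carol’s email, phone and account number by stepping the event number; the fixed handler returns nothing for the same requests. The same check has to be applied on the update and delete paths too, since the article notes an attacker could add or remove alert recipients, not just read them.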

“I shouldn’t be able to see this data,” Hermansen said. “Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see.”

Hermansen said he told his bank about what he found, and that he tried unsuccessfully to get the attention of different Fiserv employees, including the company’s CEO via LinkedIn. But he wasn’t sure whether the flaw he found existed in all bank sites running on Fiserv’s ebanking platform, or just his bank’s installation.

Naturally, KrebsOnSecurity offered to help figure that out, and to get Fiserv’s attention, if warranted. Over the past week I signed up for accounts at two small local banks that each use Fiserv’s online banking platform.

In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request. I was relieved to find I could not use my online account access at one bank to view transaction alerts I’d set up at a different Fiserv affiliated bank.

A single digit changed in a Web browser request caused someone else’s alerts to pop up in my account at this small local bank in Virginia.


Who’s Behind the Screencam Extortion Scam?

August 25, 2018

The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, it’s likely that additional spammers and scammers piled on with their own versions of the phishing email after noticing that some recipients were actually paying up. The truth is we may never find out who’s responsible, but it’s still fun to follow some promising leads and see where they take us.

On August 7, 2018, a user on the forum of free email service hMailServer posted a copy of the sextortion email he received, noting that it included a password he’d formerly used online.

Helpfully, this user pasted a great deal of information from the spam email message, including the domain name from which it was sent (williehowell-dot-com) and the Internet address of the server that sent the message (46.161.42.91).

A look at the other hostnames that resolved to addresses in the same block, 46.161.42.x, reveals some interesting patterns:

46.161.42.51 mail25.uscourtsgov[.]com
46.161.42.52 mail24.uscourtsgov[.]com
46.161.42.53 mail23.uscourtsgov[.]com
46.161.42.54 mail22.uscourtsgov[.]com
46.161.42.55 mail21.uscourtsgov[.]com
46.161.42.56 mail20.uscourtsgov[.]com
46.161.42.57 mail19.uscourtsgov[.]com
46.161.42.58 mail18.uscourtsgov[.]com
46.161.42.59 mail17.uscourtsgov[.]com
46.161.42.60 mail16.uscourtsgov[.]com
46.161.42.61 mail15.uscourtsgov[.]com
46.161.42.62 mail14.uscourtsgov[.]com
46.161.42.63 mail13.uscourtsgov[.]com
46.161.42.64 mail12.uscourtsgov[.]com
46.161.42.65 mail11.uscourtsgov[.]com
46.161.42.66 mail10.uscourtsgov[.]com
46.161.42.67 mail9.uscourtsgov[.]com
46.161.42.68 mail8.uscourtsgov[.]com
46.161.42.69 mail7.uscourtsgov[.]com
46.161.42.70 mail6.uscourtsgov[.]com
46.161.42.71 mail5.uscourtsgov[.]com
46.161.42.72 mail4.uscourtsgov[.]com
46.161.42.73 mail3.uscourtsgov[.]com
46.161.42.74 mail2.uscourtsgov[.]com
46.161.42.75 mail1.uscourtsgov[.]com
46.161.42.76 mail[.]commarysmith[.]com
46.161.42.77 mail.joancooper[.]com
46.161.42.78 mail.florencewoods[.]com
46.161.42.79 mail.ednawest[.]com
46.161.42.80 mail.ethelwebb[.]com
46.161.42.81 mail.eleanorhunt[.]com
46.161.42.82 mail.sallypierce[.]com
46.161.42.83 mail.reginaberry[.]com
46.161.42.84 mail.junecarroll[.]com
46.161.42.85 mail.robertaharper[.]com
46.161.42.86 mail.reneelane[.]com
46.161.42.87 mail.almaaustin[.]com
46.161.42.88 mail.elsiekelley[.]com
46.161.42.89 mail.vickifields[.]com
46.161.42.90 mail.ellaoliver[.]com
46.161.42.91 mail.williehowell[.]com
46.161.42.92 mail.veramccoy[.]com
46.161.42.93 mail.agnesbishop[.]com
46.161.42.94 mail.tanyagilbert[.]com
46.161.42.95 mail.mattiehoffman[.]com
46.161.42.96 mail.hildahopkins[.]com
46.161.42.97 beckymiles[.]com
46.161.42.98 mail.fayenorris[.]com
46.161.42.99 mail.joannaleonard[.]com
46.161.42.100 mail.rosieweber[.]com
46.161.42.101 mail.candicemanning[.]com
46.161.42.102 mail.sherirowe[.]com
46.161.42.103 mail.leticiagoodman[.]com
46.161.42.104 mail.myrafrancis[.]com
46.161.42.105 mail.jasminemaxwell[.]com
46.161.42.106 mail.eloisefrench[.]com

Search Google for any of those two-name domains above (e.g., fayenorris-dot-com) and you’ll see virtually all of them were used in these sextortion emails, and most were registered at the end of May 2018 through domain registrar Namecheap.

Notice the preponderance of the domain uscourtsgov-dot-com in the list above. All of those two-name domains used domain name servers (DNS servers) from uscourtsgov-dot-com at the time these emails were sent. In early June 2018, uscourtsgov-dot-com was associated with a Sigma ransomware scam delivered via spam. Victims who wanted their files back had to pay a bitcoin ransom.
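The forum user’s starting point (the sending server’s address from the message headers) and the pattern in the list above can both be checked mechanically. The following is an added example, not the forum user’s or KrebsOnSecurity’s tooling. The email message is constructed to resemble the spam described, with a hypothetical receiving host `mx.example.net`; the hostnames fed to the pattern check are a subset of the list above, and the netblock is the one the article identifies.

```python
"""Added example: pull the sending server's address from the Received header our
own MX wrote, check it against the 46.161.42.0/24 block from the article, and
flag hostnames that follow the mailN.<domain> numbering seen in the list."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

SUSPECT_NET = ipaddress.ip_network("46.161.42.0/24")

# Constructed message, shaped like the sextortion spam as seen by the receiving
# MX. mx.example.net and the addresses are hypothetical; the sending host is the
# one the forum user reported.
SAMPLE_EMAIL = """Return-Path: <alerts@williehowell.com>
Received: from mail.williehowell.com (mail.williehowell.com [46.161.42.91])
    by mx.example.net (Postfix) with ESMTPS id 4C3F1A2B
    for <victim@example.net>; Tue, 07 Aug 2018 10:12:13 +0000
From: "Security" <alerts@williehowell.com>
To: victim@example.net
Subject: victim - hunter2
Date: Tue, 07 Aug 2018 10:12:10 +0000

I know hunter2 is your password...
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
NUMBERED_HOST = re.compile(r"^mail(\d+)\.([a-z0-9.-]+)$")


def origin_ip(raw: str) -> Optional[str]:
    """IP recorded by our own MX in the Received header it added (the topmost).
    Only headers written by hosts you control are trustworthy; anything the
    sender stacked underneath them can be forged."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = IP_IN_BRACKETS.search(received[0])
    return m.group(1) if m else None


def sender_domain(raw: str) -> Optional[str]:
    """Domain from Return-Path (falling back to From), lower-cased."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def in_suspect_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in SUSPECT_NET


def triage(raw: str) -> Tuple[Optional[str], bool, Optional[str]]:
    """(origin IP, whether it sits in the suspect block, sending domain)."""
    ip = origin_ip(raw)
    return ip, bool(ip and in_suspect_net(ip)), sender_domain(raw)


# Subset of the hostnames from the article's list, for the pattern check.
PDNS_HOSTS: List[str] = [
    "mail25.uscourtsgov.com", "mail24.uscourtsgov.com", "mail3.uscourtsgov.com",
    "mail2.uscourtsgov.com", "mail1.uscourtsgov.com", "mail.williehowell.com",
    "mail.fayenorris.com", "beckymiles.com",
]


def numbered_mail_hosts(hosts: List[str]) -> Dict[str, Tuple[int, int, int]]:
    """Group mail<N>.<domain> names: domain -> (lowest N, highest N, count).
    A long run of numbered relays on adjacent addresses is the fingerprint of a
    bulk-mail setup, whatever the domain name claims to be."""
    runs: Dict[str, set] = {}
    for h in hosts:
        m = NUMBERED_HOST.match(h.lower())
        if m:
            runs.setdefault(m.group(2), set()).add(int(m.group(1)))
    return {d: (min(n), max(n), len(n)) for d, n in runs.items()}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
    print(numbered_mail_hosts(PDNS_HOSTS))
```

On the constructed message `triage` returns the 46.161.42.91 address, confirms it is inside the block, and reports williehowell.com as the sending domain; the pattern check reports the numbered uscourtsgov relays as one group. In a real mail pipeline the same two checks (origin address in a known-bad block, sending domain in the cluster) are what you would turn into a filter rule.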

In the months just before either the password-laced sextortion scam or the uscourtsgov-dot-com ransomware scam, uscourtsgov-dot-com was devoid of content, aside from a message promoting the spamming services of the web site mtaexpert-dot-info. Uscourtsgov-dot-com is now offline, but it was active as of two weeks ago. Here’s what its homepage looked like:

The domain uscourtsgov-dot-com was redirecting visitors to mtaexpert-dot-info for many months up to and including the sextortion email campaign. Image: Domaintools.com

Interestingly, this same message promoting mtaexpert-dot-info appeared on the homepages of many other two-name domain names mentioned above (including fayenorris-dot-com):

Like uscourtsgov-dot-com, Fayenorris-dot-com also urged visitors to go to mtaexpert-dot-info.


Experts Urge Rapid Patching of ‘Struts’ Bug

August 23, 2018

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.

On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application framework used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.
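The practical question for most shops is simply whether a vulnerable struts2-core jar is deployed anywhere, including inside WAR or EAR archives where a filesystem search for the jar name will miss it. The following is an added example, not Semmle’s or Apache’s tooling. The article does not name the advisory; the fixed versions used here (2.3.35 and 2.5.17) are Apache’s for the Aug. 22 fix, S2-057 / CVE-2018-11776, and should be confirmed against that advisory before acting on the output. The file and archive names in the script are whatever is on disk; nothing on the page is being reproduced.

```python
"""Added example: locate struts2-core jars on disk and inside WAR/EAR/ZIP
archives, and compare their versions with the first fixed releases for the
Aug. 22, 2018 Struts fix (S2-057 / CVE-2018-11776: 2.3.35 and 2.5.17).
Confirm the fixed versions against the Apache advisory before relying on this."""
import os
import re
import zipfile
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)\.(\d+)\.jar$")

# First non-vulnerable release per supported branch (from the Apache advisory).
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}


def parse_version(path: str) -> Optional[Version]:
    """Version triple from a path or archive member like
    'app.war!WEB-INF/lib/struts2-core-2.5.16.jar'; None if not a struts2-core jar."""
    m = JAR_RE.search(os.path.basename(path))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(v: Version) -> bool:
    """True if the version precedes the fixed release for its branch. Branches
    not listed in FIXED are reported as vulnerable so they get manual review."""
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return True
    return v < fixed


def jars_in_archive(archive_path: str) -> Iterator[str]:
    """Yield 'archive!member' for struts2-core jars bundled inside a WAR/EAR."""
    try:
        with zipfile.ZipFile(archive_path) as zf:
            for name in zf.namelist():
                if JAR_RE.search(name):
                    yield f"{archive_path}!{name}"
    except (zipfile.BadZipFile, OSError):
        return


def scan(root: str) -> List[Tuple[str, Version, bool]]:
    """Walk `root`; return (location, version, vulnerable) for every hit."""
    findings: List[Tuple[str, Version, bool]] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            candidates = [path] if JAR_RE.search(f) else []
            if f.lower().endswith((".war", ".ear", ".zip")):
                candidates.extend(jars_in_archive(path))
            for c in candidates:
                v = parse_version(c)
                if v is not None:
                    findings.append((c, v, is_vulnerable(v)))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for location, version, vuln in scan(root):
        print("VULNERABLE" if vuln else "ok        ", ".".join(map(str, version)), location)
```

Point it at an application server’s deployment directory (`python struts_check.py /opt/tomcat/webapps`, with the script name being whatever you save it as). A hit inside an archive is the case a plain `find` misses, and it is exactly where a forgotten copy of Struts tends to live.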

An alert about the Apache security update was posted Wednesday by Semmle, the San Francisco software company whose researchers discovered the bug.

“The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,” the alert warns.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

Alleged SIM Swapper Arrested in California

August 22, 2018

Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion of hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.

Xzavyer Clemente Narvaez was arrested Aug. 17, 2018 by investigators working with Santa Clara County’s “REACT task force,” which says it’s targeting those involved in “the takeovers of cell phone, email and financial accounts resulting in the theft of cryptocurrency.”

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at more than $1 million in virtual currencies) to purchase luxury items, including a McLaren, a $200,000 high-performance sports car. Investigators said they interviewed several alleged victims of Narvaez, including one man who reported being robbed of $150,000 in virtual currencies after his phone number was hijacked.

A fraudulent SIM swap occurs when a victim’s cell phone service is redirected from a SIM card under the control of the victim to one under the control of the suspect, without the knowledge or authorization of the victim account holder.

When a victim experiences a fraudulent SIM swap, their phone suddenly has no service and all incoming calls and text messages are sent to the attacker’s device. This includes any one-time codes sent via text message or automated phone call that many companies use to supplement passwords for their online accounts.

Narvaez came to law enforcement’s attention following the arrest of Joel Ortiz, a gifted 20-year-old college student from Boston who was charged in July 2018 with using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

A redacted “statement of facts” in the case obtained by KrebsOnSecurity says records obtained from Google revealed that a cellular device used by Ortiz to commit SIM swaps had at one point been used to access the Google account identified as Xzavyer.Narvaez@gmail.com.

That statement refers frequently to the term IMEI, the International Mobile Equipment Identity: a unique serial number assigned to each mobile handset. The IMEI identifies the hardware rather than the SIM card inside it, which is why the same handset turning up in many different number takeovers can tie them all to one person.

Prosecutors used data gathered from a large number of tech companies to put Narvaez’s phone in specific places near his home in Tracy, Calif. at the time his alleged victims reported having their phones hijacked. His alleged re-use of the same mobile device for multiple SIM hijacks ultimately gave him away:

“On 7/18/18, investigators received information from an AT&T investigator regarding unauthorized SIM swaps conducted through an AT&T authorized retailer. He reported that approximately 28 SIM swaps were conducted using the same employee ID number over an approximately two-week time period in November 2017. Records were obtained that included a list of IMEI numbers used to take over the victims’ cell phone numbers.”

“AT&T provided call detail records pertaining to the IMEI numbers listed to conduct the SIM swaps. One of those IMEI numbers, ending in 3218, was used to take over the cell phone of a resident of Illinois. I contacted the victim who verified that some of his accounts had been “hacked” in late 2017 but said he did not suffer any financial loss. Sgt. Tarazi analyzed the AT&T location data pertaining to that account takeover. That data indicated that on 7/27/17, when the victim from Illinois lost access to his accounts, the IMEI (ending in 3218) of the cell phone controlling the victim’s cell phone number was located in Tracy, California.”

“The specific tower is located approximately 0.6 miles away from the address 360 Yosemite Drive in Tracy. Several “NELOS” records (GPS coordinates logged by AT&T to estimate the location of devices on their network) indicate the phone was within 1000 meters of 360 Yosemite Drive in Tracy. AT&T also provided call detail records pertaining to Narvaez’ cell phone account, which was linked to him through financial services account records. Sgt. Tarazi examined those records and determined that Narvaez’ own cell phone was connected to the same tower and sector during approximately the same time frame that the suspect device (ending in 3218) was connected to the victim’s account.”

Apple responded to requests with records pertaining to customer accounts linked to that same suspect IMEI number. Those records identified three California residents whose Apple accounts were linked to that same IMEI number.

Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

August 17, 2018

On Sunday, Aug. 12, KrebsOnSecurity carried an exclusive: The FBI was warning banks about an imminent “ATM cashout” scheme about to unfold across the globe, thanks to a data breach at an unknown financial institution. On Aug. 14, a bank in India disclosed hackers had broken into its servers, stealing nearly $2 million in fraudulent bank transfers and $11.5 million in unauthorized ATM withdrawals from cash machines in more than two dozen countries.

The FBI put out its alert on Friday, Aug. 10. The criminals who hacked into Pune, India-based Cosmos Bank executed their two-pronged heist the following day, sending co-conspirators to fan out and withdraw a total of about $11.5 million from ATMs in 28 countries.

The FBI warned it had intelligence indicating that criminals had breached an unknown payment provider’s network with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.

Organized cybercrime gangs that coordinate these so-called “unlimited attacks” typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum withdrawal amounts and any limits on the number of customer ATM transactions daily.

The perpetrators alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

My story about the FBI alert was breaking news on Sunday, but it was just a day short of useful to financial institutions impacted by the breach and associated ATM cashout blitz.

But according to Indian news outlet Dailypioneer.com, there was a second attack carried out on August 13, when the Cosmos Bank hackers transferred nearly $2 million to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong.

“The bank came to know about the malware attack on its debit card payment system on August 11, when it was observed that unusually repeated transactions were taking place through ATM VISA and Rupay Card for nearly two hours,” writes TN Raghunatha for the Daily Pioneer.

Hanging Up on Mobile in the Name of Security

August 16, 2018

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”

AN ‘IDENTITY CRISIS’?

Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms, such as Instagram, allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday. In this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

A July 2018 posting from the “OG” Instagram account “0”, allegedly an account hijacked by Joel Ortiz (pictured holding an armload of Dom Perignon champagne).

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that Twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

Ogusers SIM swapper “j” advises forum members on how not to become victims of SIM swapping.


Patch Tuesday, August 2018 Edition

August 15, 2018

Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two “zero-day” flaws that attackers were already exploiting before Microsoft issued patches to fix them.

According to security firm Ivanti, the first of the two zero-day flaws (CVE-2018-8373) is a critical flaw in Internet Explorer that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day is a bug (CVE-2018-8414) in the Windows 10 shell that could allow an attacker to run code of his choice.

Microsoft also patched more variants of the Meltdown/Spectre memory vulnerabilities, collectively dubbed “Foreshadow” by a team of researchers who discovered and reported the Intel-based flaws. For more information about how Foreshadow works, check out their academic paper (PDF), and/or the video below. Microsoft’s analysis is here.

One nifty little bug fixed in this patch batch is CVE-2018-8345. It addresses a problem in the way Windows handles shortcut files. Ending in the “.lnk” extension, shortcut files are Windows components that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu.

That description of a shortcut file was taken verbatim from the first widely read report on what would later be dubbed the Stuxnet worm, which also employed an exploit for a weakness in the way Windows handled shortcut (.lnk) files. According to security firm Qualys, this patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. “Simply viewing a malicious LNK file can execute code as the logged-in user,” Qualys’ Jimmy Graham wrote.

FBI Warns of ‘Unlimited’ ATM Cashout Blitz

August 12, 2018

The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks privately on Friday.

The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the alert continues. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily.

The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

Virtually all ATM cashout operations are launched on weekends, often just after financial institutions begin closing for business on Saturday. Last month, KrebsOnSecurity broke a story about an apparent unlimited operation used to extract a total of $2.4 million from accounts at the National Bank of Blacksburg in two separate ATM cashouts between May 2016 and January 2017.
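The sequence described above (fraud controls removed shortly before a weekend burst of cloned-card withdrawals across many ATMs) suggests two simple monitoring checks a bank could run against its own logs. This is an added example, not code from the FBI alert or the post; the record layouts, thresholds and sample values are all constructed for illustration.

```python
"""Detection sketch for the "unlimited operation" pattern: (1) fraud-control
changes made off-hours or set to unlimited, (2) per-card withdrawal velocity
across multiple countries in a short window. All data below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed withdrawal records: (timestamp, card_id, atm_country, amount_usd)
WITHDRAWALS = [
    ("2018-08-11 23:02", "card-A", "US", 500),
    ("2018-08-11 23:05", "card-A", "US", 500),
    ("2018-08-11 23:09", "card-A", "GB", 800),
    ("2018-08-11 23:11", "card-A", "DE", 800),
    ("2018-08-11 23:40", "card-B", "US", 200),
]

# Constructed audit records of fraud-control changes:
# (timestamp, control_name, old_value, new_value); 2018-08-11 is a Saturday.
CONTROL_CHANGES = [
    ("2018-08-11 22:30", "max_atm_withdrawal", "500", "unlimited"),
    ("2018-08-08 10:15", "daily_txn_limit", "10", "12"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def flag_control_changes(changes, business_hours=(8, 18)):
    """Flag limit changes made on a weekend, outside business hours, or that
    remove a limit entirely; these precede cashouts per the FBI description."""
    flagged = []
    for when, ctrl, old, new in changes:
        t = _ts(when)
        off_hours = t.weekday() >= 5 or not (business_hours[0] <= t.hour < business_hours[1])
        if off_hours or new == "unlimited":
            flagged.append((ctrl, old, new, when))
    return flagged

def flag_velocity(withdrawals, window_min=60, max_count=3, max_countries=1):
    """Flag a card whose withdrawals within one window exceed a count or span
    more countries than a single traveller plausibly could."""
    by_card = defaultdict(list)
    for when, card, country, _amount in withdrawals:
        by_card[card].append((_ts(when), country))
    flagged = {}
    for card, events in by_card.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_min * 60]
            countries = {c for _, c in window}
            if len(window) > max_count or len(countries) > max_countries:
                flagged[card] = {"count": len(window), "countries": sorted(countries)}
                break
    return flagged
```

In practice the thresholds would come from the institution's real limits, and the control-change check is the more valuable of the two because it fires before any money leaves the ATMs.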

In both cases, the attackers managed to phish someone working at the Blacksburg, Virginia-based small bank. From there, the intruders compromised systems the bank used to manage credits and debits to customer accounts.