Krebs on Security

Alleged Spam King Pyotr Levashov Arrested

April 10, 2017

Authorities in Spain have arrested a Russian computer programmer thought to be one of the world’s most notorious spam kingpins.

Spanish police arrested Pyotr Levashov under an international warrant executed in the city of Barcelona, according to Reuters. Russian state-run television station RT (formerly Russia Today) reported that Levashov was arrested while vacationing in Spain with his family.

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to numerous stories here at KrebsOnSecurity, Levashov was better known as “Severa,” the hacker moniker used by a pivotal figure in many Russian-language cybercrime forums. Severa was the moderator for the spam subsection of multiple online communities, and in this role served as the virtual linchpin connecting virus writers with huge spam networks — including some that Severa allegedly created and sold himself.

Levashov is currently listed as #7 in the the world’s Top 10 Worst Spammers list maintained by anti-spam group Spamhaus. The U.S. Justice Department maintains that Severa was the Russian partner of Alan Ralsky, a convicted American spammer who specialized in “pump-and-dump” spam schemes designed to artificially inflate the value of penny stocks.

Levashov allegedly went by the aliases Peter Severa and Peter of the North (Pyotr is the Russian form of Peter). My reporting indicates that — in addition to spamming activities — Severa was responsible for running multiple criminal operations that paid virus writers and spammers to install “fake antivirus” software. So-called “fake AV” uses malware and/or programming tricks to bombard the victim with misleading alerts about security threats, hijacking the PC until its owner either pays for a license to the bogus security software or figures out how to remove the invasive program.

A screenshot of a fake antivirus or “scareware” affiliate program run by “Severa,” allegedly the cybercriminal alias of Pyotr Levashov.

There is ample evidence that Severa is the cybercriminal behind the Waledac spam botnet, a spam engine that for several years infected between 70,000 and 90,000 computers and was capable of sending approximately 1.5 billion spam messages a day.

In 2010, Microsoft launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of computer code with Waledac.

The connection between Waledac/Kelihos and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. According to the stolen SpamIt records, Severa — this time using the alias “Viktor Sergeevich Ivashov” — brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period.

Severa also was a moderator of Spamdot.biz (pictured in the first screenshot above), a vetted, members-only forum that at one time attracted almost daily visits from most of Russia’s top spammers. Leaked Spamdot forum posts for Severa indicate that he hails from Saint Petersburg, Russia’s second-largest city. Continue reading →

Gamestop.com Investigating Possible Breach

April 7, 2017

45 Comments

Video game giant GameStop Corp. [NSYE: GME] says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity.

“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” a company spokesman wrote in response to questions from this author.

“That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified,” the company’s statement continued.

Two sources in the financial industry told KrebsOnSecurity that they have received alerts from a credit card processor stating that Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017.

Those same sources said the compromised data is thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the backs of credit cards.

Online merchants are not supposed to store CVV2 codes, but hackers can steal the codes by placing malicious software on a company’s e-commerce site, so that the data is copied and recorded by the intruders before it is encrypted and transmitted to be processed.

GameStop would not comment on the possible timeframe of the suspected breach, or say what types of customer data might be impacted.

Continue reading →

Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer

April 6, 2017

83 Comments

The author of a banking Trojan called Nuclear Bot — a teenager living in France — recently released the source code for his creation just months after the malware began showing up for sale in cybercrime forums. Now the young man’s father is trying to convince him not to act on a job offer in the United States, fearing it may be a trap set by law enforcement agents.

In December 2016, Arbor Networks released a writeup on Nuclear Bot (a.k.a. NukeBot) after researchers discovered the malware package for sale in the usual underground cybercrime forums for the price of USD $2,500.

The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites.

The administration panel for Nuclear Bot. Image: IBM X-Force.

Malware analysts at IBM’s X-Force research division also examined the code, primarily because the individual selling it claimed that Nuclear Bot could bypass Trusteer Rapport, an IBM security product that many banks offer customers to help blunt the effectiveness of banking trojans.

“These claims are unfounded and incorrect,” IBM’s researchers wrote. “Rapport detection and protection against the NukeBot malware are effective on all protection layers.”

But the malware’s original author — 18-year-old Augustin Inzirillo — begs to differ, saying he released the source code for the bot late last month in part because he wanted others be able to test his claims.

In an interview with KrebsOnSecurity, Inzirillo admits he wrote the Nuclear Bot trojan as a proof-of-concept to demonstrate a method he developed that he says bypasses Rapport. But he denies ever selling or marketing the malware, and maintains that this was done without his permission by an acquaintance with whom he shared the code privately.

“I’ve been interested in malware since I [was] a child, and I wanted to have a challenge,” Inzirillo said. “I was excited about this, and having nobody to share this with, I distributed the code to ‘friends’ who tried to profit off my work.”

After the source code for Nuclear Bot was released on Github, IBM followed up with a more in-depth examination of it, which argued that the author of the code appeared to release it in a failed bid to shore up his fragile ego.

According to IBM, a hacker calling himself “Gosya” tried to sell the malware in such a clumsy and inexperienced fashion that he managed to get himself banned from multiple cybercrime forums for violating specific rules about how such products should be sold.

“He did not have the malware tested and certified by forum admins, nor did he provide any test versions to members,” IBM researchers Limor Kessem and Ilya Kolmanovich wrote. “At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.”

The IBM authors continued:

“In posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.”

“For his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.”

Inzirillo said the main reason he released his code was to prevent others from profiting off his creation. But now he says he regrets that decision as well.

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat.

Inzirillo released the code on Github with a short note explaining his motivations, and included a contact email address at a domain (inzirillo.com) set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Augustin’s dad, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

Daniel Inzirillo said he’s worried because his son has expressed a strong interest in traveling to the United States after receiving a job offer from a supposed recruiter at a technology firm which said it was impressed by Augustin’s coding skills.

“I am very worried for him, because some technology company told him they wanted to fly him to the U.S. for a job interview as a result of him posting that online,” Daniel Inzirillo said. “There is a strong possibility that in one or two weeks he’s going to be flying to California, and I am concerned that maybe some guy in some law enforcement agency has his sights on him.” Continue reading →

Dual-Use Software Criminal Case Not So Novel

April 4, 2017

75 Comments

“He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes.”

The above snippet is the subhead of a story published last month by the The Daily Beast titled, “FBI Arrests Hacker Who Hacked No One.” The subject of that piece — a 26-year-old American named Taylor Huddleston — faces felony hacking charges connected to two computer programs he authored and sold: An anti-piracy product called Net Seal, and a Remote Administration Tool (RAT) called NanoCore that he says was a benign program designed to help users remotely administer their computers.

Photo illustration by Lyne Lucien/The Daily Beast

The author of the Daily Beast story, former black hat hacker and Wired.com editor Kevin Poulsen, argues that Huddleston’s case raises a novel question: When is a programmer criminally responsible for the actions of his users?

“Some experts say [the case] could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways,” Poulsen wrote.

But a closer look at the government’s side of the story — as well as public postings left behind by the accused and his alleged accomplices — paints a more complex and nuanced picture that suggests this may not be the case to raise that specific legal question in any meaningful way.

Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), said cases like these are not so cut-and-dry because they hinge on intent, and determining who knew what and when.

“I don’t read the government’s complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this,” Rumold said. “Whether or not [the government’s] claims are valid is going to be extraordinarily fact-specific, but unfortunately there is not a precise set of facts that would push this case from being about the valid reselling of a tool that no one questions can be done legally to crossing that threshold of engaging in a criminal conspiracy.”

Citing group chat logs and other evidence that hasn’t yet been made public, U.S. prosecutors say Huddleston intended NanoCore to function more like a Remote Access Trojan used to remotely control compromised PCs, and they’ve indicted Huddleston on criminal charges of conspiracy as well as aiding and abetting computer intrusions.

Poulsen depicts Huddleston as an ambitious — if extremely naive — programmer struggling to make an honest living selling what is essentially a dual-use software product. Using the nickname “Aeonhack,” Huddleston marketed his NanoCore RAT on Hackforums[dot]net, an English-language hacking forum that is overrun with young, impressionable but otherwise low-skilled hackers who are constantly looking for point-and-click tools and services that can help them demonstrate their supposed hacking prowess.

Yet we’re told that Huddleston was positively shocked to discover that many buyers on the forum were using his tools in a less-than-legal manner, and that in response he chastised and even penalized customers who did so. By way of example, Poulsen writes that Huddleston routinely used his Net Seal program to revoke the software licenses for customers who boasted online about using his NanoCore RAT illegally.

We later learn that — despite Net Seal’s copy protection abilities — denizens of Hackforums were able to pirate copies of NanoCore and spread it far and wide in malware and phishing campaigns. Eventually, Huddleston said he grew weary of all the drama and sold both programs to another Hackforums member, using the $60,000 or so in proceeds to move out of the rusty trailer he and his girlfriend shared and buy a house in a low-income corner of Hot Springs, Arkansas.

From the story:

Continue reading →

Why I Always Tug on the ATM

March 31, 2017

96 Comments

Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use.

Viewed from less than two feet away, this ATM looks reasonably safe to use, right?

Although it's difficult to tell from even this close, this ATM's card acceptance slot and cash dispenser are both compromised by skimming devices.

Although it may be difficult to tell from even this close, this ATM’s card acceptance slot and cash dispenser are both compromised by skimming devices.

But something fishy comes into view when we change our perspective slightly. Can you spot what doesn’t belong here?

Can you spot what doesn’t belong here?

Congratulations if you noticed the tiny pinhole in the upper right corner of the phony black bezel that was affixed over top of the cash dispenser slot. That fake bezel overlay contained a tiny pinhole camera angled toward the PIN pad to record time-stamped videos of people entering their PINs:

A closeup of the tiny pinhole that allows a mini spy camera embedded in the fake cash dispenser bezel to record customers entering their PINs.

How about the card acceptance slot? Looks legit (if a tad shinier than the rest of the ATM), right?

fakecardbezel

What happens if we apply a tiny bit of pressure to the anti-skimming green bezel where customers are expected to insert their ATM cards? Look at that! The cheap plastic bezel that skimmer thieves placed on top of the real card acceptance slot starts to pull away. Also, you can see some homemade electronics that are not very well hidden at the mouth of the bezel.

Notice the left side of this card skimmer overlay starts to pull away from the rest of the facade when squeezed. Also note the presence of a circuit board close to the mouth of the fake bezel.

Continue reading →

Post-FCC Privacy Rules, Should You VPN?

March 30, 2017

198 Comments

Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.

vpn On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.

Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.

I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.

In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set user credentials and allow users to connect to the service via open-source VPN software like OpenVPN.

Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.

If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.

That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.

Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.

My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).

Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.

Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.

Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to chose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to chose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video. Continue reading →

Alleged vDOS Owners Poised to Stand Trial

March 27, 2017

67 Comments

Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

The front page of vDOS, when it was still online last year.

After those restrictions came and went, some readers expressed surprise that there were no formal charges announced against either of the young men. This week, however, Israeli police sent letters to lawyers for both men stating that the official investigation was nearing completion and that they planned to urge government prosecutors to pursue criminal charges.

The police are preparing to recommend prosecutors charge the men with computer fraud and extortion, alleging they caused more than six million shekels worth of damage (approximately USD $1.65 million).

Bidani’s attorney Perach Aroch told KrebsOnSecurity that her client has not yet been officially charged with any crime. But she said once the investigation is complete the defense will have 30 days to review the evidence and to make arguments as to why the case should be dismissed.

“They have to give us 30 days to see all the evidence and to try to convince them why they should not take this case to court,” Aroch said. “After that, [the prosecutors will] decide if it should go to trial.”

18-year-old Yarden Bidani.

The arrest of Bidani and Huri came after the police received information from the Federal Bureau of Investigation (FBI). But the United States apparently isn’t the only country weighing in on this case: According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

It’s unclear exactly why the Swedish government is so interested in this case, but the vDOS service has been implicated in a series high-profile attacks that brought down some of the country’s largest news media Web sites last year.

Shortly after those attacks in March 2016, Somerville, Mass.-based security intelligence firm Recorded Future published an analysis linking the assaults against Swedish media sites to vDOS and to “applej4ck,” the hacker nickname allegedly used by Bidani.

In publicizing the news of vDOS’s hack last year, KrebsOnSecurity also published several months of attack logs from the vDOS service. However, those logs only dated back to May 2016.

Itay Huri’s lawyer declined to comment for this story, but TheMarker’s Amitai Ziv obtained a statement from Huri’s attorney, who accused Israeli police of applying pressure and terror through the media instead of looking for the truth.

Ziv said sources he’s spoken to believe the case will almost certainly go to trial.

“Professionals involved in the case said the likelihood of indictments in the affair is very high,” he wrote.

According to Bidani’s lawyer Aroch, the two former friends are now pointing the finger of blame at each other and are no longer speaking to one another.

“They each now accuse each other in things, so it’s a little bit of a problem,” Aroch said.

Aroch said both Bidani and Huri are free to travel and even leave the country, although both men have had their bank and PayPal accounts frozen.

Bidani and Huri allegedly started vDOS when they were 14 years old. By the time the service was shut down last September, it had attracted tens of thousands of customers who paid for attacks in PayPal (when vDOS’s PayPal accounts were shut down, the service briefly shifted to accepting payment via Bitcoin).

My Sept. 2016 investigation into the hacking of vDOS revealed that in just two of the four years the service was in operation, it brought in revenues of more than $600,000. Continue reading →

Phishing 101 at the School of Hard Knocks

March 24, 2017

48 Comments

A recent, massive spike in sophisticated and successful phishing attacks is prompting many universities to speed up timetables for deploying mandatory two-factor authentication (2FA) — requiring a one-time code in addition to a password — for access to student and faculty services online. This is the story of one university that accelerated plans to require 2FA after witnessing nearly twice as many phishing victims in the first two-and-half months of this year than it saw in all of 2015.

Bowling Green State University in Ohio has more than 20,000 students and faculty, and like virtually any other mid-sized state school its Internet users are constantly under attack from scammers trying to phish login credentials for email and online services.

BGSU had planned later this summer to make 2FA mandatory for access to the school’s portal — the primary place where students register for classes, pay bills, and otherwise manage their financial relationship to the university.

That is, until a surge in successful phishing attacks resulted in several students having bank accounts and W-2 tax forms siphoned.

On March 1, 2017 all BGSU account holders were required to change their passwords, and on March 15, 2017 two-factor authentication (Duo) protection was placed in front of the MyBGSU portal [full disclosure: Duo is a longtime advertiser on KrebsOnSecurity].

Matt Haschak, director of IT security and infrastructure at BGSU, said the number of compromised accounts detected at BGSU has risen from 250 in calendar year 2015 to 1000 in 2016, and to approximately 400 in the first 75 days of 2017.

Left unchecked, phishers are on track to steal credentials from nearly 10 percent of the BGSU student body by the end of this year. The university has offered 2FA options for its portal access since June 2016, but until this month few students or faculty were using it, Haschak said.

“We saw very low adoption when it was voluntary,” he said. “And typically the people who adopted it were not my big security risks.”

Haschak said it’s clear that the scale and size of the phishing problem is hardly unique to BGSU.

“As I keep preaching to our campus community, this is not unique to BGSU,” Haschak said. “I’ve been talking a lot lately to my counterparts at universities in Ohio and elsewhere, and we’re all getting hit with these attacks very heavily right now. Some of the phishing scams are pretty good, but unfortunately some are god-awful, and I think people are just not thinking or they’re too busy in their day, they receive something on their phone and they just click it.”

Last month, an especially tricky phishing scam fooled several students who are also employed at the university into giving away their BGSU portal passwords, after which the thieves changed the victims’ direct deposit information so that their money went to accounts controlled by the phishers.

In other scams, the phishers would change the routing number for a bank account tied to a portal user, and then cancel that student’s classes near the beginning of a semester — thus kicking off a fraudulent refund.

One of the victims even had a fraudulent tax refund request filed in her name with the IRS as a result, Haschak said.

“They went in and looked at her W-2 information, which is also available via the portal,” he said. Continue reading →

eBay Asks Users to Downgrade Security

March 22, 2017

105 Comments

Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

ebay2fa In early 2007, PayPal (then part of the same company as eBay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. In fact, I wrote about this development back when I was a reporter at The Washington Post:

“Armed with one of these keys, if you were to log on to your account from an unfamiliar computer and some invisible password stealing program were resident on the machine, the bad guys would still be required to know the numbers displayed on your token, which of course changes every 30 seconds. Likewise, if someone were to guess or otherwise finagle your PayPal password.”

The PayPal security key.

I’ve still got the same hardware token I ordered when writing about that offering, and it’s been working well for the past decade. Now, eBay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA).

The move by eBay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks). Continue reading →

Student Aid Tool Held Key for Tax Fraudsters

March 21, 2017

36 Comments

Citing concerns over criminal activity and fraud, the U.S. Internal Revenue Service (IRS) has disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid. The removal of the tool has created unexpected hurdles for many families hoping to qualify for financial aid, but the action also eliminated a key source of data that fraudsters could use to conduct tax refund fraud.

Last week, the IRS and the Department of Education said in a joint statement that they were temporarily shutting down the IRS’s Data Retrieval Tool. The service was designed to make it easier to complete the Education Department’s Free Application for Federal Student Aid (FAFSA) — a lengthy form that serves as the starting point for students seeking federal financial assistance to pay for college or career school.

The U.S. Department of Education’s FAFSA federal student aid portal. A notice about the closure of the IRS’s data retrieval tool can be seen in red at the bottom right of this image.

In response to requests for comment, the IRS shared the following statement: “As part of a wider, ongoing effort at the IRS to protect the security of data, the IRS decided to temporarily suspend their Data Retrieval Tool (DRT) as a precautionary step following concerns that information from the tool could potentially be misused by identity thieves.”

“The scope of the issue is being explored, and the IRS and FSA are jointly investigating the issue,” the statement continued. “At this point, we believe the issue is relatively isolated, and no additional action is needed by taxpayers or people using these applications. The IRS and FSA are actively working on a way to further strengthen the security of information provided by the DRT. We will provide additional information when we have a specific timeframe for returning the DRT or other details to share.”

The removal of the IRS’s tool received relatively broad media coverage last week. For example, a story in The Wall Street Journal notes that the Treasury Inspector General for Tax Administration — which provides independent oversight of the IRS — “opened a criminal investigation into the potentially fraudulent use of the tool.”

Nevertheless, I could not find a single publication that sought to explain precisely what information identity thieves were seeking from this now-defunct online resource. Two sources familiar with the matter but who asked to remain anonymous because they were not authorized to speak on the record told KrebsOnSecurity that identity thieves were using the IRS’s tool to look up the “adjusted gross income” (AGI), which is an individual or family’s total gross income minus specific deductions.

Anyone completing a FAFSA application will need to enter the AGI as reported on the previous year’s income tax return of their parents or guardians. The AGI is listed on the IRS-1040 forms that taxpayers must file with the IRS each year. The IRS’s online tool was intended as a resource for students who needed to look up the AGI but didn’t have access to their parents’ tax returns.

Eligible FAFSA applicants could use the IRS’s data retrieval tool to populate relevant fields in the application with data pulled directly from the IRS. Countless college Web sites explain how the tool works in more detail; here’s one example (PDF).

As it happens, the AGI is also required to sign and validate electronic tax returns filed with the IRS. Consequently, the IRS’s data retrieval tool would be a terrific resource to help identity thieves successfully file fraudulent tax refund requests with the agency.

A notice from the IRS states that the adjusted gross income (AGI) is needed to validate electronically-filed tax returns.

Continue reading →

Last »