iPhone Robbers Try to iPhish Victims

February 24, 2017

In another strange tale from the kinetic-attack-meets-cyberattack department, earlier this week I heard from a loyal reader in Brazil whose wife was recently mugged by three robbers who nabbed her iPhone. Not long after the husband texted the stolen phone — offering to buy back the locked device — he soon began receiving text messages stating the phone had been found. All he had to do to begin the process of retrieving the device was click the texted link and log in to the phishing page mimicking Apple’s site.

applephish

Edu Rabin is a resident of Porto Alegre, the capital and largest city of the Brazilian state of Rio Grande do Sul in southern Brazil. Rabin said three thugs robbed his wife last Saturday in broad daylight. Thankfully, she was unharmed and all they wanted was her iPhone 5s.

Rabin said he then tried to locate the device using the “Find my iPhone” app.

“It was already in a nearby city, where the crime rates are even higher than mine,” Rabin said.

He said he then used his phone to send the robbers a message offering to buy back his wife’s phone.

“I’d sent a message with my phone number saying, ‘Dear mister robber, since you can’t really use the phone, I’m preparing to rebuy it from you. All my best!’ This happened on Saturday. On Sunday, I’d checked again the search app and the phone was still offline and at same place.”

But the following day he began receiving text messages stating that his phone had been recovered.

“On Monday, I’d started to receive SMS messages saying that my iphone had been found and a URL to reach it,” Rabin said. Here’s a screenshot of one of those texts:

buscariphonetext

The link led to a page that looks exactly like the Brazilian version of Apple’s sign-in page, but which is hosted on a site that allows free Web hosting.

fakeapple Continue reading

How to Bury a Major Breach Notification

February 21, 2017

Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that.

The RSA report detailed the threat from a malware operation the company dubbed “Kingslayer.” According to RSA, the attackers compromised the Web site of a company that sells software to help Windows system administrators better parse and understand Windows event logs. RSA said the site hosting the event log management software was only compromised for two weeks — from April 9, 2015 to April 25, 2015 — but that the intrusion was likely far more severe than the short duration of the intrusion suggests.

That’s because in addition to compromising the download page for this software package, the attackers also hacked the company’s software update server, meaning any company that already had the software installed prior to the site compromise would likely have automatically downloaded the compromised version when the software regularly checked for available updates (as it was designed to do).

Image: RSA

Image: RSA

RSA said that in April 2016 it “sinkholed” or took control over the Web site that the malware used as a control server — oraclesoft[dot]net — and from there they were able to see indicators of which organizations might still be running the backdoored software. According to RSA, the victims included five major defense contractors; four major telecommunications providers; 10+ western military organizations; more than two dozen Fortune 500 companies; 24 banks and financial institutions; and at least 45 higher educational institutions.

RSA declined to name the software vendor whose site was compromised, but said the company issued a security notification on its Web site on June 30, 2016 and updated the notice on July 17, 2016 at RSA’s request following findings from further investigation into a defense contractor’s network. RSA also noted that the victim software firm had a domain name ending in “.net,” and that the product in question was installed as a Windows installer package file (.msi).

Using that information, it wasn’t super difficult to find the product in question. An Internet search for the terms “event log security notification april 2015” turns up a breach notification from June 30, 2016 about a software package called EVlog, produced by an Altair Technologies Ltd. in Mississauga, Ontario. The timeline mentioned in the breach notification exactly matches the timeline laid out in the RSA report.

As far as breach disclosures go, this one is about the lamest I’ve ever seen given the sheer number of companies that Altair Technologies lists on its site as subscribers to eventid.net, an online service tied to EVlog. I could not locate a single link to this advisory anywhere on the company’s site, nor could I find evidence that Altair Technologies had made any effort via social media or elsewhere to call attention to the security advisory; it is simply buried in the site. A screenshot of the original, much shorter, version of that notice is here. Continue reading

Advertisement

February Updates from Adobe, Microsoft

February 19, 2017

A handful of readers have inquired as to the whereabouts of Microsoft‘s usual monthly patches for Windows and related software. Microsoft opted to delay releasing any updates until next month, even though there is a zero-day vulnerability in Windows going around. However, Adobe did push out updates this week as per usual to fix critical issues in its Flash Player software.

brokenwindowsIn a brief statement this week, Microsoft said it “discovered a last minute issue that could impact some customers” that was not resolved in time for Patch Tuesday, which normally falls on the second Tuesday of each month. In an update to that advisory posted on Wednesday, Microsoft said it would deliver February’s batch of patches as part of the next regularly-scheduled Patch Tuesday, which falls on March 14, 2017.

On Feb. 2, the CERT Coordination Center at Carnegie Mellon University warned that an unpatched bug in a core file-sharing component of Windows (SMB) could let attackers crash Windows 8.1, and Windows 10 systems, as well as server equivalents of those platforms. CERT warned that exploit code for the flaw was already available online. Continue reading

Men Who Sent Swat Team, Heroin to My Home Sentenced

February 17, 2017

It’s been a remarkable week for cyber justice. On Thursday, a Ukrainian man who hatched a plan in 2013 to send heroin to my home and then call the cops when the drugs arrived was sentenced to 41 months in prison for unrelated cybercrime charges. Separately, a 19-year-old American who admitted to being part of a hacker group that sent a heavily-armed police force to my home in 2013 was sentenced to three years probation.

Sergei "Fly" Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for "doxing" him -- printing his real name and image -- on my site.

Sergei “Fly” Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for “doxing” him — printing his real name and image — on my site.

Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1,” pleaded guilty last year to aggravated identity theft and conspiracy to commit wire fraud. Prosecutors said Vovnenko operated a network of more than 13,000 hacked computers, using them to harvest credit card numbers and other sensitive information.

When I first became acquainted with Vovnenko in 2013, Fly was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

After I secretly gained access to his forum, I learned he’d hatched a plot to have heroin sent to my home and to have one of his forum lackeys call the police when the drugs arrived.

I explained this whole ordeal in great detail in 2015, when Vovnenko initially was extradited from Italy to face charges here in the United States. In short, the antics didn’t end when I foiled his plot to get me arrested for drug possession, and those antics likely contributed to his arrest and to this guilty plea.

Vovnenko contested his extradition from Italy, and in so doing spent roughly 15 months in arguably Italy’s worst prison. During that time, he seemed to have turned his life around, sending me postcards at Christmas time and even an apparently heartfelt apology letter.

Seasons greetings from my pen pal, Flycracker.

Seasons greetings from my pen pal, Flycracker.

On Thursday, a judge in New Jersey sentenced Vovnenko to 41 months in prison, three years of supervised released and ordered him to pay restitution of $83,368. Continue reading

Who Ran Leakedsource.com?

February 15, 2017

Late last month, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection of usernames and passwords leaked or stolen in some of the worst data breaches — including billions of credentials for accounts at top sites like LinkedIn and Myspace.

In a development that could turn out to be deeply ironic, it seems that the real-life identity of LeakedSource’s principal owner may have been exposed by many of the same stolen databases he’s been peddling.

The now-defunct Leakedsource service.

The now-defunct LeakedSource service.

LeakedSource in October 2015 began selling access to passwords stolen in high-profile breaches. Enter any email address on the site’s search page and it would tell you if it had a password corresponding to that address. However, users had to select a payment plan before viewing any passwords.

LeakedSource was a curiosity to many, and for some journalists a potential source of news about new breaches. But unlike services such as BreachAlarm and HaveIBeenPwned.com — which force users to verify that they can access a given account or inbox before the site displays whether it has found a password associated with the account in question — LeakedSource did nothing to validate users. This fact, critics charged, showed that the proprietors of LeakedSource were purely interested in making money and helping others pillage accounts.

I also was curious about LeakedSource, but for a different reason. I wanted to chase down something I’d heard from multiple sources: That one of the administrators of LeakedSource also was the admin of abusewith[dot]us, a site unabashedly dedicated to helping people hack email and online gaming accounts.

Abusewith[dot]us began in September 2013 as a forum for learning and teaching how to hack accounts at Runescape, a massively multiplayer online role-playing game (MMORPG) set in a medieval fantasy realm where players battle for kingdoms and riches.
runescape

The currency with which Runescape players buy and sell weapons, potions and other in-game items are virtual gold coins, and many of Abusewith[dot]us’s early members traded in a handful of commodities: Phishing kits and exploits that could be used to steal Runescape usernames and passwords from fellow players; virtual gold plundered from hacked accounts; and databases from hacked forums and Web sites related to Runescape and other online games.

The administrator of Abusewith[dot]us is a hacker who uses the nickname “Xerx3s.” The avatar attached to Xerx3s’s account suggests the name is taken from Xerxes the Great, a Persian king who lived during the fifth century BC.

Xerx3s the hacker appears to be especially good at breaking into discussion forums and accounts dedicated to Runescape and online gaming. Xerx3s also is a major seller of Runescape gold — often sold to other players at steep discounts and presumably harvested from hacked accounts.

Xerx3s's administrator account profile at Abusewith.us.

Xerx3s’s administrator account profile at Abusewith.us.

I didn’t start looking into who might be responsible for LeakedSource until July 2016, when I sought an interview by reaching out to the email listed on the site (leakedsourceonline@gmail.com). Soon after, I received a Jabber chat invite from the address “leakedsource@chatme.im.”

The entirety of that brief interview is archived here. I wanted to know whether the proprietors of the service believed they were doing anything wrong (we’ll explore more about the legal aspects of LeakedSource’s offerings later in this piece).  Also, I wanted to learn whether the rumors of LeakedSource arising out of Abusewith[us] were true.

“After many of the big breaches of 2015, we noticed a common public trend…’Where can I search it to see if I was affected?’,” wrote the anonymous person hiding behind the leakedsource@chatme.im account. “And thus, the idea was born to fill that need, not rising out of anything. We are however going to terminate the interview as it does seem to be more of a witch hunt instead of journalism. Thank you for your time.”

Nearly two weeks after that chat with the LeakedSource administrator, I got a note from a source who keeps fairly close tabs on the major players in the English-speaking cybercrime underground. My source told me he’d recently chatted with Xerx3s using the Jabber address Xerx3s has long used prior to the creation of LeakedSource — xerx3s@chatme.im.

Xerx3s told my source in great detail about my conversation with the Leakedsource administrator, suggesting that either Xerx3s was the same person I spoke with in my brief interview with LeakedSource, or that the LeakedSource admin had shared a transcript of our chat with Xerx3s.

Although his username on Abusewith[dot]us was Xerx3s, many of Xerx3s’s closest associates on the forum referred to him as “Wade” in their forum postings. This is in reference to a pseudonym Xerx3s frequently used, “Jeremy Wade.”

An associate of Xerx3s tells another abusewith[dot]us user that Xerx3s is the owner of LeakedSource. That comment was later deleted from the discussion thread pictured here.

An associate of Xerx3s tells another abusewith[dot]us user that Xerx3s is the owner of LeakedSource. That comment was later deleted from the discussion thread pictured here.

One email address this Jeremy Wade identity used pseudonymously was imjeremywade@gmail.com. According to a “reverse WHOIS” record search ordered through Domaintools.com, that email address is tied to two domain names registered in 2015: abusing[dot]rs, and cyberpay[dot]info. The original registration records for each site included the name “Secure Gaming LLC.” [Full disclosure: Domaintools is an advertiser on this blog].

The “Jeremy Wade” pseudonym shows up in a number of hacked forum databases that were posted to both Abusewith[dot]us and LeakedSource, including several other sites related to hacking and password abuse.

For example, the user database stolen and leaked from the DDoS-for-hire service “panic-stresser[dot]xyz” shows that a PayPal account tied to the email address eadeh_andrew@yahoo.com paid $5 to cover a subscription for a user named “jeremywade;” The leaked Panicstresser database shows the Jeremywade account was tied to the email address xdavros@gmail.com, and that the account was created in July 2012.

The leaked Panicstresser database also showed that the first login for that Jeremywade account came from the Internet address 68.41.238.208, which is a dynamic Internet address assigned to residential customers of Comcast Communications in Michigan.

According to a large number of forum postings, it appears that whoever used the xdavros@gmail.com address also created several variations on that address, including alexdavros@gmail.com, davrosalex3@yahoo.com, davrosalex4@yahoo.com, as well as themarketsales@gmail.com.

The Gmail account xdavros@gmail.com was used to register at least four domain names almost six years ago in 2011. Two of those domains — daily-streaming.com and tiny-chats.com — were originally registered to a “Nick Davros” at 3757 Dunes Parkway, Muskegon, Mich. The other two were registered to a Nick or Alex Davros at 868 W. Hile Rd., Muskegon, Mich. All four domain registration records included the phone number +12313430295.

I took that 68.41.238.208 Internet address that the leaked Panicstresser database said was tied to the account xdavros@gmail.com and ran an Internet search on it. The address turned up in yet another compromised hacker forum database — this time in the leaked user database for sinister[dot]ly, ironically another site where users frequently post databases plundered from other sites and forums.

The leaked sinister[dot]ly forum database shows that a user by the name of “Jwade” who registered under the email address trpkisaiah@gmailcom first logged into the forum from the same Comcast Internet address tied to the xdavros@gmail.com account at Panicstresser. Continue reading

Fast Food Chain Arby’s Acknowledges Breach

February 9, 2017

Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.

arbys2A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned. The remaining stores are franchises. However, this distinction is likely to be lost on Arby’s customers until the company releases more information about individual restaurant locations affected by the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.” Continue reading

‘Top 10 Spammer’ Indicted for Wire Fraud

February 8, 2017

Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation.

According to an indictment returned in federal court in Chicago, Persaud used multiple Internet addresses and domains – a technique known as “snowshoe spamming” – to transmit spam emails over at least nine networks.

persaud-fb

The Justice Department says Persaud sent well over a million spam emails to recipients in the United States and abroad. Prosecutors charge that Persaud often used false names to register the domains, and he created fraudulent “From:” address fields to conceal that he was the true sender of the emails. The government also accuses Persaud of “illegally transferring and selling millions of email addresses for the purpose of transmitting spam.”

Persaud is currently listed as #8 on the World’s 10 Worst Spammers list maintained by Spamhaus, an anti-spam organization. In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. Persaud did not contest the charges and was ordered to pay more than a half-million dollars in restitution and damages. Continue reading

House Passes Long-Sought Email Privacy Bill

February 7, 2017

The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails. Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent without the approval of a judge.

cloudprivacyThe House passed by a voice vote The Email Privacy Act (HR 387). The bill amends the Electronic Communications Privacy Act (ECPA), a 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information.

But the U.S. Justice Department wanted different treatment for stored electronic communications. Congress struck a compromise, decreeing that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge. Continue reading

InterContinental Confirms Breach at 12 Hotels

February 6, 2017

InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.

According to IHG, we may not yet know the full scope of this breach: The company advised that its investigation into other properties in the Americas region is ongoing.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt. Continue reading

How Google Took on Mirai, KrebsOnSecurity

February 3, 2017

The third week of September 2016 was a dark and stormy one for KrebsOnSecurity. Wave after wave of huge denial-of-service attacks flooded this site, forcing me to pull the plug on it until I could secure protection from further assault. The site resurfaced three days later under the aegis of Google’s Project Shield, an initiative which seeks to protect journalists and news sites from being censored by these crippling digital sieges.

Damian Menscher, a Google security engineer with whom I worked very closely on the migration to Project Shield, spoke this week about the unique challenges involved in protecting a small site like this one from very large, sustained and constantly morphing attacks.

Google Security Reliability Engineer Damian Menscher speaking at the Enigma conference this week. Photo: @mrisher

Google Security Reliability Engineer Damian Menscher speaking at the Enigma conference this week. Photo: @mrisher

Addressing the Enigma 2017 security conference in Oakland, Calif., Menscher said his team only briefly considered whether it was such a good idea to invite a news site that takes frequent swings at the DDoS-for-hire industry.

“What happens if this botnet actually takes down google.com and we lose all of our revenue?” Menscher recalled. “But we considered [that] if the botnet can take us down, we’re probably already at risk anyway. There’s nothing stopping them from attacking us at any time. So we really had nothing to lose here.” Continue reading