Posts Tagged: alex holden


29
Nov 16

San Francisco Rail System Hacker Hacked

The San Francisco Municipal Transportation Agency (SFMTA) was hit with a ransomware attack on Friday, causing fare station terminals to carry the message, “You are Hacked. ALL Data Encrypted.” Turns out, the miscreant behind this extortion attempt got hacked himself this past weekend, revealing details about other victims as well as tantalizing clues about his identity and location.

A copy of the ransom message left behind by the "Mamba" ransomware.

A copy of the ransom message left behind by the “Mamba” ransomware.

On Friday, The San Francisco Examiner reported that riders of SFMTA’s Municipal Rail or “Muni” system were greeted with handmade “Out of Service” and “Metro Free” signs on station ticket machines. The computer terminals at all Muni locations carried the “hacked” message: “Contact for key (cryptom27@yandex.com),” the message read.

The hacker in control of that email account said he had compromised thousands of computers at the SFMTA, scrambling the files on those systems with strong encryption. The files encrypted by his ransomware, he said, could only be decrypted with a special digital key, and that key would cost 100 Bitcoins, or approximately USD $73,000.

On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password. A screen shot of the user profile page for cryptom27@yandex.com shows that it was tied to a backup email address, cryptom2016@yandex.com, which also was protected by the same secret question and answer.

Copies of messages shared with this author from those inboxes indicate that on Friday evening, Nov. 25, the attacker sent a message to SFMTA infrastructure manager Sean Cunningham with the following demand (the entirety of which has been trimmed for space reasons), signed with the pseudonym “Andy Saolis.”

“if You are Responsible in MUNI-RAILWAY !

All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!

We have 2000 Decryption Key !

Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!!”

One hundred Bitcoins may seem like a lot, but it’s apparently not far from a usual payday for this attacker. On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm.

The attacker appears to be in the habit of switching Bitcoin wallets randomly every few days or weeks. “For security reasons” he explained to some victims who took several days to decide whether to pay the ransom they’d been demanded. A review of more than a dozen Bitcoin wallets this criminal has used since August indicates that he has successfully extorted at least $140,000 in Bitcoin from victim organizations.

That is almost certainly a conservative estimate of his overall earnings these past few months: My source said he was unable to hack another Yandex inbox used by this attacker between August and October 2016, “w889901665@yandex.com,” and that this email address is tied to many search results for tech help forum postings from people victimized by a strain of ransomware known as Mamba and HDD Cryptor.

Copies of messages shared with this author answer many questions raised by news media coverage of this attack, such as whether the SFMTA was targeted. In short: No. Here’s why.

Messages sent to the attacker’s cryptom2016@yandex.com account show a financial relationship with at least two different hosting providers. The credentials needed to manage one of those servers were also included in the attacker’s inbox in plain text, and my source shared multiple files from that server.

KrebsOnSecurity sought assistance from several security experts in making sense of the data shared by my source. Alex Holden, chief information security officer at Hold Security Inc, said the attack server appears to have been used as a staging ground to compromise new systems, and was equipped with several open-source tools to help find and infect new victims.

“It appears our attacker has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities,” Holden said. “The most common vulnerability used ‘weblogic unserialize exploit’ and especially targeted Oracle Corp. server products, including Primavera project portfolio management software.”

According to a review of email messages from the Cryptom27 accounts shared by my source, the attacker routinely offered to help victims secure their systems from other hackers for a small number of extra Bitcoins. In one case, a victim that had just forked over a 20 Bitcoin ransom seemed all too eager to pay more for tips on how to plug the security holes that got him hacked. In return, the hacker pasted a link to a Web server, and urged the victim to install a critical security patch for the company’s Java applications.

“Read this and install patch before you connect your server to internet again,” the attacker wrote, linking to this advisory that Oracle issued for a security hole that it plugged in November 2015.

In many cases, the extortionist told victims their data would be gone forever if they didn’t pay the ransom in 48 hours or less. In other instances, he threatens to increase the ransom demand with each passing day. Continue reading →


13
Aug 16

Visa Alert and Update on the Oracle Breach

Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle‘s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.

VSA-oracle

The Visa alert is the first substantive document that tries to help explain what malware and which malefactors might have hit Oracle — and by extension many of Oracle’s customers — since KrebsOnSecurity broke news of the breach on Aug. 8. That story cited sources close to the investigation saying hackers had broken into hundreds of servers at Oracle’s retail division, and had completely compromised Oracle’s main online support portal for MICROS customers.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

In short, tens of millions of credit cards are swiped at MICROS terminals monthly, and a breach involving the theft of credentials that might have granted remote access to even just a small percentage of those systems is potentially a big and costly problem for all involved.

So far, however, most MICROS customers are left scratching their heads for answers. A frequently asked questions bulletin (PDF) Oracle also released last Monday held little useful information. Oracle issued the same cryptic response to everyone who asked for particulars about how far the breach extended. “Oracle has detected and addressed malicious code in certain legacy MICROS systems.”

Oracle also urged MICROS customers to change their passwords, and said “we also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

One of two documents Oracle sent to MICROS customers and the sum total of information the company has released so far about the breach.

One of two documents Oracle sent to MICROS customers and the sum total of information the company has released so far about the breach.

Some technology and fraud experts, including Gartner Analyst Avivah Litan, read that statement highlighted in yellow above as an acknowledgement by Oracle that hackers may have abused credentials gained in the MICROS portal breach to plant malicious code on the point-of-sale devices run by an unknown number of MICROS customers.

“This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider,” Litan told me last week. “I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.”

Clearly, Visa is concerned about this possibility as well.

INDICATORS OF COMPROMISE

In my original story about the breach, I wasn’t able to reveal all the data I’d gathered about the apparent source of the attacks and attackers. A key source in that story asked that I temporarily delay publishing certain details of the investigation, specifically those known as indicators of compromise (IOCs). Basically, IOCs are list of suspect Internet addresses, domain names, filenames and other curious digital clues that are thought to connect the victim with its attacker.

I’ve been inundated all week with calls and emails from security experts asking for that very data, but sharing it wasn’t my call. That is, until yesterday (8/12/16), when Visa published a “merchant communication alert” to some customers. In that alert (PDF), Visa published IOCs that may be connected with the intrusion. These IOCs could be extremely useful to MICROS customers because the presence of Internet traffic to and from these online destinations would strongly suggest the organization’s point-of-sale systems may be similarly compromised.

Some of the addresses on this list from Visa are known to be associated with the Carbanak Gang, a group of Eastern European hackers that Russian security firm Kaspersky Lab estimates has stolen more than $1 billion from banks and retailers. Here’s the IOCs list from the alert Visa pushed out Friday:

VISA warned merchants to check their systems for any communications to and from these Internet addresses and domain names associated with a Russian organized cybercrime gang called "Carbanak."

Visa warned merchants to check their systems for any communications to and from these Internet addresses and domain names associated with a Russian organized cybercrime gang called “Carbanak.”

Thankfully, since at least one of the addresses listed above (192.169.82.86) matched what’s on my source’s list, the source agreed to let me publish the entire thing. Here it is. I checked my source’s list and found at least five Internet addresses that were seen in both the Oracle attack and in a Sept. 2015 writeup about Carbanak by ESET Security, a Slovakian antivirus and security company. [NB: If you are unskilled at safely visiting malicious Web sites and/or handling malware, it’s probably best not to visit the addresses in the above-linked list.]

Visa also mentioned a specific POS-malware threat in its alert called “MalumPOS.” According to researchers at Trend Micro, MalumPOS is malware designed to target point-of-sale systems in hotels and related industries. In fact, Trend found that MalumPOS is set up to collect data specifically from point-of-sale systems running on Oracle’s MICROS platform.

It should come as no surprise then that many of Oracle’s biggest customers in the hospitality industry are starting to make noise, accusing Oracle of holding back key information that could help MICROS-based companies stop and clean up breaches involving malware and stolen customer credit card data.

“Oracle’s silence has been deafening,” said Michael Blake, chief executive officer at HTNG, a trade association for hotels and technology. “They are still grappling and trying to answer questions on the extent of the breach. Oracle has been invited to the last three [industry] calls this week and they are still going about trying to reach each customer individually and in the process of doing so they have done nothing but given the lame advice of changing passwords.”

The hospitality industry has been particularly hard hit by point-of-sale compromises over the past two years. Last month, KrebsOnSecurity broke the news of a breach at Kimpton Hotels (Kimpton appears to run MICROS products, but the company declined to answer questions for this story).

Kimpton joins a long list of hotel brands that have acknowledged card breaches over the last year, including Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice), Starwood Hotels and Hyatt. In many of those incidents, thieves had planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. And, no doubt, many of those cash registers were run on MICROS systems.

If Oracle doesn’t exactly know which — if any — of its MICROS customers had malware on their point-of-sale systems as a result of the breach, it may be because the network intruders didn’t have any reason to interact with Oracle’s customers via the MICROS portal after stealing usernames and passwords that would allow them to remotely access customer on-premises systems. In theory, at that point the fraudsters could have bypassed Oracle altogether from then on. Continue reading →


18
May 16

As Scope of 2012 Breach Expands, LinkedIn to Again Reset Passwords for Some Users

A 2012 data breach that was thought to have exposed 6.5 million hashed passwords for LinkedIn users instead likely impacted more than 117 million accounts, the company now says. In response, the business networking giant said today that it would once again force a password reset for individual users thought to be impacted in the expanded breach.

leakedinThe 2012 breach was first exposed when a hacker posted a list of some 6.5 million unique passwords to a popular forum where members volunteer or can be hired to hack complex passwords. Forum members managed to crack some the passwords, and eventually noticed that an inordinate number of the passwords they were able to crack contained some variation of “linkedin” in them.

LinkedIn responded by forcing a password reset on all 6.5 million of the impacted accounts, but it stopped there. But earlier today, reports surfaced about a sales thread on an online cybercrime bazaar in which the seller offered to sell 117 million records stolen in the 2012 breach. In addition, the paid hacked data search engine LeakedSource claims to have a searchable copy of the 117 million record database (this service said it found my LinkedIn email address in the data cache, but it asked me to pay $4.00 for a one-day trial membership in order to view the data; I declined).

Inexplicably, LinkedIn’s response to the most recent breach is to repeat the mistake it made with original breach, by once again forcing a password reset for only a subset of its users.

“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,” wrote Cory Scott, in a post on the company’s blog. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”

LinkedIn spokesman Hani Durzy said the company has obtained a copy of the 117 million record database, and that LinkedIn believes it to be real.

“We believe it is from the 2012 breach,” Durzy said in an email to KrebsOnSecurity. “How many of those 117m are active and current is still being investigated.”

Regarding the decision not to force a password reset across the board back in 2012, Durzy said “We did at the time what we thought was in the best interest of our member base as a whole, trying to balance security for those with passwords that were compromised while not disrupting the LinkedIn experience for those who didn’t appear impacted.”

The 117 million figure makes sense: LinkedIn says it has more than 400 million users, but reports suggest only about 25 percent of those accounts are used monthly. Continue reading →


25
Feb 16

Breached Credit Union Comes Out of its Shell

Notifying people and companies about data breaches often can be a frustrating and thankless job. Despite my best efforts, sometimes a breach victim I’m alerting will come away convinced that I am not an investigative journalist but instead a scammer. This happened most recently this week, when I told a California credit union that its online banking site was compromised and apparently had been for nearly two months.

On Feb. 23, I contacted Coast Central Credit Union, a financial institution based in Eureka, Calif. that serves more than 60,000 customers. I explained who I was, how they’d likely been hacked, how they could verify the hack, and how they could fix the problem. Two days later when I noticed the site was still hacked, I contacted the credit union again, only to find they still didn’t believe me.

News of the compromise came to me via Alex Holden, a fellow lurker in the cybercrime underground and founder of Hold Security [full disclosure: While Holden’s site lists me as an advisor to his company, I receive zero compensation for that role]. Holden told me that crooks had hacked the credit union’s site and retrofitted it with a “Web shell,” a simple backdoor program that allows an attacker to remotely control the Web site and server using nothing more than a Web browser.

A view of the credit union's hacked Web site via the Web shell.

A screen shot of the credit union’s hacked Web site via the Web shell.

The credit union’s switchboard transferred me to a person in Coast Central’s tech department who gave his name only as “Vincent.” I told Vincent that the credit union’s site was very likely compromised, how he could verify it, etc. I also gave him my contact information, and urged him to escalate the issue. After all, I said, the intruders could use the Web shell program to upload malicious software that steals customer passwords directly from the credit union’s Web site. Vincent didn’t seem terribly alarmed about the news, and assured me that someone would be contacting me for more information.

This afternoon I happened to reload the login page for the Web shell on the credit union’s site and noticed it was still available. A call to the main number revealed that Vincent wasn’t in, but that Patrick in IT would take my call. For better or worse, Patrick was deeply skeptical that I was not impersonating the author of this site.

I commended him on his wariness and suggested several different ways he could independently verify my identity. When asked for a contact at the credit union that could speak to the media, Patrick said that person was him but declined to tell me his last name. He also refused to type in a Web address on his own employer’s Web site to verify the Web shell login page.

“I hope you do write about this,” Patrick said doubtfully, after I told him that I’d probably put something up on the site today about the hack. “That would be funny.”

The login page for the Web shell that was removed today from Coast Central Credit Union's Web site.

The login page for the Web shell that was removed today from Coast Central Credit Union’s Web site.

Exasperated, I told Patrick good luck and hung up. Thankfully, I did later hear from Ed Christians, vice president of information systems at Coast Central. Christians apologized for the runaround and said everyone in his department were regular readers of KrebsOnSecurity. “I was hoping I’d never get a call from you, but I guess I can cross that one off my list,” Christians said. “We’re going to get this thing taken down immediately.”

The credit union has since disabled the Web shell and is continuing to investigate the extent and source of the breach. There is some evidence to suggest the site may have been hacked via an outdated version of Akeeba Backup — a Joomla component that allows users to create and manage complete backups of a Joomla-based website. Screen shots of the files listed by the Web shell planted on Coast Central Credit Union indeed indicate the presence of Akeeba Backup on the financial institution’s Web server.

A Web search on one backdoor component that the intruders appear to have dropped on the credit union’s site on Dec. 29, 2015 — a file called “sfx.php” — turns up this blog post in which Swiss systems engineer Claudio Marcel Kuenzler described his investigation of a site that was hacked through the Akeeba Backup function. Continue reading →


4
Jan 16

Fraudsters Automate Russian Dating Scams

Virtually every aspect of cybercrime has been made into a service or plug-and-play product. That includes dating scams — among the oldest and most common of online swindles. Recently, I had a chance to review a package of dating scam emails, instructions, pictures, videos and love letter templates that are sold to scammers in the underground, and was struck by how commoditized this type of fraud has become.

The dating scam package is assembled for and marketed to Russian-speaking hackers, with hundreds of email templates written in English and a variety of European languages. Many of the sample emails read a bit like Mad Libs or choose-your-own-adventure texts, featuring decision templates that include advice for ultimately tricking the mark into wiring money to the scammer.

The romance scam package is designed for fraudsters who prey on lonely men via dating Web sites and small spam campaigns. The vendor of the fraud package advertises a guaranteed response rate of at least 1.2 percent, and states that customers who average 30 scam letters per day can expect to earn roughly $2,000 a week. The proprietor also claims that his method is more than 20% effective within three replies and over 60% effective after eight.

One of hundreds of sample template files in the dating scam package.

One of hundreds of sample template files in the dating scam package.

The dating scam package advises customers to stick to a tried-and-true approach. For instance, scammers are urged to include an email from the mother of the girl in the first 10 emails between the scammer and a target. The scammer often pretends to be a young woman in an isolated or desolate region of Russia who is desperate for a new life, and the email from the girl’s supposed mother is intended to add legitimacy to the scheme.

Then there are dozens of pre-fabricated excuses for not talking on the phone, an activity reserved for the final stretch of the scam when the fraudster typically pretends to be stranded at the airport or somewhere else en route to the target’s home town.

“Working with dozens of possible outcomes, they carefully lay out every possible response, including dealing with broke guys who fell in love online,” said Alex Holden, the security expert who intercepted the romance scam package. “If the mark doesn’t have money, the package contains advice for getting him credit, telling the customer to restate his love and discuss credit options.”

A sample letter with multiple-choice options for creating unique love letter greetings.

A sample letter with multiple-choice options for creating unique love letter greetings.

Interestingly, although Russia is considered by many to be among the most hostile countries toward homosexuals, the makers of this dating scam package also include advice and templates for targeting gay men.

Also included in the dating scam tutorial is a list of email addresses and pseudonyms favored by anti-scammer vigilantes who try to waste the scammers’ time and otherwise prevent them from conning real victims. In addition, the package bundles several photos and videos of attractive Russian women, some of whom are holding up blank signs onto which the scammer can later Photoshop whatever message he wants.

Holden said that an enterprising fraudster with the right programming skills or the funds to hire a coder could easily automate the scam using bots that are programmed to respond to emails from the targets with content-specific replies.

CALL CENTERS TO CLOSE THE DEAL

The romance scam package urges customers to send at least a dozen emails to establish a rapport and relationship before even mentioning the subject of traveling to meet the target. It is in this critical, final part of the scam that the fraudster is encouraged to take advantage of criminal call centers that staff women who can be hired to play the part of the damsel in distress.

The login page for a criminal call center.

The login page for a criminal call center.

“When you get down to the final stage, there has to be a crisis, some compelling reason why the target should you send the money,” said Holden, founder of Hold Security [full disclosure: Yours Truly is an uncompensated adviser to Holden’s company]. “Usually this is something like the girl is stranded at the airport or needs money to get a travel visa. There has to be some kind of distress situation for this person to be duped into wiring money, which can be anywhere between $200 and $2,000 on average.” Continue reading →


16
Mar 15

‘AntiDetect’ Helps Thieves Hide Digital Fingerprints

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique “fingerprint” that is shared with Web sites. That signature is derived from dozens of qualities, including the computer’s operating system type, various plugins installed, the browser’s language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer’s account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

In January, several media outlets wrote about a crimeware tool called FraudFox, which is marketed as a way to help crooks sidestep browser fingerprinting. However, FraudFox is merely the latest competitor to emerge in a fairly established marketplace of tools aimed at helping thieves cash out stolen cards at online merchants.

Another fraudster-friendly tool that’s been around the underground hacker forums even longer is called Antidetect. Currently in version 6.0.0.1, Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

The seller of this product shared the video below of someone using Antidetect along with a stolen credit card to buy three different downloadable software titles from gaming giant Origin.com. That video has been edited for brevity and to remove sensitive information; my version also includes captions to describe what’s going on throughout the video. Continue reading →


6
Aug 14

Q&A on the Reported Theft of 1.2B Email Accounts

My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of these requests in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.

Q: Who the heck is Alex Holden?

A: I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy. He is originally from Ukraine, and speaks/reads Russian and Ukrainian fluently. His research has been central to several of my big scoops over the past year, including the breach at Adobe that exposed tens of millions of customer records.

Q: Is this for real?

A: Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.

Q: Ok, but more than a billion credentials? That seems like a lot.

A: For those unfamiliar with the operations of large-scale organized crime syndicates, yes, it does. Unfortunately, there are more than a few successful cybercrooks who are quite good at what they do, and do it full-time. These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

One micro example of this: Last year, I wrote about a botnet that enslaved thousands of hacked computers which disguised itself as a legitimate add-on for Mozilla Firefox and forced infected PCs to scour Web sites for SQL vulnerabilities. Continue reading →


16
May 14

White-Hat Hacker Schools Security Pro School

If you’re taking an exam to test your skills as an Internet security professional, do you get extra credit for schooling the organization that hosts the test? If that organization is the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam — the answer is “no,” but you might get a nice ‘thank you’ from the head of the organization.

isc2-2

Last month, I heard from Alex Holden, a security consultant who is quite gifted at quickly identifying security holes in Internet-facing things. Holden was visiting the site to pay his annual CISSP membership dues, and was getting ready to fork over the $85 annual fee when he noticed a glaring weakness in the organization’s checkout page: The URL listed all of his registration information in plaintext.

The site hadn’t yet requested his credit card, but Holden found that he could skip the payment process merely by changing the $85 amount in the URL produced by the checkout page to a negative number. Clicking submit after that change was made produced an email congratulating him on his successful renewal. Continue reading →


16
Dec 13

Botnet Enlists Firefox Users to Hack Web Sites

An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

The "Advanced Power" botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

The “Advanced Power” botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.

The fraudulent Firefox add-on.

The fraudulent Firefox add-on.

The malicious code comes from sources referenced in this Malwr writeup and this Virustotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.

Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”

Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.

Continue reading →


20
Nov 13

Cupid Media Hack Exposed 42M Passwords

An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity.

The data stolen from Southport, Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.

The purloined database contains more than 42 million entries in the format shown in the redacted image below. I reached out to Cupid Media on Nov. 8. Six days later, I heard back from Andrew Bolton, the company’s managing director. Bolton said the information appears to be related to a breach that occurred in January 2013.

“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

 A redacted screen shot showing several of the stolen user accounts. Passwords were stored in plain text.

A redacted screen shot showing several of the stolen user accounts. Passwords were stored in plain text.

I couldn’t find any public record — in the media or elsewhere — about this January 2013 breach. When I told Bolton that all of the Cupid Media users I’d reached confirmed their plain text passwords as listed in the purloined directory, he suggested I might have “illegally accessed” some of the company’s member accounts. He also noted that “a large portion of the records located in the affected table related to old, inactive or deleted accounts.”

“The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” Bolton said.

The company’s Web site and Twitter feed state that Cupid Media has more than 30 million customers around the globe. Unfortunately, many companies have a habit of storing data on customers who are no longer active.

Alex Holden, chief information security officer at Hold Security LLC, said Bolton’s statement is reminiscent of the stance that software giant Adobe Systems Inc. took in the wake of its recently-disclosed breach. In that case, a database containing the email and password information on more than 150 million people was stolen and leaked online, but Adobe says it has so far only found it necessary to alert the 38 million active users in the leaked database.

“Adobe said they have 38 million users and they lost information on 150 million,” Holden said. “It comes to down to the definition of users versus individuals who entrusted their data to a service.”

34 million Cupid users registered with a Yahoo, Hotmail or Gmail address. 56 Homeland Security Dept. employees were looking for love here as well.

34 million Cupid users registered with a Yahoo, Hotmail or Gmail address. 56 Homeland Security Dept. employees were looking for love here as well.

The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address. Indeed, Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.

Holden added that this database would be a gold mine for spammers, noting that Cupid’s customers are probably more primed than most to be responsive to the types of products typically advertised in spam (think male enhancement pills, dating services and diet pills).

Continue reading →