Posts Tagged: George Mason University


17
Aug 15

Stress-Testing the Booter Services, Financially

The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they’ve enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers.

Image:

Image:

By offering a low-cost, shared distributed denial-of-service (DDoS) attack infrastructure, these so-called “booter” and “stresser” services have attracted thousands of malicious customers and are responsible for hundreds of thousands of attacks per year. Indeed, KrebsOnSecurity has repeatedly been targeted in fairly high-volume attacks from booter services — most notably a service run by the Lizard Squad band of miscreants who took responsibility for sidelining the Microsoft xBox and Sony Playstation on Christmas Day 2014.

For more than two months in the summer 2014, researchers with George Mason University, UC Berkeley’s International Computer Science Institute, and the University of Maryland began following the money, posing as buyers of nearly two dozen booter services in a bid to discover the PayPal accounts that booter services were using to accept payments. In response to their investigations, PayPal began seizing booter service PayPal accounts and balances, effectively launching their own preemptive denial-of-service attacks against the payment infrastructure for these services.

PayPal will initially limit reported merchant accounts that are found to violate its terms of service (turns out, accepting payments for abusive services is a no-no). Once an account is limited, the merchant cannot withdraw or spend any of the funds in their account. This results in the loss of funds in these accounts at the time of freezing, and potentially additional losses due to opportunity costs the proprietors incur while establishing a new account. In addition, PayPal performed their own investigation to identify additional booter domains and limited accounts linked to these domains as well.

The efforts of the research team apparently brought some big-time disruption for nearly two-dozen of the top booter services. The researchers said that within a day or two following their interventions, they saw the percentage of active booters quickly dropping from 70 to 80 percent to around 50 percent, and continuing to decrease to a low of around 10 percent that were still active.

ppintervention

While some of the booter services went out of business shortly thereafter, more than a half-dozen shifted to accepting payments via Bitcoin (although the researchers found that this dramatically cut down on the services’ overall number of active customers). Once the target intervention began, they found the average lifespan of an account dropped to around 3.5 days, with many booters’ PayPal accounts only averaging around two days before they were no longer used again.

The researchers also corroborated the outages by monitoring hacker forums where the services were marketed, chronicling complaints from angry customers and booter service operators who were inconvenienced by the disruption (see screen shot galley below).

A booter service proprietor advertising his wares on the forum Hackforums complains about Paypal repeatedly limiting his account.

A booter service proprietor advertising his wares on the forum Hackforums complains about Paypal repeatedly limiting his account.

Another booter seller on Hackforums whinges about PayPal limiting the account he uses to accept attack payments from customers.

Another booter seller on Hackforums whinges about PayPal limiting the account he uses to accept attack payments from customers.

"It's a shame PayPal had to shut us down several times causing us to take money out of our own pocket to purchase servers, hosting and more," says this now-defunct booter service to its former customers.

“It’s a shame PayPal had to shut us down several times causing us to take money out of our own pocket to purchase servers, hosting and more,” says this now-defunct booter service to its former customers.

Deadlyboot went dead after the PayPal interventions. So sad.

Deadlyboot went dead after the PayPal interventions. So sad.

Daily attacks from Infected Stresser dropped off precipitously following the researchers' work.

Daily attacks from Infected Stresser dropped off precipitously following the researchers’ work.

As I’ve noted in past stories on booter service proprietors I’ve tracked down here in the United States, many of these service owners and operators are kids operating within easy reach of U.S. law enforcement. Based on the aggregated geo-location information provided by PayPal, the researchers found that over 44% of the customer and merchant PayPal accounts associated with booters are potentially owned by someone in the United States. Continue reading →


22
Sep 14

Who’s Behind the Bogus $49.95 Charges?

Hardly a week goes by when I don’t hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards.

Bogus $49.95 charges for herbal weight loss products like these are showing up on countless consumer credit statements.

Bogus $49.95 charges for herbal weight loss products like these are showing up on countless consumer credit statements.

Most of these charges are associated with companies marketing products of dubious value and quality, typically by knitting a complex web of front companies, customer support centers and card processing networks. Whether we’re talking about a $49.95 payment for a bottle of overpriced vitamins, $12.96 for some no-name software title, or $9.84 for a dodgy Internet marketing program, the unauthorized charge usually is for a good or service that is intended to be marketed by an online affiliate program.

Affiliate programs are marketing machines built to sell a huge variety of products or services that are often of questionable quality and unknown provenance. Very often, affiliate programs are promoted using spam, and the stuff pimped by them includes generic prescription drugs, vitamins and “nutriceuticals,” and knockoff designer purses, watches, handbags, shoes and sports jerseys.

At the core of the affiliate program is a partnership of convenience: The affiliate managers handle the boring backoffice stuff, including the customer service, product procurement (suppliers) and order fulfillment (shipping). The sole job of the “affiliates” — the commission-based freelance marketers who sign up to promote whatever is being sold by the affiliate program — is to drive traffic and sales to the program.

THE NEW FACE OF SPAM

It is no surprise, then, that online affiliate programs like these often are overrun with scammers, spammers and others easily snagged by the lure of get-rich-quick schemes. In June, I began hearing from dozens of readers about unauthorized charges on their credit card statements for $49.95. The charges all showed up alongside various toll-free 888- numbers or names of customer support Web sites, such as supportacr[dot]com and acrsupport[dot]com. Readers who called these numbers or took advantage of the chat interfaces at these support sites were all told they’d ordered some kind of fat-burning pill or vitamin from some random site, such as greenteahealthdiet[dot]com or naturalfatburngarcinia[dot]com.

Those sites were among tens of thousands that are being promoted via spam, according to Gary Warner, chief technologist at Malcovery, an email security firm. The Web site names themselves are not included in the spam; rather, the spammers include a clickable URL for a hacked Web site that, when visited, redirects the user to the pill shop’s page. This redirection is done to avoid having the pill shop pages indexed by anti-spam filters and other types of blacklists used by security firms, Warner said. Continue reading →


31
Mar 14

Who’s Behind the ‘BLS Weblearn’ Credit Card Scam?

A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574).

I began hearing from readers about this early this month, in part because of my previous sleuthing on an eerily similar scheme that also leveraged payment systems in Malta to put through unauthorized junk charges ($9.84) for “online learning” software systems. Unfortunately, while the names of the companies and payment systems have changed, this latest scam appears to be remarkably similar in every way.

Reading up on this latest scam, it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network used by the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta.

And, just like with the $9.84 scam, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue.com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine).

The very first time I encountered Plimus was in Sept. 2011, when I profiled an individual responsible for selling access to tens of thousands of desktop computers that were hacked and seeded with the TDSS botnet. That miscreant — a fellow who used the nickname “Fizot” — had been using Plimus to accept credit card payments for awmproxy.net, an anonymization service that was sold primarily to individuals engaged in computer fraud.

Apparently, the Internet has been unkind to Plimus’s online reputation, because not long ago the company changed its name to BlueSnap. This blog has a few ideas about what motivated the name change, noting that it might have been prompted in part by a class action lawsuit (PDF) against Plimus which alleges that the company’s marketing campaigns include the “mass production of fabricated consumer reviews, testimonials and fake blogs that are all intended to deceive consumers seeking a legitimate product and induce them to pay. Yet, after consumers pay for access to any of these digital goods websites, they quickly realize that the promotional materials and representations were blatantly false.”

Continue reading →


26
Nov 13

An Anti-Fraud Service for Fraudsters

Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.

One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some business employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.

The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

This fraudster-friendly antifraud service does the following analysis:

  • Queries the geo-IP location from four distinct sources;
  • Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
  • Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy).
  • Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest)

The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).

As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.

Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.

Continue reading →


11
Sep 13

‘Yahoo Boys’ Have 419 Facebook Friends

Earlier this week, I wrote about an online data theft service that got hacked. That compromise exposed a user base of mostly young Nigerian men apparently engaged in an array of cybercrime activities — from online dating scams to 419 schemes. It turned out that many of these guys signed up for the data theft service using the same email address they used to register their Facebook accounts. Today’s post looks at the social networks between and among these individuals.

Of the nearly 3,000 BestRecovery users, about 280 of them had Facebook accounts tied to their BestRecovery email addresses. George Mason University associate professor Damon McCoy and several of his grad students volunteered to scrape those profiles that were open and map their social networks to see if there were any obvious or discernible patterns in the data.

The raw data itself — which ranked the BestRecovery users on number of connections they had to other users — was potentially useful, but difficult to parse into meaningful chunks. Oddly enough, as I was poring over that data I heard from Chris Ahlberg, the CEO of Recorded Future Inc., a Cambridge, Mass. software company that specializes in Web intelligence and predictive analytics. Ahlberg was writing to say that he enjoyed the blog — particularly the posts with data-intensive analyses — and that he’d be delighted to collaborate on a data-rich research project at some point. I told him his timing couldn’t have been more serendipitous.

Ahlberg and his team took the raw scraped data sets from the Facebook accounts and ran it through their cyber intelligence applications. In short order, they produced some very compelling and beautiful graphs, shown below.

Staffan Truvé, Recorded Future’s chief technology officer noted that — with few exceptions — the BestRecovery users largely appear to belong to one of two very separate social networks.

RecordedFuture's rendering of the Facebook profiles shows fairly two tight-knit social networks.

RecordedFuture’s rendering of the Facebook profiles shows fairly two tight-knit social networks.

“There appears to be two fairly separate, quite tightly knit networks, each with a few central leaders, and also with just a few individuals being the bridge between the two networks — and that those middlemen are themselves not connected,” said Staffan Truvé, Recorded Future’s chief technology officer.

I noted in my previous story that a majority of the BestRecovery keylog service users who had Facebook pages that reported a location listed either somewhere in Nigeria (usually Lagos), or Kuala Lumpur, Malaysia. Not surprisingly, those two geographic groups are generally represented by these two globs of Facebook users (with several exceptions of users who are from Nigeria but living in Kuala Lumpur and vice versa).

Here’s a closer look at the most influential/connected members at the center of Cluster 1 (upper in the diagram above)

cluster1

Continue reading →


9
Sep 13

Spy Service Exposes Nigerian ‘Yahoo Boys’

A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.

The login page for the BestRecovery online keylog service.

The login page for the BestRecovery online keylog service.

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right).

But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

Initially, I assumed my source had unearthed the data via an SQL injection attack or some other  database weakness. As it happens, the entire list of users is recoverable from the site using little more than a Web browser.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails (dittoswiss@yahoo.com, for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

The seriously ghetto options page for BestRecovery web-based keylogger service.

The seriously ghetto options page for BestRecovery web-based keylogger service.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances. “While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

Oddly enough, a large percentage of the keylog data stored at BestRecovery indicates that many of those keylog victims are in fact Nigerian 419 scammers themselves. One explanation is that this is the result of scammer-on-scammer attacks. According to a study of 419ers published in the Dec. 2011 edition of Cyberpsychology, Behavior, and Social Networking (available from the Library of Congress here or via this site for a fee), much of the 419 activity takes place in cybercafes, where “bulk tickets are sold for sending spam emails and some systems are dedicated to fraudsters for hacking and spamming.”

The keylog records available for the entries marked "Yahoo Boys" show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

The keylog records available for the entries marked “Yahoo Boys” show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

Perhaps some enterprising Nigerian spammers simply infected a bunch of these cybercafe machines to save themselves some work. It is also possible that vigilante groups which target 419 scammers — such as Artists Against 419 and 419eater.com — were involved, although it’s difficult to believe those guys would bother with such a rudimentary service.

BestRecovery gives customers instructions on how to use a provided tool to create a custom Windows-based keylogger and then disguise it as a legitimate screensaver application. New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the “note” field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used). Interestingly, many of the victim PCs have a curious notation: “Yahoo Boys”.

Keylog data apparently collected from a Yahoo Boy.

Keylog data [partially redacted] that was apparently collected from a Yahoo Boy.

BLACK HAT OR BLACK MAGIC?

As noted in the above-mentioned academic paper (“Understanding Cybercrime Perpetrators and the Strategies They Employ in Nigeria”), the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime.  According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

Continue reading →


14
Aug 13

Buying Battles in the War on Twitter Spam

The success of social networking community Twitter has given rise to an entire shadow economy that peddles dummy Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers.

Image: Twitterbot.info

Image: Twitterbot.info

Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University, the International Computer Science Institute and the University of California, Berkeley, Twitter traditionally has done so only after these fraudulent accounts have been used to spam and attack legitimate Twitter users.

Seeking more reliable methods of detecting auto-created accounts before they can be used for abuse, the researchers approached Twitter last year for the company’s blessing to purchase credentials from a variety of Twitter account merchants. Permission granted, the researchers spent more than $5,000 over ten months buying accounts from at least 27 different underground sellers.

In a report to be presented at the USENIX security conference in Washington, D.C. today, the research team details its experience in purchasing more than 121,000 fraudulent Twitter accounts of varying age and quality, at prices ranging from $10 to $200 per one thousand accounts.

The research team quickly discovered that nearly all fraudulent Twitter account merchants employ a range of countermeasures to evade the technical hurdles that Twitter erects to stymie the automated creation of new accounts.

“Our findings show that merchants thoroughly understand Twitter’s existing defenses against automated registration, and as a result can generate thousands of accounts with little disruption in availability or instability in pricing,” the paper reads. “We determine that merchants can provide thousands of accounts within 24 hours at a price of $0.02 – $0.10 per account.”

SPENDING MONEY TO MAKE MONEY

For example, to fulfill orders for fraudulent Twitter accounts, merchants typically pay third-party services to help solve those squiggly-letter CAPTCHA challenges. I’ve written here and here about these virtual sweatshops, which rely on low-paid workers in China, India and Eastern Europe who earn pennies per hour deciphering the puzzles.

topemailThe Twitter account sellers also must verify new accounts with unique email addresses, and they tend to rely on services that sell cheap, auto-created inboxes at HotmailYahoo and Mail.ru, the researchers found. “The failure of email confirmation as a barrier directly stems from pervasive account abuse tied to web mail providers,” the team wrote. “60 percent of the accounts were created with Hotmail, followed by yahoo.com and mail.ru.”

Bulk-created accounts at these Webmail providers are among the cheapest of the free email providers, probably because they lack additional account creation verification mechanisms required by competitors like Google, which relies on phone verification. Compare the prices at this bulk email merchant: 1,000 Yahoo accounts can be had for $10 (1 cent per account), and the same number Hotmail accounts go for $12. In contrast, it costs $200 to buy 1,000 Gmail accounts.

topcountriesFinally, the researchers discovered that Twitter account merchants very often spread their new account registrations across thousands of Internet addresses to avoid Twitter’s IP address blacklisting and throttling. They concluded that some of the larger account sellers have access to large botnets of hacked PCs that can be used as proxies during the registration process.

“Our analysis leads us to believe that account merchants either own or rent access to thousands of compromised hosts to evade IP defenses,” the researchers wrote.

Damon McCoy, an assistant professor of computer science at GMU and one of the authors of the study, said the top sources of the proxy IP addresses were computers in developing countries like India, Ukraine, Thailand, Mexico and Vietnam.  “These are countries where the price to buy installs [installations of malware that turns PCs into bots] is relatively low,” McCoy said.

Continue reading →


30
Jul 13

Mail from the (Velvet) Cybercrime Underground

Over the past six months, “fans” of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares.

“Flycracker,” the administrator of thecc.bz crime forum, hatches plan to send drugs to my home.

“Flycracker,” the administrator of thecc.bz crime forum, hatches plan to send drugs to my home.

But the most recent attempt to embarrass and fluster this author easily takes the cake as the most elaborate: Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police. Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery.

This would-be smear campaign was the brainchild of a fraudster known variously online as “Fly,” “Flycracker,” and MUXACC1 (muxa is transliterated Russian for “муха” which means “fly”). Fly is the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

On July 14, Flycracker posted a new  forum discussion thread titled, “Krebs Fund,” in which he laid out his plan: He’d created a bitcoin wallet for the exclusive purpose of accepting donations from other members. The goal: purchase heroin in my name and address from a seller on the Silk Road, an online black market that is only reachable via the Tor network.  In the screenshot pictured above, Flycracker says to fellow members:

“Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the “Helping Brian Fund”, and shortly we will create a bitcoin wallet called “Drugs for Krebs” which we will use to buy him the purest heroin on the Silk Road.  My friends, his withdrawal is very bad, let’s join forces to help the guy! We will save Brian from the acute heroin withdrawal and the world will get slightly better!”

Together, forum members raised more than 2 bitcoins – currently equivalent to about USD $200. At first, Fly tried to purchase a gram of heroin from a Silk Road vendor named 10toes, an anonymous seller who had excellent and plentiful feedback from previous buyers as a purveyor of reliably good heroin appropriate for snorting or burning and inhaling (see screnshot below).

Flycracker discussing the purchase of a gram of heroin from Silk Road seller "10toes."

Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”

For some reason, that transaction with 10toes fell through, and Flycracker turned to another Silk Road vendor — Maestro — from whom he purchased a dozen baggies of heroin of “HIGH and consistent quality,” to be delivered to my home in Northern Virginia earlier today. The purchase was made using a new Silk Road account named “briankrebs7,” and cost 1.6532 bitcoins (~USD $165).

Flycracker ultimately bought 10 small bags of smack from Silk Road seller "Maestro."

Flycracker ultimately bought 10 small bags of smack from Silk Road seller “Maestro.” The seller threw in two extra bags for free (turns out he actually threw in three extra bags).

In the screen shot below, Fly details the rest of his plan:

“12 sacks of heroin [the seller gives 2 free sacks for a 10-sacks order] are on the road, can anyone make a call [to the police] from neighbors, with a record? Seller said the package will be delivered after 3 days, on Tuesday. If anyone calls then please say that drugs are hidden well.”

h3

Last week, I alerted the FBI about this scheme, and contacted a Fairfax County Police officer who came out and took an official report about it. The cop who took the report just shook his head incredulously, and kept saying he was trying to unplug himself from various accounts online with the ultimate goal of being “off the Internet and Google” by the time he retired. Before he left, the officer said he would make a notation on my report so that any officer dispatched to respond to complaints about drugs being delivered via mail to my home would prompted to review my report.

FOLLOWING THE MONEY

I never doubted Flycracker”s resolve for a minute, but I still wanted to verify his claims about having made the purchase. On that front I received assistance from Sara Meiklejohn, a graduate student at the University of California, San Diego who’s been analyzing the role of bitcoin and anonymity on the Silk Road. Meiklejohn confirmed that the bitcoin wallet linked to in Fly’s forum thread was indeed used to deposit two bitcoins into a purse controlled by anonymous individuals who help manage commerce on the Silk Road.

Meiklejohn and fellow researcher Damon McCoy, an assistant professor of computer science at George Mason University, have been mapping out a network of bitcoin wallets that are used exclusively by the curators of the Silk Road. If you wish to transact with merchants on the Silk Road, you need to fund your account with bitcoins. The act of adding credits appears to be handled by a small number of bitcoin purses.

“All Silk Road purchases are handled internally by Silk Road, which means money trades hands from the Silk Road account of the buyer to the Silk Road account of the seller,”  explained Meiklejohn, author of the paper, A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, to be released in October 2013 at the ACM Internet Measurement Conference in Barcelona, Spain.

Continue reading →


28
May 13

U.S. Government Seizes LibertyReserve.com

Indictment, arrest of virtual currency founder targets alleged “financial hub of the cybercrime world.”

U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the U.S. government alleges acted as “a financial hub of the cyber-crime world” and processed more more than $6 billion in criminal proceeds over the past seven years.

After being unreachable for four days, Libertyreserve.com's homepage now includes this seizure notice.

After being unreachable for four days, Libertyreserve.com now includes this seizure notice.

The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company’s founder Arthur Budovsky, 39-year-old Ukrainian native who moved to Costa Rica to start the business.

According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as “a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.”

The U.S. government alleges that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. “Overall, from 2006 to May 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and is believed to have laundered more than $6  billion in criminal proceeds,” the government’s indictment reads. Liberty Reserve “deliberately attracted and maintained a customer base of criminals by making financial activity on Liberty Reserve anonymous and untraceable.”

Despite the government’s claims, certainly not everyone using Liberty Reserve was involved in shady or criminal activity. As noted by the BBC, many users — principally those outside the United States — simply viewed the currency as cheaper, more secure and private alternative to PayPal. The company charged a one percent fee for each transaction, plus a 75 cent “privacy fee” according to court documents.

“It had allowed users to open accounts and transfer money, only requiring them to provide a name, date of birth and an email address,”  BBC wrote. “Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then “converted” into one of the firm’s own currencies – mirroring either the Euro or US dollar – at which point it could be transferred to another account holder who could then extract the funds.”

But according to the Justice Department, one of the ways that Liberty Reserve enabled the use of its services for criminal activity was by offering a shopping cart interface that merchant Web sites could use to accept Liberty Reserve as a form of payment (I’ve written numerous stories about many such services).

“The ‘merchants’ who accepted LR currency were overwhelmingly criminal in nature,” the government’s indictment alleges. “They included, for example, traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi and get-rich-quick schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing websites.”

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

It remains unclear how much money is still tied up in Liberty Reserve, and whether existing customers will be afforded access to their funds. At a press conference today on the indictments, representatives from the Justice Department said the Liberty Reserve accounts are frozen. In a press release, the agency didn’t exactly address this question, saying: “If you believe you were a victim of a crime and were defrauded of funds through the use of Liberty Reserve, and you wish to provide information to law enforcement and/or receive notice of future developments in the case or additional information, please contact (888) 238- 0696 or (212) 637-1583.”

Continue reading →


18
Oct 12

Rogue Pharma, Fake AV Vendors Feel Credit Card Crunch

New research suggests that companies behind some of America’s best known consumer brands may be far more effective at fighting cybercrime than any efforts to enact more stringent computer security and anti-piracy laws.

Recent legislative proposals in the United States — such as the Stop Online Piracy Act —  have sought to combat online trafficking in copyrighted intellectual property and counterfeit goods by granting Internet service providers and authorities broader powers to prosecute offenders, and by imposing stronger criminal penalties for such activity. But recent data collected by academic researchers suggests that brand holders already have the tools to quash much of this activity.

Over the past two years, a team of academic researchers made hundreds of “test buys” at Web sites from 40 different shady businesses peddling knockoff prescription drugs, counterfeit software and fake antivirus products. The researchers, from George Mason University, the International Computer Science Institute, and the University of California, San Diego, posed as buyers for these products, which tend to be promoted primarily via hacked Web sites, junk email and computer viruses.

Test buys showed relationships between 40 affiliate programs and 25 banks, although a majority of the transactions filtered through a handful of banks in Azerbaijan, China, Georgia, Latvia, and Mauritius.

The test buys were intended to reveal relationships between the shadowy merchants and the banks that process credit and debit card transactions for these businesses. Following the money trail showed that a majority of the purchases were processed by just 12 banks in a handful of countries, including Azerbaijan, China, Georgia, Latvia, and Mauritius.

The researchers said they submitted the test buy results to a database run by the International AntiCounterfeiting Coalition, (IACC), a Washington, D.C.-based non-profit organization devoted to combating product counterfeiting and piracy. Several pharmacy and software vendors and IACC members whose trademarks were infringed in those transactions (the researchers said non-disclosure agreements prohibit them from naming the brands) used the data to lodge complaints with Visa (only Visa-branded debit cards were used to make the test buys).

Contracts between the banks and Visa and MasterCard stipulate that merchants are prohibiting from selling goods and services that are illegal in the country into which those goods or services are being sold. The credit card associations have a standard process for accepting complaints about such transactions, in which they warn the online merchant’s bank (including a notice of potential fines for noncompliance). After a complaint about such activity, the merchant’s bank conducts its investigation, and may choose to contest the issue if they believe it is in error. But if the bank decides not to challenge the complaint, then they will need to take action to prevent future such transactions, or else face an escalating series of fines from the card associations.

The researchers noticed that in case after case, merchant accounts that were used in fraudulent activity for some extended period of time before they filed a complaint with the IACC generally stopped being used within one month after a complaint was lodged. Neither Visa nor the IACC responded to requests for comment on this story.

Stefan Savage, a professor at UCSD’s Department of Computer Science and Engineering, said the data suggests that the private sector can have a major impact on cybercrime merely by going after the funding for these operations.

It doesn’t require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities.  If you can purchase a product, then there’s a record of it and that record points back to the merchant account getting the money,” Savage said. “Visa and MasterCard frown on sales of illegal purchases made on their networks and will act appropriately on complaints from brandholders based on undercover purchases.”

Savage said it doesn’t take concerted action by all of the affected brands to have a major impact on the rogue businesses that incentivize this type of commerce. On the contrary, he said one software brandholder pursued the merchant banks tied to all of the group’s test buys for its products with such a ferocity and swiftness that it virtually shut down the market for pirated brand name software [a.k.a “OEM”] overnight.

“This vendor went after everything. They did it so quickly — and not only for their own products — that it all but shut down the entire OEM ecosystem,” Savage said. “A couple of [OEM affiliate programs] survived by getting rid of that company’s brand, but in the beginning, when people had no clue what’s going on, it shut down the entire business for everyone.”

FINES ‘RAINING DOWN ON MERCHANTS’

The researchers note that in mid-2011, Visa made a series of changes to their operating regulations that seem designed to specifically target on-line pharmacies and sellers of counterfeit goods. First, sales of goods categorized as pharmaceutical-related were explicitly classified as “high risk” (along with gambling and various kinds of direct marketing services), and acquirers issuing new contracts for high-risk e-commerce merchants required significantly more due diligence (including $100M in equity capital and good standing in risk management programs). Also, the new documents explicitly call out examples of illegal transactions including “Unlawful sale of prescription drugs,” and “Sale of counterfeit or trademark-infringing products or services,” among others. Finally, these changes include more aggressive fine schedules for noncompliance.

Some of the best evidence of the success of the test buys+complaints strategy comes directly from the folks operating the affiliate programs that reward spammers and miscreants for promoting fake antivirus, pirated software and dodgy pill sites. In June 2012, a leader of one popular pharmacy affiliate program posted a lengthy message to gofuckbiz.com, a Russian language forum that caters to a variety of such affiliate programs. In that discussion thread, which is now some 234 pages long, the affiliate program manager explains to a number of mystified forum members why the pharmacy programs have had so much trouble maintaining reliable credit card processing. Continue reading →