Posts Tagged: Hold Security


4
Jan 16

Fraudsters Automate Russian Dating Scams

Virtually every aspect of cybercrime has been made into a service or plug-and-play product. That includes dating scams — among the oldest and most common of online swindles. Recently, I had a chance to review a package of dating scam emails, instructions, pictures, videos and love letter templates that are sold to scammers in the underground, and was struck by how commoditized this type of fraud has become.

The dating scam package is assembled for and marketed to Russian-speaking hackers, with hundreds of email templates written in English and a variety of European languages. Many of the sample emails read a bit like Mad Libs or choose-your-own-adventure texts, featuring decision templates that include advice for ultimately tricking the mark into wiring money to the scammer.

The romance scam package is designed for fraudsters who prey on lonely men via dating Web sites and small spam campaigns. The vendor of the fraud package advertises a guaranteed response rate of at least 1.2 percent, and states that customers who average 30 scam letters per day can expect to earn roughly $2,000 a week. The proprietor also claims that his method is more than 20% effective within three replies and over 60% effective after eight.

One of hundreds of sample template files in the dating scam package.

One of hundreds of sample template files in the dating scam package.

The dating scam package advises customers to stick to a tried-and-true approach. For instance, scammers are urged to include an email from the mother of the girl in the first 10 emails between the scammer and a target. The scammer often pretends to be a young woman in an isolated or desolate region of Russia who is desperate for a new life, and the email from the girl’s supposed mother is intended to add legitimacy to the scheme.

Then there are dozens of pre-fabricated excuses for not talking on the phone, an activity reserved for the final stretch of the scam when the fraudster typically pretends to be stranded at the airport or somewhere else en route to the target’s home town.

“Working with dozens of possible outcomes, they carefully lay out every possible response, including dealing with broke guys who fell in love online,” said Alex Holden, the security expert who intercepted the romance scam package. “If the mark doesn’t have money, the package contains advice for getting him credit, telling the customer to restate his love and discuss credit options.”

A sample letter with multiple-choice options for creating unique love letter greetings.

A sample letter with multiple-choice options for creating unique love letter greetings.

Interestingly, although Russia is considered by many to be among the most hostile countries toward homosexuals, the makers of this dating scam package also include advice and templates for targeting gay men.

Also included in the dating scam tutorial is a list of email addresses and pseudonyms favored by anti-scammer vigilantes who try to waste the scammers’ time and otherwise prevent them from conning real victims. In addition, the package bundles several photos and videos of attractive Russian women, some of whom are holding up blank signs onto which the scammer can later Photoshop whatever message he wants.

Holden said that an enterprising fraudster with the right programming skills or the funds to hire a coder could easily automate the scam using bots that are programmed to respond to emails from the targets with content-specific replies.

CALL CENTERS TO CLOSE THE DEAL

The romance scam package urges customers to send at least a dozen emails to establish a rapport and relationship before even mentioning the subject of traveling to meet the target. It is in this critical, final part of the scam that the fraudster is encouraged to take advantage of criminal call centers that staff women who can be hired to play the part of the damsel in distress.

The login page for a criminal call center.

The login page for a criminal call center.

“When you get down to the final stage, there has to be a crisis, some compelling reason why the target should you send the money,” said Holden, founder of Hold Security [full disclosure: Yours Truly is an uncompensated adviser to Holden’s company]. “Usually this is something like the girl is stranded at the airport or needs money to get a travel visa. There has to be some kind of distress situation for this person to be duped into wiring money, which can be anywhere between $200 and $2,000 on average.” Continue reading →


16
Mar 15

‘AntiDetect’ Helps Thieves Hide Digital Fingerprints

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique “fingerprint” that is shared with Web sites. That signature is derived from dozens of qualities, including the computer’s operating system type, various plugins installed, the browser’s language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer’s account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

In January, several media outlets wrote about a crimeware tool called FraudFox, which is marketed as a way to help crooks sidestep browser fingerprinting. However, FraudFox is merely the latest competitor to emerge in a fairly established marketplace of tools aimed at helping thieves cash out stolen cards at online merchants.

Another fraudster-friendly tool that’s been around the underground hacker forums even longer is called Antidetect. Currently in version 6.0.0.1, Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

The seller of this product shared the video below of someone using Antidetect along with a stolen credit card to buy three different downloadable software titles from gaming giant Origin.com. That video has been edited for brevity and to remove sensitive information; my version also includes captions to describe what’s going on throughout the video. Continue reading →


6
Aug 14

Q&A on the Reported Theft of 1.2B Email Accounts

My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of these requests in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.

Q: Who the heck is Alex Holden?

A: I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy. He is originally from Ukraine, and speaks/reads Russian and Ukrainian fluently. His research has been central to several of my big scoops over the past year, including the breach at Adobe that exposed tens of millions of customer records.

Q: Is this for real?

A: Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.

Q: Ok, but more than a billion credentials? That seems like a lot.

A: For those unfamiliar with the operations of large-scale organized crime syndicates, yes, it does. Unfortunately, there are more than a few successful cybercrooks who are quite good at what they do, and do it full-time. These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

One micro example of this: Last year, I wrote about a botnet that enslaved thousands of hacked computers which disguised itself as a legitimate add-on for Mozilla Firefox and forced infected PCs to scour Web sites for SQL vulnerabilities. Continue reading →


16
May 14

White-Hat Hacker Schools Security Pro School

If you’re taking an exam to test your skills as an Internet security professional, do you get extra credit for schooling the organization that hosts the test? If that organization is the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam — the answer is “no,” but you might get a nice ‘thank you’ from the head of the organization.

isc2-2

Last month, I heard from Alex Holden, a security consultant who is quite gifted at quickly identifying security holes in Internet-facing things. Holden was visiting the site to pay his annual CISSP membership dues, and was getting ready to fork over the $85 annual fee when he noticed a glaring weakness in the organization’s checkout page: The URL listed all of his registration information in plaintext.

The site hadn’t yet requested his credit card, but Holden found that he could skip the payment process merely by changing the $85 amount in the URL produced by the checkout page to a negative number. Clicking submit after that change was made produced an email congratulating him on his successful renewal. Continue reading →


12
Nov 13

Zero-Days Rule November’s Patch Tuesday

Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.

crackedwinThree of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 is a critical file handling flaw present in virtually every supported version of Windows.

The final critical patch — MS13-090 — fixes essentially another IE flaw (ActiveX) that showed up in targeted attacks late last week. Microsoft says attackers used a second, “information disclosure” vulnerability in tandem with the ActiveX flaw, but that the company is still investigating that one. It noted that its Enhanced Mitigation Experience Toolkit (EMET) tool successfully blocked the ActiveX exploit.

Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.

“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.

Today’s patch batch from Redmond did not include an official patch for yet another zero-day vulnerability that has been under active exploitation, although Microsoft did release a stopgap Fix-It tool last week to help blunt the threat. The company also is once again advising Windows users to take another look at EMET.

Check out Microsoft’s Technet blog for more information on these and other updates that the company released today.

brokenflash-aIn a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.

To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot — this page — often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10 , the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.

Continue reading →