Posts Tagged: U.S. Justice Department


16
Sep 20

Two Russians Charged in $17M Cryptocurrency Phishing Spree

U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.


The Justice Department unsealed indictments against Russian nationals Danil Potekhin and Dmitirii Karasavidi, alleging the duo was responsible for a sophisticated phishing and money laundering campaign that resulted in the theft of $16.8 million in cryptocurrencies and fiat money from victims.

Separately, the U.S. Treasury Department announced economic sanctions against Potekhin and Karasavidi, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

According to the indictments, the two men set up fake websites that spoofed login pages for the currency exchanges Binance, Gemini and Poloniex. Armed with stolen login credentials, the men allegedly stole more than $10 million from 142 Binance victims, $5.24 million from 158 Poloniex users, and $1.17 million from 42 Gemini customers.

Prosecutors say the men then laundered the stolen funds through an array of intermediary cryptocurrency accounts — including compromised and fictitiously created accounts — on the targeted cryptocurrency exchange platforms. In addition, the two are alleged to have artificially inflated the value of their ill-gotten gains by engaging in cryptocurrency price manipulation using some of the stolen funds.

For example, investigators alleged Potekhin and Karasavidi used compromised Poloniex accounts to place orders to purchase large volumes of “GAS,” the digital currency token used to pay the cost of executing transactions on the NEO blockchain — China’s first open source blockchain platform.

“Using digital crurency in one victim Poloniex account, they placed an order to purchase approximately 8,000 GAS, thereby immediately increasing the market price of GAS from approximately $18 to $2,400,” the indictment explains.

Potekhin and others then converted the artificially inflated GAS in their own fictitious Poloniex accounts into other cryptocurrencies, including Ethereum (ETH) and Bitcoin (BTC). From the complaint:

“Before the Eight Fictitious Poloniex Accounts were frozen, POTEKHIN and others transferred approximately 759 ETH to nine digital currency addresses. Through a sophisticated and layered manner, the ETH from these nine digital currency addresses was sent through multiple intermediary accounts, before ultimately being deposited into a Bitfinex account controlled by Karasavidi.”

The Treasury’s action today lists several of the cryptocurrency accounts thought to have been used by the defendants. Searching on some of those accounts at various cryptocurrency transaction tracking sites points to a number of phishing victims.

“I would like to blow your bitch ass away, if you even had the balls to show yourself,” exclaimed one victim, posting in a comment on the Etherscan lookup service. Continue reading →


31
Jul 20

Three Charged in July 15 Twitter Compromise

Three individuals have been charged for their alleged roles in the July 15 hack on Twitter, an incident that resulted in Twitter profiles for some of the world’s most recognizable celebrities, executives and public figures sending out tweets advertising a bitcoin scam.

Amazon CEO Jeff Bezos’s Twitter account on the afternoon of July 15.

Nima “Rolex” Fazeli, a 22-year-old from Orlando, Fla., was charged in a criminal complaint in Northern California with aiding and abetting intentional access to a protected computer.

Mason “Chaewon” Sheppard, a 19-year-old from Bognor Regis, U.K., also was charged in California with conspiracy to commit wire fraud, money laundering and unauthorized access to a computer.

A U.S. Justice Department statement on the matter does not name the third defendant charged in the case, saying juvenile proceedings in federal court are sealed to protect the identity of the youth. But an NBC News affiliate in Tampa reported today that authorities had arrested 17-year-old Graham Clark as the alleged mastermind of the hack.

17-year-old Graham Clark of Tampa, Fla. was among those charged in the July 15 Twitter hack. Image: Hillsborough County Sheriff’s Office.

Wfla.com said Clark was hit with 30 felony charges, including organized fraud, communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information and one count of access to a computer or electronic device without authority. Clark’s arrest report is available here (PDF). A statement from prosecutors in Florida says Clark will be charged as an adult.

On Thursday, Twitter released more details about how the hack went down, saying the intruders “targeted a small number of employees through a phone spear phishing attack,” that “relies on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”

By targeting specific Twitter employees, the perpetrators were able to gain access to internal Twitter tools. From there, Twitter said, the attackers targeted 130 Twitter accounts, tweeting from 45 of them, accessing the direct messages of 36 accounts, and downloading the Twitter data of seven.

Among the accounts compromised were democratic presidential candidate Joe BidenAmazon CEO Jeff BezosPresident Barack ObamaTesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.

The hacked Twitter accounts were made to send tweets suggesting they were giving away bitcoin, and that anyone who sent bitcoin to a specified account would be sent back double the amount they gave. All told, the bitcoin accounts associated with the scam received more than 400 transfers totaling more than $100,000.

Sheppard’s alleged alias Chaewon was mentioned twice in stories here since the July 15 incident. On July 16, KrebsOnSecurity wrote that just before the Twitter hack took place, a member of the social media account hacking forum OGUsers named Chaewon advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

The OGUsers forum user “Chaewon” taking requests to modify the email address tied to any twitter account.

On July 17, The New York Times ran a story that featured interviews with several people involved in the attack. The young men told The Times they weren’t responsible for the Twitter bitcoin scam and had only brokered the purchase of accounts from the Twitter hacker — who they referred to only as “Kirk.”

One of those interviewed by The Times used the alias “Ever So Anxious,” and said he was a 19-year from the U.K. In my follow-up story on July 22, it emerged that Ever So Anxious was in fact Chaewon.

The person who shared that information was the principal subject of my July 16 post, which followed clues from tweets sent by one of the accounts claimed during the Twitter compromise back to a 21-year-old from the U.K. who uses the nickname PlugWalkJoe.

That individual shared a series of screenshots showing he had been in communications with Chaewon/Ever So Anxious just prior to the Twitter hack, and had asked him to secure several desirable Twitter usernames from the Twitter hacker. He added that Chaewon/Ever So Anxious also was known as “Mason.”

The negotiations over highly-prized Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams. PlugWalkJoe is pictured here chatting with Ever So Anxious/Chaewon/Mason using his Discord username “Beyond Insane.”

On July 22, KrebsOnSecurity interviewed Mason/Chaewon/Ever So Anxious, who confirmed that PlugWalkJoe had indeed asked him to ask Kirk to change the profile picture and display name for a specific Twitter account on July 15. Mason/Chaewon/Ever So Anxious acknowledged that while he did act as a “middleman” between Kirk and others seeking to claim desirable Twitter usernames, he had nothing to do with the hijacking of the VIP Twitter accounts for the bitcoin scam that same day.

“Encountering Kirk was the worst mistake I’ve ever made due to the fact it has put me in issues I had nothing to do with,” he said. “If I knew Kirk was going to do what he did, or if even from the start if I knew he was a hacker posing as a rep I would not have wanted to be a middleman.”

Another individual who told The Times he worked with Ever So Anxious/Chaewon/Mason in communicating with Kirk said he went by the nickname “lol.” On July 22, KrebsOnSecurity identified lol as a young man who went to high school in Danville, Calif.

Federal investigators did not mention lol by his nickname or his real name, but the charging document against Sheppard says that on July 21 federal agents executed a search warrant at a residence in Northern California to question a juvenile who assisted Kirk and Chaewon in selling access to Twitter accounts. According to that document, the juvenile and Chaewon had discussed turning themselves in to authorities after the Twitter hack became publicly known.


25
Jun 20

New Charges, Sentencing in Satori IoT Botnet Conspiracy

The U.S. Justice Department today charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced today to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy.

Indictments unsealed by a federal court in Alaska today allege 20-year-old Aaron Sterritt from Larne, Northern Ireland, and 21-year-old Logan Shwydiuk of Saskatoon, Canada conspired to build, operate and improve their IoT crime machines over several years.

Prosecutors say Sterritt, using the hacker aliases “Vamp” and “Viktor,” was the brains behind the computer code that powered several potent and increasingly complex IoT botnet strains that became known by exotic names such as “Masuta,” “Satori,” “Okiru” and “Fbot.”

Shwydiuk, a.k.a. “Drake,” “Dingle, and “Chickenmelon,” is alleged to have taken the lead in managing sales and customer support for people who leased access to the IoT botnets to conduct their own DDoS attacks.

A third member of the botnet conspiracy — 22-year-old Kenneth Currin Schuchman of Vancouver, Wash. — pleaded guilty in Sept. 2019 to aiding and abetting computer intrusions in September 2019. Schuchman, whose role was to acquire software exploits that could be used to infect new IoT devices, was sentenced today by a judge in Alaska to 18 months of community confinement and drug treatment, followed by three years of supervised release.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

The government says the defendants built and maintained their IoT botnets by constantly scanning the Web for insecure devices. That scanning primarily targeted devices that were placed online with weak, factory default settings and/or passwords. But the group also seized upon a series of newly-discovered security vulnerabilities in these IoT systems — commandeering devices that hadn’t yet been updated with the latest software patches.

Some of the IoT botnets enslaved hundreds of thousands of hacked devices. For example, by November 2017, Masuta had infected an estimated 700,000 systems, allegedly allowing the defendants to launch crippling DDoS attacks capable of hurling 100 gigabits of junk data per second at targets — enough firepower to take down many large websites.

In 2015, then 15-year-old Sterritt was involved in the high-profile hack against U.K. telecommunications provider TalkTalk. Sterritt later pleaded guilty to his part in the intrusion, and at his sentencing in 2018 was ordered to complete 50 hours of community service.

The indictments against Sterritt and Shwydiuk (PDF) do not mention specific DDoS attacks thought to have been carried out with the IoT botnets. In an interview today with KrebsOnSecurity, prosecutors in Alaska declined to discuss any of their alleged offenses beyond building, maintaining and selling the above-mentioned IoT botnets.

But multiple sources tell KrebsOnSecuirty Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

In 2018, authorities with the U.K.’s National Crime Agency (NCA) interviewed a suspect in connection with the Dyn attack, but ultimately filed no charges against the youth because all of his digital devices had been encrypted.

“The principal suspect of this investigation is a UK national resident in Northern Ireland,” reads a June 2018 NCA brief on their investigation into the Dyn attack (PDF), dubbed Operation Midmonth. “In 2018 the subject returned for interview, however there was insufficient evidence against him to provide a realistic prospect of conviction.”

The login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian Kreb’s [sic] 4head.” To be precise, it’s a 5head.

Continue reading →


14
Feb 20

A Light at the End of Liberty Reserve’s Demise?

In May 2013, the U.S. Justice Department seized Liberty Reserve, alleging the virtual currency service acted as a $6 billion financial hub for the cybercrime world. Prompted by assurances that the government would one day afford Liberty Reserve users a chance to reclaim any funds seized as part of the takedown, KrebsOnSecurity filed a claim shortly thereafter to see if and when this process might take place. This week, an investigator with the U.S. Internal Revenue service finally got in touch to discuss my claim.

Federal officials charged that Liberty Reserve facilitated a “broad range of criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.” The government says from 2006 until the service’s takedown, Liberty Reserve processed an estimated 55 million financial transactions worth more than $6 billion, with more than 600,000 accounts associated with users in the United States alone.

While it’s clear that the digital currency system for years was the go-to money-moving vehicle for many engaged in dodgy online activities, it also was favored by users primarily because it offered a relatively anonymous way to send irrevocable transfers globally with low fees.

The two stories I wrote about the closure of Liberty Reserve in 2013 remain among the most-read on this site, and have generated an enormous volume of emails from readers who saw many thousands of dollars held in legal limbo — much of it related to investments in online gaming platforms, payments to and from adult entertainment services, and various investment schemes.

The IRS official who contacted me was not authorized to be quoted in the media (and indeed did not initially realize he was speaking to a member of the press when he called). But he told me the government had recently obtained legal access to some of the funds held in overseas bank accounts that were used by Liberty Reserve, and that IRS investigators were now starting to contact people and vet any claims made in the wake of the takedown.

“We’re just getting to the point where we have received funds,” the investigator said. “We’ve started to contact people who originally contacted us, to vet their claims, make sure they weren’t involved in any illegal activity, and that the claim amounts match the records that we have.” Continue reading →


10
Feb 20

U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

The nine-count indictment names Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) as members of the PLA’s 54th Research Institute, a component of the Chinese military. They are each charged with three counts of conspiracy to commit computer fraud, economic espionage and wire fraud.

The government says the men disguised their hacking activity by routing attack traffic through 34 servers located in nearly 20 countries, using encrypted communications channels within Equifax’s network to blend in with normal network activity, and deleting log files daily to remove evidence of their meanderings through the company’s systems.

U.S. Attorney General Bill Barr said at a press conference today that the Justice Department doesn’t normally charge members of another country’s military with crimes (this is only the second time the agency has indicted Chinese military hackers). But in a carefully worded statement that seemed designed to deflect any criticism of past offensive cyber actions by the U.S. military against foreign targets, Barr said the DOJ did so in this case because the accused “indiscriminately” targeted American civilians on a massive scale.

“The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information,” Barr said. “But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens.”

FBI Deputy Director David Bowdich sought to address the criticism about the wisdom of indicting Chinese military officers for attacking U.S. commercial and government interests. Some security experts have charged that such indictments could both lessen the charges’ impact and leave American officials open to parallel criminal allegations from Chinese authorities.

“Some might wonder what good it does when these hackers are seemingly beyond our reach,” Bowdich said. “We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up, and when they do we’ll be there. We in law enforcement will not let hackers off the hook just because they’re halfway around the world.”

The attorney general said the attack on Equifax was just the latest in a long string of cyber espionage attacks that sought trade secrets and sensitive data from a broad range of industries, and including managed service providers and their clients worldwide, as well as U.S. companies in the nuclear power, metals and solar products industries.

“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret thefts cases in recent years involved some connection with China,” he said.

The indictments come on the heels of a conference held by US government officials this week that detailed the breadth of hacking attacks involving the theft of intellectual property by Chinese entities.

“The FBI has about a thousand investigations involving China’s attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector,” FBI Director Christopher Wray reportedly told attendees at the gathering in Washington, D.C., dubbed the “China Initiative Conference.”

At a time when increasingly combative trade relations with China combined with public fears over the ongoing Coronavirus flu outbreak are stirring Sinophobia in some pockets of the U.S. and other countries, Bowdich was quick to clarify that the DOJ’s beef was with the Chinese government, not its citizenry.

“Our concern is not with the Chinese people or with the Chinese American,” he said. “It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn’t mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage. What it does mean is when China violates our criminal laws and international norms, we will hold them accountable for it.”

A copy of the indictment is available here.

ANALYSIS

DOJ officials praised Equifax for their “close collaboration” in sharing data that helped investigators piece together this whodunnit. Attorney General Barr noted that the accused not only stole personal and in some cases financial data on Americans, they also stole Equifax’s trade secrets, which he said were “embodied by the compiled data and complex database designs used to store personal information.”

While the DOJ’s announcement today portrays Equifax in a somewhat sympathetic light, it’s important to remember that Equifax repeatedly has proven itself an extremely poor steward of the highly sensitive information that it holds on most Americans.

Equifax’s actions immediately before and after its breach disclosure on Sept 7, 2017 revealed a company so inept at managing its public response that one couldn’t help but wonder how it might have handled its internal affairs and security. Indeed, Equifax and its leadership careened from one feckless blunder to the next in a series of debacles that KrebsOnSecurity described at the time as a complete “dumpster fire” of a breach response. Continue reading →


20
Jan 20

DDoS Mitigation Firm Founder Admits to DDoS

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded to paying a DDoS-for-hire service to launch attacks against others.

Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.

Preston’s guilty plea agreement (PDF) doesn’t specify who he admitted attacking, and refers to the target only as “Victim 1.” Preston declined to comment for this story.

But that 2016 story came on the heels of an exclusive about the hacking of vDOS — at the time the world’s most popular and powerful DDoS-for-hire service.

KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.

Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF).

The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company’s owners they would need to look elsewhere for DDoS protection.

Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it’s interesting to note that the name of the FSF’s founder — Richard Stallmanwas used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks.

Ultimately, it was the Mirai co-author’s use of this nickname that contributed to him getting caught, arrested, and prosecuted for releasing Mirai and its source code (as well as for facilitating a record-setting DDoS against this Web site in 2016).

According to a statement from the U.S. Justice Department, the count to which he pleaded guilty is punishable by a maximum of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense. He is slated to be sentenced on May 7.


16
Dec 19

Inside ‘Evil Corp,’ a $100M Cybercrime Menace

The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.

Image: FBI

The $5 million reward is being offered for 32 year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex“) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.

From 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply of unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer funds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These accomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by email and to people who have submitted their resumes to job search Web sites.

Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. People who bite on these offers sometimes receive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised payday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more on that in a moment).

HITCHED TO A MULE

KrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said they’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule recruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked businesses.

The source also discovered a pattern in the naming convention and appearance of several money mule recruitment Web sites being operated by Aqua. People who responded to recruitment messages were invited to create an account at one of these sites, enter personal and bank account data (mules were told they would be processing payments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new messages.

Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

One of several sites set up by Aqua and others to recruit and manage money mules.

When it came time to transfer stolen funds, the recruiters would send a message through the mule site saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

Messages to and from a money mule working for Aqua’s crew, circa May 2011.

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).

Collectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies. Continue reading →


24
Jan 18

Expert: IoT Botnets the Work of a ‘Vast Minority’

In December 2017, the U.S. Department of Justice announced indictments and guilty pleas by three men in the United States responsible for creating and using Mirai, a malware strain that enslaves poorly-secured “Internet of Things” or IoT devices like security cameras and digital video recorders for use in large-scale cyberattacks.

The FBI and the DOJ had help in their investigation from many security experts, but this post focuses on one expert whose research into the Dark Web and its various malefactors was especially useful in that case. Allison Nixon is director of security research at Flashpoint, a cyber intelligence firm based in New York City. Nixon spoke with KrebsOnSecurity at length about her perspectives on IoT security and the vital role of law enforcement in this fight.

Brian Krebs (BK): Where are we today with respect to IoT security? Are we better off than were a year ago, or is the problem only worse?

Allison Nixon (AN): In some aspects we’re better off. The arrests that happened over the last year in the DDoS space, I would call that a good start, but we’re not out of the woods yet and we’re nowhere near the end of anything.

BK: Why not?

AN: Ultimately, what’s going with these IoT botnets is crime. People are talking about these cybersecurity problems — problems with the devices, etc. — but at the end of the day it’s crime and private citizens don’t have the power to make these bad actors stop.

BK: Certainly security professionals like yourself and others can be diligent about tracking the worst actors and the crime machines they’re using, and in reporting those systems when it’s advantageous to do so?

AN: That’s a fair argument. I can send abuse complaints to servers being used maliciously. And people can write articles that name individuals. However, it’s still a limited kind of impact. I’ve seen people get named in public and instead of stopping, what they do is improve their opsec [operational security measures] and keep doing the same thing but just sneakier. In the private sector, we can frustrate things, but we can’t actually stop them in the permanent, sanctioned way that law enforcement can. We don’t really have that kind of control.

BK: How are we not better off?

AN: I would say that as time progresses, the community that practices DDoS and malicious hacking and these pointless destructive attacks get more technically proficient when they’re executing attacks, and they just become a more difficult adversary.

BK: A more difficult adversary?

AN: Well, if you look at the individuals that were the subject of the announcement this month, and you look in their past, you can see they’ve been active in the hacking community a long time. Litespeed [the nickname used by Josiah White, one of the men who pleaded guilty to authoring Mirai] has been credited with lots of code.  He’s had years to develop and as far as I could tell he didn’t stop doing criminal activity until he got picked up by law enforcement.

BK: It seems to me that the Mirai authors probably would not have been caught had they never released the source code for their malware. They said they were doing so because multiple law enforcement agencies and security researchers were hot on their trail and they didn’t want to be the only ones holding the source code when the cops showed up at their door. But if that was really their goal in releasing it, doing so seems to have had the exact opposite effect. What’s your take on that?

AN: You are absolutely, 100 million percent correct. If they just shut everything down and left, they’d be fine now. The fact that they dumped the source was a tipping point of sorts. The damages they caused at that time were massive, but when they dumped the source code the amount of damage their actions contributed to ballooned [due to the proliferation of copycat Mirai botnets]. The charges against them specified their actions in infecting the machines they controlled, but when it comes to what interested researchers in the private sector, the moment they dumped the source code — that’s the most harmful act they did out of the entire thing.

BK: Do you believe their claimed reason for releasing the code?

AN: I believe it. They claimed they released it because they wanted to hamper investigative efforts to find them. The problem is that not only is it incorrect, it also doesn’t take into account the researchers on the other end of the spectrum who have to pick from many targets to spend their time looking at. Releasing the source code changed that dramatically. It was like catnip to researchers, and was just a new thing for researchers to look at and play with and wonder who wrote it.

If they really wanted to stay off law enforcement’s radar, they would be as low profile as they could and not be interesting. But they did everything wrong: They dumped the source code and attacked a security researcher using tools that are interesting to security researchers. That’s like attacking a dog with a steak. I’m going to wave this big juicy steak at a dog and that will teach him. They made every single mistake in the book.

BK: What do you think it is about these guys that leads them to this kind of behavior? Is it just a kind of inertia that inexorably leads them down a slippery slope if they don’t have some kind of intervention?

AN: These people go down a life path that does not lead them to a legitimate livelihood. They keep doing this and get better at it and they start to do these things that really can threaten the Internet as a whole. In the case of these DDoS botnets, it’s worrying that these individuals are allowed to go this deep before law enforcement catches them. Continue reading →


17
Jan 18

Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore to the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important. Continue reading →


8
Jul 14

Feds Charge Carding Kingpin in Retail Hacks

The U.S. Justice Department on Monday announced the arrest of a Russian hacker accused of running a network of online crime shops that sold credit and debit card data stolen in breaches at restaurants and retailers throughout the United States.

The government alleges that the hacker known in the underground as “nCux” and “Bulba” was Roman Seleznev, a 30-year-old Russian citizen who was recently arrested by the U.S. Secret Service.

Seleznev was initially identified by the government in 2012, when it named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where Bulba and other members openly marketed various cybercrime-oriented services.

According to Seleznev’s own indictment, which was filed in 2011 but made public this week, he was allegedly part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices.

The indictment further alleges that Seleznev and unnamed accomplices used his online monikers to sell stolen credit and debit cards at bulba[dot]cc and track2[dot]name. Customers of these services paid for their cards with virtual currencies, including WebMoney and Bitcoin. As explained in the screen shot below, the track2[dot]name site stopped accepting new members in 2011, and new applicants were directed to bulba[dot]cc, which claimed to be an authorized reseller.

Bulba[dot]cc, as it looked in May 2011.

Bulba[dot]cc, as it looked in May 2011.

Recently, however, track2[dot]name began accepting new members who agreed to pay up-front deposits. The deposits ranged from one bitcoin (about $624 USD) for a basic account, to 20 bitcoins (roughly $12,484 USD) for a “corporate” account that is eligible for generous volume discounts and lengthy replacement times for purchased cards that turn out later to be canceled by issuing banks. Continue reading →