Wednesday, 31 December 2008

Boffins bust web authentication with game consoles

Source: The Register

Researchers using a modest cluster of PS3 game consoles running Linux have demonstrated the ability to generate domain names which hash to arbitrary MD5 digests. This allows them to get the MD5 hash signed by a legitimate digital certificate supplier, then use it as though it were a credential for the domain name with which it shares an MD5 digest.
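The defender-side response to this finding was to stop trusting MD5-signed certificates outright. The following is an added example, not code from the article or the researchers: a minimal DER reader that pulls the signature algorithm OID out of a certificate and flags MD5- or MD2-based signatures, so such certificates can be rejected regardless of what the digest collides with. The certificates it runs on are constructed, truncated stand-ins that carry only the fields up to the signature AlgorithmIdentifier; the helper names are my own.

```python
# Added example, not from the article: reject certificates whose signature
# algorithm is MD5-based. A minimal DER reader walks Certificate ->
# tbsCertificate -> signature and decodes the OID; no third-party library.

MD5_RSA = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption
MD2_RSA = "1.2.840.113549.1.1.2"       # md2WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
WEAK_SIGNATURE_OIDS = {MD5_RSA, MD2_RSA}

def tlv(tag, body):
    """DER tag-length-value; short-form length suffices for the stubs built here."""
    if len(body) >= 0x80:
        raise ValueError("short-form lengths only in this helper")
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])       # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                         # base-128, low group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))        # continuation bit set
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                 # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the value bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                             # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(cert_der):
    """Dotted OID of tbsCertificate.signature from a DER-encoded certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                  # optional EXPLICIT [0] version
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    tag, alg, _ = read_tlv(tbs, pos)                 # signature AlgorithmIdentifier
    oid_tag, oid_raw, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier with OID expected")
    return decode_oid(oid_raw)

def uses_weak_signature(cert_der):
    """True when the certificate is signed with an MD5- or MD2-based algorithm."""
    return signature_oid(cert_der) in WEAK_SIGNATURE_OIDS

def make_stub_cert(sig_oid):
    """Constructed, truncated certificate: just enough structure for signature_oid()."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))          # v3
    serial = tlv(0x02, b"\x01\x23\x45")
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))  # NULL parameters
    tbs = tlv(0x30, version + serial + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 4))
```

On a real certificate, feed the DER bytes to `uses_weak_signature()`; the reader handles long-form lengths, so full-size certificates parse as well as the stubs.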

Friday, 19 December 2008

Hundreds of Stolen Data Dumps Found

Source: Security Fix

Researchers using honeynets have gained access to a significant number of data drop sites used by various keyloggers and other data-gathering trojans. The resultant data is estimated at being worth several hundred to several thousand dollars per day when sold on the black market.

Friday, 12 December 2008

Retail Fraud Rates Plummeted the Night McColo Went Offline

Source: Security Fix

Spam wasn't the only Internet nuisance which ebbed somewhat with the disconnection of McColo: according to Ori Eisen, founder of 41st Parameter (a fraud detection and prevention service), "close to a quarter of a million dollars worth of fraudulent charges that his customers battle every day came to a halt" at the same time.

Tuesday, 9 December 2008

Malware now including DHCP server functionality

Source: Security Fix

The latest version of the DNSChanger malware (which alters local DNS resolver settings to point at a hostile DNS server) also includes DHCP server functionality. This potentially allows it to pass on the bad DNS settings to any host on the local network which is requesting configuration via DHCP. This could be particularly effective at public WiFi spots unless appropriate countermeasures are taken.

Sunday, 7 December 2008

Online payment site hijacked by notorious crime gang

Source: The Register

The Register breaks the news that the domain, an online bill payment service, was hijacked and redirected to a phishing site on Tuesday, 2nd December. Brian Krebs at Security Fix has a deeper analysis which suggests that the phishers had the correct credentials to authorise the DNS change at Network Solutions, the registrar through which the domain name is published.

Tuesday, 25 November 2008

New Symantec Report Reveals Booming Underground Economy

Source: Symantec

Symantec has released a report on the underground online economy. The report is derived from data gathered by Symantec’s Security Technology and Response (STAR) organization, from underground economy servers between July 1, 2007 and June 30, 2008. The potential value of total advertised goods observed by Symantec was more than $276 million for the reporting period.

Friday, 21 November 2008

Web Fraud 2.0: Faking Your Internet Address

Source: Security Fix

Security Fix provides a brief look at "Fraudcrew": an Internet proxy service which caters to the phishing community, recently taken offline with the disconnection of McColo (their hosting provider). One of the features offered by Fraudcrew is geographically located IP addresses. This aids in circumventing geographic checks that banks may put on Internet banking to detect abnormal use.

Wednesday, 12 November 2008

Spamalytics: An Empirical Analysis of Spam Marketing Conversion

Source: International Computer Science Institute

Researchers at the University of California, San Diego, and the International Computer Science Institute, Berkeley, have produced a very useful and highly empirical paper [1.9MB PDF] which provides an interesting inside view into the operation of the Storm botnet. The research involved actively hijacking a portion of the botnet and gathering data on its behaviour and the behaviour of spam recipients. This paper is receiving quite a lot of attention, including BBC news coverage.

Saturday, 1 November 2008

RSA on the Sinowal Trojan

Source: Speaking of Security (RSA Blog)

The RSA FraudAction Research Lab shares its findings on the Sinowal Trojan, also known as Torpig and Mebroot. Dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. The criminals behind Sinowal have not only created highly-advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures, which has now been operating for nearly three years.

Wednesday, 29 October 2008

Yahoo and Microsoft take aim at lottery scams

"Yahoo and Microsoft are teaming up in an effort to stop lottery e-mail scams. ... The campaign will establish a new service which allows victims of the scams to share police reports. ... The hope is that the database will better enable both the companies and law enforcements to link the lottery scam cases and track down the criminals behind the fraud operations. INTERPOL will also contribute to the project by spreading awareness of the site and encouraging law enforcement groups to utilize the database in investigations."

Tuesday, 28 October 2008

Parcel mules scam exposed

Source: The Register

The Register has a small report on a primarily West African scam where people are being recruited as reshippers ("parcel mules") for goods purchased with stolen credit cards. The victims in this case are all women who have been recruited by online boyfriends who claim to be working for an African orphanage.

EU pushes for central IT crime reporting platform

"The EU Council of Justice and Home Affairs is calling for a single communications network to be created to improve the circulation of information on online crime. ... [T]he European Police Office (Europol) is the best body to host and run this type of centralised platform and help combat international cybercrime more effectively."

Saturday, 18 October 2008

Alleged Hackers Charged With Highway Robbery, Literally

Source: Threat Level from

Here's an interesting twist on identity theft. US-based Russian cybercriminals were able to modify the contact details of trucking companies on a US Department of Transportation website, and thereby conduct fraud by impersonating the trucking companies. The pair of crooks would accept transportation jobs while posing as a reputable trucking company, then outsource the job to a smaller company. The crooks would be paid by the customer, and the smaller trucking company would ultimately bill the real trucking company (who then deny all knowledge of the job, of course).

Tuesday, 14 October 2008

Cybercrime Supersite 'DarkMarket' Was FBI Sting

Source: Threat Level from

According to documents from the German national police, an FBI agent gained an administrator position on the cybercrime marketplace website "" in a long-running sting operation. The FBI used DarkMarket to build "intelligence briefs" on its members, complete with their internet IP addresses and details of their activities on the site.

Sunday, 12 October 2008

Fraud Ring Funnels Data From Cards to Pakistan

A sophisticated organised crime gang has been bugging credit card terminals at a number of large British retailers, forwarding the card and PIN data to Pakistan. The bugs are very subtle, and there is no external evidence of tampering. They maintain a low profile, stealing only small numbers of credit cards rather than indiscriminately copying everything.

Thursday, 18 September 2008

Notorious Crime Forum DarkMarket Goes Dark

Source: Threat Level from

There is much ironic gnashing of teeth in the cybercrime black market with the closure of, a popular marketplace for cybercrime-related services and data. The voluntary closure of the site follows the arrest of one of the site's administrators, among other events. Forum participants lamented the destructive influence of law enforcement agencies on their lives and families. Oh, the irony.

Wednesday, 10 September 2008

Recovering (someone else's) Email Password

Source: Frequency X Blog

This article provides an interesting insight into email account hacking as a (black market) service.

Saturday, 6 September 2008

Crimeware giants form botnet tag team

Source: The Register

"The Rock Phish gang - one of the net's most notorious phishing outfits - has teamed up with another criminal heavyweight called Asprox in overhauling its network with state-of-the-art technology, according to researchers from RSA."

Monday, 1 September 2008

The Bank Account That Sprang a Leak

Source: The New York Times

Although there's no evidence (yet) that the fraud reported in this NYTimes article is Internet-related, it serves as a reminder that the financial targets which are increasingly the subject of cybercrime are only as strong as the weakest link protecting them. Certain systems, such as the clearing house system in use for US checks, were designed in a relatively low threat environment, and are becoming increasingly problematic as they are exposed to an ever wider audience of participants and increasing volumes of transactions.

Sunday, 31 August 2008

Inside India’s CAPTCHA solving economy

Source: ZDNet "Zero Day" Blog

"The bottom line - is text based CAPTCHA dead? It’s definitely in pain thanks to evil marketers recruiting low-waged Indian data processing workers, who according to some of the statistics obtained, earn over ten times more while solving CAPTCHAs, than through their legitimate data processing jobs."

Friday, 29 August 2008

Atrivo: Cyber Crime USA

Source: Russian Business Network Blog

"In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers."

The Atrivo White Paper is available from

Saturday, 23 August 2008

Anatomy of a malware scam

Source: The Register

Security researchers have been documenting fake antivirus programs for quite some time, but this article is one of the more detailed ones you will find on "XP Antivirus". The only regrettable omission from this article is any documentation as to the structure of the organised crime behind it, which is admittedly difficult to determine with any degree of assurance.

Thursday, 14 August 2008

Chip-and-PIN fraud operation busted in Birmingham

Source: APACS

"The Dedicated Cheque and Plastic Crime Unit (DCPCU)... has raided a sophisticated counterfeit card factory in Birmingham. ... Equipment needed to steal card details and make counterfeit cards on a massive scale - including stolen chip and PIN terminals, card account numbers, a card reader/writer, computer software and fake magnetic stripe cards - was found in the premises. Early indications are that these criminals have been tampering with retailers’ chip and PIN terminals in order to steal card transaction data and PINs from these machines. With these details, criminals are able to create fake magnetic stripe cards that can be used fraudulently in countries that have yet to roll out chip and PIN."

See also commentary at The Register

Sunday, 10 August 2008

RBN and Georgia CyberWarfare

Source: Russian Business Network Blog

The RBNexploit blog is reporting that armed conflict between Russia and Georgia is having parallels in cyberspace. Simultaneously with exchange of fire on the ground, the country's routing and nameserver infrastructure is coming under attack from networks known to harbour the Russian Business Network.

Tuesday, 5 August 2008

Feds accuse bank insider of massive data heist

Source: The Register

According to documents filed in federal court in Los Angeles, Rene Rebollo (age 36) copied data from 20,000 customer profiles (including names and SSNs) onto removable flash drives just about every week for about two years. He would then sell the information for about $500 per 20,000 profiles to various buyers. Prosecutors allege that he netted as much as $70,000 through the scheme.

Dutch botnet herders arrested

Source: The Register

"Dutch police have arrested two Dutch brothers suspected of running a botnet controlling 40,000 to 100,000 computers..."

The report says they come from "the Frisian town of Sneek". Does that make them Sneekers?

Thursday, 17 July 2008

Romanian cops cuff 24 cybercrime suspects

Source: The Register

"Romanian police have arrested 24 people, all thought to belong to a single cybercrime gang. The group is suspected of involvement in various identity theft, credit card and auction fraud scams said to have raked in an estimated €400,000 ($634,000) from foreign victims, according to Romanian news reports. Targets of the scams reportedly included eBay, and"

Soloway case reveals big business behind spam

Source: Network World

This summary of testimony from the Soloway sentencing hearing provides some information on the scope of black market business behind spam. For example, testimony from Adam Sweaney, a botnet broker (just a middle man, intermediating between various botherders and spammers) reveals, "a typical week might involve selling three or four botnets to any of his six regular customers".

Wednesday, 16 July 2008

Cybercrime Organizational Structures and Modus Operandi

Source: Finjan

"In its Q2 2008 Web Security Trends Report, Finjan outlines the latest developments in the cybercrime commercialization economy."

"The report includes real documented discussions conducted by Finjan’s researchers with resellers of stolen data and their “bosses”, confirming Finjan’s analysis of the current state of the cybercrime economy."

Thursday, 3 April 2008

Tibetan unrest extends to cyberspace

Source: F-Secure Weblog

In conjunction with the unrest in Tibet, a spam campaign has been underway in which pro-Tibet messages are accompanied by PDFs with malicious payloads that attempt to install keylogger software. F-Secure concludes, "somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups to spy on their actions."

Hannaford supermarket compromised; 4.2m credit cards exposed

Source: Sophos

The Hannaford Bros supermarket chain (USA) has announced that its computer systems were compromised between December 2007 and early March 2008, resulting in details of up to 4.2 million credit and debit cards being leaked to a malicious third party. "According to media reports, the Secret Service is investigating and approximately 1800 fraud cases have already been reported as a result of the incident."

Saturday, 15 March 2008

Three dollars a day to solve CAPTCHAs

Source: The Register

There have been suggestions of late that miscreants have found an automated way to solve GMail's CAPTCHA protection during the sign-up process. Brad Taylor, a Google software engineer, claims that it is more likely to be done manually as a paid service. Certain Russian-language documents have been found containing instructions on CAPTCHA-solving, and stating that workers are paid upwards of three dollars per day.

Friday, 14 March 2008

Another mass website compromise

Source: McAfee Avert Labs Blog

McAfee breaks the news of another mass website compromise being used to disseminate malware (similar to this earlier incident), which includes many reputable sites. "More than ten thousand" sites have been maliciously altered to include a Javascript file which triggers a cascade of attempts to install a mixed bag of malware. Frequency X suggests that the compromise vector was a combination of IIS+ASP+SQL.

Tuesday, 11 March 2008

active under new domain

Source: Sunbelt BLOG

is a malware gang which sells zombies (compromised hosts). Last year, PC World published an article which claimed that the going rate for compromising a typical Windows-based host was twenty cents. was taken offline in late January this year after suffering a DDoS attack launched by a rival gang which utilised Barracuda anti-spam appliances. The gang is now back under a new domain name, and is currently disseminating malware through 3D screensaver Trojan horses.

Saturday, 1 March 2008

Botnets and their spam output

Source: Marshal TRACE Blog

Marshal has released spam statistics for February 2008, showing a breakdown by source botnet. Of note is the fact that botnet size and spam quantity output are not closely related. Although the Storm botnet is renowned for being quite large, it was responsible for only 2% of spam for the month. Contrast this with the Srizbi botnet, which was responsible for nearly 40%.

On the worth of EV SSL

Source: The Register

The Register has a brief but useful analysis of Extended Verification SSL and its efficacy as an anti-phishing mechanism. Problems with the technology include user ignorance (in relation to the convention of turning the address bar green when a site is verified by EV SSL), and the vulnerability of such verified sites to compromise of various sorts (which EV SSL cannot prevent, and which is made more serious by the presence of the trust seal).

Friday, 29 February 2008

Online casino phishing on the rise

Source: The Register

Symantec is reporting an increase in phishing activity related to online casinos. Cashing out of a casino is relatively easy, not requiring the use of mules, since the stolen money can be gambled through an arbitrary array of intermediate accounts on the casino.

Pandex Trojan uproots rival rootkits

Source: Channel Register

Various strains of malware have, from time to time, removed other strains of malware from hosts that they infect. The "Pandex Trojan" takes this to new heights by removing rival rootkits and installing its own.

Device flaws make Chip and PIN vulnerable

Researchers at the University of Cambridge have found vulnerabilities in two widely deployed PIN entry devices for chip and PIN cards which could enable the production of counterfeit cards. The attack involves tapping data from key vulnerable points in the devices, but the physical modifications necessary to compromise a device are neither sophisticated nor conspicuous. The researchers say the vulnerability is introduced by manufacturing design errors.

Monday, 25 February 2008

FDIC Technology Incident Report shows phishing growth

Source: The Washington Post

US banks are required to file Suspicious Activity Reports (SAR) with the Federal Deposit Insurance Corporation (FDIC) for fraudulent activity of or exceeding $5,000 per incident.

"While the number of reported computer intrusion-related SARs (536) paled in comparison to the leading SARs categories - mortgage loan fraud (12,554) and check fraud (17,558) - the FDIC said financial crime aided by computer intrusions is growing at a rapid pace. Further, it noted that the mean (average) loss per SAR from computer intrusions was roughly $29,630 -- almost triple the estimated loss per SAR during the same time period in 2006 ($10,536)."

Friday, 22 February 2008

Seventeen alleged botherders arrested in Canada

Source: various, including and The Register

Sixteen males and one female ranging from seventeen to twenty-six years old have been arrested in Canada on various charges relating to cybercrime and the operation of a botnet. The gang, which has been under investigation since 2006, allegedly operates a botnet on the order of a million hosts, and has netted tens of millions of dollars in cybercrime activities.

Thursday, 14 February 2008

Botnet evolution

Source: The Register

The Register has a summary of new trends in botnet technology as reported by various researchers. One particularly stealthy botnet dubbed "MayDay" allegedly uses the HTTP proxy settings of the host as one communications channel, and coded ICMP messages as another. A different botnet called "Mega-D" employs spamming techniques designed to thwart greylisting, which the researchers say is the first time such a capability has been observed in the wild.

Tuesday, 12 February 2008

Money Mule pleads guilty in Brisbane, Australia

Source: Sydney Morning Herald

Neena Maree McNair-Swirski, 27, of Brisbane, has pleaded guilty to charges relating to her activity as a money mule. According to the prosecutor, she and her former de facto husband (already tried and sentenced to fifteen months jail last year) actively sought the employment, and received almost $100,000 in fraudulent transactions between them. McNair-Swirski received a two-year jail term.

SoBe pleads guilty

Source: The Register

A black-hat known by the handle "SoBe" has pleaded guilty to criminal charges in relation to a botnet used to infect computers with affiliate-fee-paying adware. SoBe worked in concert with Jeanson James Ancheta, who was, in May 2006, sentenced to 57 months in federal prison on related charges. SoBe was a minor at the time the crimes were committed; "his plea agreement contemplates a sentence of one year to 18 months in prison."

Thursday, 24 January 2008

CIA claims utilities are extortion targets

Source: SANS NewsBites

The CIA claims that power generation facilities (outside the United States) have been the target of disruption and associated extortion demands via the Internet.

"We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

Wednesday, 23 January 2008

"Vishing" on the rise

The FBI is warning of an increase in the number of "vishing" attacks in which victims are directed to a phony telephone contact point rather than a phony website. Victims are sent SMS or email asking them to call the target bank to reactivate a credit or debit card.

Friday, 18 January 2008

Sophisticated Credit Card Fraud Syndicate

Source: DSLReports forum (via Sunbelt Blog)

A cybercrime researcher has written an extensive report on a sophisticated credit card fraud syndicate. The scam is complex, involving the creation of bogus online shop-fronts, the hiring of mules in the USA to set up companies and merchant accounts, and some means of obtaining credit card details so as to create large numbers of small fraudulent transactions. The researcher has been investigating this fraud and its increasing sophistication for some years, and it is still very much a going concern.

Wednesday, 16 January 2008

Sophisticated phishing malware: "Silentbanker"

Researchers have discovered a new strain of malware called "Silentbanker", specifically designed to compromise online banking facilities and able to extract user data from over four hundred banks worldwide. The software is also capable of altering transactions in progress between the bank and the compromised end user computer.

Saturday, 12 January 2008

Mysterious mass website compromise spreads malware

Source: The Register

A sophisticated mass-compromise of websites ("hundreds") is posing both a serious threat and an inscrutable puzzle at this time. Unlike other mass compromises, there is no recognisable common technology through which the sites may have been breached, and the associated hostile Javascript is stored on the site itself rather than at a third party site. The incident includes a sophisticated technique to make searching for compromised sites difficult. The associated malware installs a backdoor on vulnerable systems, and is quite stealthy about it.

Chip-and-PIN card vulnerability demonstrated

Source: ZDNet Australia

Security researchers from Cambridge University have demonstrated a "chess grandmaster attack" against chip-and-PIN cards. The cards can't be duplicated using any known technique, and are thus considered highly secure, but the payment system is still vulnerable to attack from a hostile or compromised card-reader terminal. Such an attack would take serious planning and execution on the part of criminals, putting it in the domain of serious organised crime rather than opportunistic theft.

Malware spread through mass SQL injection attack

Source: The Register

A massive number of websites ("tens of thousands") have fallen victim to an SQL injection attack. The affected websites were modified with links to a domain (uc8010 dot com) which contained a cocktail of browser and media player exploits (all known and patchable) and associated key-logging malware.

Barclays chairman becomes ID fraud victim

An ID fraudster persuaded a call-centre worker at Barclays Bank that he was Marcus Agius, the chairman of Barclays Bank, and acquired a "replacement" Barclaycard in his name. Using this card, the fraudster withdrew ten thousand pounds from a high street branch of the bank. The bank says that the breach happened because procedures were not followed fully, and has taken measures to prevent a repeat incident.

Thursday, 10 January 2008

Five years of botnets

Source: The Register

The Register has a short article on the SoBig malware, first distributed as a Trojan email attachment five years ago. Compromised computers became part of a botnet -- a novelty at the time, but now a staple of cybercrime.

Tuesday, 8 January 2008

Jeremy Clarkson provides object lesson in ID fraud

Source: BBC News

TV presenter Jeremy Clarkson (from "Top Gear") has discovered -- the hard way -- what a problem identity theft can be. In reaction to media fuss over the loss of discs containing a database of child benefits claimants in the UK, Clarkson said the fuss was for nothing, since the data would only allow deposits into the accounts. To prove his point, he published his own bank details in two newspapers, along with a hint as to how to find his home address. Subsequently, someone has used the information to transfer five hundred pounds out of his account to the charity Diabetes UK. Clarkson has now reversed his position on the seriousness of the data leak.

Saturday, 5 January 2008

Ralsky and others charged re stock scam spam

Source: US Department of Justice

Notorious spammer Alan Ralsky and ten others have been indicted on various charges relating to the alleged operation of a pump-and-dump stock spam scheme, after a three-year investigation by the FBI and other agencies. The operation involved the manipulation of the stock prices of thinly traded Chinese penny stocks, and certain Chinese companies to which the stocks belonged were allegedly complicit in this activity.

Wednesday, 2 January 2008

EBay fights fraud in Romania

Source: Los Angeles Times

The LA Times has a modestly detailed article on how EBay is fighting cybercrime in Romania -- the largest source of fraudulent activity directed against their service. This effort involves actually working with authorities in Romania, and the EBay agent is protected by U.S. Secret Service agents while operating in the country.