Tuesday, 1 December 2009

Hackers attempt to take $1.3 million from D.C. firm

Source: Security Fix

Brian Krebs reports on a new twist in cybercrime in the USA: attackers are using direct debit facilities to transfer money from third party accounts to compromised accounts, then forwarding it on to mules. It seems that the banking system places far too much trust in the participants, such that a security breach at any participant is potentially disastrous for everyone.

Tuesday, 27 October 2009

Social Engineering in Real-World Computer Attacks

Source: SANS Internet Storm Center Diary

A useful collection of ways in which social engineering has been utilised in recent attacks. More diverse than you may think.

FBI: Cyber Crooks Stole $40M From U.S. Small, Mid-Sized Firms

Source: Security Fix

"Normally, the FBI isn't eager to discuss losses, or even acknowledge the existence of specific cases. What's more, the agency is keen to avoid making any statements that might spook consumers or businesses away from online banking. But Chabinsky said the FBI is taking the unusual step of floating financial loss figures in order to grab the attention of those most at risk so they can adopt safeguards."

Saturday, 10 October 2009

Malware Distributors Mastering News SEO

Source: eWeek Security Watch

This particular problem has been on the rise for a while, but this article provides a useful snapshot of the status quo. Malware authors, particularly fake antivirus peddlers, are using Search Engine Optimisation techniques (SEO) to place their wares high on the search results for breaking news stories such as the recent Samoan Tsunami. These techniques are proving quite powerful, giving the miscreants "five or six of the top ten results on the Google search results page".

Tuesday, 6 October 2009

Bank Botnet Serves Fake Info to Thwart Researchers

Source: Threat Level

The URLZone trojan mentioned in the previous post has another interesting feature. When researchers attempted to install the trojan on their own system and use it to obtain account details of mules, they were sent red herring account details. These misleading accounts are genuine accounts which have been used as the targets of legitimate funds transfers on URLZone-compromised systems.

Wednesday, 30 September 2009

New Malware Re-Writes Online Bank Statements to Cover Fraud

Source: Threat Level

The URLZone trojan not only performs money transfers out of a victim's bank account, but also re-writes HTML from the bank website on the fly so that the victim can't see the transfer in the account statement. This gives the criminals a larger window in which to cash out.
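The statement-rewriting trick described above, as an added illustration that is not part of the original post and not taken from any real URLZone sample: a constructed (hypothetical) bank statement page, a rewrite that hides the transfer to the mule, and two checks. The first check, that the listed transactions add up to the displayed closing balance, catches a sloppy rewrite; the second shows why only a balance obtained outside the browser (phone banking, an ATM slip, the bank's own ledger) can catch a thorough one. All names, account references and amounts are made up.

```python
import re
from decimal import Decimal

# Constructed sample statement page, not real bank HTML. One transaction
# table with signed amounts and a closing balance.
STATEMENT_HTML = """
<table id="txns">
<tr><td>2009-09-28</td><td>Salary</td><td class="amt">+5000.00</td></tr>
<tr><td>2009-09-29</td><td>Rent</td><td class="amt">-1200.00</td></tr>
<tr><td>2009-09-30</td><td>Transfer to MULE ACCT 4471</td><td class="amt">-2900.00</td></tr>
</table>
<p>Closing balance: <span id="balance">900.00</span></p>
"""
OPENING_BALANCE = Decimal("0.00")

ROW_RE = re.compile(r"<tr>.*?</tr>", re.S)
AMT_RE = re.compile(r'class="amt">([+-]\d+\.\d{2})<')
BAL_RE = re.compile(r'id="balance">(-?\d+\.\d{2})<')


def parse_statement(html):
    """Return (list of signed Decimal amounts, displayed closing balance)."""
    rows = ROW_RE.findall(html)
    amounts = [Decimal(AMT_RE.search(r).group(1)) for r in rows]
    balance = Decimal(BAL_RE.search(html).group(1))
    return amounts, balance


def mitb_hide_transfer(html, needle, fix_balance):
    """What a man-in-the-browser rewrite does to the page the victim sees:
    drop every row mentioning `needle` and, if fix_balance is set, restate
    the closing balance so the remaining rows still add up."""
    hidden = [r for r in ROW_RE.findall(html) if needle in r]
    for row in hidden:
        html = html.replace(row, "")
    if fix_balance and hidden:
        hidden_total = sum(Decimal(AMT_RE.search(r).group(1)) for r in hidden)
        old = BAL_RE.search(html).group(1)
        new = Decimal(old) - hidden_total
        html = html.replace(f'id="balance">{old}<', f'id="balance">{new:.2f}<')
    return html


def statement_adds_up(html, opening):
    """In-page consistency: opening balance plus the listed rows equals the
    displayed closing balance. Defeated by a rewrite that also edits the balance."""
    amounts, displayed = parse_statement(html)
    return opening + sum(amounts) == displayed


def matches_out_of_band_balance(html, ledger_balance):
    """Compare the displayed balance with one obtained outside the browser."""
    _, displayed = parse_statement(html)
    return displayed == ledger_balance


if __name__ == "__main__":
    sloppy = mitb_hide_transfer(STATEMENT_HTML, "MULE", fix_balance=False)
    thorough = mitb_hide_transfer(STATEMENT_HTML, "MULE", fix_balance=True)
    print("original adds up:", statement_adds_up(STATEMENT_HTML, OPENING_BALANCE))
    print("sloppy rewrite adds up:", statement_adds_up(sloppy, OPENING_BALANCE))
    print("thorough rewrite adds up:", statement_adds_up(thorough, OPENING_BALANCE))
    print("thorough rewrite matches ledger:",
          matches_out_of_band_balance(thorough, Decimal("900.00")))
```

The practical lesson for a business account holder is the second check: reconcile against a balance the malware cannot touch, and do it on a schedule shorter than the criminals' cash-out window.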

Friday, 11 September 2009

Cyber Thieves Steal $447,000 From Wrecking Firm

Source: Security Fix

In his continuing coverage of phishing and money mules in the USA, Brian Krebs gives details of a wrecking firm that was hit for a massive $447,000, not all of which was successfully looted. The interesting fact in this case was that the bank used a form of two-factor authentication -- a USB key fob which generates a new six-digit code every minute. Unfortunately, a one-time code of this kind only proves that whoever is driving the session holds the token; it says nothing about which transfers that session goes on to make. A man-in-the-browser trojan, which is how these crooks operate (using malware called "Zeus"), simply waits for the victim to log in and then submits its own transfers inside the authenticated session.
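Why a login one-time code does not stop a man-in-the-browser, and what a transaction-bound code changes, as an added example that is not code from the original article, the bank, or the Zeus malware. The fob is modelled with RFC 4226 HOTP (the key below is the RFC's published test-vector key, standing in for a fob seed); the transaction-signing scheme, the Bank class, the session and payee names and the amounts are all hypothetical.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226): what a login fob produces."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, payee: str, amount_cents: int, digits: int = 6) -> str:
    """Code bound to the transfer itself. Assumed scheme (not any bank's): the
    token shows payee and amount to the user before computing this, so a
    transfer the malware substitutes yields a code the server will not accept."""
    msg = f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


class Bank:
    """Toy server side. Sessions are opened by a fob code; transfers either
    ride the session alone or must carry a transaction-bound code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0          # fob counter, kept in step with the token
        self.sessions = set()
        self.ledger = []          # (payee, amount_cents)

    def login(self, code: str):
        expected = hotp(self.secret, self.counter)
        if not hmac.compare_digest(code, expected):
            return None
        self.counter += 1
        session = f"session-{self.counter}"
        self.sessions.add(session)
        return session

    def transfer_session_only(self, session, payee, amount_cents) -> bool:
        """The vulnerable design: a valid session is all a transfer needs."""
        if session not in self.sessions:
            return False
        self.ledger.append((payee, amount_cents))
        return True

    def transfer_signed(self, session, payee, amount_cents, code) -> bool:
        """The hardened design: the code must match this payee and amount."""
        if session not in self.sessions:
            return False
        if not hmac.compare_digest(code, transaction_code(self.secret, payee, amount_cents)):
            return False
        self.ledger.append((payee, amount_cents))
        return True


SECRET = b"12345678901234567890"   # RFC 4226 test-vector key, a stand-in for the fob seed


def mitb_vs_login_otp():
    """Victim logs in with the fob code; malware in the browser then submits
    its own transfer inside the authenticated session. Nothing stops it."""
    bank = Bank(SECRET)
    session = bank.login(hotp(SECRET, bank.counter))   # user types the fob code
    return bank.transfer_session_only(session, "MULE ACCT 4471", 290_000)


def mitb_vs_transaction_signing():
    """Same malware, but transfers need a code over payee and amount. The user
    signed 'Landlord, 1200.00'; the substituted transfer fails, the real one passes."""
    bank = Bank(SECRET)
    session = bank.login(hotp(SECRET, bank.counter))
    user_code = transaction_code(SECRET, "Landlord", 120_000)
    swapped = bank.transfer_signed(session, "MULE ACCT 4471", 290_000, user_code)
    genuine = bank.transfer_signed(session, "Landlord", 120_000, user_code)
    return swapped, genuine
```

The transaction-bound code only helps if the payee and amount are shown to the user on something the malware cannot redraw (the token's own display, or a separate phone), which is the part a plain code-generating fob cannot provide.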

Saturday, 5 September 2009

More Business Banking Victims Speak Out

Source: Security Fix

In a follow-up to earlier reporting about account-siphoning and money mules in the US, Brian Krebs gives us another report which includes names of Western Union transfer recipients in Ukraine, and quotes from one of the mules in question. Note that this mule was soft-recruited by first being given text-correction work, then offered promotion to mule status when it was time to be paid for that work. "Be paid for correcting text" is the new money mule lure.

Thursday, 27 August 2009

Malware via Snail Mail

Source: National Credit Union Administration

The (American) National Credit Union Administration has released a warning that one of its members was sent fraudulent "training materials" on CD, laced with malware. The attack is notable for the fact that it is both highly targeted and uses low tech methods in an attempt to bypass network security.

Wednesday, 26 August 2009

Investigations on a Cybercrime Hub in Estonia

Source: TrendLabs Malware Blog

Trend Micro has published a white paper on an Estonian ISP and its subsidiaries which specialise in providing service to the cybercrime community. The researchers "gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu."

Tuesday, 25 August 2009


Source: TrendLabs Malware Blog

Trend Micro has published a white paper on the Ilomo stealth botnet. This botnet features the ability to piggyback transactions on banking sessions initiated normally by the end user, and is primarily used for information gathering and anonymous proxy services.

Friday, 24 July 2009

The economics of Botnets

Source: Viruslist.com

Yury Namestnikov of Kaspersky Lab has published an informative white paper on the current economics of botnets and related cybercrime, including the going rates for various cybercrime services.

Tuesday, 21 July 2009

The Growing Threat to Business Banking Online

Source: Security Fix

Brian Krebs reports that phishing and money mule problems are escalating in the USA -- to about the level we experienced in Australia back in 2006 or earlier. There are some differences: credentials are now harvested primarily by keystroke-logging malware on the victim's PC rather than by social-engineering e-mails, and American businesses are discovering that their banks don't offer them much in the way of protection from this kind of fraud. Losses per incident are frequently six-figure sums.

Thursday, 16 July 2009

Signed Malware Coming To A Phone Near You?

Source: Trend Micro

The Trend Micro Malware Blog reports that there is a signed Symbian application in the wild which sends the user's "subscriber, phone, and network information" back to a central website, and is also capable of receiving instructions (from the same website) to send SMS spam to the user's contacts. This is very similar to the behaviour of many traditional PC botnets -- yet the application has been vetted and signed by the certifying agent, Symbian Signed.

Wednesday, 8 July 2009

High Crimes Using Low-Tech Attacks

Source: Security Fix

A new and relatively low tech attack against bank customers has been reported in the wild. A fraudster posing as a bank employee phones up a bank customer and informs them of fraudulent activity on the account, then asks the customer to hold while the call is transferred to a fraud specialist. The scammer then phones the genuine bank, creating a conference call in which he acts as an eavesdropper. This gives the scammer access to various secrets revealed in the conversation between bank and customer.

Friday, 3 July 2009

PC Invader Costs Ky. County $415,000

Source: Security Fix

Cybercriminals from Ukraine were able to compromise a PC belonging to the treasurer of Bullitt County, Kentucky, USA, and initiate bank transfers in excess of four hundred thousand dollars. Money mules were used to receive the payments and forward them. The mules in question were initially recruited into performing grammar correction and checking work, and only offered the "money mule" aspect of the job after performing that work reliably. The attack also involved some creativity on the part of the attackers to circumvent fraud detection schemes installed by the bank: see the source article for details.

Thursday, 2 July 2009

A Bustling Week for Cyber Justice

Source: Security Fix

This Brian Krebs article summarises recent activity in the US legal system relating to cybercrime issues, including FTC action against "scareware" companies and prosecution of Max Ray Butler for mass credit card fraud.

Thursday, 11 June 2009

Amazon, Apple dish up $300,000 to 'musical crims'

Source: The Register

Nine people are being held in custody in the UK on suspicion of conspiracy to commit fraud and money laundering. The alleged scam involved the fraudsters purchasing their own recordings from Apple iTunes and Amazon using stolen credit cards. Approximately $750,000 was processed through 1,500 compromised UK and USA credit cards, undetected by the merchants in question as fraudulent.

Friday, 5 June 2009

FTC Sues, Shuts Down N. Calif. Web Hosting Firm

Source: Security Fix

"In an unprecedented move, the Federal Trade Commission has taken legal steps to shut down a Web hosting provider in Northern California that the agency says was directly involved in managing massive global spam operations."

Thursday, 4 June 2009

Data-sniffing trojans burrow into Eastern European ATMs

Source: The Register

Analysts from SpiderLabs, the research arm of security firm Trustwave, have been tracking the development of a specialised malware tool designed for installation on ATMs running the Windows XP operating system, describing it as highly capable, and written with professional standards. The malware contains a data logger to track user card and PIN data, which can then be retrieved by inserting a control card into the ATM, bringing up a menu which allows the data to be printed via the ATM receipt printer. The control cards also enable functions to extract cash, remove log files, and so on. Physical access to the machine is required to install the malware, and reports of its use have been limited to Eastern Europe so far.

Wednesday, 27 May 2009

The Scrap Value of a Hacked PC

Source: Security Fix

Brian Krebs of Security Fix has published a brief but useful article outlining the purposes for which attackers can use a compromised PC.

Thursday, 7 May 2009

PDF most common file type in targeted attacks

Source: F-Secure Weblog

F-Secure has measured a significant shift in file types used in targeted malware attacks between 2008 and 2009. Of the four file types PowerPoint, Excel, Word, and PDF, 2008 saw a fairly even spread of targeted malware, ranging from 17% (PowerPoint) to 35% (Word). So far in 2009, PDF is way out in front (49%), along with Word (39%), while PowerPoint and Excel also ran (12% combined).

Tuesday, 5 May 2009

Hackers Break Into Virginia Health Professions Database, Demand Ransom

Source: Security Fix

"Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records..."

Monday, 4 May 2009

Taking over the Torpig botnet

Source: The Computer Security Group at UCSB

"At the beginning of 2009, we took control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected."

A report has been published: Your Botnet is My Botnet: Analysis of a Botnet Takeover (PDF), UCSB Technical Report, Santa Barbara, CA, April 2009.

Tuesday, 28 April 2009

CAPTCHA me if you can!

Source: F-Secure Weblog

F-Secure has a brief report showing that Russian CAPTCHA cracking services offer a thousand CAPTCHA solutions for $1. These services are used to mass-register things like Gmail accounts, protected by CAPTCHA, for abuse purposes. And, ironically, Google's sponsored links include advertisements for CAPTCHA cracking services when you perform a search for terms like "crack captcha" or "break captcha". So, if Google's CAPTCHA fails to stop abuse, then they are at least getting a slice of the black-hat profits.

Friday, 24 April 2009

Temporal Correlations between Spam and Phishing Websites

Source: Light Blue Touchpaper

Tyler Moore and Richard Clayton of the University of Cambridge have released new research into whether the on-going availability of a phishing website results in on-going spam in relation to that site. The short answer is yes, meaning that prompt removal of phishing sites is important. Also, phishing seems to be divided into two main groups: "a cottage industry of fairly disorganized phishing attacks", and "a small number of organized gangs who use botnets for hosting, send most of the spam, and are extremely efficient on every measure we consider."

Thursday, 16 April 2009

Glut of Stolen Banking Data Trims Profits for Thieves

Source: Security Fix

"A massive glut in the number of credit and debit cards stolen in data breaches at financial institutions last year has flooded criminal underground markets that trade in this material, driving prices for the illicit goods to the lowest levels seen in years, experts have found."

Tuesday, 31 March 2009

Foreign Phisher Sentenced to 50 Months in U.S. Prison

Source: Threat Level from Wired.com

"The first foreigner convicted of phishing in the United States was sentenced to 50 months in federal prison Monday."

Monday, 30 March 2009

Vast Spy System Loots Computers in 103 Countries

Source: NYTimes.com

Researchers have obtained an inside look into a vast, strategic network of computers which have been compromised in targeted attacks (rather than the usual opportunistic attacks). The network consists of "at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York." The back doors in the computers are being controlled by computers based almost exclusively in China, leading to speculation that the Chinese government is behind the espionage.

Saturday, 28 March 2009

'Cybercrime exceeds drug trade' myth exploded

Source: The Register

Ed Amoroso, Senior Vice President and Chief Security Officer of AT&T, recently told a Congressional Committee that cybercrime was a trillion dollar a year business. This was supposed to be based on an FBI report, but the FBI has made no such claim. Instead, it seems to be more of an urban myth. This article attempts to put some perspective on the inflated claim, and find out how the myth got started.

Wednesday, 25 March 2009

'The Analyzer' Hack Probe Widens; $10 Million Allegedly Stolen From U.S. Banks

Source: Threat Level from Wired.com

Threat Level has an interesting article covering the cybercrime activities of Ehud Tenenbaum, also known as "The Analyzer", who was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks. He also allegedly hacked two U.S. banks, a credit and debit card distribution company and a payment processor in what U.S. authorities are calling a global "cashout" conspiracy. The U.S. hacks have resulted in at least $10 million in losses, and are just part of a larger international conspiracy to hack financial institutions in the United States and abroad.

Tuesday, 24 March 2009

Web Fraud 2.0: Data Search Tools for ID Thieves

Source: Security Fix

"Cyber crooks are providing cheap, instant access to detailed consumer databases, offering identity thieves the ability to find missing data as they compile dossiers on targeted individuals." "It's unclear how these sites are obtaining this kind of information. It may be that they're relying on insiders at companies with access to this data. Alternatively, perhaps the services are making use of stolen credentials needed to access sensitive online databases. More likely, it is a mixture of both."

Monday, 23 March 2009

Hacked page hauls estimated at $10,000 a day

Source: vnunet.com

Fake antivirus products continue to prove themselves the Next Big Thing in cybercrime. Security firm Finjan estimates that search engine gaming techniques on popular search terms can earn the perpetrators more than ten thousand US dollars per day in referral fees.

Saturday, 21 March 2009

Rogue Antivirus Distribution Network Dismantled

Source: Security Fix

Hot on the heels of a report on TrafficConverter2.biz by Security Fix earlier this week, the site has lost its ability to receive payments through Visa and MasterCard thanks to investigations being conducted by those companies. Traffic Converter is an affiliate program for the fake antivirus program AntiVirus2009 and others. These programs extort money out of those parties unfortunate enough to find them installed on their computer by throwing up increasingly alarming error messages, and requesting that the user pay for the "full version" of the software to fix the problem.

Costly Online Organ-Transplant Scam Results in Death, Arrest

Source: Threat Level from Wired.com

Advance fee fraud is nothing new, but this could well be a new low. The site liver4you.org sells organ transplants, or so it claims. A Canadian man paid $70,000 and was told he'd receive a liver transplant at a hospital in the Philippines. There was no liver, and no transplant, and the man died in the hospital where he thought his life would be saved. Jerome Feldman, age 67, has been arrested on charges of operating the scam.

Friday, 20 March 2009

Antivirus2009 Holds Victim's Documents for Ransom

Source: Security Fix

The fake anti-virus program Antivirus2009 is now using its deceptive error messages to frighten users into downloading a program called FileFixerPro, under the pretext that certain files in the "My Documents" folder are corrupt. Antivirus2009 actually encrypts the files in question, and FileFixerPro will decrypt them only after a $50 fee is paid. File encryption has been used in the past, attracting the name "ransomware", but this is perhaps the first time that the technique has been used stealthily in conjunction with "scareware" like Antivirus2009, as opposed to blatant blackmail.

2008 fraud figures announced by APACS

Source: APACS

The UK payments association, APACS, has announced UK fraud figures for 2008. "The two main areas of fraud were on transactions not protected by chip and PIN: specifically internet, phone and mail order fraud; and fraud abroad - committed by criminals using stolen UK card details in countries yet to upgrade to chip and PIN - which has nearly doubled in two years." "Online banking fraud losses totalled £52.5m in 2008 – a 132 per cent increase from 2007 losses. Although phishing incidents continue to increase, online banking customers are increasingly being targeted by malware..."

Friday, 13 March 2009

Hacking iTunes Gift Cards, and an iTunes Update

Source: Security Fix

There is some question as to whether the iTunes voucher code system has actually been broken (as reported recently). The basis for doubt is that the vouchers must be activated at the point of sale before they can be redeemed. Even so, the iTunes codes offered for sale are definitely working. One theory is that the codes are simply being purchased online using stolen credit card data, then on-sold.

Police in Romania detain 20 alleged hackers

Source: International Herald Tribune

Police in Romania on Wednesday detained 20 people on suspicion of phishing. The phishing incidents in question targeted victims in Italy and Spain.

Wednesday, 11 March 2009

The Chinese iTunes Gift Voucher Trick

Source: Outdustry

Hackers have cracked the iTunes gift voucher code and are selling the codes so generated to Chinese counterfeiters who then on-sell to the public. Current market rates result in $200 gift card codes being obtainable for around $2.60.

Thursday, 5 March 2009

German cops bust cybercrime forum

Source: The Register

"German police have arrested several members of a hacking forum linked to the distribution of Trojan horse software that infected 80,000 computers."

Wednesday, 4 February 2009

FBI Investigates $9 Million ATM Scam

Source: myfoxny.com

A security compromise at payment processor RBS WorldPay has enabled the attackers to clone debit cards issued by that company. In a coordinated, distributed effort (spanning more than 130 ATMs in 49 cities in several countries), one hundred such cards with significantly raised withdrawal limits were used to make multiple withdrawals on November 8, 2008. Nine million dollars was taken in the process -- an average of $90,000 per card.
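The withdrawal pattern described above is easy to spot in hindsight, and the check is simple enough to run on a processor's or issuer's transaction feed. Below is an added detection example, not code from the source article or from RBS WorldPay: a constructed (hypothetical) withdrawal log in which one card is used in five cities on three continents within a couple of hours, and a sliding-window rule that flags a card used in several distinct locations, or for more than its supposed daily limit, inside one window. Card names, cities, times and amounts are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed withdrawal log (hypothetical, not RBS WorldPay data):
# timestamp,card,city,country,amount_usd. card_a shows the cloned-card
# pattern; card_b is an ordinary traveller.
WITHDRAWAL_LOG = """\
2008-11-08T00:03:12Z,card_a,Atlanta,US,2000
2008-11-08T00:05:40Z,card_a,Atlanta,US,2000
2008-11-08T00:41:09Z,card_a,Chicago,US,3000
2008-11-08T01:12:33Z,card_a,Moscow,RU,3000
2008-11-08T01:50:02Z,card_a,Hong Kong,HK,2500
2008-11-08T02:14:57Z,card_a,Montreal,CA,3000
2008-11-07T18:20:00Z,card_b,Boston,US,200
2008-11-08T09:45:00Z,card_b,New York,US,300
"""

CARD_DAILY_LIMIT = 500  # the limit the issuer believes applies to these cards


def parse_log(text):
    """Parse the CSV lines above into dicts with a datetime and an int amount."""
    events = []
    for line in text.splitlines():
        ts, card, city, country, amount = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "card": card, "city": city, "country": country,
            "amount": int(amount),
        })
    return events


def flag_cashout(events, window=timedelta(hours=24), min_locations=3,
                 daily_limit=CARD_DAILY_LIMIT):
    """Flag a card if, within any `window` starting at one of its withdrawals,
    it is used in `min_locations` or more distinct cities, or withdraws more
    than `daily_limit` in total. The limit check alone is weak here, since the
    attackers raised the limits at the processor; the location spread is the
    signal that survives that. Returns {card: {"locations", "total", "countries"}}."""
    by_card = defaultdict(list)
    for e in events:
        by_card[e["card"]].append(e)
    flagged = {}
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:
            in_window = [e for e in evs
                         if start["ts"] <= e["ts"] <= start["ts"] + window]
            locations = {(e["city"], e["country"]) for e in in_window}
            total = sum(e["amount"] for e in in_window)
            if len(locations) >= min_locations or total > daily_limit:
                flagged[card] = {
                    "locations": len(locations),
                    "total": total,
                    "countries": {country for _, country in locations},
                }
                break  # one alert per card is enough
    return flagged


if __name__ == "__main__":
    for card, info in flag_cashout(parse_log(WITHDRAWAL_LOG)).items():
        print(f"{card}: {info['locations']} locations, "
              f"${info['total']} in window, countries {sorted(info['countries'])}")
```

In a real deployment the same rule would run as each authorisation arrives rather than over a finished log, and a change to a card's withdrawal limit shortly before a burst like this is itself worth alerting on.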

Wednesday, 28 January 2009

Hackers steal details of 4.5 million in attack on Monster jobs site

Source: Times Online

The user database of online recruitment site, Monster.co.uk, has been compromised, exposing the credentials (and other personal details such as names and telephone numbers) of around 4.5 million people. This is the third time in two years that Monster has suffered such a security breach.

Wednesday, 21 January 2009

Payment Processor Breach May Be Largest Ever

Source: Security Fix

Payment processor, Heartland Payment Systems, has discovered malware on its infrastructure which was leaking out card data. The compromised data includes names, credit and debit card numbers, and expiration dates. The extent of compromise is unknown, but assumed to be very large because the company processes on the order of a hundred million transactions per month. The existence of the breach has been known since late last year, but the malware was only recently discovered as the cause.