David Kirkpatrick

May 5, 2010

US Treasury hacked and serving malware

Not good. Looks like the attack originated in Ukraine.

From the link:

Three Web sites belonging to the U.S. Department of the Treasury have been hacked to attack visitors with malicious software, security vendor AVG says.

AVG researcher Roger Thompson discovered the issue Monday on three Web domains associated with the home page of the U.S. Bureau of Engraving and Printing. As of late Monday, all three Web sites were still actively serving malicious software and the Bureau of Engraving and Printing Web site should be avoided until it’s clear that they’ve been cleaned up, Thompson said in an interview via instant message.

Although the Treasury Department could not be reached for comment, IT staff there appear to be aware of the problem. On Tuesday morning, all three sites had apparently been taken offline and were returning a “page not found” error.

According to Thompson, hackers had added a small snippet of virtually undetectable iframe HTML code that redirected visitors to a Web site in the Ukraine that then launched a variety of Web-based attacks based on a commercially available attack-kit called the Eleonore Exploit pack.
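The injection pattern described above (a small, hard-to-see iframe added to a legitimate page, loading content from a third-party host) can be checked for in a site's own HTML. The following is an added example, not code from the original post or from AVG; the host names and sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "bureau.example.gov"  # assumed host of the page under review

# Constructed sample: one normal iframe plus one injected 1x1 hidden iframe.
SAMPLE_HTML = """<html><body><h1>Placeholder page</h1>
<iframe src="https://bureau.example.gov/widget" width="300" height="200"></iframe>
<p>Regular content.</p>
<iframe src="http://exploit-host.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeAuditor(HTMLParser):
    """Collects <iframe> tags that are tiny or hidden by CSS."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # a relative src means the frame loads from the site itself
        host = (urlparse(src).hostname or self.site_host).lower()
        reasons = []
        for dim in ("width", "height"):
            digits = re.sub(r"\D", "", a.get(dim, ""))  # "1px" -> "1"
            if digits and "%" not in a[dim] and int(digits) <= 1:
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if not reasons:
            return  # visible, normally sized frame: not the injection pattern
        if host != self.site_host:
            reasons.append(f"loads from external host {host}")
        self.findings.append({"src": src, "reasons": reasons})


def audit_html(html, site_host=SITE_HOST):
    """Return the suspicious iframes found in the HTML, with reasons."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings
```

Running `audit_html(SAMPLE_HTML)` reports only the injected frame; the legitimate same-host widget passes.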

March 10, 2010

Online banking scams hit businesses hard

Cybercrime against companies is particularly damaging for the victims because commercial bank accounts don’t have the reimbursement protection of consumer accounts. The $25M in small business losses in Q3 2009 cited below was due to wire transfer and ACH fraud. The takeaway here? Make sure you keep close control over any commercial banking function, particularly if you are a small business that regularly carries a large bank balance.

From the link:

Ongoing computer scams targeting small businesses cost U.S. companies US$25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation. Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over US$120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC.

The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said.

Almost all of the incidents reported to the FDIC “related to malware on online banking customers’ PCs,” he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions.

March 4, 2010

Microsoft wants to tax you …

Filed under: Business, Technology — David Kirkpatrick @ 1:03 pm

… to help pay for correcting its sieve-like OS and application coding. Now I’m not saying Microsoft is the only reason malware, phishing, botnets and other cybercrime goes on out there, but its shoddy and ubiquitous products are to blame for a very large majority. And that statement comes from a Microsoft user and supporter.

This internet usage tax idea from MS’s “trustworthy computing” veep is the height of stupidly ballsy statements. Maybe Microsoft should remunerate every computer user whose identity has been stolen, data compromised or computer files corrupted or lost due to yet another security fix that came a little too late.

Taxing internet usage to fix a problem largely caused by a single entity? Not a good idea. Try again, Scott Charney.

From the link:

How will we ever get a leg up on hackers who are infecting computers worldwide? Microsoft’s (MSFT) security chief laid out several suggestions Tuesday, including a possible Internet usage tax to pay for the inspection and quarantine of machines. Today most hacked PCs run Microsoft’s Windows operating system, and the company has invested millions in trying to fight the problem.

Microsoft recently used the U.S. court system to shut down the Waledac botnet, introducing a new tactic in the battle against hackers. Speaking at the RSA security conference in San Francisco, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney said that the technology industry needs to think about more “social solutions.”

Update 3/8/10 — Looks like I’m not alone in condemning this crazy idea.

March 3, 2010

Dirty ISPs better watch out

A new ranking system from the Oak Ridge National Laboratory and Indiana University will ferret out providers run by cybercriminals.

From the link (goes to Oak Ridge National Laboratory story tips for March 2010):

Cybercrime—Exposing hackers . . .

Unscrupulous Internet service providers will have no place to hide because of a ranking system conceived by researchers at Oak Ridge National Laboratory and Indiana University. “Criminal enterprises have created entire Internet service providers dedicated to sending spam, phishing messages or spreading viruses,” said Craig Shue of ORNL’s Computational Sciences and Engineering Division. While some have been caught by the Federal Trade Commission or other Internet service providers unwilling to do business with them, many are able to escape detection. “These other Internet service providers have customers whose machines become infected and can be used to launch attacks or steal the customer’s data,” Shue said. This work, which creates a ranking system Shue likened to grading systems for comparing school districts, is funded in part by the National Science Foundation and Indiana University.

February 23, 2010

Point-and-click botnet creation kit

Filed under: Business, Technology — David Kirkpatrick @ 1:50 pm

Just the thing for the technically challenged wanna-be cybercriminal. It’s bad enough having to deal with nefarious coders, but these tools (and various “virus making for dummies” tools have been around forever) allow bored kids and garden variety criminals in on the lucrative world of botnets.

From the link:

In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.

Last week, the security firm NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the software can wreak. It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including the drug producer Merck, the network equipment maker Juniper Networks, and the Hollywood studio Paramount Pictures. Over four weeks, the software was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo e-mail log-ins.

“They had compromised systems inside both companies and government agencies,” says Alex Cox, a principal analyst at NetWitness.

A survey conducted by another security firm–Atlanta-based Damballa–found Zeus-controlled programs to be the second most common inside corporate networks in 2009. Damballa tracked more than 200 Zeus-based botnets in enterprise networks. The largest single botnet controlled using the Zeus platform consisted of 600,000 compromised computers.

February 3, 2010

Cybercrime affiliate programs

Filed under: Business, Technology — David Kirkpatrick @ 12:23 pm

Looks like malware purveyors have added affiliate programs to the business model. The upside of this activity is the longer the chain of unrelated participants — particularly with the paper trail of payments added to the mix — the more likely the chain breaks down somewhere and the legal system catches up with the entire bunch.

From the link:

Sites like Amazon offer affiliate programs that pay users for sending them new customers. And now, malware authors, always quick to adopt tactics that work elsewhere, have developed their own affiliate program, which was described in a talk given today at the Black Hat DC computer security conference in Washington, DC.

Kevin Stevens, an analyst at Atlanta-based security consulting company SecureWorks, says sites with names like “Earnings4U” offer to pay users for each file they can install on someone else’s PC; the practice is called “pay per install.” Stevens found sites offering rates ranging from $180 per 1,000 installs on PCs based in the U.S. to $6 per 1,000 installs on PCs based in Asian countries.

As he researched the practice, Stevens says he discovered a number of companies engaged in pay per install. These companies periodically change their names to dodge the authorities. He also found forums where users shared tips for making more money, and a variety of sophisticated tools developed to make it easier for them to install malware. “It’s almost like a real, legitimate business,” he said.

December 28, 2009

Tech threats v.2010 — scareware and smartphone exploits

Filed under: Business, Media, Technology — David Kirkpatrick @ 2:51 pm

All the usual suspects — phishing, trojan virii, et al. — will be around, but the proliferation of smartphones makes that device a very enticing target for cybercriminals, and fake antivirus scareware looks like a growth industry of sorts.

Smartphone security is going to be a major issue, particularly as mobile devices take over sensitive data functions, such as access to personal bank accounts, from larger, and hopefully quite secure, platforms like desktop and laptop computers.

As always, it’s a good idea to take a bit of time to understand the threats out there for any device you use and make sure to implement appropriate security measures for that device. The bad guys aren’t going away, they’re just adapting to the changing technology world.

From the link:

Another accelerating security trend is the wave of criminals selling rogue antivirus software. Fake antivirus software is often called “scareware,” since frightening the PC owner is often part of the scam. Rogue antivirus, which Symantec counts as a top threat going into 2010, is not only thriving, but criminals selling it are starting to display new tricks.

December 9, 2009

The sophistication of cybercrime

Filed under: Business, Media, Technology — David Kirkpatrick @ 2:02 pm

It’s not about DDoS, phishing and Nigerian 419 scams any more. Now the main targets for these criminals are your data and social networking sites.

From the link:

What do phishing, instant messaging malware, DDoS attacks and 419 scams have in common? According to Cisco Systems, they’re all has-been cybercrimes that were supplanted by slicker, more menacing forms of cybercrime over the past year. In its 2009 Annual Security Report, due to be released Tuesday, Cisco says that the smart cyber-criminals are moving on.

“Social media and the data-theft Trojans are the things that are really in their ascent,” said Patrick Peterson, a Cisco researcher. “You can see them replacing a lot of the old-school things.”

Peterson is talking about attacks such as the Koobface worm, which spreads via Facebook and Twitter. Koobface asks victims to look at a fake YouTube video, which ultimately leads to a malicious download. Cisco estimates that Koobface has now infected more than 3 million computers, and security vendors such as Symantec expect social network attacks to be a major problem in 2010.

Another sneaky attack: the Zeus password-stealing Trojan. According to Cisco, Zeus variants infected almost 4 million computers in 2009. Eastern European gangs use Zeus to hack into bank accounts. They then use their networks of money mules to wire stolen funds out of the U.S. They have been linked to about $100 million in bank losses, some of which have been recovered, the U.S. Federal Bureau of Investigation said last month.

March 27, 2009

Watch out for FileFix Pro 2009

Filed under: Business, et.al., Media, Technology — David Kirkpatrick @ 5:16 pm

This is a new, and disturbing, twist on malware/virus attacks. It’s an encryption trojan horse that extorts money from you to decrypt the files (.doc, .pdf, etc.) in your My Documents folder.

If you have a problem with FileFix Pro 2009 do keep in mind there are no-cost fixes (read: file decrypters) out there so don’t send these cybercriminals any money.

If you need a fix, here are options from the link:

Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called “Anti FileFix” available for download that unscrambles files corrupted by the Trojan. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.

Also from the link:

The new scam takes a different tack: It uses a Trojan horse that’s seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim’s PC, the Trojan swings into action, encrypting a wide variety of document types — ranging from Microsoft Word .doc files to Adobe Reader .pdf documents — anytime one’s opened. It also scrambles the files in Windows’ “My Documents” folder.

When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as a semi-official notice from the operating system: “Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application,” the message reads.

Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. Price? $50.

August 14, 2008

Efficient and polite cyber criminals

Filed under: Business, et.al., Technology — David Kirkpatrick @ 11:31 am

The government presented a number of instant messages during the indictments of the eleven people accused of stealing millions of credit card numbers from companies such as Dave and Buster’s, Boston Market and Barnes and Noble, among others.

These messages exposed an operation high on specialization, ready-to-please tech support and abundant praise. Some messages included emoticons. Take away the criminality and the group was running a pleasant, and very efficient, workplace.

From the CIO.com (second) link:

But little time was wasted on chitchat: Tech support was needed to modify sniffer software for an intrusion. According to the DOJ, Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, in a message to Gonzalez, briefly discussed the need and finished by asking: “… could you, please recompile it 🙂 Thanks.”

Gonzalez’s alleged response: “I can compile right now.” There was no tech support whining in these messages—just professional interest, and perhaps some pride, in how the software worked: “Did your guy use or say anything about my sniffer for dandb [i.e., Dave & Buster’s]?”

“My guy told me to tell you big thanks and etc. ;-)” was Yastremskiy’s reply, the DOJ claimed. Some 5,000 credit card numbers were allegedly taken from the chain by the hacker group.

For some employees, praise is as important as money, and this group evidently had both, according to what’s in the federal charging documents. They made millions until the feds closed their operations this year, according to the indictment.

“These guys collaborate,” said Sam Curry, vice president of the identity access and assurance at RSA Security, a division of EMC Corp. “They even have [service-level agreements] and support numbers to reach each other. They have specialized roles, sophisticated economics [and] worldwide reach.”

It’s the degree of specialization that’s a tip-off as to how big these organizations are. It took focus and organization to allegedly attack nine major retailers, steal some 40 million credit and debit card numbers, decrypt PINs, withdraw cash and sell the numbers on black markets.

The main targets were retailers. The thieves parked their cars near retail outlets, searched for open networks and installed programs to capture the wanted data.