PROJET AUTOBLOG


Krebs on Security

Site original : Krebs on Security

⇐ retour index

Mise à jour

Mise à jour de la base de données, veuillez patienter...

Alleged Counterfeiter “Willy Clock” Arrested

lundi 22 décembre 2014 à 17:17

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

Counterfeit $100s and $50s from "Willy Clock," allegedly the online alias of a Texas man living in Uganda.

Counterfeit $100s and $50s from “Willy Clock,” allegedly the online alias of a Texas man living in Uganda.

U.S. prosecutors say 27-year-old Ryan Andrew Gustafson – a.k.a. “Jack Farrel” and “Willy Clock” — is a U.S. citizen currently residing in Kampala, Uganda. Gustafson was arrested on Dec. 16 by Ugandan authorities and charged with conspiracy, counterfeiting, and unlawful possession of ammunition.

The defendant and his alleged accomplices are suspected of passing approximately $270,000 in fake U.S. currency in Uganda. In total, Ugandan authorities say they seized some $1.8 million in funny money from Gustafson’s operation.

The U.S. Secret Service, which investigates currency counterfeiting, said the investigation began in December 2013 when agents were alerted to the passing of counterfeit notes at retail stores and businesses in the Pittsburgh area. A press release from the Justice Department outlines the rest of the investigation:

“Agents determined that an individual identified as J.G. had passed these notes and was renting a postal box at The UPS Store on Pittsburgh’s South Side.  On Feb 19, 2014, law enforcement learned that J.G. received three packages addressed from Beyond Computers, located in Kampala, Uganda.  Agents executing a search warrant on the packages found $7,000 in counterfeit $100, $50 and $20 FRNs located in two hidden compartments within the packaging envelopes.  A fingerprint on a document inside one of the packages was identified as belonging to Ryan Andrew Gustafson.”

Jack Farrel's Facebook page. The U.S. Secret Service alleges that Farrel is Gustafson, a.k.a. counterfeiter "Willy Clock."

Jack Farrel’s Facebook page. The U.S. Secret Service alleges that Farrel is Gustafson, a.k.a. counterfeiter “Willy Clock.”

“The Secret Service subsequently worked with Ugandan authorities to identify the source of the counterfeit [cash].  Their efforts led to A.B., who admitted to sending the packages, explaining that an American named “Jack Farrel,” and another person, provided him the counterfeit notes to ship.  Based on information provided by A.B., the Secret Service used facial recognition to identify Jack Farrel as Ryan Andrew Gustafson.”

The government says Gustafson sold the bills through the Tor Carding Forum, a cybercrime shop that is unreachable from the regular Internet. Rather, visiting the Tor Carding Forum requires the visitor to route his communications through Tor, a free software-based service that helps users maintain anonymity by obfuscating their true location online.

Willy Clock’s phony currency wasn’t only available via Tor. By the middle of 2014, ads for his funny money were showing up on regular, Internet-based cybercrime forums. One reseller of Willy Clock’s notes even set up his own sales thread on Reddit.

Once again, it appears that sloppy operational security contributed to an arrest of an alleged bad guy. According to the government’s complaint (PDF), the email address that Gustafson provided on his U.S. passport application was the same one he allegedly used to maintain a Facebook account under the Jack Farrel alias. Investigators found that Gustafson also used the same Internet address to access his real Facebook page and the Farrel account. Another Facebook page tied to the Jack Farrel identity says the accused was in Uganda as a project associate at the U.N. refugee shelter program.

Gang Hacked ATMs from Inside Banks

lundi 22 décembre 2014 à 14:00

An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks.

robotrobkbMost cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards. But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.

A number of the gang’s members are believed to be tied to a group of Eastern European hackers accused of stealing more than USD $2 million from Russian banks using a powerful, custom-made banking trojan known as Carberp. Eight men in Moscow were arrested in 2012 and accused of building and using Carberp, but sources say the core members of the gang were out of jail within hours after their arrest and have been busy rebuilding their crime machine ever since.

According to report released today by Fox-IT and Group-IB, security firms based in The Netherlands and Russia, respectively, the Carberp guys have since changed their tactics: Instead of stealing from thousands of bank account holders, this gang has decided to focus on siphoning funds right out of banks’ coffers. So far, the security firms report, the gang has stolen more than $15 million from Eastern European banks.

To gain a foothold inside financial institutions, this crime group — dubbed the “Anunak group” — sent bank employees targeted, malware-laced emails made to look like the missives were sent by Russian banking regulators. The phishing emails contained malicious software designed to exploit recently-patched security holes in Microsoft Office products.

Incredibly, the group also reportedly bought access to Windows PCs at targeted banks that were already compromised by opportunistic malware spread by other cyber criminals. Indeed, Fox-IT and Group-IB report that the Anunak gang routinely purchased installations of their banking malware from other cybercriminals who operated massive botnets (collections of hacked PCs).

Once inside a financial institution, the criminals typically abused that access to launch even more convincing spear-phishing attacks against other banks. They also gained access to isolated bank network segments that handled ATM transactions, downloading malicious programs made to work specifically with Wincor ATMs. The hackers used that malware — along with a modified legitimate program for managing ATM cash trays — to change the denomination settings for bank notes in 52 different ATMs.

As a result, they were able to make it so that when co-conspirators went to affected ATMs to withdraw 10 bills totaling 100 Russian rubles, they were instead issued 10 bank notes with the denomination of 5,000 rubles, the report notes.

The Anunak gang reportedly modified this legitimate program for managing bill denominations in ATMs.

The Anunak gang reportedly modified this legitimate program for managing bill denominations in ATMs.

It was bad enough that this group is believed to have hacked into more than 50 Russian banks, but nasty messages encoded into the malware tools employed by the thieves suggest they hold utter contempt for their targets. One malware component the group used to infect targeted systems carried inside of itself the text string “LOL BANK FUCKIUNG”. Another strain of malware deployed by this group’s targeted email campaigns and used to build their own botnet of more than a quarter-million PCs was encrypted with a key that is the MD5 hash of the string “go fuck yourself.”

While they appear to have developed a penchant for stealing directly from banks, these crooks aren’t above going after easy money: Sources tell KrebsOnSecurity that this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

A separate source previously told this author that there was a connection between the point-of-sale malware used in the breach at Michaels and the Staples incident, which means this group may also have been involved in the Michaels breach. In any case, Group-IB and Fox-IT note that the Anunak gang has hit a total of 16 retailers so far.

The attacks from Anunak showcase once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding. According to the report, the average time from the moment this group breaks into bank internal networks and the successful theft of cash is a whopping 42 days.

The full report on the Anunak group is available here (PDF).

SpamHaus, CloudFlare Attacker Pleads Guilty

dimanche 14 décembre 2014 à 04:55

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

narko-stophausIn late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”

In April 2013, an unnamed then-16-year-old male from London identified only by his hacker alias “Narko,” was arrested and charged with computer misuse and money laundering in connection with the attack.

Sources close to the investigation now tell KrebsOnSecurity that Narko has pleaded guilty to those charges, and that Narko’s real name is Sean Nolan McDonough. A spokesman for the U.K. National Crime Agency confirmed that a 17-year-old male from London had pleaded guilty to those charges on Dec. 10, but noted that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

During the assault on SpamHaus, Narko was listed as one of several moderators of the forum Stophaus[dot]com, a motley crew of hacktivists, spammers and bulletproof hosting providers who took credit for organizing the attack on SpamHaus and CloudFlare.

WHO RUNS STOPHAUS?

It is likely that McDonough/Narko was hired by someone else to conduct the attack. So, this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.

cocg-fbNot long after McDonough’s arrest, a new Facebook page went online called “Freenarko,” which listed itself as “a solidarity support group to help in the legal defense and media stability for ‘Narko,’ a 16-yr old brother in London who faces charges concerning the Spamhaus DDoS attack in March.”

Multiple posts on that page link to Stophaus propaganda, to the Facebook page for the Church of the Common Good, and to a now-defunct Web site called “WeAreHomogeneous.org” (an eye-opening and archived copy of the site as it existed in early 2013 is available at archive.org; for better or worse, the group’s Facebook page lives on).

The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization. Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”

More recent entries in Andrew’s LinkedIn profile show that he now sees his current job as a “social engineer.” From his page:

“I am a what you may call a “Social Engineer” and have done work for several information security teams. My most recent operation was with a research team doing propaganda analysis for a media firm. I have a unique ability to access data that is typically inaccessible through social engineering and use this ability to gather data for research purposes. I have a knack for data mining and analysis, but was not formally trained so am able to think outside the box and accomplish goals traditional infosec students could not. I am proficient at strategic planning and vulnerability analysis and am often busy dissecting malware and tracking the criminals behind such software. There’s no real title for what I do, but I do it well I am told.”

Turns out, Andrew J. Stephens used to have his own Web site — andrewstephens.org. Here, the indispensable archive.org helps out again with a cache of his site from back when it launched in 2011 (oddly enough, the same year that Stophaus claims to have been born). On his page, Mr. Stephens lists himself as an “internet entrepreneur” and his business as “IBT.” Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”

Stephens did not return requests for comment sent to his various contact addresses, although a combative individual who uses the Twitter handle @Stophaus and has been promoting the group’s campaign refused to answer direct questions about whether he was in fact Andrew J. Stephens.

Helpfully, the cached version of Andrewstephens.org lists a contact email address at the top of the page: stephensboy@gmail.com (“Stephensboy” is the short/informal name of the Andrew J. Stephens LinkedIn profile). A historic domain registration record lookup purchased from Domaintools.com shows that same email address was used to register more than two dozen domains, including stophaus.org and stopthehaus.org. Other domains and businesses registered by that email include (hyperlinked domains below link to archive.org versions of the site):

-“blackhatwebhost.com“;
-“bphostingservers.com” (“BP” is a common abbreviation for “bulletproof hosting” services sold to -spammers and malware purveyors);
-“conveyemail.com”;
-“datapacketz.com” (another spam software product produced and marketed by Stephens);
-“emailbulksend.com”;
-“emailbulk.info”;
-“escrubber.info” (tools to scrub spam email lists of dummy or decoy addresses used by anti-spam companies);
-“esender.biz”;
-“ensender.us”;
-“quicksendemail.com“;
-“transmitemail.com”.

The physical address on many of the original registration records for the site names listed above show an address for one Michelle Kellison. The incorporation records for the Church of Common Good filed with the Florida Secretary of State list a Michelle Kellison as the registered agent for that organization.

Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.

Rodney Joffe, senior vice president and senior technologist at Neustar –a security company that also helps clients weather huge online attacks — estimates that there are approximately 25 million misconfigured or antiquated home and business routers that can be abused in these digital sieges. From the book:

Most of these are home routers supplied by ISPs or misconfigured business routers, but a great many of the devices are at ISPs in developing countries or at Internet providers that see no economic upside to spending money for the greater good of the Internet.

“In almost all cases, it’s an option that’s configurable by the ISP, but you have to get the ISP to do it,” Joffe said. “Many of these ISPs are on very thin margins and have no interest in going through the process of protecting their end users— or the rest of the Internet’s users, for that matter.”

And therein lies the problem. Not long ago, if a spammer or hacker wanted to launch a massive Internet attack, he had to assemble a huge botnet that included legions of hacked PCs. These days, such an attacker need not build such a huge bot army. Armed with just a few hundred bot- infected PCs, Joffe said, attackers today can take down nearly any target on the Internet, thanks to the millions of misconfigured Internet routers that are ready to be conscripted into the attack at a moment’s notice.

“If the bad guys launch an attack, they might start off by abusing 20,000 of these misconfigured servers, and if the target is still up and online, they’ll increase it to 50,000,” Joffe said. “In most cases, they only need to go to 100,000 to take the bigger sites offline, but there are 25 million of these available.”

If you run a network of any appreciable size, have a look for your Internet addresses in the Open Resolver Project, which includes a searchable index of some 32 million poorly configured or outdated device addresses that can be abused to launch these very damaging large-scale attacks.

‘Security by Antiquity’ Bricks Payment Terminals

vendredi 12 décembre 2014 à 17:12

Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves.

Hypercom L4250 payment terminal.

Hypercom L4250 payment terminal.

On Dec. 7, 2014, certain older model payment terminals made by Hypercom stopped working due to the expiration of a cryptographic certificate used in the devices, according to Scottsdale, Ariz.-based Equinox Payments, the company that owns the Hypercom brand.

“The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal,” said Stuart Taylor, vice president of payment solutions at Equinox. “The certificate was created in 2004 with a 10 year expiry date.”

Taylor said Equinox is now working with customers, distributors and channel partners to replace the certificate to return terminals to an operational state. The company is pointing affected customers who still need assistance to this certificate expiry help page.

“Many of these terminals have been successfully updated in the field,” Taylor said. “Unfortunately, a subset of them can’t be fixed in the field which means they’ll need to be sent to our repair facility.  We are working with our customers and distribution partners to track down where these terminals are and will provide whatever assistance we can to minimize any disruption as a result of this matter.”

According to two different merchants impacted by the incident that reached out to KrebsOnSecurity, the bricking of these payment terminals occurs only after the affected devices (in the 4x version of the terminals) are power-cycled or rebooted, which some merchants do daily.

Michael Rochette, vice president at Spencer Technologies, a Northborough, Mass.-based technology installation and support company, said his firm heard last week from an East Coast supermarket chain that opened for business on Monday morning only to find all of their payment terminals unresponsive. Rochette said that the supermarket chain and other retailers impacted by the incident across the country were immediately worried that the incident was part of a hacker attack on their payment infrastructure.

“Not all stores power cycle overnight, but for those that do, they came up all blank and inoperative,” Rochette said. “If that’s something that a retail chain does as a matter of policy across a whole chain of stores, that can be pretty damaging.”

One retailer that contacted KrebsOnSecurity but asked to remain anonymous said technicians at its locations had spent three days trying without success to restore the devices.

“I use two different generations of their terminals and have spent the last three days trying to understand completely why I had zero impact,” a reader from the retailer said. “Mass extinction of my POS devices at the manufacturer level was never on my list of scenarios that would wreck my day at retail.  It is now.”

While designing your products so that they fail after 10 years seems like a less than brilliant idea, this incident is a reminder of just how much of the payments infrastructure in the United States relies on rapidly aging technology.

According to Rochette, at least one of the affected Hypercom devices is no longer allowed to be used in retail installations after 2014, per sunset provisions set out by the PCI Council, an industry group that sets security standards for payment systems. Other Hypercom models affected by this incident are perfectly acceptable to use for years to come.

As for why Equinox failed to warn its customers of the impending meltdown of these payment terminals? Rochette posits that it might have something to do with Hypercom’s rocky corporate history.

“I’ve never seen this before where a particular product all crashed on the same day, and as far as I can tell there was no advance warning about this from Equinox,” Rochette said. “Over the last few years, they were Hypercom, then part of Equinox, then part of Verifone for a while, so I suspect there’s been a lot of turnover in personnel there, and frankly they just lost sight of the fact that they had a pretty important expiration date coming.”

‘Poodle’ Bug Returns, Bites Big Bank Sites

jeudi 11 décembre 2014 à 19:06

Many of the nation’s top banks, investment firms and credit providers are vulnerable to a newly-discovered twist on a known security flaw that exposes Web site traffic to eavesdropping. The discovery has prompted renewed warnings from the U.S. Department of Homeland Security advising vulnerable Web site owners to address the flaw as quickly as possible.

chasepoodleIn mid-October, the world learned about “POODLE,” an innocuous acronym for a serious security flaw in a specific version (version 3.0) of Secure Sockets Layer (SSL), the technology that most commercial Web sites use to protect the privacy and security of communications with customers.

When you visit a site that begins with “https://” you can be sure that the data that gets transmitted between that site and your browser cannot be read by anyone else. That is, unless those sites are still allowing traffic over SSL 3.0, in which case an attacker could exploit the POODLE bug to decrypt and extract information from inside an encrypted transaction — including passwords, cookies and other data that can be used to impersonate the legitimate user.

On Dec. 8, researchers found that the POODLE flaw also extends to certain versions of a widely used SSL-like encryption standard known as TLS (short for Transport Layer Security).

“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute,” wrote Ivan Ristic, director of engineering at security firm Qualys, which made available online a free scanning tool that evaluates Web sites for the presence of the POODLE vulnerability, among other problems. “The main target are browsers, because the attacker must inject malicious JavaScript to initiate the attack.”

A cursory review using Qualys’s SSL/TLS scanning tool indicates that the Web sites for some of the world’s largest financial institutions are vulnerable to the new POODLE bug, including Bank of AmericaChase.comCitibankHSBC, Suntrust — as well as retirement and investment giants Fidelity.com and Vanguard (click links to see report). Dozens of sites offering consumer credit protection and other services run by Experian also are vulnerable, according to SSL Labs. Qualys estimates that about 10 percent of Web servers are vulnerable to the POODLE attack against TLS.

According to an advisory from the U.S. Computer Emergency Readiness Team (US-CERT), a partnership run in conjunction with the U.S. Department of Homeland Security, although there is currently no fix for the vulnerability SSL 3.0 itself, disabling SSL 3.0 support in Web applications is the most viable solution currently available. US-CERT notes that some of the same researchers who discovered the Poodle vulnerability also developed a fix for the TLS-related issues.

Until vulnerable sites patch the issue, there isn’t a lot that regular users can do to protect themselves from this bug, aside from exercising some restraint when faced with the desire to log in to banking and other sensitive sites over untrusted networks, such as public Wi-Fi hotspots.

 

Error happened! 0 - SQLite3::exec(): database disk image is malformed In: /home/cochisebee/www/autoblog/autoblogs/autoblog.php:285 http://autoblog.cochi.se/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/?99 #0 [internal function]: exception_error_handler(2, 'SQLite3::exec()...', '/home/cochisebe...', 285, Array) #1 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(285): SQLite3->exec('INSERT INTO art...') #2 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(418): VroumVroum_Blog->insertOrUpdateArticle('https://krebson...', 'Chinese Antivir...', 'https://krebson...', 1600380201, '

The ...') #3 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(932): VroumVroum_Blog->update() #4 /home/cochisebee/www/autoblog/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/index.php(1): require_once('/home/cochisebe...') #5 {main}