Internet Domain Registry


Sunday, 17 July 2011

My Friend's Been Hacked!

Posted on 04:42 by Unknown
Have you ever received an email like this?



Subject: RE: URGENT RESPOND NEEDED

Hello,
I am sorry I didn't inform you about my traveling to Europe for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Europe which are Dublin,Scotland and England,I am persently in England,London.

I misplaced my wallet on my way to the hotel where my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $2,800 US Dollars to sort-out my hotel bills and get myself back home.

I will appreciate whatever you can afford to send the money today.i'll pay you back as soon as i return,Let me know if you can assist. please use this information to send the money to me.I wait your quickly respond



I posted a copy of that email on my blog in February of 2009 (See: Traveler Scams: Email Phishers Newest Scam). Since that time ALMOST EVERY DAY I receive an email from someone thanking me for my post and telling me that one of their friends seems to have fallen victim. Then they say "What do I do next?"

Normally I tell them they need to contact their friend and have their friend report to their email provider that they have had their password stolen.

Please note that this is DIFFERENT from just getting a weird email that says it came from a friend. In this traveler scam, if you reply to the email, the bad guy will often reply with personal information about you "that only your friend could know." That's because they are actually in your friend's email account reading emails from you to try to find a way to convince you to wire them money.

Another indicator that someone may have had their email hacked is when there are several people on the "To:" or "CC:" line that you know your friend knows. When spammers randomly forge a "from" address, it doesn't necessarily mean they have stolen your friend's password, but when SEVERAL of your friend's acquaintances are in the "To:" line, it means the criminal has access to your friend's address book or email messages.

Hotmail: My Friend's Been Hacked!


Microsoft has just announced this week a new way that you can help your friend (if both of you use hotmail.) Dick Craddock writes in the "Inside Windows Live" blog on July 14th, Hey! My Friend's Account Was Hacked! about a new feature that is being offered to hotmail and live.com customers.

With the new feature, when you are reading the offending email, you can pull down the "Mark As" menu and choose "My Friend's Been Hacked!":



When you take the time to mark the message like that, it sends a high priority request to Microsoft to put this account "on hold." Now, there have to be some OTHER circumstances true as well; you can't use this just to cause trouble for people who annoy you, but when your report is combined with other factors about your friend's email usage -- such as sending an unusually high number of messages, or logging in from an IP in another country -- the account will be placed on hold.

That immediately stops the criminal from being able to use the account to send spam, AND lets your friend begin an Account Recovery Process the next time they try to log in.

Yahoo! and Gmail?


What if your friend doesn't use Hotmail?

Microsoft has now begun pushing the "My Friend's Been Hacked!" reports to Yahoo! and Gmail as well. So if YOU are a hotmail user and your hacked friend is using Yahoo! or Gmail, using the reporting mechanism on hotmail will still send an alert to Yahoo! or Google and let them know about the suspicious email you've received.

Hopefully this will become a new industry standard practice and we'll be able to send reports from any of our mail clients!

Here's some advice from other providers on what to do if a friend seems to be compromised:

- Gmail: Report A Security Problem

- Google: How to Recover Your Email Account

- Facebook Security

- Yahoo! Account Helper

(If you have a suggestion of a better link, please let me know . . .)

Friday, 15 July 2011

FBI + Romanian DIICOT = 117 Search warrants and 100+ arrests

Posted on 09:26 by Unknown
In one of the largest international cybercrime enforcement actions in history, the FBI and the Romanian DIICOT (Directorate for Investigating Infractions of Organized Crime and Terrorism) have performed at least 117 searches and arrested 21 in America and more than 90 in Romania.

All across Romania, scenes such as this were being conducted:







The Romanian news source that provided the photos above shared this quote from Adrian Hood, Chief Prosecutor of DIICOT, Craiova Territorial Service:

"Specifically, defendants are charged for activities from 2009 to 2011 involving posting notices of sale of fictitious, non-existent goods such as cars, motorcycles, boats, and electronics on e-commerce platforms such as www.eBay.com and www.craigslist.org through advertisements made with false information."

(See the Original story for the Romanian original of that quote.)

The FBI has issued a press release on the matter today, Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement.

The case centers on criminals in Romania who would post luxury items and vehicles for sale on Internet auction websites, such as eBay. They would then instruct the potential buyer that for safety of the transaction they would be using an escrow service and provide them instructions to wire the funds to the escrow service, rather than making their payment through the auction company. US-based co-conspirators would then go pick up the money from American bank accounts. These intermediaries are called "money mules" in the US, but in Romanian cybercrime parlance they are referred to as "arrows."

According to the FBI Press Release . . . "Since May 2010, the FBI and the U.S. Attorney’s Office for the Southern District of Florida have arrested and prosecuted numerous individuals from Romania, Moldova and the United States allegedly involved in this fraud scheme. Vadim Gherghelejiu, 29, of Moldova; Anatolie Bisericanu, 25, of Moldova; Jairo Osorno, 22, of Surfside, Fla.; Jason Eibinder, 22, of Sunny Isles Beach, Fla.; and Ciprian Jdera, 25, of Romania, have been convicted in the Southern District of Florida of conspiracy to commit wire fraud."

On February 22, 2010, a Miami court returned an indictment against "Pedro Pulido, 41, of Pembroke Pines, Fla.; Ivan Boris Barkovic, 19, of Sunny Isles Beach; Beand Dorsainville, 20, of North Miami Beach, Fla.; Sergiu Petrov, aka “Serogia,” 27, of Moldova; Oleg Virlan, 32, of Moldova; Marian Cristea, 22, of Romania; and Andrian Olarita, 26, of Moldova, with conspiracy to commit wire fraud and substantive counts of wire fraud. Pulido, Barkovic, Dorsainville and Olarita have pleaded guilty to conspiracy to commit wire fraud. Petrov, Virlan and Cristea remain at large and are considered fugitives."

Romanian news is buzzing today with news of many search warrants being issued all over Romania.

FBI Searches Romania - 20 million dollars stolen by hackers in eight countries

Photographers were present at many of today's Romanian arrests . . .

Here a dentist, Horace Balanescu, and his wife are being arrested in Bumbesti-Jiu, Romania:



(photos from "adevarul.ro")

Romanian news says that there were more than 1,000 victims who collectively lost more than $20 million USD.

We'll have more details here in the near future . . .

Congratulations to all of the fine agents in Romania and the FBI who took part in this historic arrest, and to those at eBay and Craigslist and other companies who assisted with information.

Saturday, 25 June 2011

A New Car! (or Zeus spam Campaign)

Posted on 06:11 by Unknown
If you believe my email today, everyone is getting a new car but me.



There are actually many different spam message subjects that make up this campaign. Those like the one above use a random person's name in the subject line, like these:

Remember [name]?
It's [name]'s new car!
Saw new [name]'s car?
Do you remember [name]?

There were also quite a few "non-random" ones. Here's a sampling from yesterday's spam, when we received a total of more than 60,000 emails that are part of this malware distribution campaign:

count | subject
-------+------------------------------------
1398 | info
1389 | Hello
1357 | look
1344 | Hello!
1343 | Hi!
1341 | hello!
1333 | Look!
1328 | hello
1320 | hello.
1314 | Hello.
1305 | hey buddy!
1286 | hi buddy!
1282 | Hey!
590 | Is this your boyfriend?
580 | Do you remember me?
577 | Remember me?
549 | Is This Your Boyfriend?
539 | Is this your girlfriend bro?
538 | Is This Your Girl Bro?
533 | Is This Your Boy?
529 | Is this your boy?
507 | Is this your girl bro?
487 | Is This Your Girlfriend Bro?
482 | Is this your girlfriend buddy?
480 | Is This your Girlfriend?

Those numbers are the count of the email messages we received from that portion of the campaign that pretended to be related to LinkedIn. In the graphic above, you can see that the "From" address is on "live.com" and the "Reply-To" is on "linkedin.com". Actually, neither one of those things was true.

Here are the actual mail headers (although I've redacted a couple things from this one):



In this image, the "fake" values are highlighted in green while the "real" values are highlighted in yellow. This email did NOT come from LinkedIn's IP 63.211.90.176. It really came from 173.200.78.57. (Many hundreds of IPs were used.)

We actually saw this same style of mail-header faking beginning last November, especially during a rampant USAA Phishing campaign where the destination websites were all on '.tk' domains. I didn't focus on that aspect in the story (instead we found the REAL sender IP addresses and wrote about those), partly because at the time I didn't understand how it was possible!
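Here is an added example (my own code, not from the original post) of the rule that lets you find the real sender despite this kind of header faking: only the Received: lines stamped by your own mail server can be trusted, and anything below them arrived inside the message and may be forged. The message is constructed to mirror this campaign; the mx1.example.org MX name, the hostnames and the message IDs are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Hosts whose Received: lines we trust because we operate them. Assumed
# value for this example; substitute your own MX names.
TRUSTED_MX = {"mx1.example.org"}

# Matches the common "from HELO (rdns [ip]) ... by HOST" shape of a
# Received: line; the rdns part is optional ("from HELO ([ip])").
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)

# Constructed message modelled on the campaign above: From on live.com,
# Reply-To on linkedin.com, and a bottom Received: line that claims
# LinkedIn's server handled the mail. Only the first two lines were really
# written by our MX; the second records the connecting IP 173.200.78.57 and
# an rDNS name that does not match the HELO the bot presented.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by mx1.example.org (Postfix) with ESMTP id 1A2B3C for <victim@example.org>; Sat, 25 Jun 2011 06:11:03 -0500
Received: from mail.linkedin.com (173-200-78-57.static.example.net [173.200.78.57]) by mx1.example.org (Postfix) with ESMTPS id 4D5E6F for <victim@example.org>; Sat, 25 Jun 2011 06:11:02 -0500
Received: from mail.linkedin.com (mail.linkedin.com [63.211.90.176]) by mail.linkedin.com with ESMTP id 7G8H9I; Sat, 25 Jun 2011 06:11:00 -0500
From: "LinkedIn" <messages-noreply@live.com>
Reply-To: LinkedIn <invitations@linkedin.com>
To: victim@example.org
Subject: It's Jennifer's new car!

See the photo here.
"""


def parse_received(value):
    """Return the interesting fields of one Received: header, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    d = m.groupdict()
    d["by"] = d["by"].lower().rstrip(".")
    return d


def split_trust(hops):
    """Walk Received: lines newest-first. Lines stamped by our own MX are
    trusted; the first line stamped by anyone else, and everything below
    it, was already inside the message when it reached us."""
    trusted = []
    for i, hop in enumerate(hops):
        if hop["by"] in TRUSTED_MX:
            trusted.append(hop)
        else:
            return trusted, hops[i:]
    return trusted, []


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw):
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    trusted, untrusted = split_trust(hops)
    border = trusted[-1] if trusted else None  # the hop that connected to our MX
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return {
        "real_origin_ip": border["ip"] if border else None,
        # HELO name differing from reverse DNS is a classic bot tell
        "helo_mismatch": bool(border)
        and border["helo"].lower() != (border["rdns"] or "").lower(),
        "unverifiable_ips": [h["ip"] for h in untrusted],
        "unverifiable_hosts": sorted({h["by"] for h in untrusted}),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```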

All of the spam messages listed above, whether they are the "New Car" version or the "Is that Your Boyfriend?" or even the "Hello!" versions, have a common website location being advertised. They use random numbers in the hostname portion of the website address, but they all point to:

arcid_[RND#].oposumcruiser.com/arc/file/

That website looks like this:



UPDATE!!


I've received an update from my friend Steven Burn who runs the websites of Ur I.T. Mate Group. He pointed out to me that even if you don't download the .exe file from this page, you are still at risk just by visiting the site. There is an IFRAME hidden in the source code of the page that directs all visitors to load the Blackhole Exploit Kit from another location. As of this writing that other location is:

http://motorssmonito.com/forum.php?tp=778973f6b2977050

(Visit at your own risk - it WILL try to infect you! )

The excellent folks at UCSB's Wepawet project provide this decoding of the page:

Wepawet decode of the MotorSSMonito blackhole exploit kit

which shows all the little tricks it tries to use to infect you, including loading malicious .jar files, .pdf files, .avi files,


/End Update - Thank you, Mr. Burn!



One of the characteristics of the "Avalanche" botnet that we believed was associated with the USAA phish back in November was that the destination website is "Fast Flux" hosted -- meaning that the IP address is being constantly changed by modifying the nameserver to resolve the domain name to many different locations.

The first time I looked at this website, it was resolving to the IP address 112.71.69.76 in Japan. But when I asked the nameserver for its location, it gave back eight different IP addresses:

80.171.37.243
81.203.1.104
82.159.38.56
85.86.48.130
91.117.147.33
112.71.69.76
114.183.247.117
217.50.208.196

Only a few minutes later when I rechecked, I found the additional IP addresses:

83.213.31.242
90.168.201.126
95.125.232.109
212.225.173.8

all resolving the "oposumcruiser.com" random hostnames.

One of the many projects we have at the UAB Computer Forensics Research Lab is a Fast Flux tracker. Some of the other domains that are currently fluxing on this same space include perfectcheck2011.com, safeyourwork.net, personalsyscheck.com and safetylife2011.org which use the nameservers ns1.lonfd.net and ns1.cazonet.com. Most of those are autoforwarders for pharmaceutical websites such as sportsmedsrxpills.net which purports to be the "Canadian Health & Care Mall".
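As an added example, not part of the original post or of the UAB tracker, here is a small check that applies the fast-flux indicators described above (many addresses, spread across unrelated networks, short TTL, answers changing between lookups) to constructed resolver snapshots built from the addresses quoted in the post. TTLs, timing and the verdict thresholds are assumptions.

```python
import ipaddress

# Constructed resolver snapshots modelled on the oposumcruiser.com lookups
# described above: the first answer set is the eight addresses seen on the
# first check, the second (a few minutes later) adds the four that appeared
# on the recheck. The IPs are the ones quoted in the post; the TTLs and
# timestamps are assumed for this example.
FLUX_SNAPSHOTS = [
    {"t": 0, "ttl": 300, "ips": [
        "80.171.37.243", "81.203.1.104", "82.159.38.56", "85.86.48.130",
        "91.117.147.33", "112.71.69.76", "114.183.247.117", "217.50.208.196"]},
    {"t": 420, "ttl": 300, "ips": [
        "80.171.37.243", "81.203.1.104", "82.159.38.56", "85.86.48.130",
        "91.117.147.33", "112.71.69.76", "114.183.247.117", "217.50.208.196",
        "83.213.31.242", "90.168.201.126", "95.125.232.109", "212.225.173.8"]},
]

# Constructed control: a conventionally hosted name that always answers
# with one address and a long TTL.
STABLE_SNAPSHOTS = [
    {"t": 0, "ttl": 86400, "ips": ["192.0.2.10"]},
    {"t": 420, "ttl": 86400, "ips": ["192.0.2.10"]},
]


def flux_metrics(snapshots):
    """Summarise a series of A-record answer sets for one name."""
    all_ips = set()
    new_per_check = []  # addresses not present in the previous answer
    prev = set()
    for snap in snapshots:
        cur = set(snap["ips"])
        if prev:
            new_per_check.append(len(cur - prev))
        prev = cur
        all_ips |= cur
    # Count distinct /16 prefixes as a cheap offline proxy for "how many
    # unrelated networks": one hosting provider's addresses cluster, while
    # compromised home machines are scattered across many networks.
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    return {
        "distinct_ips": len(all_ips),
        "distinct_16s": len(nets),
        "min_ttl": min(s["ttl"] for s in snapshots),
        "new_per_check": new_per_check,
    }


def looks_fast_flux(metrics, min_ips=5, min_nets=3, max_ttl=900):
    """Heuristic verdict; the thresholds are illustrative assumptions."""
    return (
        metrics["distinct_ips"] >= min_ips
        and metrics["distinct_16s"] >= min_nets
        and metrics["min_ttl"] <= max_ttl
        and any(n > 0 for n in metrics["new_per_check"])
    )


if __name__ == "__main__":
    for name, snaps in (("oposumcruiser.com", FLUX_SNAPSHOTS),
                        ("stable.example", STABLE_SNAPSHOTS)):
        m = flux_metrics(snaps)
        print(name, m, "FLUX" if looks_fast_flux(m) else "stable")
```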

The fake website offers a download for you as an executable file "archive.exe".

According to the AV products on the VirusTotal website, this is either the Zbot trojan (commonly known as Zeus) or Kazy.



(Click the image to go to the VirusTotal Report for this malware.)

MD5: a653ef80a47f5ec646a2ce0fdbc1068d

Trojan-Spy.Win32.Zbot.buax, Gen:Variant.Kazy.28222, Win32/Spy.Zbot.YW, Trojan/Win32.Zbot

I put the malware in our Malware Analysis VM and watched to see what it would do.

The version of the malware that I self-infected with made DNS calls for the following domains, many of which have not yet been registered.

lrnsxmztnqiomiq.com
rqnorekziuhmsxr.biz
rqnorekziuhmsxr.org
vlolhmcjlpqntm.net
vlolhmcjlpqntm.com
zqpyuykzovrsjw.info
zqpyuykzovrsjw.biz
wzmkrojrutomsg.net
wzmkrojrutomsg.org
nnpgpskekyrtyoq.info
nnpgpskekyrtyoq.com
stqbbjuqsoefcpcq.biz
stqbbjuqsoefcpcq.com
xljpkdlnzniocjpu.info

It also modified many registry keys, primarily related to Outlook Express, which means there was probably going to be some spamming going on if I left the infection up.

The only one of these I can tell that WAS registered was here...using a privacy service.

Domain Name: LRNSXMZTNQIOMIQ.COM

Administrative Contact:
Reinecker, Beverly ap9cm76v4sv@nameprivacy.com
ATTN:
P.O. Box 430 c/o NameSecure
Herndon, VA 20171-430
US
570-708-8782


When it was live, it was hosted on 72.249.171.121.

Also seen on that IP, according to bfk.de, are:

www.realgirlfights.org CNAME realgirlfights.org
lrnsxmztnqiomiq.com A 72.249.171.121
wqonlrwkuswjzmm.net A 72.249.171.121
lmnqnxypfulhgxo.biz A 72.249.171.121
kmxpiylvojgjcus.biz A 72.249.171.121

That IP is Colo4Dallas LP (AS36024) in Dallas, Texas.

Steven Burn provided the following list of related domains, as well as the path which hosts their respective badness. Again, please don't follow these links unless you are a malware researcher in a safe environment.


Monday, 16 May 2011

ACH Spammer switches to Shortened URLs

Posted on 06:41 by Unknown
For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domains in place for a campaign that we have been calling "NACHA Spam".

In this campaign, which we first wrote about in November 2009 (see: Newest Zeus: NACHA Electronic Payments), the criminals send emails suggesting that an Automated Clearing House (ACH) payment has failed. It is thought that this may be a method of screening recipients, as only people who deal with money transfers on a regular basis would be familiar with NACHA as having authority over ACH payments.

In more recent versions of the campaign, including the one we wrote about in March 2011 (see: More ACH Spam from NACHA), we have seen dozens or even hundreds of newly created domain names used to host the malicious content.

Here's a sample of the email body:




The ACH transfer (ID: 1514969569958), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Rejected transaction
Transaction ID: 1514969569958
Reason for rejection See details in the report below
Transaction Report report_1514969569958.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association




This morning's most popular subjects:

count | subject
-------+--------------------------
159 | ACH payment canceled
144 | ACH transfer rejected
143 | ACH payment rejected
143 | Rejected ACH payment
137 | Rejected ACH transaction
137 | ACH Transfer canceled
135 | Rejected ACH transfer
131 | Your ACH transfer
131 | ACH transaction canceled
130 | Your ACH transaction
(10 rows)

count | sender_email
-------+-------------
135 | risk@nacha.org
134 | alerts@nacha.org
134 | risk_manager@nacha.org
133 | alert@nacha.org
133 | admin@nacha.org
129 | transactions@nacha.org
124 | ach@nacha.org
122 | payment@nacha.org
120 | transfers@nacha.org
117 | payments@nacha.org
109 | info@nacha.org
(11 rows)

The "new" feature of today's spam campaign is that the criminals have begun using URL shortening services to do their redirection. Although this is new for the current campaign, we've seen it before. We wrote a technical report on the subject last fall called URL Shorteners Used by Online Drug Dealers.

So far this morning, we've observed 34 different URL shortening services in play on this campaign:

count | machine
-------+-----------------
116 | 2mb.eu
93 | p1nk.me
92 | 80p.eu
92 | mzan.si
90 | linkr.fr
88 | redir.ec
84 | 2.gp
80 | udanax.org
79 | ks.gs
71 | whir.li
71 | qr.net
70 | TinyBP.com
68 | spedr.com
68 | urlzip.fr
66 | tiny.ly
60 | shortn.me
48 | mx.vc
16 | urli.nl
11 | snipurl.com
6 | shrt.st
3 | gd.is
3 | virg10.com
2 | rurls.ru
2 | zipurl.fr
2 | lu2su.net
1 | nutshellurl.com
1 | surl.hu
1 | icy.tsd.to
1 | squeerl.net
1 | 3cm.kz
1 | tuit.in
1 | tqb.qlnk.net
1 | mi13.tk
1 | minu.me
(34 rows)

Some of these are

A full list of the more than 1,000 shortened URLs we've seen follows. Remember, these are MALICIOUS URLs. Don't go there if you aren't trained to deal with this kind of stuff.


(List truncated in interest of space -- for the full list of shortened URLs, click here: ACH.shortened.urls.txt.)

While we haven't followed every link, all that we have followed so far redirected to a fake forum page on mnuyspe.co.be (193.105.121.158) where "drive-by" exploits are attempted.

Wednesday, 4 May 2011

Help stop the Osama bin Laden Videos on Facebook

Posted on 18:15 by Unknown
If you have teenage friends, or friends with poor security practices, you will probably notice that your wall has recently filled up with invitations to watch a video of Osama bin Laden being killed.



The behavior of this particular scam is to cause a link to be posted BY YOU on all of your friends' walls. (There is another popular one going around -- "See Who Viewed Your Profile" -- that behaves in the same way. Facebook confirms that there is no app that can do that, and encourages us to use the "REPORT" feature when we see that.)

If you click the link, many geeky "redirections" (described at end of article) happen before you end up on a page that looks like this:



The danger starts if you click "Watch Video". DON'T DO IT!

While it would be interesting to explore the Cross Site Scripting vulnerability that allows this to happen, the more important thing to share is "what should a Facebook user who sees this activity do about this offending post on their wall?"

Whenever you see something objectionable on your wall, the thing to do is REPORT IT!

Hover your mouse over a message on your wall, and a grey "X" will appear at the top right of the message.



When you click the "X" by the top right corner of the wall post, you are presented with a drop-down menu. We're going to choose the bottom item -- "Report As Abuse".



Since the post is not "about me", we go to the lower section and choose "Spam or scam".




When we click "OK" we get an option to block the user. Since this is an innocent mistake by our friend, we don't want to "block" the friend, so just check the bottom box that says "Report to Facebook." If our friend is the sort of helpless, clueless individual that clicks on everything they see, eventually we would want to block this friend.



We get a nice "Thank you" from our friends at Facebook Security! These really help the team! They get the messages and use them to prioritize what things need to be addressed. If many reports are received for the same link, or about the same user, those things get addressed more quickly. Different types of reports go to different sub-groups so just because they are busy helping fight something like today's report doesn't mean that they ignore cyber-bullying.

Facebook WANTS YOU to report things that bother you. That's how they keep a clean neighborhood.

Help them help you. REPORT SCAMS!

Then take a moment more and send your friend a friendly message letting them know what's going on. They might want to let the rest of their friends know.

Facebook security has several recommendations, including a couple that I honestly wouldn't have thought of. (I'll put those first)


  1. Unlike the page which tricked you into showing fake video and report them immediately to Facebook. -- in addition to posting the message to your friends' walls, this tricky Facebook worm causes you to "Like" its page. The more "Likes" a page has, the more people are convinced it's real, so it is helpful to go "UNLIKE" the page. (if you've liked it, it will be a choice on the left side menu.)

  2. If a friend is posting suspicious messages to your wall, they may have malicious software on their computer, or may have clicked something bad themselves. Facebook Help says the best thing to do is tell your friend to contact Facebook Help.

  3. If YOU are the one posting the message, this Facebook Help post is for you: Wall posts were sent from my account, and I didn’t send them. It has helpful hints about anti-virus, not clicking on spam, and how to reset your password.

  4. Have up-to-date anti-virus software

  5. Keep an eye out for messages that often feature misspellings, poor grammar and nonstandard English. If it doesn't look like a message your friend would type, REPORT IT! It may be related to malware or a malicious app that is using your friend's account!

  6. Do not open spam mails, including clicking links contained within those messages.

  7. Don’t copy and paste any scripts in your Facebook profile. Several scams have worked by encouraging you to paste something odd in your profile. Some of those scripts install apps, grant permissions, or make you do things you wouldn't want to do!

  8. If you’re using Chrome, make sure you don’t paste any scripts in your browser bar, as the browser tries to preload anything you type in the ‘awesome’ bar.




Geek Alert!

Here's an example stream of what happens if you click one of these links ...
In this case, the link is going to pass through several rounds of redirection, which we can see by doing a "wget" of the destination URL. A "301" response tells your browser to move on to another web address without really adding any new content.

In the top example, the destination URL is tinyurl.com/3b8uayr

wget http://tinyurl.com/3b8uayr
Resolving tinyurl.com... 64.62.243.89, 64.62.243.90
Connecting to tinyurl.com|64.62.243.89|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://zamakoko.mo.tl/ [following]
--19:51:27-- http://zamakoko.mo.tl/
=> `index.html'
Resolving zamakoko.mo.tl... 174.122.44.67
Connecting to zamakoko.mo.tl|174.122.44.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://on.fb.me/jM9tNF [following]
--19:51:47-- http://on.fb.me/jM9tNF
=> `jM9tNF'
Resolving on.fb.me... 168.143.174.97
Connecting to on.fb.me|168.143.174.97|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.facebook.com/pages/0sama-tape/121566207922629 [following]
--19:51:59-- http://www.facebook.com/pages/0sama-tape/121566207922629
=> `121566207922629'
Resolving www.facebook.com... 69.63.189.16
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.facebook.com/common/browser.php [following]
--19:52:05-- http://www.facebook.com/common/browser.php
=> `browser.php'
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 11,771 --.--K/s
19:52:24 (1.40 MB/s) - `browser.php' saved [11771]

Which leaves us sitting here:
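As an added example (my own code, not part of the original post), the same hop-by-hop tracing done in Python with HEAD requests, so no page body from any hop is fetched or rendered, and with a loop guard and a hop limit. The fixture reproduces the hop sequence from the wget session above; the loop-a/loop-b hosts and the User-Agent string are made up.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url, timeout=10):
    """One HEAD request; returns (status, Location) and never follows it.
    No response body is requested, so nothing from the hop is executed."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    try:
        path = (p.path or "/") + (f"?{p.query}" if p.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "redirect-tracer/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace(url, fetch=http_head, max_hops=10):
    """Follow 3xx hops one at a time, recording every URL, and stop on a
    non-redirect answer, a loop, or too many hops."""
    chain = [url]
    seen = {url}
    while True:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final_status": status, "stopped": "end"}
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return {"chain": chain + [nxt], "final_status": status, "stopped": "loop"}
        if len(chain) >= max_hops:
            return {"chain": chain + [nxt], "final_status": status, "stopped": "max_hops"}
        seen.add(nxt)
        chain.append(nxt)


def hosts(result):
    """Distinct hostnames in the order they were visited."""
    out = []
    for u in result["chain"]:
        h = urlsplit(u).hostname
        if h not in out:
            out.append(h)
    return out


# Constructed stand-in for the network, reproducing the hop sequence shown
# in the wget session above; the last entry answers 200 with no Location.
FIXTURE = {
    "http://tinyurl.com/3b8uayr": (301, "http://zamakoko.mo.tl/"),
    "http://zamakoko.mo.tl/": (301, "http://on.fb.me/jM9tNF"),
    "http://on.fb.me/jM9tNF": (301, "http://www.facebook.com/pages/0sama-tape/121566207922629"),
    "http://www.facebook.com/pages/0sama-tape/121566207922629": (302, "http://www.facebook.com/common/browser.php"),
    "http://www.facebook.com/common/browser.php": (200, None),
    # constructed two-node loop, to exercise the loop guard
    "http://loop-a.example/": (302, "http://loop-b.example/"),
    "http://loop-b.example/": (302, "http://loop-a.example/"),
}


def fixture_fetch(url):
    return FIXTURE.get(url, (404, None))


if __name__ == "__main__":
    for u in ("http://tinyurl.com/3b8uayr", "http://loop-a.example/"):
        r = trace(u, fetch=fixture_fetch)
        print(r["stopped"], r["final_status"], " -> ".join(r["chain"]))
```

Pass `fetch=http_head` (the default) to trace a live link from an isolated analysis host.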


Wednesday, 13 April 2011

Bold FBI Move Shutters COREFLOOD Bot

Posted on 21:25 by Unknown
In February 2005, John Leyden told the story of Joe Lopez, a 42-year-old businessman in Miami, Florida, who sued his bank after having $90,348 wired out of his account to Parex Bank in Riga, Latvia. The US Secret Service examined his computer and found that his system was infected with the Coreflood trojan.

Where did the money go? According to USA Today's Byron Acohido, someone named Yanson Arnold withdrew $20,000 of the money three days later.

The story was featured on NBC Nightly News on December 14, 2004, in a story called The Fleecing Of America which indicated the money had been stolen via the CoreFlood Virus.

In June of 2008, Joe Stewart, International Grandmaster of Malware Reverse Engineering, released a report called Coreflood/AFcore Trojan Analysis. He started his report by calling attention to five highlights:

1. One of the oldest botnets in continuous operation (+6 years)
2. Motive turned from DDoS to selling anonymity services to full-fledged bank fraud
3. Entire Windows domains infected at once (thousands of computers at some organizations)
4. Over 378,000 computers infected during 16-month time frame
5. Infected businesses, hospitals, government organizations, and even a state police agency

When Joe worked with Spamhaus back then to investigate an active C&C, they found FIFTY GIGABYTES of compressed data, stolen over the course of two years, with a MySQL database that the criminal was using to track which information it had stolen from 378,758 unique bots over a period of 16 months. At one point, Joe's report shows "a major hotel chain" with over 7,000 infected computers, and a State Police agency with over 110 infected computers! Among the data stolen were 8,485 bank passwords, 3,233 credit card passwords, 151,000 email passwords, and 58,391 social networking site passwords. At that time, in 2008, the controller domains were: mcupdate.net, joy4host.com, and antrexhost.com.

Here we are in April 2011 -- almost three years later, and "antrexhost.com" is still an active C&C domain for the botnet, which is still stealing money, despite being featured on NBC Nightly News, USA Today, and discussed by name by the White House's Howard Schmidt.

All of that may have come to an end today, as announced by today's FBI Press Release, whose headline was Department of Justice Takes Action to Disable International Botnet. The botnet in question is known as Coreflood, and according to court papers released by the FBI's New Haven Field Office, a pair of Command & Control servers, located at 207.210.74.74 and 74.63.232.233, were controlling 2,336,542 infected computers as of February 2010. Of those, 1,853,005 were located in the United States.

207.210.74.74 is a server on the Global Net Access system that hosted a domain called jane.unreadmsg.net. vaccina.medinnovation.org was the C&C name on 74.63.232.233.


From the request for a Temporary Restraining Order filed by Assistant US Attorney Edward Chang:

12. The Coreflood Botnet was used, among other things, to commit financial fraud. Infected computers in the Coreflood Botnet automatically recorded the keystrokes and Internet communications of unsuspecting users, including online banking credentials and passwords. The stolen data was then sent to one or more Coreflood C&C servers, where it was stored for review by the Defendants and their co-conspirators. The Coreflood C&C servers also stored the network and operating system characteristics of the infected computers. The Defendants and their co-conspirators used the stolen data, including online banking credentials and passwords, to direct fraudulent wire transfers from the bank accounts of their victims.

13. The victims of the fraud scheme described above included, inter alia:

a. A real estate company in Michigan, from whose bank account there were fraudulent wire transfers made in a total amount of approximately $115,771;

b. A law firm in South Carolina, from whose bank account there were fraudulent wire transfers made in a total amount of approximately $78,421;

c. An investment company in North Carolina, from whose bank account there were fraudulent wire transfers made in a total amount of approximately $151,201; and

d. A defense contractor in Tennessee, from whose bank account there were fraudulent wire transfers attempted in a total amount of approximately $934,528, resulting in an actual loss of approximately $241,866.

The full extent of the financial loss caused by the Coreflood Botnet is not known, due in part to the large number of infected computers and the quantity of stolen data.



Here are some of the hostnames that were used by Coreflood -- some dates are in the future, indicating that the bot had the ability to change to new names over time, to prevent just the sort of shutdown that occurred today:


C&C SERVER ASSIGNED 207.210.74.74

Month   | Primary Domain           | Alternate Domain
--------+--------------------------+----------------------------
1/2011  | a-gps.vip-studions.net   | old.antrexhost.com
2/2011  | dru.realgoday.net        | marker.antrexhost.com
3/2011  | brew.fishbonetree.biz    | spamblocker.antrexhost.com
4/2011  | jane.unreadmsg.net       | ads.antrexhost.com
5/2011  | exchange.stafilocox.net  | cafe.antrexhost.com
6/2011  | ns1.diplodoger.com       | coffeeshop.antrexhost.com
7/2011  | a-gps.vip-studions.net   | old.antrexhost.com
8/2011  | dru.realgoday.net        | marker.antrexhost.com
9/2011  | brew.fishbonetree.biz    | spamblocker.antrexhost.com
10/2011 | jane.unreadmsg.net       | ads.antrexhost.com
11/2011 | exchange.stafilocox.net  | cafe.antrexhost.com
12/2011 | ns1.diplodoger.com       | coffeeshop.antrexhost.com

C&C SERVER ASSIGNED 74.63.232.233

Month   | Primary Domain                 | Alternate Domain
--------+--------------------------------+-------------------------------
1/2011  | taxadvice.ehostville.com       | taxfree.nethostplus.net
2/2011  | ticket.hostnetline.com         | accounts.nethostplus.net
3/2011  | flu.medicalcarenews.org        | logon.nethostplus.net
4/2011  | vaccina.medinnovation.org      | imap.nethostplus.net
5/2011  | ipadnews.netwebplus.net        | onlinebooking.nethostplus.net
6/2011  | acdsee.licensevalidate.net     | imap.nethostplus.net
7/2011  | wellness.hostfields.net        | pop3.nethostplus.net
8/2011  | savupdate.licensevalidate.net  | schedules.nethostplus.net
9/2011  | wiki.hostfields.net            | mediastream.nethostplus.net
10/2011 | taxadvice.ehostville.com       | taxfree.nethostplus.net
11/2011 | ticket.hostnetline.com         | accounts.nethostplus.net
12/2011 | flu.medicalcarenews.org        | logon.nethostplus.net


In addition to the affidavit for the TRO, FBI Special Agent Kenneth Keller got a most unusual Seizure Warrant. With the warrant, they requested that the court compel the Registrars of the 24 domain names posted above to change the DNS settings for the servers, so that they would resolve to SINKHOLE-00.SHADOWSERVER.ORG and SINKHOLE-01.SHADOWSERVER.ORG.

To maximize the difficulty of taking down this bot, the criminal spread his domain registrations all over the world. He used Wild West Domains (US-AZ), Above.com (of Australia), Big Rock Solutions (of Mumbai), LiquidNet (UK), Network Solutions (US-Virginia), Active Registrar (Singapore), 1&1 Internet (Germany), Tucows (Toronto), Dotster (US-Washington), MyDomain, Inc (US-Washington), DomainRegistry.com (US-New Jersey), Melbourne IT (which is Yahoo!'s registrar of choice), Mesh Digital (UK), Misk.com (US-NY), Moniker (US-Florida), and Directi (India).

Obviously a US court order has little impact in Mumbai or Singapore, so it was important to get this done when the "active" domains were US-based.

A "sinkhole" in the cyber security world is a technique for causing bots that are trying to talk to a criminal server to instead talk to a computer owned by a researcher or investigator. It's a great way both to measure levels of infection and to prevent the bad guy from talking to his bots.

In this case, though, the sinkhole went beyond that. Here comes the cool part from this Temporary Restraining Order issued by the Honorable (and very smart!) Vanessa L. Bryant.
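As an added example (not code from the original post or from the investigators), the following Python script shows what a sinkhole operator does with the traffic once domains like the ones listed above resolve to a machine the operator controls: it parses access-log lines, counts distinct source addresses per requested hostname (the infection measurement), and checks each hostname against the month-by-month schedule listed above for the 207.210.74.74 server, so that a request can be recognised as the bot following its rotation rather than stray traffic. The log lines, the request path and the log format are constructed for the example; only the domain schedule comes from the post.

```python
"""
Summarising sinkhole traffic (added example, not from the original post).

Once the C&C domains resolve to a sinkhole, every beacon from an infected
machine arrives at a server the investigators control. Counting distinct
source addresses per requested hostname measures the infection; comparing
the hostname against the bot's month-by-month schedule confirms that the
request matches the bot's rotation for that month.
"""
import re
from collections import defaultdict
from datetime import datetime

# Month -> (primary, alternate) for the 207.210.74.74 C&C, taken from the
# post's table. The six-entry cycle repeats for months 7-12 of 2011.
SCHEDULE_207 = {
    1: ("a-gps.vip-studions.net", "old.antrexhost.com"),
    2: ("dru.realgoday.net", "marker.antrexhost.com"),
    3: ("brew.fishbonetree.biz", "spamblocker.antrexhost.com"),
    4: ("jane.unreadmsg.net", "ads.antrexhost.com"),
    5: ("exchange.stafilocox.net", "cafe.antrexhost.com"),
    6: ("ns1.diplodoger.com", "coffeeshop.antrexhost.com"),
}


def scheduled_domains(when):
    """Domains the bot is scheduled to use in the calendar month of `when`."""
    return SCHEDULE_207[(when.month - 1) % 6 + 1]


# Constructed access-log format: client IP, timestamp, request line,
# status, size, and the Host header the client asked for. The request path
# is invented for the example and is not Coreflood's real beacon.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ "(?P<host>[^"]*)"$'
)
SAMPLE_LOG = """\
198.51.100.7 [13/Apr/2011:02:11:09 +0000] "POST /cgi-bin/cfg HTTP/1.1" 200 0 "jane.unreadmsg.net"
198.51.100.7 [13/Apr/2011:02:41:10 +0000] "POST /cgi-bin/cfg HTTP/1.1" 200 0 "jane.unreadmsg.net"
203.0.113.42 [13/Apr/2011:02:12:55 +0000] "POST /cgi-bin/cfg HTTP/1.1" 200 0 "ads.antrexhost.com"
203.0.113.43 [13/Apr/2011:03:01:00 +0000] "GET / HTTP/1.1" 200 0 "jane.unreadmsg.net"
192.0.2.9 [13/Apr/2011:03:07:21 +0000] "GET /robots.txt HTTP/1.1" 200 0 "brew.fishbonetree.biz"
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "host": m["host"].lower(), "req": m["req"]}


def summarise(log_text):
    """Return {hostname: {"unique_ips": n, "on_schedule": bool}} for a sinkhole log.

    unique_ips counts distinct client addresses (a rough infection count;
    NAT hides machines behind one address). on_schedule is True when the
    hostname is one the bot should be contacting in that calendar month.
    """
    ips_by_host = defaultdict(set)
    on_schedule = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ips_by_host[rec["host"]].add(rec["ip"])
        on_schedule[rec["host"]] = rec["host"] in scheduled_domains(rec["ts"])
    return {
        host: {"unique_ips": len(ips), "on_schedule": on_schedule[host]}
        for host, ips in ips_by_host.items()
    }


if __name__ == "__main__":
    for host, info in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{host:28} infected hosts={info['unique_ips']} "
              f"on_schedule={info['on_schedule']}")
```

The on-schedule check is what lets an operator tell the bot population apart from scanners and curious visitors who also end up at a well-known sinkhole; the repeating six-month cycle in the table is why the lookup wraps with a modulus.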

WHEREAS the Government has shown good cause to believe: (a) that hundreds of thousands of computers are infected by Coreflood, known collectively as the "Coreflood Botnet"; (b) that the computers infected by Coreflood can be remotely controlled by the Defendants, using certain computer servers known as the "Coreflood C&C Servers" and certain Domains"; (c) that, on or about April 12, 2011, the Government will execute seizure warrants for the Coreflood C&C Servers and the Coreflood Domains; (d) that the Government's seizure of the Coreflood C&C Servers and the Coreflood Domains will leave the infected computers still running Coreflood; (e) that allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions; and (f) that it is feasible to stop Coreflood from running on infected computers by establishing a substitute command and control server;

WHEREAS the Coreflood Domains are listed in Schedule A, together with the corresponding registry, registrar, and domain name service ("DNS") provider (collectively, the "Domain Service Providers") used by the Defendants with respect to each of the Coreflood Domains;

WHEREAS the Government has shown good cause to believe that: (a) it is reasonably likely that the Government can show that the Defendants are committing wire fraud and bank fraud and are engaging in unauthorized interception of electronic communications, as alleged; (b) it is reasonably likely that the Government can show a continuing and substantial injury to a class of persons, viz., the owners and users of computers infected by Coreflood; and (c) it is reasonably likely that the Government can show that the requested restraining order will prevent or ameliorate injury to that class of persons;

(etc...)

Pursuant to the authority granted by 28 U.S.C. § 566, the United States Marshal for the District of Connecticut ("USMS") shall execute and enforce this Order, with the assistance of the Federal Bureau of Investigation ("FBI") if needed, by establishing a substitute server at the Internet Systems Consortium...that will respond to requests addressed to the Coreflood Domains by issuing instructions that will cause the Coreflood software on infected computers to stop running, subject to the limitation that such instructions shall be issued only to computers reasonably determined to be in the United States.


The Restraining Order gave blanket permission for anything that was using the DNS servers "NS1.CYBERWATCHFLOOR.COM" (204.74.66.143) or "NS1.CYBERWATCHFLOOR.COM" (204.74.67.143) to instead point to Special Agent Kenneth Keller's server 149.20.51.124.




Of course, some people may not want the Department of Justice telling their computer what to do. Because of that possibility, the FBI Press Release offers the option:

The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to "opt out" from the TRO, if for some reason they want to keep Coreflood running on their computers.

Friday, 8 April 2011

The Epsilon Phishing Model

Posted on 08:17 by Unknown
There is a saying "if you give a man a fish, he'll eat for a day, but if you teach a man to fish, he can feed himself for a lifetime."

In the case of the Epsilon email breach the saying might be "if you teach a man to be phished, he'll be a victim for a lifetime."

In order to illustrate my point, let's look at a few of the security flaws in the business model of email-based marketing, using Epsilon Interactive and their communications as some examples.

NOTE: Epsilon has released another Press Release to assure the public that no Personally Identifiable Information was released. The point of this article is not to argue that point, but rather to say there is something flawed in training users to click on links in emails.

Targeted Mailing Lists Help Avoid Detection



One of the advantages to phishers in using destination email addresses from the Epsilon Breach is that it helps keep their emails out of the hands of the security research and anti-phishing communities. Phishers, especially the less-skilled ones, tend to buy or steal large email address lists. Many researchers and anti-phishers (including us!) have managed to get their "spam-trap" email addresses onto those lists, which gives us visibility into spam campaigns. At UAB, as an example, we receive more than a million spam email messages each day. Some of these emails are phishing emails, which we then share with law enforcement and our strategic partners. Using a combination of automated and manual tools, we review tens of thousands of URLs each day to learn the addresses of the criminals' new phishing sites. But what if a phisher only sends his phishing email to "confirmed" customer email addresses? This greatly reduces the ability of the anti-phishing community to respond to these phishing sites.


Guaranteed Delivery "From:" Addresses



Another thing a phisher would like to accomplish is to make sure that his message arrives without being blocked. Perhaps his victim is running spam filtering software. What is the first thing he would want? He would like his email to be sent from an address that will guarantee delivery. The easiest way to make sure that spam is delivered is to make sure that the "From:" address is in the potential victim's address book. This is why so many email messages arrive with the "from" and "to" addresses being the same. The spammers assume that you will have your own address in your address book, and therefore spam-filtering rules will not be applied to that address.

How else could they do that? Epsilon helpfully instructs their customers to add their email addresses to their address book. If a phisher now imitates those addresses, their email will bypass many phishing filters:



This email was sent to you by Ethan Allen.
Please add ethanallenstyle@email.ethanallen.com to your address book. This will ensure delivery to your inbox.


You are receiving this e-mail because you have requested information about CRESTOR(R) (rosuvastatin calcium) Tablets. Add CRESTOR@email.CRESTOR.com to your address book so future e-mails from us will not be marked as spam.


Add citicards@info.citibank.com to your address book to ensure delivery.


To ensure delivery to your inbox, please add Walgreens@email.walgreens.com to your address book.


This e-mail was sent to you by Eddie Bauer Friends. To ensure delivery to your inbox (not junk or bulk), please add info@eddiebauerfriends.com to your address book.


To ensure receipt of your Red Roof RediCard emails, please add redicard@redroofinn.bfi0.com to your address book.


To ensure receipt of our emails, please add targetdailydeals@targetnewsletter.bfio.com to your Contacts or Address Book.


etc . . .

So if the phisher makes his "from" address one of these "trusted" addresses, what happens?

Teach a man (or woman) to Click



One of the main pieces of advice that security professionals give to audiences and readers when they are speaking or writing about the topic of phishing is DO NOT CLICK ON LINKS IN YOUR EMAIL!

This is exactly the opposite of the advice that customers in the Epsilon databases receive. Epsilon and other email senders work on the theory of full-visibility communications. They know which email messages they send to which users, and they prove their value to the companies they represent by providing deep intelligence on the "click behavior" of the customers they email on behalf of those companies. Each link in an Epsilon email is customized with a URL that tells Epsilon who clicked on the link.

The whole point of emails from Epsilon is to get customers to click on links! I've truncated the URLs to protect privacy, but here's an example of one from Target. Clicking on this one takes me to their "Daily Deals. One Day Only. Always Free Shipping."

http://target.bfi0.com/145d56598layfousibljoi2iaaaaaaq5mirqsi2bcpuyaaaaa/C?V=bF9pbmRleAEBcHJvZmlsZV9pZAExMTM1MzYzMTY5AXppcF9jb2RlAQFfV0FWRV9JRF8BNjEwODA0MzQ5AV9QTElTVF9JRF8BMjE1NDI2MjUBZ19pbmRleAEBZW1haWxfYWRkcgFnYXJAYXNrZ2FyLmNvbQFfU0NIRF9UTV8BMjAxMTA0MDMxMjAwMDABcHJvZmlsZV9rZXkBMjU4NTkyMDM%3D&k2hXe6YFbcPUoDxGzFz1FA

which means I can get "juniors" denim skinny jeans for $12.49 today only! (which also means my daughter probably gave my email account to Target....hmmmm.....)

Here are a few examples:



Greetings from the National Geographic Online Store!

You are invited to join an exclusive community of individuals interested in National Geographic. As a member, you will...
* Help us choose catalog covers.
* Get sneak peeks at new products we're considering.
* Give valuable advice to people at National Geographic who decide what products we should offer.
* Get an insider's view of how our catalog and online store help fund the Society's Mission programs in the areas of research,

conservation, exploration, and education.

Click here to join the NG Store Insider panel. http://newsletters.nationalgeographic.com/1####....



Now through April 10, 2011

$50 OFF YOUR PURCHASE OF $250 OR MORE*
ENTER CODE >

Txx3-4xxxxx-xx3xx2

HAUTE SALE
HURRY, ENDS TODAY!
40% OFF select styles. In-store & online.

http://bebeonline.bebe.com/#####...


Introducing the NY DEAL of the DAY! Extra savings on a must have style! In stores & online. Today only! The Hudson wide leg pant,
only $14.99 today only! Check our homepage every day of this sale for our new DEAL!

Shop now >
http://email.nyandcompany.com/1####...



Today Only! Save 30% at Gap Outlet

To get this coupon, copy and paste this url:
http://mail.goAAA.com/1#####...


------------------------
DAILY DEALS. ALWAYS FREE SHIPPING.
------------------------

Fun, cool stuff at amazing prices, available for one day only.


Shop Now:
http://targetenewsletter.bfi0.com/####...


BBC AMERICA NEWSLETTER
Doctor Who in America for the Very First Time
April 6, 2011
Doctor Who: Brand New Season
The Tardis is hopping the pond and the stakes have never been higher.

WATCH THE EXTENDED TRAILER
http://bbcamerica.bfi0.com/1####...


The statement for your account ending in 4616 is now available online.
Log in to Online Banking to view your statement and pay your bill.
Please visit
http://email.capitalone.com/1####...



The point of every one of those emails is HEY YOU! CLICK ON THIS LINK!!!


The Warnings & The Future



If you live in the United States and you have ever used a credit card, your inbox is already flooded with Epsilon notices, so I hesitate to show you very many. We've heard of warnings from more than fifty companies, and personally seen the warnings from at least:

1-800-Flowers
Abe Books
AIR MILES Reward Program
Ameriprise Financial
Barclays Bank of Delaware (US Airways Dividend Miles MasterCard, DIRECTV Rewards, iTunes Rewards, LLBean etc... )
Beachbody
Brookstone
Capital One
Citibank (AT&T Universal Card, Exxon Mobile, Home Depot, Shell)
Disney Destinations
Eddie Bauer
Ethan Allen
Hilton Honors
Krogers
Lacoste USA
Marriott
McKinsey Quarterly
M&T Bank
New York & Company
Red Roof Inn
Soccer.com
Target
Tastefully Simple
TD Ameritrade
TIAA-CREF
Tivo
Verizon
World Financial Network National Bank (WFNNB) (Ann Taylor, Catherine's, Chadwick's, Eddie Bauer, Gander Mountain, HSN, Maurice's, Newport News, Peeble's, The RoomPlace, United Retail Group, Victoria's Secret, Woman Within)
Walgreens

The warnings are missing the point of MY warning. All of them assure you that they aren't going to ask you for your personal information, and that your personal information hasn't been lost, "only your email address."

They tell you though NOT TO OPEN EMAILS FROM PEOPLE YOU DON'T KNOW. I don't know anyone named "shellcreditcard@info.accountonline.com" and I certainly don't know anyone named "TargetNews@target.bfio.com"



Of course that also misses entirely the fact that ANYONE can make their "From:" email anything they would like it to be! Email is not a form of trusted communication! So, how does the end-user know that the email really came from the real sender? It's a growing problem. Certain vendors have had luck with certain large mail providers -- for example eBay and Gmail. Because eBay signs all of their outbound email with a "digital signature" and Gmail knows what digital signature eBay uses, Gmail will reject any email that claims to be from eBay but really isn't.
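The address-book problem described earlier (senders asking customers to whitelist their "From:" address) and the signature-based acceptance described here can be put side by side in code. The following Python script is an added example, not something from the original post or from any mail provider: it evaluates two constructed messages, both carrying a From: address the user was told to add to their address book. One carries a passing DKIM result whose signing domain matches the From domain, recorded in the Authentication-Results header that an inbound mail server adds after verification (RFC 7601); the other only forges the From: line. A filter that trusts the address book alone accepts both; one that also requires an aligned authentication result accepts only the first. Apart from citicards@info.citibank.com, which appears in the post, every address and header value is constructed.

```python
"""
Address-book trust versus authenticated sender identity.

Added example, not from the original post. Two constructed messages share a
whitelisted From: address; only one was actually sent by that domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# The address the user was told to add to their address book (from the post).
ADDRESS_BOOK = {"citicards@info.citibank.com"}

# Constructed sample messages. Authentication-Results is the header an inbound
# mail server adds after checking SPF/DKIM; these values are made up.
GENUINE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=info.citibank.com; spf=pass
From: Citi Cards <citicards@info.citibank.com>
To: user@example.net
Subject: Your statement is available

Log in to view your statement.
"""

FORGED = """\
Authentication-Results: mx.example.net; dkim=none; spf=fail
From: Citi Cards <citicards@info.citibank.com>
To: user@example.net
Subject: Urgent: verify your account

Click here to verify.
"""


def sender_address(msg):
    """Bare lower-cased address from the From: header."""
    return parseaddr(msg["From"])[1].lower()


def in_address_book(msg):
    return sender_address(msg) in ADDRESS_BOOK


def authenticated_aligned(msg):
    """True when the receiving server recorded dkim=pass and the signing
    domain (header.d) is the From: domain or a parent of it."""
    results = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass[^;]*?header\.d=([\w.-]+)", results)
    if not m:
        return False
    signing_domain = m.group(1).lower()
    from_domain = sender_address(msg).rsplit("@", 1)[-1]
    return from_domain == signing_domain or from_domain.endswith("." + signing_domain)


def address_book_only(raw):
    """The weak policy the post describes: whitelist on the From: address alone."""
    msg = message_from_string(raw)
    return "trusted" if in_address_book(msg) else "filtered"


def address_book_with_auth(raw):
    """Whitelist only when the From: address is also authenticated and aligned."""
    msg = message_from_string(raw)
    if in_address_book(msg) and authenticated_aligned(msg):
        return "trusted"
    return "filtered"


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(f"{name}: book-only={address_book_only(raw)} "
              f"book+auth={address_book_with_auth(raw)}")
```

The check only means something if the receiving server strips any Authentication-Results header that arrives from outside and writes its own, which is what RFC 7601 requires; otherwise the header itself is just another forgeable line.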

There is a whole association, The Online Trust Alliance, filled with great companies dedicated to trying to fix this problem, but where they stand right now is that acceptance has been limited, and "traditional" email solutions don't come out of the box with the ability to interact richly with these forms of signatures and authentications.

Imagine for example that you are a global brand with more than 500,000 employees. In order to "turn on" digital authentication, you have to make sure that every single email sent by any of your 500,000 employees has a valid "digital signature" that proves the email really came from you! On the other end of the spectrum, if everyone locks down their email clients to only allow emails that are signed and certified, emails from individuals like you and me are likely to be thrown away!

In the meantime, we're stuck with imperfect solutions -- the need of the corporation to get their messages delivered and clicked on -- and the need of the consumer to NOT CLICK on messages that may lead to malware infections.

One-Click Malware - Drive-By Infections



Kaspersky Labs had a recent headline on this topic: Malware in February: Cybercriminals Perfect Drive-By Tactics.

In most of the top reported malware for February, the infection method was to convince a user to click on a link which took them to a "poisoned" webpage -- one on which some hostile code was present that could take advantage of security flaws in the webpage visitor's browser, PDF reader, flash player, or other code to place malware on the visitor's computer. Kaspersky's February Report showed more than 70 million instances in which a Kaspersky customer had tried to visit a website that would have infected their computer if they had not been blocked!

The Warnings in the Epsilon Breaches can't warn you of that though. If they gave you the advice I would give you, they would be saying "Please don't click on the things our marketing department sends you!" which would result in them losing their jobs.

I have to say that the Citibank group of warnings does have a form that I appreciate.



As a means of proving email is REALLY from them, they provide the final four digits of your account number, your name, and the year you joined their card program on all of their official emails. I have to say that I find this very effective.

Unfortunately, yet another problem at Bigfoot/Epsilon ruined my joy on this one for today:



The error tells me "Secure Connection Failed" "images.bigfootinteractive.com:443 uses an invalid security certificate ... This could be a problem with the server's configuration or it could be someone trying to impersonate the server."




It's probably just something wrong as they try to re-issue security certificates related to tightening up their shop, but still it sends the wrong message at a critical time for their company!