Domain: krebsonsecurity.com
Stories and comments across the archive that link to krebsonsecurity.com.
Stories · 235
Russian Payment Processor Runs Massive Scareware Operation
An anonymous reader writes "Brian Krebs has posted a deep dive through more than a year worth of emails leaked from ChronoPay, Russia's largest online credit card processor. The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam." -
PlentyofFish Hacked, Founder Emails Hacker's Mom
hellkyng writes "The online dating site PlentyofFish was hacked, and purportedly 30 million customer records were stolen. The site's founder, Markus Frind, is blaming the security researcher who discovered the vulnerability and the journalist who confirmed the issue." The researcher who reported the vulnerability is Chris Russo, one of the guys who hacked The Pirate Bay last year. He explained his side of the story as well. Mr. Frind says he tracked down Russo's Facebook page and emailed his mom. -
Compromised Government and Military Sites For Sale
Khopesh writes "Imperva blogged today about the sale of compromised .gov, .mil, and .edu sites, illustrating that cyber-criminals are getting bolder. Krebs on Security has an unredacted view of the site list. Perhaps the biggest threat is yet to come; if an industrious criminal can break into top government and military sites, so too can government-backed teams, proving that GhostNet and Stuxnet are just the beginning." -
Browser Exploit Kits Using Built-In Java Feature
tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions." -
Spoofed White House Card Dupes Many Gov't Employees, Steals Data
tsu doh nimh writes "A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters, writes krebsonsecurity.com. The story looks at several victims who fell for the attack, and suggests it may be related to a series of similar document-harvesting runs throughout 2010. Government security vendor NetWitness notes that these types of incidents are blurring the lines between online financial fraud and espionage attacks." -
Crooks Hack Music Players For ATM Skimmers
tsu doh nimh sends in a report that criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers. These are devices designed to be attached to cash machines to siphon card + PIN data. "The European ATM Security Team (EAST) found that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them 'major ATM deployers' (defined as having more than 40,000 ATMs)... The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37)." -
A Tidal Wave of Java Flaw Exploitation
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws. -
Comcast Warns Customers Suspected of Bot Infection
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection." -
VISA Pulls Plug On ePassporte, Porn Webmasters
tsu doh nimh writes "Credit card giant VISA International has suspended its business with ePassporte, an Internet payment system widely used to pay adult Webmasters and a raft of other affiliate programs. A number of adult Webmaster forums are up in arms over the move because many of their funds are now stranded. Visa has been silent on the issue so far, but KrebsOnSecurity.com points to an e-mail from ePassporte founder Christopher Mallick saying the unexpected move by Visa wouldn't strand customers indefinitely. Mallick co-directed Middle Men, a Paramount film released in August that tells the story of his experience building one of the world's first porn site payment processing firms, as well as the Russian mobsters, porn stars and FBI agents he ran into along the way. Interestingly, the speculation so far is that Visa cut ties with ePassporte due to new anti-money laundering restrictions in the Credit Card Act of 2009, which affects prepaid cards and other payment card instruments that can be reloaded with funds at places other than financial institutions." -
A Conference For Malware Writers
tsu doh nimh writes "There is a security conference being held in Mumbai later this year called MalCon, and the organizers say it's the first ever conference dedicated to the 'malcoder community.' Brian Krebs interviewed one of them and got this gem: 'Just like the concept of "ethical hacking" has helped organizations to see that hackers are not all that bad, it is time to accept that "ethical malcoding" is required to research, identify and mitigate newer malwares in a "proactive" way.' Bruce Schneier is speaking at a sister MalCon event in Pune, India two days later, and he said he doesn't agree with the organizer's premise that more malware is needed to build better security tools." -
Rogue Anti-Virus Victims Rarely Fight Back
krebsonsecurity writes "One big reason why rogue anti-virus continues to make major bucks for scam artists: relatively few victims ever ask their credit card company or bank to reverse the charges for the phony security software — even when the victims don't even receive the worthless software they were promised. I recently found several caches of data for affiliates of a rogue anti-virus distribution program, and the data showed that in one set of attacks only 367 out of more than 2,000 scammed disputed the charge. A second rogue anti-virus campaign scammed more than 1,600 people, and yet fewer than 10 percent fought the charges." -
Malware Targets Shortcut Flaw In Windows, SCADA
tsu doh nimh writes "Anti-virus researchers have discovered a new strain of malicious software that spreads via USB drives and takes advantage of a previously unknown vulnerability in the way Microsoft Windows handles '.lnk' or shortcut files. Belarus-based VirusBlokAda discovered malware that includes rootkit functionality to hide the malware, and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company. In a further wrinkle, independent researcher Frank Boldewin found that the complexity and stealth of this malware may be due to the fact that it is targeting SCADA systems, or those designed for controlling large, complex and distributed control networks, such as those used at power and manufacturing plants. Meanwhile, Microsoft says it's investigating claims that this malware exploits a new vulnerability in Windows." -
Hack Exposes Pirate Bay User Data
tsu doh nimh writes "A group of hackers from Argentina recently broke into the database for thepiratebay.org, the Internet's largest torrent search engine, exposing user names, Internet addresses, and (MD5) hashed password data on more than 4 million users, according to Brian Krebs. He interviewed the leader of the group, Ch Russo, who said they briefly considered what the information would be worth to the RIAA and MPAA before going public with the breach. From the story: 'Probably these groups would be very interested in this information, but we are not [trying] to sell it,' Russo said. 'Instead we wanted to tell people that their information may not be so well protected.'" -
Many Popular Windows Apps Ignore Security Options
eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP nor ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader. -
Adobe Finally Fixes Remote Launch 0-Day
Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process. -
178 Arrested In US/EU Credit Card Cloning Ops
eldavojohn writes with this report from Brian Krebs: "Authorities have moved in on 178 people accused of working in credit card cloning labs across the USA and Europe, but with the bulk of the work apparently operating out of Spain. The source states that 'Police in 14 countries participated in a two-year investigation, initiated in Spain, where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, and arrested 76 people and dismantled six cloning labs. The raids were made primarily in Romania, France, Italy, Germany, Ireland, and the United States, with arrests also made in Australia, Sweden, Greece, Finland, and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation, and money-laundering, the police said.' Krebs notes a new credit card debuting at Turkish banks that appears to have a built-in LCD that has a random six-digit number associated with each transaction much like RSA SecurID keys used for computer logins." -
Tabnapping Scams Around the Corner?
scamdetect pointed us to an interesting bit of news about a new security risk called tabnapping that was recently outlined by Aza Raskin. The short story is that background tabs are updated with login forms impersonating the sites they originally contained, but hosted by helpful third parties primarily interested in your password. (CT:Original writeup removed at request of submitter) -
Russian Anti-Spam Advisor Accused of Spamming
Keith noted that Krebs has an interesting story on a Russian businessman being accused of running a spam ring while serving as an anti-spam adviser to the Russian government. It's a strange tale including an investigation in 2007 that was abandoned when the chief investigator was actually hired to work for the spammer. Not suspicious at all, no way. -
FBI To Prosecute "Money Mules"
An anonymous reader writes "A top FBI official said today that the agency is planning a law enforcement sweep against so-called 'money mules,' individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud, writes Krebsonsecurity.com. The author says he has interviewed more than 150 money mules, and finds most fit into one of two camps: the not-so-bright, and those who suspect something's not right, but do it anyway. From the story: 'I find most mules fit into the latter group, and you can usually tell because these individuals often will admit to having set up a new account for the job separate from where they keep their meager savings or checking. When pressed as to why they did this, if they're honest most will say they weren't sure about the whole arrangement and wanted to protect their investments just in case their employers turned out to be less-than-honest.'" -
Mariposa Botmasters Sought Real Jobs After Arrest
An anonymous reader writes "Two of the three Spanish men arrested in February for their alleged role in operating the massive Mariposa botnet later sought jobs at the Spanish security firm that previously had helped get them arrested. From Krebsonsecurity.com: 'Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames "Netkairo" and "Ostiator," were arrested in February by Spanish police for their alleged role in running the "Mariposa" botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for "butterfly"). Now, here the two Mariposa curators were at Panda's headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.' The story concludes with a brief response from Netkairo, who acknowledges seeking the job at Panda because he is broke now that his moneymaking machine has been dismantled." -
Fake Antivirus Peddlers Outpacing Real AV Firms
An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010." -
Fraud Fighter "Bobbear" To Close Up Shop
Krebsonsecurity.com has a writeup on the decision of UK anti-fraud activist site bobbear.co.uk to retire from the fray. The 66-year-old fraud fighter said he was getting too old for the work, which takes him about 15 hours a day. "We had so many messages of thanks, and congratulations on the site, but it is so stressful and takes so much out of you, and there is always the worry of litigation hanging over your head." "The owner and curator of bobbear.co.uk, a site that specializes in exposing Internet fraud scams and phantom online companies, announced Saturday that he will be shuttering the site at the end of April. Bobbear and its companion site bobbear.com are creations of [the pseudonymous] Bob Harrison, a 66-year-old UK resident who for the last four years has tirelessly chronicled and exposed a myriad of fraud and scam Web sites. The sites, which are well-indexed by Google and other search engines and receive about 2,000 hits per day, often are among the first results returned in a search for the names of fly-by-night corporations advertised in spam and aimed at swindling the unsuspecting or duping the unwitting." Any ideas on who might want to take over the domains and carry on the work would be appreciated by the Internet community at large. -
Proposal To Limit ISP Contact Data Draws Fire
An anonymous reader writes "A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software, according to a story at Krebsonsecurity.com. From the piece: 'The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses — later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. Proponents of the plan couch it in terms of property rights and privacy, but critics say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.'" -
Seeking Competitive Advantage, For Malware
jc_chgo writes "Brian Krebs over at the must-read KrebsOnSecurity.com writes about the rivalry between two competing authors of nasty credential-stealing malware. The newer (SpyEye) can remove the older (Zeus) on any system it infects. Meanwhile, Zeus is so successful prices have gone way up for the new version. These 'crimeware kits' are freely available for purchase, and have enabled millions of dollars in thefts. The buyers of the kits prey primarily on small businesses by using wire transfers out of bank accounts. This is a problem that is only going to get bigger over time." -
Naming and Shaming "Bad" ISPs
An anonymous reader writes "Brian Krebs takes a provocative look at ISP reputations, collecting data from 10 different sources that track 'badness' from a multitude of angles, from phishing to malware to botnet command and control centers. Some of the lists show very interesting and useful results; the ISPs that are most common among the various reputation services are some of the largest ISPs and hosting providers, including ThePlanet and Softlayer. The story has generated quite a bit of discussion in the security community as to whether these various efforts are measuring the wrong things, or if it is indeed valid and useful to keep public attention focused on the bigger providers, since these are generally US-based and have the largest abuse problems in terms of overall numbers." -
Cybercrooks Surpassed Old School Bankrobbers In '09
krebsonsecurity writes "Organized cyber-criminal gangs stole $25 million in the 3rd quarter alone last year, by pilfering the online bank accounts of small to midsized businesses, the FDIC reported last week. In contrast, traditional bank robbers hauled just $9.4 million in 1,184 bank robberies during that same period, according to an analysis of FBI bank crime statistics by krebsonsecurity.com. From that story: 'The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups. Indeed, the FBI's bank crime stats are extraordinarily detailed. For example, they can tell you that in the 3rd quarter of last year, bank robbers were more likely to hold up their local branch between the hours of 9 a.m. and 11 a.m. on a Wednesday than at any other time or day of the week; they can tell you the number of tear gas and dye packs taken with the loot, the number of security cameras activated, the number of food stamps taken, even what percentage of suspected perpetrators had illegal drug habits at the time of the robberies. About the only thing the stats don't tell you is what brand of jeans the perpetrators were wearing and whether the getaway car had cool vanity plates. What do we get about e-crime statistics from the federal government? One guy from the FDIC giving a speech at the RSA conference." -
Mariposa Botnet Authors Unlikely To See Jail Time
krebsonsecurity writes "Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber-crime legislation in Spain. 'It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,' said Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. ... Spain is one of nearly three dozen countries that is a signatory to the Council of Europe's cybercrime treaty, but Spanish legislators have not yet ratified the treaty by passing anti-cybercrime laws that would bring its judicial system in line with the treaty's goals." -
Time Bomb May Have Destroyed 800 Norfolk City PCs' Data
krebsonsecurity writes "The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date, according to krebsonsecurity.com. 'We don't believe it came in from the Internet. We don't know how it got into our system,' the city's IT director said. 'We speculate it could have been a time bomb waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.'" -
Insecure Plugins Ding IE, Safari, Chrome, Opera
krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera." -
Firm To Release Database, Web Server 0-Days
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said." -
Alleged Ponzi Mastermind Hacked In Antigua
krebsonsecurity writes "Criminal hackers apparently involved in break-ins at several US financial institutions also appear to have dug up dirt on Robert Allen Stanford, a man slated to go on trial this month for his alleged part in an $8 billion Ponzi scheme. Quoting: 'In early 2008, while federal investigators were busy investigating disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.'" -
Online Services Let Virus Writers Check Their Work
An anonymous reader writes "Former Washington Post Security Fix blogger Brian Krebs has launched a new blog at krebsonsecurity.com, and his first story highlights a pair of underground antivirus scanning services that cater to virus writers. Scanning services like virustotal.com scan submitted files against dozens of antivirus products, and share the results with each of the vendors so that all benefit from learning about threats they don't yet detect. But there are a number of budding online services that allow customers to pay per scan, and promise that the results will never get reported back to the antivirus companies. One service even tests how well web site 'exploit packs' are detected, while others promise additional layers of protection. 'The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine.'"