"Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards," Reports Brian Krebs, at Krebs on Security
blog. Read the rest
Security researcher Brian Krebs reported yesterday that Target was investigating a data breach "potentially involving millions of customer credit and debit card records." Target confirmed this morning that 40 million such records were stolen.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Since this was apprently being leaked to security researchers before they admitted it publicly, I guess Target's idea of "moved swiftly" is a little different to that of, oh, say, a quarter of the adult population of America. Read the rest
Brian Krebs proposes that software vendors should be forced to pay a bounty on all newly discovered vulnerabilities
in their products at rates that exceed those paid by spy agencies and criminal gangs. He says that the bill for this would be substantially less than one percent of gross revenues, and that it would represent a massive overall savings when you factor in the cost to all the businesses and individuals who are harmed by security vulnerabilities. He doesn't explain what to do with popular, free/open software though. Read the rest
Experian, the massive data-broker with far-reaching influence over your ability to get a mortgage, credit-card, or job, sold extensive consumer records to an identity thieves' service called Superget.info. Superget specialized in supplying identity thieves with "fullz" -- full records of their victims, useful for impersonating them and for knowing where their assets are. Experian sold the data through a third part called "Court Ventures" -- which they later acquired -- and the sales continued for about a year. Experian bills itself as a service for people worried about identity theft. It's not clear whether Experian will face any penalty for the wrongdoing.
Read the rest
What users who attempt to connect to the Silk Road marketplace see now (HT: Adrian Chen)
Looks like the government shutdown didn't stop federal agents from shutting down the most popular "deep web" illegal drug market. In San Francisco, federal prosecutors have indicted Ross William Ulbricht, who is said to be the founder of Silk Road. The internet marketplace allowed users around the world to buy and sell drugs like heroin, cocaine, and meth.
The government announced that it seized about 26,000 Bitcoins worth roughly USD$3.6 million, making this the largest Bitcoin bust in history. There were nearly 13,000 listings for controlled substances on the Silk Road site as of Sept. 23, 2013, according to the FBI, and the marketplace did roughly USD$1.2 billion in sales, yielding some $80 million in commissions.
According to the complaint, the service was also used to negotiate murder-for-hire: "not long ago, I had a clean hit done for $80k," the site's founder is alleged to have messaged an associate.
Ulbricht, 29, is also known as "Dread Pirate Roberts." Read the rest
Security researcher Brian Krebs has had a look at the contents of "BestRecovery" (now called "PrivateRecovery") a service used by Nigerian 419 scammers to store the keystrokes of victims who have been infected with keyloggers. It appears that many of the scammers -- known locally as "Yahoo Boys" -- also plant keyloggers on each other, and Krebs has been able to get a look at the internal workings of these con artists. He's assembled a slideshow of the scammers' Facebook profiles and other information.
Read the rest
A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).
Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."
Read the rest
Brian Krebs is a security expert and investigative journalist who has published numerous ground-breaking stories about the online criminal underground, much to the consternation of the criminal underground. Krebs has been the victim of much harassment, including a dangerous SWATting (where someone called a SWAT team to Krebs's door, having told them that an armed gunman was inside).
Most recently, a Russian crook called Flycracker crowdfunded the purchase of a gram of heroin on the Silk Road, which he mailed to Krebs, having first called the cops to alert them that Krebs was a narcotics trafficker. Luckily for Krebs, he lurks in the same forums in which this was planned, and knew of it in advance and tipped off the local cops and the FBI.
Read the rest
A pair of crooks in Oklahoma made more than $400,000 with a whisper-thin gas-pump credit-card skimmer that they installed in Wal-Mart gas stations, using rental cars while they were doing the installation. Kevin Konstantinov and Elvin Alisuretove allegedly harvested their skimmers every two months or so, creating bogus credit cards with the data and then withdrawing cash at ATMs or sharing it with crooks in Russia and the former USSR. Brian Krebs details the technology, as well as a series of next-gen gas-pump skimmers that use tiny, unobtrusive Bluetooth bugs to harvest credit-card data.
Read the rest
Defcon is an astounding hacker convention held annually in Las Vegas, and is known as an extraordinary environment in which spooks and hackers mix freely -- last year, the head of the NSA gave a keynote in which he called for cooperation between security professionals and America's spies. That cooperation is being paused, and may be coming to an end. In Feds, we need some time apart, a posting on the Defcon site, The Dark Tangent (AKA Jeff Moss -- Defcon's owner and hacker-in-chief) says:
Read the rest
For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.
When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year.
This will give everybody time to think about how we got here, and what comes next.
Brian Krebs reports on the Russian arrest of Pavel Vrublevsky, owner of the ChronoPay service (about whom Krebs has written an upcoming book) for witness intimidation. Vrublevsky is on trial for hiring hackers to attack a ChronoPay competitor called Assist, and he admitted that he phoned a witness in the trial and offered that person money; the witness said "he felt pressured and threatened by the offer."
Where this gets good is where Krebs recounts his own conversation with Vrublevsky, when the Russian businessman offered Krebs money as well:
“My proposition to you is to come to Moscow, and if you don’t have money….I realize journalists are not such wealthy people in America, we’re happy to pay for it,” Vrublevsky said in a phone conversation on May 8, 2010.
When I politely declined his invitation, Vrublevsky laughed and said I was wrong to feel like I was being bribed or intimidated.
“It’s quite funny that you think somehow when you fly to meet me in Moscow or ChronoPay offices that you are in any possible danger from me for being murdered,” Vrublevsky said. “Come to Moscow and see for yourself. Take your notebook, come to my office. Sit in front of me and look around. Because you’re getting information, which, to be honest, is not factual.”
As you can see, Vrublevsky is a master of putting people at their ease with his warm and cuddly demeanor, as is evidenced by his official Facebook profile photo, above.
Vrublevsky Arrested for Witness Intimidation
Read the rest
Brian Krebs offers an in-depth look at a "cashout" service used by ransomware crooks to get money from their victims. Ransomware is malicious software that encrypts your personal files and demands that you pay a ransom for the key to decrypt them; the crooks who run the attacks demand that their victims buy prepaid MoneyPak cards and send the numbers for them by way of payment. But converting MoneyPaks to cash is tricky -- one laundry, which pipes the money through a horse/dog-track betting service -- charges a 60% premium.
Read the rest
* The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.
* The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.
* The guy(s) running this cashout service.
* The “cashiers” or “cashers” on the back end who are taking the Moneypak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.
How much does the cashout service charge for all this work? More than half of the value of the MoneyPaks, it would seem. When a user logs in to the criminal service, he is greeted with the following message:
“Dear clients, due to decrease of infection rate on exploits we are forced to lift the price.
Last week, I blogged Brian Krebs's amazing piece on AsylumBooter, a cheesy denial-of-service-for-hire site apparently run by a 17-year-old Chicago-area honor-roll student named Chandler Downs, whose PayPal account was flush with more than $30,000 paid by people who'd launched more than 10,000 online attacks.
Now, Krebs has uncovered an even weirder booter story: Ragebooter is another DoS company, but this one is run by a guy who claims to be working part time for the FBI, and who says that the FBI has its own login to his site, and review all the IP addresses and other traffic data it logs.
Read the rest
Ragebooter.net’s registration records are hidden behind WHOIS privacy protection services. But according to a historic WHOIS lookup at domaintools.com, that veil of secrecy briefly fell away when the site was moved behind Cloudflare.com, a content distribution network that also protects sites against DDoS attacks like the ones Ragebooter and its ilk help to create (as I noted in Monday’s story, some of the biggest targets of booter services are in fact other booter services). For a brief period in Oct. 2012, the WHOIS records showed that ragebooter.net was registered by a Justin Poland in Memphis...
“I also work for the FBI on Tuesdays at 1pm in memphis, tn,” Poland wrote. “They allow me to continue this business and have full access. The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.”
When I asked Poland to provide more information that I might use to verify his claims that he was working for the FBI, the conversation turned combative, and he informed me that I wasn’t allowed to use any of the information he’d already shared with me.
Brian Krebs delves into the world of "booter" services, low-level, amateurish denial-of-service websites where you can use PayPal to have your video-game enemies' computers knocked off the Internet by floods of traffic. Many booter services run off the same buggy codebase, and Krebs was apparently able to get inside the administrative interfaces for them and get some insight into their business.
One such is "Asylum," which appears to be run by Chandler Downs, a 17-year-old Chicago-area honor-roll student who reportedly made $35,000 in PayPal payments in exchange for denial-of-service attacks. Asylum even has an ad (narrated by an actor hired through the casual labor exchange site Fiverr) where, for $18/month, you can launch unlimited DoSes against "skids on Xbox live."
Young Mr Downs claimed that his service was not used to attack people, but only for legitimate stress-testing, then he changed his story and said he was only managing the service for someone else, and "You are able to block any of the 'attacks' as you say with rather basic networking knowledge. If you're unable to do such a thing you probably shouldn't be running a website in the first place."
Read the rest
Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 188.8.131.52.
ATM skimming isn't limited to ATMs! There are lots of terminals that ask you to swipe your card and/or enter a PIN, and many of them are less well-armored and -policed than actual cashpoints. Skimmers have been found on train-ticket machines, parking meters and other payment terminals. Once a crook has got your card number and sign-on data, they can use that to raid a your account at an ATM. Brian Krebs has a look at some of these devices, including a full-on fascia for a cheapie ATM discovered in latinamerica.
The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.
This reminds me a little of the evolution of payphones -- the armadillos of the device world! -- and the look-alike COCOTS (customer-owned coin-operated telephones) that presented very soft targets if you could scry through their camouflage.
Cash Claws, Fake Fascias & Tampered Tickets
Read the rest