Skype's IP-leaking security bug creates denial-of-service cottage industry

It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

Brian Krebs talks to hacker who may have SWATted him and attacked Wired's Mat Honan

Last week, Brian Krebs (a respected security researcher and journalist who often publishes details about high-tech crime) was SWATted -- that is, someone defrauded his local police department into sending a SWAT team to his house, resulting in his getting confronted by gun-wielding, hair-trigger cops who had him lie on the ground and cuffed him before it was all sorted out.

Krebs, being a talented investigator, is hot on the trail of the people or person responsible for this. And a variety of sources point to a 20-year-old hacker who goes by "Phobia," and whose real name, according to Krebs, is Ryan Stevenson. Phobia was implicated in the attack on Wired reporter Mat Honan, wherein his laptop drive and online backup were deleted, including irreplaceable photos of his child's first year, and eight years' worth of email.

Krebs phoned "Phobia" up and ended up speaking to Phobia and his father. Phobia denied attacking Krebs and insisted that he had nothing to do with the gamer/fraudster clan behind it (though Krebs pointed out that Phobia can be heard speaking in the group's YouTube videos, which document their attacks), but admitted that he had been the culprit in hacking Honan (his father then came onto the line to deny this). The transcript is the most interesting part of the piece:

BK: Uh huh. And is Honan referring to you in this article?

RS: Yeah.

BK: Yes?

RS: Uh huh.

BK: Did anything bad ever happen to you because of this?

RS: No.


Exploit was active on LA Times site for 6 weeks

"The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks," reports Brian Krebs. The paper's statement on the matter is a model of how not to handle security clusterfucks.

Once your PC is hacked, your ecommerce passwords go on sale at $2 a pop

Brian Krebs writes about how hackers have expanded the ways they extract value from compromised PCs. No longer is a compromised machine merely good for forming part of a botnet or forwarding spam. New strains of malware extract all your login/passwords for ecommerce sites, and these are then put on sale at $2 a throw on sites like Freshtools.

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at,,, all for $2 each. The site also sells and accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.

Another store widely advertised in the Underweb (see screenshot above) pimps credentials for a far broader array of retailers, most of which can be had for $2, including,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, and Accounts at these retailers that have credit cards or bank accounts tied to them command higher prices.

This is a glimpse into the complex ecosystem of online crime. The person who writes the malware sells it to someone who's got a useful vector (a hacked website, say) for distributing it. The distributor extracts the ecommerce logins and flogs them to someone else who has access to a stooge who does freight forwarding.

Point of Sale skimmer that prints out real-seeming receipts

Brian Krebs reports on a terrifyingly real-seeming Point of Sale skimmer.

Spam kingpin chatter

Security researcher Brian Krebs picks out some choice exchanges out of a dump from an elite Russian spammer message-board, and suggests that this contains clues to the identities of the world's most prolific spammers.

“Everything is all right with John. We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks. He got squeezed [arrested/questioned] once very badly some time ago. Now he is all clean. His friend – SP – screwed him and also is not working with stocks now. Rin is in total shit. He is going to be in jail (or he is going to be hiding) for a long time. He calls me pretty often, so he is alive so far. I am helping his wife with money from time to time.”

The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:

“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”

Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.


Ad for freelance Russian bank-robbers

Brian Krebs has published an ad from "Foreign Agents," a notorious Russian crime service. They're advertising the availability of foot soldiers in the USA who can help cash out hacked bank accounts and credit cards. Unlike traditional bank-fraud mules, who don't know that they're part of a scam, these "associates" are "неразводные" ("nerazvodni" or "not deceived").

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

According to the advertisement, customers of this service get their very own login to a remote panel, where they can interact with the cashout service and monitor the progress of their thievery operations. The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year.

Say what you will about their criminal tendencies, those bank robbers have excellent art direction.

How crooks turn even crappy hacked PCs into money

Brian Krebs revisits his must-see chart on the ways that hacked PCs can be valuable to criminals, which is meant to help explain the importance of security to people who think that their old PCs aren't worth enough for crooks to bother with. As Krebs points out, even low-powered antiques can be used to get up to all sorts of mischief that can compromise your privacy, finance and data, as well as the integrity of the Internet itself.

One of the ideas I tried to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.

The Scrap Value of a Hacked PC, Revisited

HOWTO protect yourself from ATM skimmers

Brian Krebs, who has written many excellent investigative pieces on ATM skimmers, spent several hours watching footage seized from hidden skimmer cameras, and has concluded that covering your hand while you enter your PIN really works in many cases -- and that many people don't bother to take this elementary step.

Some readers may be thinking, “Wait a minute: Isn’t it more difficult to use both hands when you’re withdrawing cash from a drive-thru ATM while seated in your car?” Maybe. You might think, then, that it would be more common to see regular walk-up ATM users observing this simple security practice. But that’s not what I found after watching 90 minutes of footage from another ATM scam that was recently shared by a law enforcement source. In this attack, the fraudster installed an all-in-one skimmer, and none of the 19 customers caught on camera before the scheme was foiled made any effort to shield the PIN pad.

Krebs goes on to note that this doesn't work in instances where the skimmer includes a compromised PIN pad, and it seems likely that if covering PINs became more routine, crooks would take up that technique more broadly. But for now, covering your PIN with your free hand is a free, effective means of protecting yourself from ATM skimmers.

A Handy Way to Foil ATM Skimmer Scams

Report: complexity of cyberspying botnets greater than previously known

Brian Krebs interviews Joe Stewart, a security researcher "who’s spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives." Speaking at Defcon in Las Vegas, Stewart says the "complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations."

ATM skimmers that fit in the card-slot

Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:

That’s according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region. In both reports, EAST said one country (it isn’t naming which) alerted them about a new form of skimming device that is thin enough to be inserted directly into the card reader slot. These devices record the data stored on the magnetic stripe on the back of the card as it is slid into a compromised ATM.

Another EAST report released this week indicates that these insert skimmers are continuing to evolve. Below are two more such devices. Insert skimmers require some secondary component to record customers entering their PINs, such as a PIN pad overlay or hidden camera.

ATM Skimmers Get Wafer Thin

Commercial spamflooding used by crooks to tie up their victims at key moments

Security expert Brian Krebs was the target of a malicious email flood, and writes firsthand about the experience. These floods -- which can be directed at any and all of your phone (voice or SMS) and email -- are used by crooks who want to busy-out all their victims' communications channels while they are ripping them off electronically. This kind of flooding is available as a (surprisingly cheap) commercial service.

Used mostly in private for myself and now offered to the respected public.

Spam using bots, having decent SMTP accounts.

Doing email floods using bots. Complete randomization of the letter, so the user could not block the flood by the signatures.

Flooder is capable of the following functionality:

Huge wave of emails is being instantly sent to the victim. (depending on the server load and amount of emails to be flooded)

Delivery rate of 60-65% — depending on the SMTP servers.

Limit for flooding single email account on this server is 100,000 emails.

Plan – Children – 25,000 emails — $25

Plan – Medium – 50,000 emails — $40

Plan – Hard – 75,000 emails — $55

Plan – Monster – 100,000 emails — $70

Cyberheist Smokescreen: Email, Phone, SMS Floods

Weird medical history, ripped from the archives of Doonesbury

My introduction to Gary Trudeau's Doonesbury happened around the age of 8, when I discovered my father's anthology collections. (I was extraordinarily up on early 1970s pop culture for a late 1980s grade schooler.) Reading the new strip and the daily archives is still part of my morning routine. But, given that I was born in 1981, I don't always get all the references. Sometimes, that leads me to discover weird bits of pop history.

For instance, the strip above ran on July 19, 1977. My first response this morning was, "What the hell is Laetrile?" I mean, it's Duke, so I assumed it was a drug. But I wasn't expecting it to turn out to be a quack cancer treatment, the promotion of which led to a strange bedfellows situation where alt-med proponents joined forces with the John Birch Society to fight the federal government for the right to sell desperate cancer patients a potentially dangerous treatment that had never been tested for effectiveness or safety.

HOWTO become a security expert, Bruce Schneier style

Brian Krebs is conducting a series of interviews with computer experts on how they got into the field and what they'd advise others to do if they want to break in themselves. The first one, an interview with Thomas Ptacek, ran last month. The latest is from Bruce Schneier:

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

* Study: Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books out there — and blogs — that teach different aspects of computer security. Don’t limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.

* Do: Computer security is fundamentally a practitioner’s art, and that requires practice. This means using what you’ve learned to configure security systems, design new security systems, and — yes — break existing security systems. This is why many courses have strong hands-on components; you won’t learn much without it.

* Show: It doesn’t matter what you know or what you can do if you can’t demonstrate it to someone who might want to hire you. This doesn’t just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog.


HOWTO securely hash passwords

In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt -- you must use a slow password hash that takes a lot of work, so that making rainbow tables is impractical.

Ptacek: The difference between a cryptographic hash and a password storage hash is that a cryptographic hash is designed to be very, very fast. And it has to be because it’s designed to be used in things like IPsec. On a packet-by-packet basis, every time a packet hits an Ethernet card, these are things that have to run fast enough to add no discernible latencies to traffic going through Internet routers and things like that. And so the core design goal for cryptographic hashes is to make them lightning fast.

Well, that’s the opposite of what you want with a password hash. You want a password hash to be very slow. The reason for that is a normal user logs in once or twice a day if that — maybe they mistype their password, and have to log in twice or whatever. But in most cases, there are very few interactions the normal user has with a web site with a password hash. Very little of the overhead in running a Web application comes from your password hashing. But if you think about what an attacker has to do, they have a file full of hashes, and they have to try zillions of password combinations against every one of those hashes.
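The contrast Ptacek draws, as an added example that is not from the interview or from Krebs' post: a plain SHA-256 of the password (the fast cryptographic hash an attacker can grind through by the million) next to a salted PBKDF2-HMAC-SHA256 record with a deliberately high iteration count, plus a verifier that reads the parameters back out of the stored record so the cost can be raised later without breaking old accounts. The iteration count, the record format and the `cost_ratio` timing harness are this example's own choices, not anything Ptacek or Krebs specified.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional, Tuple

# Work factor for the slow hash. Chosen for this example; tune it so one
# hash costs a noticeable fraction of a second on the hardware you log in on.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_hash(password: str) -> bytes:
    """What NOT to store: a single SHA-256 of the password.

    This is the cryptographic hash Ptacek describes: built to be lightning
    fast, which is exactly what makes it cheap to guess against at scale.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>.

    A fresh random salt per password defeats precomputed tables; the
    iteration count makes each guess expensive for the attacker.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare.

    hmac.compare_digest avoids leaking how many leading bytes matched.
    """
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def time_guesses(hash_fn: Callable[[str], object], guesses: Iterable[str]) -> float:
    """Seconds spent evaluating hash_fn over every guess: the attacker's cost."""
    start = time.perf_counter()
    for guess in guesses:
        hash_fn(guess)
    return time.perf_counter() - start


def cost_ratio(n_guesses: int = 20,
               iterations: int = PBKDF2_ITERATIONS) -> Tuple[float, float, float]:
    """Compare the cost of a dictionary run against the fast and slow hashes.

    Returns (seconds_fast, seconds_slow, slow / fast). The guess list is a
    constructed sample; a real attacker would use a leaked wordlist.
    """
    guesses = [f"password{i}" for i in range(n_guesses)]
    salt = os.urandom(SALT_BYTES)  # fixed for the run so only the work factor varies
    fast = time_guesses(fast_hash, guesses)
    slow = time_guesses(lambda p: hash_password(p, iterations, salt), guesses)
    return fast, slow, slow / max(fast, 1e-9)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("correct horse battery stapl", record))
    fast, slow, ratio = cost_ratio()
    print(f"20 guesses: sha256 {fast:.6f}s, pbkdf2 {slow:.3f}s, ratio {ratio:,.0f}x")
```

The ratio printed at the end is the whole argument in one number: the legitimate user pays the slow hash once per login, while an attacker holding a leaked file pays it once per guess per account. Because the iteration count travels with each record, raising `PBKDF2_ITERATIONS` later only changes hashes written from then on, and existing records can be re-hashed at the user's next successful login.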

