krebs

Where Twitter spam-accounts come from

A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).

Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."

Cyber-crooks mail heroin to Brian Krebs

Brian Krebs is a security expert and investigative journalist who has published numerous ground-breaking stories about the online criminal underground, much to the consternation of the criminal underground. Krebs has been the victim of much harassment, including a dangerous SWATting (where someone called a SWAT team to Krebs's door, having told them that an armed gunman was inside).

Most recently, a Russian crook called Flycracker crowdfunded the purchase of a gram of heroin on the Silk Road, which he mailed to Krebs, having first called the cops to alert them that Krebs was a narcotics trafficker. Luckily for Krebs, he lurks in the same forums in which this was planned, and knew of it in advance and tipped off the local cops and the FBI.

Whisper-thin gas-pump credit-card skimmers

A pair of crooks in Oklahoma made more than $400,000 with a whisper-thin gas-pump credit-card skimmer that they installed in Wal-Mart gas stations, using rental cars while they were doing the installation. Kevin Konstantinov and Elvin Alisuretove allegedly harvested their skimmers every two months or so, creating bogus credit cards with the data and then withdrawing cash at ATMs or sharing it with crooks in Russia and the former USSR. Brian Krebs details the technology, as well as a series of next-gen gas-pump skimmers that use tiny, unobtrusive Bluetooth bugs to harvest credit-card data.

Defcon de-invites the spooks

Defcon is an astounding hacker convention held annually in Las Vegas, and is known as an extraordinary environment in which spooks and hackers mix freely -- last year, the head of the NSA gave a keynote in which he called for cooperation between security professionals and America's spies. That cooperation is being paused, and may be coming to an end. In Feds, we need some time apart, a posting on the Defcon site, The Dark Tangent (AKA Jeff Moss -- Defcon's owner and hacker-in-chief) says:

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

Scary Russian business-man insists he isn't scary: "you are in no possible danger of being murdered if you come to Moscow!"

Brian Krebs reports on the Russian arrest of Pavel Vrublevsky, owner of the ChronoPay service (about whom Krebs has written an upcoming book) for witness intimidation. Vrublevsky is on trial for hiring hackers to attack a ChronoPay competitor called Assist, and he admitted that he phoned a witness in the trial and offered that person money; the witness said "he felt pressured and threatened by the offer."

Where this gets good is where Krebs recounts his own conversation with Vrublevsky, when the Russian businessman offered Krebs money as well:

“My proposition to you is to come to Moscow, and if you don’t have money….I realize journalists are not such wealthy people in America, we’re happy to pay for it,” Vrublevsky said in a phone conversation on May 8, 2010.

When I politely declined his invitation, Vrublevsky laughed and said I was wrong to feel like I was being bribed or intimidated.

“It’s quite funny that you think somehow when you fly to meet me in Moscow or ChronoPay offices that you are in any possible danger from me for being murdered,” Vrublevsky said. “Come to Moscow and see for yourself. Take your notebook, come to my office. Sit in front of me and look around. Because you’re getting information, which, to be honest, is not factual.”

As you can see, Vrublevsky is a master of putting people at their ease with his warm and cuddly demeanor, as is evidenced by his official Facebook profile photo, above.

Vrublevsky Arrested for Witness Intimidation

How ransomware creeps cash out their payments

Brian Krebs offers an in-depth look at a "cashout" service used by ransomware crooks to get money from their victims. Ransomware is malicious software that encrypts your personal files and demands that you pay a ransom for the key to decrypt them; the crooks who run the attacks demand that their victims buy prepaid MoneyPak cards and send the numbers for them by way of payment. But converting MoneyPaks to cash is tricky: one laundry, which pipes the money through a horse/dog-track betting service, charges a 60% premium.

* The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.

* The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.

* The guy(s) running this cashout service.

* The “cashiers” or “cashers” on the back end who are taking the Moneypak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.

How much does the cashout service charge for all this work? More than half of the value of the MoneyPaks, it would seem. When a user logs in to the criminal service, he is greeted with the following message:

“Dear clients, due to decrease of infection rate on exploits we are forced to lift the price.

Denial-of-Service attacker tells Brian Krebs he's working for the FBI

Last week, I blogged Brian Krebs's amazing piece on AsylumBooter, a cheesy denial-of-service-for-hire site apparently run by a 17-year-old Chicago-area honor-roll student named Chandler Downs, whose PayPal account was flush with more than $30,000 paid by people who'd launched more than 10,000 online attacks.

Now, Krebs has uncovered an even weirder booter story: Ragebooter is another DoS company, but this one is run by a guy who claims to be working part time for the FBI, and who says that the FBI has its own login to his site, and reviews all the IP addresses and other traffic data it logs.

Ragebooter.net’s registration records are hidden behind WHOIS privacy protection services. But according to a historic WHOIS lookup at domaintools.com, that veil of secrecy briefly fell away when the site was moved behind Cloudflare.com, a content distribution network that also protects sites against DDoS attacks like the ones Ragebooter and its ilk help to create (as I noted in Monday’s story, some of the biggest targets of booter services are in fact other booter services). For a brief period in Oct. 2012, the WHOIS records showed that ragebooter.net was registered by a Justin Poland in Memphis...

... “I also work for the FBI on Tuesdays at 1pm in memphis, tn,” Poland wrote. “They allow me to continue this business and have full access. The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.”

When I asked Poland to provide more information that I might use to verify his claims that he was working for the FBI, the conversation turned combative, and he informed me that I wasn’t allowed to use any of the information he’d already shared with me.

Inside the world of "booters" -- cheesy DoS-for-hire sites

Brian Krebs delves into the world of "booter" services, low-level, amateurish denial-of-service websites where you can use PayPal to have your video-game enemies' computers knocked off the Internet by floods of traffic. Many booter services run off the same buggy codebase, and Krebs was apparently able to get inside the administrative interfaces for them and get some insight into their business.

One such is "Asylum," which appears to be run by Chandler Downs, a 17-year-old Chicago-area honor-roll student who reportedly made $35,000 in PayPal payments in exchange for denial-of-service attacks. Asylum even has an ad (narrated by an actor hired through the casual labor exchange site Fiverr) where, for $18/month, you can launch unlimited DoSes against "skids on Xbox live."

Young Mr Downs claimed that his service was not used to attack people, but only for legitimate stress-testing, then he changed his story and said he was only managing the service for someone else, and "You are able to block any of the 'attacks' as you say with rather basic networking knowledge. If you're unable to do such a thing you probably shouldn't be running a website in the first place."

Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28.

ATM skimming comes to non-ATM payment terminals in train stations, etc

ATM skimming isn't limited to ATMs! There are lots of terminals that ask you to swipe your card and/or enter a PIN, and many of them are less well-armored and -policed than actual cashpoints. Skimmers have been found on train-ticket machines, parking meters and other payment terminals. Once a crook has got your card number and sign-on data, they can use that to raid your account at an ATM. Brian Krebs has a look at some of these devices, including a full-on fascia for a cheapie ATM discovered in Latin America.

The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.

This reminds me a little of the evolution of payphones -- the armadillos of the device world! -- and the look-alike COCOTS (customer-owned coin-operated telephones) that presented very soft targets if you could scry through their camouflage.

Cash Claws, Fake Fascias & Tampered Tickets

Skype's IP-leaking security bug creates denial-of-service cottage industry

It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

Brian Krebs talks to hacker who may have SWATted him and attacked Wired's Mat Honan

Last week, Brian Krebs (a respected security researcher and journalist who often publishes details about high-tech crime) was SWATted -- that is, someone defrauded his local police department into sending a SWAT team to his house, resulting in his getting confronted by gun-wielding, hair-trigger cops who had him lie on the ground and cuffed him before it was all sorted out.

Krebs, being a talented investigator, is hot on the trail of the people or person responsible for this. And a variety of sources point to a 20-year-old hacker who goes by "Phobia," and whose real name, according to Krebs, is Ryan Stevenson. Phobia was implicated in the attack on Wired reporter Mat Honan, wherein his laptop drive and online backup were deleted, including irreplaceable photos of his child's first year, and eight years' worth of email.

Krebs phoned "Phobia" up and ended up speaking to Phobia and his father. Phobia denied attacking Krebs and insisted that he had nothing to do with the gamer/fraudster clan behind it (though Krebs pointed out that Phobia can be heard speaking in the group's YouTube videos, which document their attacks), but admitted that he had been the culprit in hacking Honan (his father then came onto the line to deny this). The transcript is the most interesting part of the piece:

BK: Uh huh. And is Honan referring to you in this article?

RS: Yeah.

BK: Yes?

RS: Uh huh.

BK: Did anything bad ever happen to you because of this?

RS: No.

Internet security writer DDOS'd, visited by armed police SWAT team who'd been hoaxed

Holy moly, Brian Krebs:
It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.”

Read the whole sordid tale. Image: Fairfax County Police outside Krebs' home on 3/14/13. He'd even warned police in advance of this possibility, and filed a report with Fairfax County Police in 2012 after receiving threats.

[Krebs on Security]

Exploit was active on LA Times site for 6 weeks

"The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks," reports Brian Krebs. The paper's statement on the matter is a model of how not to handle security clusterfucks.

Once your PC is hacked, your ecommerce passwords go on sale at $2 a pop

Brian Krebs writes about how hackers have expanded the ways they extract value from compromised PCs. No longer is a compromised machine merely good for forming part of a botnet or forwarding spam. New strains of malware extract all your login/passwords for ecommerce sites, and these are then put on sale at $2 a throw on sites like Freshtools.

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.

Another store widely advertised in the Underweb (see screenshot above) pimps credentials for a far broader array of retailers, most of which can be had for $2, including amazon.com, apple.com, autotrader.co.uk, bestbuy.com, bloomgingdales.com, bol.com, cdw.com, drugstore.com, ebay.co.uk, ebay.com, facebook.com, gamestop.com, gumtree.com, kohls.com, logmein.com, lowes.com, macys.com, mylikes.com, newegg.com, next.co.uk.com, okpay.com, paypal.com, payza.com, runescape.com, sephora.com, skype.com, target.com, toysrus.com, ukash.com, verizon.com, walmart.com, xoom.com and zappos.com. Accounts at these retailers that have credit cards or bank accounts tied to them command higher prices.

This is a glimpse into the complex ecosystem of online crime. The person who writes the malware sells it to someone who's got a useful vector (a hacked website, say) for distributing it. The distributor extracts the ecommerce logins and flogs them to someone else who has access to a stooge who does freight forwarding.

Point of Sale skimmer that prints out real-seeming receipts

Brian Krebs reports on a terrifyingly real-seeming Point of Sale skimmer.

Spam kingpin chatter

Security researcher Brian Krebs picks some choice exchanges out of a dump from an elite Russian spammer message-board, and suggests that this contains clues to the identities of the world's most prolific spammers.

“Everything is all right with John. We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks. He got squeezed [arrested/questioned] once very badly some time ago. Now he is all clean. His friend – SP – screwed him and also is not working with stocks now. Rin is in total shit. He is going to be in jail (or he is going to be hiding) for a long time. He calls me pretty often, so he is alive so far. I am helping his wife with money from time to time.”

The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:

“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”

Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.

Ad for freelance Russian bank-robbers

Brian Krebs has published an ad from "Foreign Agents," a notorious Russian crime service. They're advertising the availability of foot soldiers in the USA who can help cash out hacked bank accounts and credit cards. Unlike traditional bank-fraud mules, who don't know that they're part of a scam, these "associates" are "неразводные" ("nerazvodni" or "not deceived").

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

According to the advertisement, customers of this service get their very own login to a remote panel, where they can interact with the cashout service and monitor the progress of their thievery operations. The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year.

Say what you will about their criminal tendencies, those bank robbers have excellent art direction.
