Identity theft marketplace sells mothers' maiden names, dates of birth, etc

Many websites will allow you to "recover a lost password" if you (or a crook) can supply your date of birth, mother's maiden name, etc. So, of course, crooks buy and sell data like dates of birth, mothers' maiden names, Social Security Numbers, and other easily mined minutiae. Brian Krebs reports from, a site that sells would-be fraudsters this information, and also has a wholesale program so that entrepreneurial crooks can resell your personal information to their friends.

Superget lets users search for specific individuals by name, city, and state. Each “credit” costs USD$1, and a successful hit on a Social Security number or date of birth costs 3 credits each. The more credits you buy, the cheaper the searches are per credit: Six credits cost $4.99; 35 credits cost $20.99, and $100.99 buys you 230 credits. Customers with special needs can avail themselves of the “reseller plan,” which promises 1,500 credits for $500.99, and 3,500 credits for $1000.99.

“Our Databases are updated EVERY DAY,” the site’s owner enthuses. “About 99% nearly 100% US people could be found, more than any sites on the internet now.”

Customers who aren’t choosy about the identities they’re stealing can get a real bargain. Among the most trafficked commodities in the hacker underground are packages called “fullz infos,” which include the full identity information on dozens or hundreds of individuals.

How Much Is Your Identity Worth?

Who else was targeted by attack on RSA?

Brian Krebs posts a list of additional organizations said to have been targeted in the RSA attack, that massive data breach disclosed back in March. How many additional targets? Nearly 800 of them.

Epic Blackberry outage leads to epic turd-FUD headlines like "Welcome to the World Of Cyber-Terror Vulnerability"

I didn't think it was possible to think any less of disgraced former New York Times reporter Judith Miller. But then, sweet fancy Jesus, I read her analysis of the Great Blackberry Outage of 2011. For Fox News.

I present to you the pull quote:

Cyber- and germ terrorism are quiet killers, and therefore, threats that are easy to underestimate. We ignore them at our peril.

Never attribute to mysterious cyberterrorism plots what can be traced to poor network management decisions. (via Brian Krebs)

How online crooks use "work from home" patsies to launder goods and forward them offshore

Brian Krebs continues his excellent investigative series on the inner workings of online ripoffs, today with a deep look at underground freight-forwarders, so-called "Drops for stuff." These services use patsies recruited on Craigslist through a "work at home" scam to receive goods bought with stolen credit card numbers and forward them on to crooks.

A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

One drops operation,, allows “clients” to “rent” drops who have signed up for reshipping jobs. “Managers,” those who facilitate drop recruitment scams, can earn money by purchasing merchandise that the reshipping operation can quickly resell. Most reshipping operations seek consumer electronics that can be easily sold for cash, including laptop computers, cameras, smart phones and parts for sports cars. pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products.

Phished PayPal accounts selling on the criminal underground for $0.50 apiece

Security researcher Brian Krebs got a look at the auction prices at, a criminal marketplace where you can buy hacked and phished PayPal accounts; he discovered that the going rate for 100 zero-balance verified PayPal accounts is a mere $50 -- that's 50 cents per account.

Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.

LulzSec suspect arrested in Arizona wanted a job at DoD

“I hope that I’ll be able to work for the Department of Defense. From what I hear, they’re pretty good at what I want to do."— Cody Andrew Kretsinger, the LulzSec/Anonymous suspect arrested this week in Arizona.

ATM skimmer gang invested proceeds in 3D printer to make better ATM skimmers

Last February, i.materialise reported that they'd declined an offer to 3D print a new fascia for an ATM, because they suspected it was part of an ATM skimmer (a device used to capture peoples' ATM PINs and card numbers). The news may have inspired another ATM skimmer gang, four men from South Texas who were indicted in June. Prosecutors say the crooks had saved their pennies from earlier ATM ripoffs and invested in a 3D printer that they used to print their own fascia without having to go through an intermediary like i.materialise.

“When [Lall was] put in jail, we asked, ‘What are we going to do?’ and we had to figure it out and that’s when we came up with this unit,” Paz allegedly told the undercover officer.

The government alleges Paz also was the guy who encoded the stolen card data onto counterfeit cards. The feds say Albert Richard of Missouri City, Texas prepared ATMs at numerous banks where the skimming devices were installed, by covering the ATM cameras or spray-painting over them, and by acting as a lookout.

A fourth defendant, John Griffin, is alleged to have used the counterfeit cards to withdraw funds at different ATMs around Texas. Prosecutors allege the group stole more than $400,000 between Aug. 2009 and June 2011. Prior to their arrest this summer, the gang started making decent money but they split the profits between them. Federal prosecutors say the men stole $57,808.14 in the month of April 2011 alone (yes, that’s an odd amount to have come out of ATMs, but I digress).

Coordinated multinational ATM fraud nets $13M in one night

Crooks who compromised Fidelity National Information Services's prepaid debit card database were able to draw out $13 million in one night, working with co-conspirators in several countries in one weekend night, after the banks had closed:

Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

Coordinated ATM Heist Nets Thieves $13M

(Image: ATM in a cage, a Creative Commons Attribution Share-Alike (2.0) image from yuval_y's photostream)

Should you use public cell-phone charging kiosks?

Beware of Juice-Jacking, warns security researcher Brian Krebs. Those cell-phone charging kiosks in airports and other public places amount to an "unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware."

Following the money: how spammers do their banking

Brian Krebs is continuing to report on the latest research on spammers and scammers, today naming and shaming the banks that process payments for fake anti-virus and rogue pharmacy affiliate networks, and on the system used by scammers to prevent being cut off by Visa and Mastercard.

Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake antivirus (fake AV) "affiliate" networks, organized criminal operations that pay hackers to deploy the bunk software. The researchers uncovered a peculiar credit card processing pattern that was common to these scams; a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors.

The pattern reflects each fake AV program's desire to minimize the threat from "chargebacks," which occur when consumers dispute a charge. The fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat. When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge.

Excessive chargebacks (more than 2-3 percent of sales) generally raise red flags at Visa and MasterCard, which employ a sliding scale of financial penalties for firms that generate too many chargebacks.

Spam is way down, but new malware is really tough

Brian Krebs looks at the remarkable drop in spam that the Internet has experienced this year (25-50 billion spams/day today, down from a peak of 225 billion spams/day last July), and at the vicious new malware that's appearing as spam-crooks get more desperate. One such vector is TDSS (AKA "TDL-4"), a rootkit that infects your computer, kicks out all the other malware running on it, and then helps hackers distribute malware. Krebs says that there are plenty of gains to be realized by attacking the financial instruments used by criminals, and he's promised a series on how these work.

The evolution of the TDL-4 bot is part of the cat-and-mouse game played by miscreants and those who seek to thwart their efforts. But law enforcement agencies and security experts also are evolving by sharing more information and working in concert, said Alex Lanstein, a senior security researcher at FireEye, a company that has played a key role in several coordinated botnet takedowns in the past two years.

"Takedowns can have an effect of temporarily providing relief from general badness, be it click fraud, spam, or credential theft, but lasting takedowns can only be achieved by putting criminals in silver bracelets," Lanstein said. "The Mega-D takedown, for example, was accomplished through trust relationships with registrars, but the lasting takedown was accomplished by arresting the alleged author, who is awaiting trial. In the interim, security companies are getting better and better about working with law enforcement, which is what happened with Rustock."

Where Have All the Spambots Gone?

Russia: head of online payments company arrested over cyber-attack on rival

Authorities in Russia have arrested Pavel Vrublevsky, co-founder of Russia's biggest online payment processor ChronoPay, over charges that he paid a hacker to attack his company's competitors. More: Joe Menn in the Financial Times, and Brian Krebs at Krebs on Security.

In-depth look at SpyEye crimeware

Brian Krebs has an in-depth look at SpyEye, a "crimeware" trojan horse that is used to harvest personal information (especially banking credentials) from infected Windows machines. SpyEye's keylogger is capable of prioritizing the information it grabs by paying special attention to information from browser forms, including Chrome and Opera.

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I've seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

SpyEye Targets Opera, Google Chrome Users

Indian site services Internet scam artists

Brian Krebs has a good investigative piece on, an India-based website servicing Nigerian fraudsters and other Internet scam artists. They offer curiously targeted email lists ("6 million prospective work-at-home USA residents for just $99"), untraceable bulk email, and direct payment schemes from Nigerian banks, and (hilariously) they don't accept credit cards or Paypal because of all the fraud they've suffered. They also hold US patents on sending spam, but they lost one the first time they tried to use it against a competitor in a US court (the judge said that "sending and re-sending of spam until all of the mail is delivered" was "obvious"). The parent company of is Perfect Web Technologies Inc.

The site sells dozens of country-specific email lists. Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers; $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.

If you don't care much about who gets your emails, or if you want to target recipients based on their email provider, the price per address goes way down. Consider these offerings:

50 million AOL addresses: $500
30 million Hotmail addresses: $450
30 million Yahoo addresses: $400
5 million Gmail addresses: $350

Where Did That Scammer Get Your Email Address?

Marketplace for hijacked computers

Brian Krebs went browsing in an underground proxy marketplace, where criminals rent time on hijacked computers to other criminals who want to use the compromised machines as launching-grounds for untraceable networked attacks. Krebs traced down some of the people whose computers were up for rent and let them know that they were being bought and sold on the underground.

Michelle Trammell, associate director of Kirby Pines and president of TSG, said she was unaware that her computer systems were being sold to cyber crooks when I first contacted her this week. I later heard from Steve Cunningham from ProTech Talent & Technology, an IT services firm in Memphis that was recently called in to help secure the network.

Cunningham said an anti-virus scan of the TSG and retirement community machines showed that one of the machines was hijacked by a spam bot that was removed about two weeks before I contacted him, but he said he had no idea the network was still being exploited by cyber crooks. "Some malware was found that was sending out spam," Cunningham said, "It looks like they didn't have a very comprehensive security system in place, but we're going to be updating [PCs] and installing some anti-virus software on all of the servers over the next week or so."

Is Your Computer Listed "For Rent"?

Samsung deliberately infecting new laptops with keyloggers?

According to Mohamed Hassan (a security expert and IT professor) Samsung has admitted to shipping laptops with covert, undisclosed keyloggers installed, there to "monitor the performance of the machine and to find out how it is being used." Their PR department refuses to discuss the issue: "In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners." (via /.)

Update: Samsung denies it.

Update 2: Brian Krebs believes them

World's largest spam botnet goes down (for now?)

Brian Krebs reports on the takedown of the command-and-control servers for Rustock, the largest and most successful spam botnet. The botnet's output has fallen from thousands of spams per second to one or two spams per second:

It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.

Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.