Last February, i.materialise reported that they'd declined an offer to 3D print a new fascia for an ATM, because they suspected it was part of an ATM skimmer (a device used to capture peoples' ATM PINs and card numbers). The news may have inspired another ATM skimmer gang, four men from South Texas who were indicted in June. Prosecutors say the crooks had saved their pennies from earlier ATM ripoffs and invested in a 3D printer that they used to print their own fascia without having to go through an intermediary like i.materialise.
“When [Lall was] put in jail, we asked, ‘What are we going to do?’ and we had to figure it out and that’s when we came up with this unit,” Paz allegedly told the undercover officer.
The government alleges Paz also was the guy who encoded the stolen card data onto counterfeit cards. The feds say Albert Richard of Missouri City, Texas prepared ATMs at numerous banks where the skimming devices were installed, by covering the ATM cameras or spray-painting over them, and by acting as a lookout.
A fourth defendant, John Griffin, is alleged to have used the counterfeit cards to withdraw funds at different ATMs around Texas. Prosecutors allege the group stole more than $400,000 between Aug. 2009 and June 2011. Prior to their arrest this summer, the gang started making decent money but they split the profits between them. Federal prosecutors say the men stole $57.808.14 in month of April 2011 alone (yes, that’s an odd amount to have come out of ATMs, but I digress).
Crooks who compromised Fidelity National Information Services's prepaid debit card database were able to draw out $13 million in one night, working with co-conspirators in several countries in one weekend night, after the banks had closed:
Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.
Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.
Beware of Juice-Jacking, warns security researcher Brian Krebs. Those cell-phone charging kiosks in airports and other public places amount to an "unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware." Read the rest
Brian Krebs is continuing to report on the latest research on spammers and scammers, today naming and shaming the banks that process payments for fake anti-virus and rogue pharmacy affiliate networks, and on the system used by scammers to prevent being cut off by Visa and Mastercard.
Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake antivirus (fake AV) "affiliate" networks, organized criminal operations that pay hackers to deploy the bunk software. The researchers uncovered a peculiar credit card processing pattern that was common to these scams; a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors.
The pattern reflects each fake AV program's desire to minimize the threat from "chargebacks," which occur when consumers dispute a charge. The fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat. When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge.
Excessive chargebacks (more than 2-3 percent of sales) generally raise red flags at Visa and MasterCard, which employ a sliding scale of financial penalties for firms that generate too many chargebacks.
Brian Krebs looks at the remarkable drop in spam that the Internet has experienced this year (25-50 billion spams/day today, down from a peak of 225 billion spams/day last July), and at the vicious new malware that's appearing as spam-crooks get more desperate. One such vector is TDSS (AKA "TLd-4"), a rootkit that infects your computer, kicks out all the other malware running on it, and then helps hackers distribute malware. Krebs says that there's plenty of gains to be realized by attacking the financial instruments used by criminals and he's promised a series on how these work.
The evolution of the TLd-4 bot is part of the cat-and-mouse game played by miscreants and those who seek to thwart their efforts. But law enforcement agencies and security experts also are evolving by sharing more information and working in concert, said Alex Lanstein, a senior security researcher at FireEye, a company that has played a key role in several coordinated botnet takedowns in the past two years.
"Takedowns can have an effect of temporarily providing relief from general badness, be it click fraud, spam, or credential theft, but lasting takedowns can only be achieved by putting criminals in silver bracelets," Lanstein said. "The Mega-D takedown, for example, was accomplished through trust relationships with registrars, but the lasting takedown was accomplished by arresting the alleged author, who is awaiting trial. In the interim, security companies are getting better and better about working with law enforcement, which is what happened with Rustock."
Brian Krebs has an in-depth look at SpyEye, a "crimeware" trojan horse that is used to harvest personal information (especially banking credentials) from infected Windows machines. SpyEye's keylogger is capable of prioritizing the information it grabs by paying special attention to information from browser forms, including Chrome and Opera.
Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.
Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I've seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.
Brian Krebs has a good investigative piece on BuyEmails.org, an India-based website servicing Nigerian fraudsters and other Internet scam artists. They offer curiously targetted email lists ("6 million prospective work-at-home USA residents for just $99"), untraceable bulk email, and direct payment schemes from Nigerian banks, and (hilariously) they don't accept credit cards or Paypal because of all the fraud they've suffered. They also hold US patents on sending spam, but they lost one the first time they tried to use it against a competitor in a US court (the judge said that "sending and re-sending of spam until all of the mail is delivered" was "obvious"). The parent company of BuyEmails.org is Perfect Web Technologies Inc.
The site sells dozens of country-specific email lists. Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers; $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.
If you don't care much about who gets your emails, or if you want to target recipients based on their email provider, the price per address goes way down. Consider these offerings:
50 million AOL addresses: $500
30 million Hotmail addresses: $450
30 million Yahoo addresses: $400
5 million Gmail addresses: $350
Brian Krebs went browsing in an underground proxy marketplace, where criminals rent time on hijacked computers to other criminals who want to use the compromised machines as launching-grounds for untraceable networked attacks. Krebs traced down some of the people whose computers were up for rent and let them know that they were being bought and sold on the underground.
Michelle Trammell, associate director of Kirby Pines and president of TSG, said she was unaware that her computer systems were being sold to cyber crooks when I first contacted her this week. I later heard from Steve Cunningham from ProTech Talent & Technology, an IT services firm in Memphis that was recently called in to help secure the network.
Cunningham said an anti-virus scan of the TSG and retirement community machines showed that one of the machines was hijacked by a spam bot that was removed about two weeks before I contacted him, but he said he had no idea the network was still being exploited by cyber crooks. "Some malware was found that was sending out spam," Cunningham said, "It looks like they didn't have a very comprehensive security system in place, but we're going to be updating [PCs] and installing some anti-virus software on all of the servers over the next week or so."
Brian Krebs reports on the takedown of the command-and-control servers for Rustock, the largest and most successful spam botnet. The botnet's output has fallen from thousands of spams per second to one or two spams per second:
It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.
Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.
The Guardian reports that three UK teenagers who created and ran "one of the world's largest English-language internet crime forums," described in court as "Crimebook", have been sentenced to up to 5 years in jail. Authorities estimated that losses from credit card data traded over Gh0stMarket.net totaled more than $26 million dollars. Threatening to blow up the head of the police unit in charge of internet crimes after an earlier arrest was probably an unwise move:
The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts. Nicholas Webber, the site's owner and founder, was arrested in October 2009 with the site's administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.
After seizing Webber's laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.
Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers' addresses.
Security reporter Brian Krebs has a fascinating piece up on Pavel Vrublevsky, founder of Russia's biggest online payment processor, ChronoPay. Krebs reports that this man also co-owns Rx-Promotion, an online pharmacy that sells tens of millions of US dollars worth of controlled pills to Americans each year: Valium, Percocet, Tramadol, Oxycodone, and other substances with high street resale value. Just before Krebs arrived in Russia to meet with Vrublevsky, "several truckloads of masked officers from Russian drug enforcement bureaus" raided a private party thrown for the top moneymakers of Rx-Promotion (that's their promotional banner, above). Snip:
I hadn't told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.
"Duuuuuuuudddde!," he answers. "It's 7 a.m. where you are, who died?"
I reply that I am in fact in his time zone and that we should meet. After another long "Duuuuuuuuddde!" Vrublevsky promises to send a car if I will wait in the hotel lobby. He tells me he'll be sending along with the driver his receptionist, named Vera. He proceeds to describe Vera as this grossly overweight, unattractive older lady but, hey, she speaks English and knows how to deal with Westerners, so she's coming, he says.
Fifteen minutes later, I am seated in the lobby waiting for Vera, watching incoming guests as they stomp off snow and trudge through the hotel's revolving door. I find it difficult to avoid staring at this unusually attractive, slender, dark-haired young woman standing nervously just beside the door.
ImageShack discovered that they were being used by fake pharmacy scammers to host images for their crappy websites and spam. So ImageShack now serves this warning image for all the pharma referrers they can find.
Brian Krebs reports on a new wrinkle in ATM skimmer design: if the ATM is in its own lobby, crooks can steal your card number and PIN without ever touching the ATM. Instead, they attach the skimmer to the door-lock (you know those doors that only open if you swipe your card?) and then use a hidden camera to record you keying in your PIN. Clever, in a horrible way, especially since ATMs in their own lobby feel more secure.
On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an "Out of Order" sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.
Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right...
The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.
The camera used in this attack retails for about $150, can record up to 2 GB (about two hours worth) of video, and runs on a rechargeable lithium ion battery.
Brian Krebs tracked down a black-market retailer of mobile-phone-based ATM skimmers that capture your PIN and transmit it to fraudsters over the GSM network. The vendor gave him the whole sales-pitch for the efficiency and safety (for the criminals) of GSM-based skimmers. It's a fascinating read, unless you use ATMs, in which case, it's a terrifying one.
So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.
And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer - you lose equipment, and tracks, and money.
That's not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.