Spam is way down, but new malware is really tough

Brian Krebs looks at the remarkable drop in spam that the Internet has experienced this year (25-50 billion spams/day today, down from a peak of 225 billion spams/day last July), and at the vicious new malware that's appearing as spam crooks get more desperate. One such vector is TDSS (AKA "TDL-4"), a rootkit that infects your computer, kicks out all the other malware running on it, and then helps hackers distribute malware. Krebs says that there are plenty of gains to be realized by attacking the financial instruments used by criminals, and he's promised a series on how these work.

The evolution of the TDL-4 bot is part of the cat-and-mouse game played by miscreants and those who seek to thwart their efforts. But law enforcement agencies and security experts also are evolving by sharing more information and working in concert, said Alex Lanstein, a senior security researcher at FireEye, a company that has played a key role in several coordinated botnet takedowns in the past two years.

"Takedowns can have an effect of temporarily providing relief from general badness, be it click fraud, spam, or credential theft, but lasting takedowns can only be achieved by putting criminals in silver bracelets," Lanstein said. "The Mega-D takedown, for example, was accomplished through trust relationships with registrars, but the lasting takedown was accomplished by arresting the alleged author, who is awaiting trial. In the interim, security companies are getting better and better about working with law enforcement, which is what happened with Rustock."

Where Have All the Spambots Gone?

Russia: head of online payments company arrested over cyber-attack on rival

Authorities in Russia have arrested Pavel Vrublevsky, co-founder of Russia's biggest online payment processor ChronoPay, over charges that he paid a hacker to attack his company's competitors. More: Joe Menn in the Financial Times, and Brian Krebs at Krebs on Security.

In-depth look at SpyEye crimeware

Brian Krebs has an in-depth look at SpyEye, a "crimeware" trojan horse that is used to harvest personal information (especially banking credentials) from infected Windows machines. SpyEye's keylogger is capable of prioritizing the information it grabs by paying special attention to information from browser forms, including Chrome and Opera.

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I've seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

SpyEye Targets Opera, Google Chrome Users

Indian site services Internet scam artists

Brian Krebs has a good investigative piece on, an India-based website servicing Nigerian fraudsters and other Internet scam artists. They offer curiously targeted email lists ("6 million prospective work-at-home USA residents for just $99"), untraceable bulk email, and direct payment schemes from Nigerian banks, and (hilariously) they don't accept credit cards or PayPal because of all the fraud they've suffered. They also hold US patents on sending spam, but they lost one the first time they tried to use it against a competitor in a US court (the judge said that "sending and re-sending of spam until all of the mail is delivered" was "obvious"). The parent company of is Perfect Web Technologies Inc.

The site sells dozens of country-specific email lists. Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers; $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.

If you don't care much about who gets your emails, or if you want to target recipients based on their email provider, the price per address goes way down. Consider these offerings:

50 million AOL addresses: $500
30 million Hotmail addresses: $450
30 million Yahoo addresses: $400
5 million Gmail addresses: $350

Where Did That Scammer Get Your Email Address?

Marketplace for hijacked computers

Brian Krebs went browsing in an underground proxy marketplace, where criminals rent time on hijacked computers to other criminals who want to use the compromised machines as launching-grounds for untraceable networked attacks. Krebs traced down some of the people whose computers were up for rent and let them know that they were being bought and sold on the underground.

Michelle Trammell, associate director of Kirby Pines and president of TSG, said she was unaware that her computer systems were being sold to cyber crooks when I first contacted her this week. I later heard from Steve Cunningham from ProTech Talent & Technology, an IT services firm in Memphis that was recently called in to help secure the network.

Cunningham said an anti-virus scan of the TSG and retirement community machines showed that one of the machines was hijacked by a spam bot that was removed about two weeks before I contacted him, but he said he had no idea the network was still being exploited by cyber crooks. "Some malware was found that was sending out spam," Cunningham said, "It looks like they didn't have a very comprehensive security system in place, but we're going to be updating [PCs] and installing some anti-virus software on all of the servers over the next week or so."

Is Your Computer Listed "For Rent"?

Samsung deliberately infecting new laptops with keyloggers?

According to Mohamed Hassan (a security expert and IT professor), Samsung has admitted to shipping laptops with covert, undisclosed keyloggers installed, there to "monitor the performance of the machine and to find out how it is being used." Their PR department refuses to discuss the issue: "In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners." (via /.)

Update: Samsung denies it.

Update 2: Brian Krebs believes them.

World's largest spam botnet goes down (for now?)

Brian Krebs reports on the takedown of the command-and-control servers for Rustock, the largest and most successful spam botnet. The botnet's output has fallen from thousands of spams per second to one or two spams per second:

It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.

Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.


3 teens behind internet crime forum Gh0stMarket get jail

The Guardian reports that three UK teenagers who created and ran "one of the world's largest English-language internet crime forums," described in court as "Crimebook", have been sentenced to up to 5 years in jail. Authorities estimated that losses from credit card data traded over totaled more than $26 million. Threatening to blow up the head of the police unit in charge of internet crimes after an earlier arrest was probably an unwise move:

The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts. Nicholas Webber, the site's owner and founder, was arrested in October 2009 with the site's administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.

After seizing Webber's laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.

Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers' addresses.


Tracing the pill-trails to America from Russia's e-pharmacy underworld

Security reporter Brian Krebs has a fascinating piece up on Pavel Vrublevsky, founder of Russia's biggest online payment processor, ChronoPay. Krebs reports that this man also co-owns Rx-Promotion, an online pharmacy that sells tens of millions of US dollars worth of controlled pills to Americans each year: Valium, Percocet, Tramadol, Oxycodone, and other substances with high street resale value. Just before Krebs arrived in Russia to meet with Vrublevsky, "several truckloads of masked officers from Russian drug enforcement bureaus" raided a private party thrown for the top moneymakers of Rx-Promotion (that's their promotional banner, above). Snip:

I hadn't told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.

"Duuuuuuuudddde!," he answers. "It's 7 a.m. where you are, who died?"

I reply that I am in fact in his time zone and that we should meet. After another long "Duuuuuuuuddde!" Vrublevsky promises to send a car if I will wait in the hotel lobby. He tells me he'll be sending along with the driver his receptionist, named Vera. He proceeds to describe Vera as this grossly overweight, unattractive older lady but, hey, she speaks English and knows how to deal with Westerners, so she's coming, he says.

Fifteen minutes later, I am seated in the lobby waiting for Vera, watching incoming guests as they stomp off snow and trudge through the hotel's revolving door. I find it difficult to avoid staring at this unusually attractive, slender, dark-haired young woman standing nervously just beside the door.


ImageShack serves dire warnings to victims of pharmaceutical spams

ImageShack discovered that they were being used by fake pharmacy scammers to host images for their crappy websites and spam. So ImageShack now serves this warning image for all the pharma referrers they can find.

Imageshack Swaps Spam Pages for Scam Alerts

ATM skimmer that doesn't require any modifications to the ATM

Brian Krebs reports on a new wrinkle in ATM skimmer design: if the ATM is in its own lobby, crooks can steal your card number and PIN without ever touching the ATM. Instead, they attach the skimmer to the door-lock (you know those doors that only open if you swipe your card?) and then use a hidden camera to record you keying in your PIN. Clever, in a horrible way, especially since ATMs in their own lobby feel more secure.

On July 24, 2009, California police officers responded to a report that a customer had uncovered a camera hidden behind a mirror that was stuck to the wall above an ATM at a bank in Sherman Oaks, Calif. There were two ATMs in the lobby where the camera was found, and officers discovered that the thieves had placed an "Out of Order" sign on the ATM that did not have the camera pointed at its PIN pad. The sign was a simple ruse designed to trick all customers into using the cash machine that was compromised.

Bank security cameras at the scene of the crime show the fake mirror installed over the ATM on the right...

The attackers hitting this ATM were either very persistent, or varied: A source familiar with the July 24 incident said this particular door lock would be stolen and modified a total of nine times in 2009.

The camera used in this attack retails for about $150, can record up to 2 GB (about two hours worth) of video, and runs on a rechargeable lithium ion battery.


What does the front-end of an online hacker store look like?

This. Note the dot-mil and dot-govs, and good heavens, the affordable pricing. Fascinating story behind the screengrab over at Krebs on Security.

Sales pitch from an ATM-skimmer vendor

Brian Krebs tracked down a black-market retailer of mobile-phone-based ATM skimmers that capture your PIN and transmit it to fraudsters over the GSM network. The vendor gave him the whole sales-pitch for the efficiency and safety (for the criminals) of GSM-based skimmers. It's a fascinating read, unless you use ATMs, in which case, it's a terrifying one.

So we potentially have already about 20k dollars. Also imagine that if was not GSM sending SMS and to receive tracks it would be necessary to take the equipment from ATM, and during this moment, at 15:00 there comes police and takes off the equipment.

And what now? All operation and your money f#@!&$ up? It would be shame!! Yes? And with GSM the equipment we have the following: Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer - you lose equipment, and tracks, and money.

That's not all: There is one more important part. We had few times that the police has seen the device, and does not take it off, black jeeps stays and observe, and being replaced by each hour. But the equipment still not removed. They believe that our man will come for it. And our observers see this circus, and together with it holders go as usual, and tracks come with PINs as usual.


What it costs to host a malware site

Brian Krebs reports on "bulletproof hosting" providers that offer malware/spyware creeps, spammers, rip-off artists and other Mos Eisley cantina-dwellers a place to park a website where takedown notices, search warrants, and the law can't reach.

Of course, just how insulated this particular provider's services are and how much illicit activity you can get away with while using them depends largely on how much you're willing to shell out each month. For example, an entry level "default bulletproof server" allows customers to host things like rogue online pharmacies, replica, gambling, and MP3 sites for $270 per month. But this service level bars customers from hosting nastier content, such as malware, spyware, adware, exploits, viruses, and phishing sites.

Upgrade to the "Super BulletProof Virtual Dedicated Servers in China" -- and pay almost $500 a month -- and the only activities that are prohibited are sending spam and hosting any type of porn.

The provider pictured here also upsells potential customers by offering a variety of handy add-on services. For extra coin each month, one can rent a bulletproof server with a license for XRumer, a black hat search engine manipulation tool that automates the registration of new Web forum accounts and the spamming of links on those forums, all in a bid to boost the search engine rankings of the spamvertized site. If you operate a blog and have had to deal with what appear to be automated, link-filled comments, chances are good that XRumer was involved in some way.

Body Armor for Bad Web Sites

U.S. Mobsters, Behind in Cybercrime, Could Win Tuesday

[image: PartyPoker founder Ruth Parasol]

I know what patriotic Americans reading about the lucrative feats being pulled off by organized cyber criminals in Russia, Ukraine and elsewhere are thinking. Can't mobsters from the good old U.S. of A. compete in today's fast-moving global marketplace?

It's a sad fact that the West is lagging behind in giant-scale Internet fraud. But I don't think we need to lobby for a Five Families bailout just yet, especially if the Republicans capture the House tomorrow and kill Rep. Barney Frank's effort to legalize online gambling.

True, the other side has unfair advantages, including stunningly corruptible business-oriented law enforcement and the lack of a Silicon Valley to siphon off programming talent with high-paying straight jobs. In fact, some countries essentially sport a pre-fabbed mob infrastructure. Even legitimate enterprises typically hire their own mafia patron to negotiate cop-shakedowns and fend off other mobsters wanting handouts, so a greater union is pretty much the natural course of things once a hacking group gets big.


How (not) to exterminate a book.

As a book freak (bibliophile is just too refined to describe my love for certain bound publications) I have been researching the case of a particular poetry volume for a few years now. Recently, Xeni posted on the U.S. government's purchase and destruction of upwards of 10,000 books, which reminded me of the case I am researching, and I found the parallels between the two instances eerie. I am going to request a suspension of Godwin's law for the time that you read this piece, as the unintentional but unavoidable comparison to the Nazis cannot be hidden.

Gottfried Benn: German poet, medical doctor, and Nazi sympathizer, published a collection of his poems in May 1936 entitled "Selected Poems - Ausgewählte Gedichte". Although authorized for publication under the Nazis, upon a closer reading of the poems the authorities quickly changed their minds. The Black Corps - Das Schwarze Korps, the official weekly propaganda newspaper of the SS, vilified the publication by calling Benn a Selbsterreger (self-agitator or masturbator). Some of his early expressionist poems were deemed to be inappropriate for a Nazi audience and the newspaper advised him, "Give it up, poet Benn, the times for such disgusting things (Ferkeleien - literally 'acts of piglets') are permanently gone". This created such a furor over the poetry volume that the book was banned at the beginning of the summer of 1936. The copies in existence were systematically rounded up and destroyed by the government. Unlike previous instances of Nazi book burning, which were largely symbolic and did not represent a complete extermination of a particular work, this instance of publication, review, recall, and destruction eliminated almost all of the original first editions printed.

Inside a stolen credit-card site

Brian Krebs brings us a fascinating look at the inner workings of a site that sells stolen credit card numbers to fraudsters; the site is structured like a bizarro-world PayPal, with soft come-ons, hidden fees, and lots of upsell pressure.

The trouble is, the minute you seek to narrow your search using the built-in tools, the site starts adding all these extra convenience fees (sound familiar?). For example, if I were going to buy a card stolen from anyone around the Washington, D.C. area, it would probably be from a resident of McLean, Va., which is more or less a tony place where plenty of well-to-do folk reside. Anyway, the site found me a card (a MasterCard) belonging to a McLean resident alright, but then the service wanted to tack on an extra $.60 just because I isolated my search by city and state -- raising the cost in my shopping cart to $2.10! No way, Jose. Not this bargain shopper.
I'll Take 2 MasterCards and a Visa, Please
