Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:
That's according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region.
Security expert Brian Krebs was the target of a malicious email flood, and writes firsthand about the experience. These floods, which can be directed at any or all of your communication channels (phone voice or SMS, and email), are used by crooks who want to busy-out every channel a victim could use to notice or report fraud while they are ripping that victim off electronically.
Brian Krebs is conducting a series of interviews with computer experts on how they got into the field and what they'd advise others to do if they want to break in themselves. The first one, an interview with Thomas Ptacek, ran last month.
In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't merely to hash with a good salt: you must use a slow password hash that costs a lot of work per guess, so that precomputing rainbow tables or brute-forcing the leaked hashes is impractical.
If the previous ATM skimmer posts didn't scare the pants off you, this one from San Fernando Valley, which Brian Krebs reports on, might. It has a near-undetectable pinhole camera for recording timestamped footage of your PIN entry, and apart from the pinhole itself, the only way to spot it is to yank hard on the front of the ATM before you start using it.
Brian Krebs has been through the support forums for the "Citadel" trojan, a piece of commercial malicious software (spun out from the notorious ZeuS trojan) that criminals buy and use to take over other people's computers, building botnets for sending spam or taking down websites with traffic floods.
Brian Krebs reports on a new cybercrime service that will max-out a company's switchboard with fake phone calls as a diversionary tactic while their servers are being plundered:
For just $5 an hour, or $40 per day, you can keep anyone's phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.
Brian Krebs documents a sophisticated offline/online attack on banks. Thieves combine a fraudulent wire transfer to an innocent jewelry store with a denial-of-service attack on the bank that ties up the IT and other staff. The jeweler has been told that the money is to buy expensive jewels and watches, which are handed to a stooge recruited as a courier and reshipper.
Brian Krebs reports: "The U.S. Department of Homeland Security today took aim at widespread media reports about a hacking incident that led to an equipment failure at a water system in Illinois, noting there was scant evidence to support any of the key details in those stories — including involvement by Russian hackers or that the outage at the facility was the result of a cyber incident."
Many websites will allow you to "recover a lost password" if you (or a crook) can supply your date of birth, mother's maiden name, etc. So, of course, crooks buy and sell data like dates of birth, mothers' maiden names, Social Security Numbers, and other easily mined minutiae.
Brian Krebs posts a list of additional organizations said to have been targeted in the RSA attack, that massive data breach disclosed back in March. How many additional targets? Nearly 800 of them.
I didn't think it was possible to think any less of disgraced former New York Times reporter Judith Miller. But then, sweet fancy Jesus, I read her analysis of the Great Blackberry Outage of 2011. For Fox News.
I present to you the pull quote:
Cyber- and germ terrorism are quiet killers, and therefore, threats that are easy to underestimate.
Brian Krebs continues his excellent investigative series on the inner workings of online ripoffs, today with a deep look at underground freight-forwarders, so-called "Drops for stuff." These services use patsies recruited on Craigslist through a "work at home" scam to receive goods bought with stolen credit card numbers and forward them on to crooks.
Security researcher Brian Krebs got a look at the auction prices at iProfit.su, a criminal marketplace where you can buy hacked and phished PayPal accounts; he discovered that the going rate for 100 zero-balance verified PayPal accounts is a mere $50, that is, 50 cents per account.
Beware of Juice-Jacking, warns security researcher Brian Krebs. Those cell-phone charging kiosks in airports and other public places amount to an "unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware."
Brian Krebs is continuing to report on the latest research on spammers and scammers, today naming and shaming the banks that process payments for fake anti-virus and rogue pharmacy affiliate networks, and describing the system scammers use to avoid being cut off by Visa and Mastercard.
Brian Krebs looks at the remarkable drop in spam that the Internet has experienced this year (25-50 billion spams/day today, down from a peak of 225 billion spams/day last July), and at the vicious new malware that's appearing as spam-crooks get more desperate.
Authorities in Russia have arrested Pavel Vrublevsky, co-founder of Russia's biggest online payment processor ChronoPay, over charges that he paid a hacker to attack his company's competitors. More: Joe Menn in the Financial Times, and Brian Krebs at Krebs on Security.
Brian Krebs has an in-depth look at SpyEye, a "crimeware" trojan horse that is used to harvest personal information (especially banking credentials) from infected Windows machines. SpyEye's keylogger is capable of prioritizing the information it grabs by paying special attention to data entered into browser forms, including those in Chrome and Opera.
Brian Krebs has a good investigative piece on BuyEmails.org, an India-based website servicing Nigerian fraudsters and other Internet scam artists. They offer curiously targeted email lists ("6 million prospective work-at-home USA residents for just $99"), untraceable bulk email, and direct payment schemes from Nigerian banks, and (hilariously) they don't accept credit cards or PayPal because of all the fraud they've suffered.