Friday, October 09, 2009

Kaspersky Labs: The Cash Factory

Hat-tip to Donna.

Kaspersky Lab announces the publication of its latest article, The Cash Factory. The article looks at the methods used by cyber criminals to create and run botnets in order to generate large profits.

The Cash Factory unveils the cyclical process used to create botnets from computers infected by the bot Backdoor.Win32.Bredolab. First, cyber criminals hack a site's content management system and modify its pages with tags that redirect to websites containing malicious exploits. These exploits pave the way for infection and penetration by other bots, which then join to form a botnet and obey commands issued from a remote command and control center.

The bots download malicious programs from the Internet, including a Trojan designed to steal passwords to FTP clients used to manage website content. These passwords can then be used by cyber criminals to modify websites and place malicious tags on their pages.

The process is essentially a vicious circle that can be repeated and extended, and is used by cyber criminals to ensure the smooth running of their "cash factory."

The full version of "The Cash Factory" is available on the Kaspersky Labs Blog.

Thursday, October 08, 2009

Mark Fiore: ACORN

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Updated: Yahoo! Provided Iranian Regime With Names of 200,000 Users?

Richard Koman writes on ZDNet Government:

Yahoo collaborated with the Iranian regime during the election protests, providing to the authorities the names and emails of some 200,000 Iranian Yahoo users. This is according to a post on the Iranian Students Solidarity (Farsi) blog. My sources indicate the information comes from a group of resisters who have infiltrated the administration and are leaking out important information.

These sources say that Yahoo representatives met with Iranian Internet authorities after Google and Yahoo were shut down during the protests and agreed to provide the names of Yahoo subscribers who also have blogs in exchange for the government lifting the blocks on Yahoo.

More here.

Update: 14:38 PDT, 10 Oct. 2009: ZDNet has retracted this post. -ferg

Classic xkcd: Scary

Click for larger image.

We love xkcd.

- ferg

Cyber Thieves Find Workplace Networks Are Easy Pickings

Byron Acohido writes on USA Today:

It took only a modicum of skill for a cybergang to steal 94 million credit and debit card payment records from the TJX retail chain — and follow that up by hauling in 130 million records from credit card processor Heartland Payment Systems.

Court records reveal that those record-setting break-ins were almost too easy. Even more surprising: The thieves were able to take their sweet time extracting the data, in each case going undetected for more than a year.

What happened to TJX and Heartland was not unusual. And details unveiled in the prosecution of gang members involved in both thefts have shed fresh light on a business truism demanding more scrutiny: Workplace networks have turned out to be much more porous and difficult to defend than anyone ever anticipated.

Overly complex IT systems are producing endless opportunities for cyberthieves, who need only to master simple hacking techniques to get their hands on sensitive data. The result: Data breaches continue to plague companies, hospitals, universities and government agencies — any entity that collects data and conducts business on a digital network.

More here.

Telephone Company is Arm of Government, Feds Admit in Spy Suit

Ryan Singel writes on Threat Level:

The Department of Justice has finally admitted it in court papers: the nation’s telecom companies are an arm of the government — at least when it comes to secret spying.

Fortunately, a judge says that relationship isn’t enough to squash a rights group’s open records request for communications between the nation’s telecoms and the feds.

The Electronic Frontier Foundation wanted to see what role telecom lobbying of Justice Department played when the government began its year-long, and ultimately successful, push to win retroactive immunity for AT&T and others being sued for unlawfully spying on American citizens.

The feds argued that the documents showing consultation over the controversial telecom immunity proposal weren’t subject to the Freedom of Information Act since they were protected as “intra-agency” records...

More here.

Australia: NSW Police - Don't Use Windows for Internet Banking

Munir Kotadia writes on

Consumers wanting to safely connect to their internet banking service should use Linux or the Apple iPhone, according to a detective inspector from the NSW Police, who was giving evidence on behalf of the NSW Government at the public hearing into Cybercrime today in Sydney.

Detective Inspector Bruce vad der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online.

The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows.

More here.

Microsoft Plans Monster Patch Tuesday Next Week

Gregg Keizer writes on ComputerWorld:

Microsoft today said it will deliver its largest-ever number of security updates on Tuesday to fix flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and the enterprise-grade Forefront Security client software.

Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system.

The company will ship a total of 13 updates next week, eight of them pegged "critical," the highest threat ranking in its four-step scoring system, beating the previous record of 12 updates shipped in February 2007 and again in October 2008.

"Thirteen is not a lucky number," said Andrew Storms, director of security operations at nCircle Network Security, reacting to the massive slate scheduled for Oct. 13. "They've been a busy bunch at Microsoft, that's for sure."

More here.

Exposing Bad Actor Sites That Support Cyber Crime

Alex Lanstein of FireEye writes on ComputerWorld:

Today, cyber criminals who operate the most sophisticated stealth malware and botnets rely on a remarkably small number of network and hosting service providers, known to the industry as bad actors. These bad actors supply the infrastructure needed to host drive-by download exploits, command-and-control servers, stolen data drop sites, and other more functional network needs such as DNS and reliable uplinks. Having a stable, controllable network allows malware operators to remove one difficult piece of the puzzle and Internet Service Providers (ISPs) are lining up to take their money. Even given that these networks are very well known, it has proven difficult -- in some cases impossible -- to stop cyber criminals and these bad actors due to legal, economic and technical hurdles.

The cyber crime spree that is underway is supported by bad actors that turn a blind eye to the questionable and criminal activities transpiring over their networks. Research from FireEye and others have exposed notorious examples like McColo, ZlKon, HostFresh and many more. The Federal Trade Commission scored a rare victory when it took down 3fn based on findings that 3fn, "recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content."

However, these bad actors are difficult to bring to justice due to the international nature of their crimes, the slow response time with which they react to shutdowns and the general lack of funding and focus for cyber law enforcement.

More here.

Wednesday, October 07, 2009

Google Robbed By 'Bahama' Botnet

Thomas Claburn writes on InformationWeek:

The "Bahama botnet," a collection of thousands of compromised computers that has been defrauding online advertisers lately, has also been stealing revenue from Google.

Beyond its efforts to cash in on fraudulent clicks, the botnet has been acting as "a sort of perverted Robin Hood," according to Click Forensics, an online ad auditing company. It robs from the rich -- Google, for instance -- and gives to the scammers and to the ad networks that don't care about Web traffic legitimacy.

The botnet relies on malware distributed through fake antivirus scams to take over more computers. Compromised PCs have their DNS settings secretly changed, an attack known as DNS poisoning. Thereafter, attempts to reach, say, on a compromised computer lead to a fake Google site that presents ads from which Google derives no benefit.

As a Click Forensics blog post scheduled for publication on Thursday explains, "When a user with an infected machine performs a search on what they think is, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher. Now the searcher is looking at a page that looks exactly like the Google search results page, but it's not."

More here.

Citing Cyber Crime, FBI Director Doesn't Bank Online

Robert McMillan writes on PC World:

The head of the U.S. Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt.

FBI Director Robert Mueller said he recently came "just a few clicks away from falling into a classic Internet phishing scam" after receiving an e-mail that appeared to be from his bank.

"It looked pretty legitimate," Mueller said Wednesday in a speech at San Francisco's Commonwealth Club. "They had mimicked the e-mails that the bank would ordinarily send out to its customers; they'd mimicked them very well."

In phishing scams, criminals send spam e-mails to their victims, hoping to trick them into entering sensitive information such as usernames and passwords at fake Web sites.

Though he stopped before handing over any sensitive information, the incident put an end to Mueller's online banking.

More here.

Federal Investigation Nets 100 in Phishing Scheme

Brian Prince writes on eWeek:

The FBI partnered with Egyptian law enforcement to shutdown a phishing ring authorities say was targeting American banks. The investigation, which began in 2007, represents the biggest cyber-crime roundup thus far in the U.S.

Authorities in the U.S. and Egypt have charged 100 people with participating in a sophisticated phishing ring authorities say defrauded two banks in the United States.

Early today, police in cities across the U.S. arrested 33 of the 53 suspects named in a federal indictment in Los Angeles last week. Overseas, Egyptian authorities charged another 47 defendants for participating in the scheme.

The charges were the result of a two-year probe known as Operation Phish Phry, which started when FBI agents working with United States financial institutions began working to identify and disrupt white collar criminals targeting the financial infrastructure in the United States . Using intelligence developed during the initiative, the FBI partnered with Egyptian law enforcement to investigate multiple suspects based in Egypt . By the time it was over, the effort resulted in the largest cyber-crime investigation to date in the U.S., FBI officials said.

More here.

Tuesday, October 06, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Glove (AP).

As of Tuesday, Oct. 6, 2009, at least 4,348 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,474 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is three fewer than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

As of Tuesday, Oct. 6, 2009, at least 791 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Tuesday at 10 a.m. EDT.

Of those, the military reports 611 were killed by hostile action.

More here and here.

Honor the Fallen.

Zeus Trojan Infiltrates Bank Security Firm

Brian Krebs writes on Security Fix:

On Sept. 1, security industry start-up Silver Tail Systems held an in-depth online seminar for its bank and e-commerce clients that examined the stealth and sophistication of Zeus, a data-stealing Trojan horse program that organized thieves have used in a string of lucrative cyber heists this year.

A week later, Silver Tail learned that Zeus had infiltrated its own network defenses.

Silver Tail founder Laura Mather said she believes her company was targeted by criminals wielding Zeus specifically because of the recent webinar, which spotlighted the myriad ways in which Zeus can defeat online banking security measures. Still, she said the incident shows this family of malware can be a threat to any business - even security companies.

"Luckily, we were vigilant enough and had things locked down to a degree that the attackers weren't able to get anything of value to them," Mather said.

More here.

Monday, October 05, 2009

Australia: RailCorp Wrestles With Conficker

Suzanne Tindal writes on ZDNet Australia:

RailCorp has confirmed that some of its workstations had been infected with the Conficker virus, although it insisted that the virus had caused no operational impact.

"Instances of the virus were detected on some workstations on various networks. However, there has been no wide scale outbreak," a spokesperson for the corporation told

The organisation's security and patching stance made sure that the "bulk" of its computing network wasn't susceptible to the virus, they continued.

The antivirus had also paid its way. "Instances where the virus was able to infect a machine were isolated and resulted in no loss of service to commuters or operational capacity for RailCorp," the spokesperson said.

More here.

Bankers Gone Bad: Financial Crisis Making The Threat Worse

Kelly Jackson Higgins writes on Dark Reading:

A former Wachovia Bank executive who had handled insider fraud incidents says banks are in denial about just how massive the insider threat problem is within their institutions. Meanwhile, the economic crisis appears to be exacerbating the risk, with 70 percent of financial institutions saying they have experienced a case of data theft by one of their employees in the past 12 months, according to new survey data.

Shirley Inscoe, who spent 21 years at Wachovia handling insider fraud investigations and fraud prevention, says banks don't want to talk about the insider fraud, and many aren't aware that it's an "epic problem."

"There needs to be more training around this issue," says Inscoe, who co-authored a book about bank insider fraud called Insidious -- How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them, which publishes later this month. "We are seeing a huge increase in this country of organized crime rings threatening individuals who work in financial institutions and making them [commit fraud on their behalf]," she says.

More here.

Nasty Banking Trojan Makes Mules of Victims

Robert McMillan writes on PC World:

A sophisticated Trojan horse program designed to empty bank accounts has a new trick up its sleeve: It lies to investigators about where the money is going.

First uncovered by Finjan Software last week, the URLzone Trojan is already known to be very advanced. It rewrites bank pages so that the victims don't know that their accounts have been emptied, and it also has a sophisticated command-and-control interface that lets the bad guys pre-set what percentage of the account balance they want to clear out.

But Finjan isn't the only company looking into URLzone. RSA Security researchers say the software uses several techniques to spot machines that are run by investigators and law enforcement. Researchers typically create their own programs that are designed to mimic the behavior of real Trojans. When URLzone identifies one of these, it sends it bogus information, according to Aviv Raff, RSA's FraudAction research lab manager.

Security experts have long published research into the inner workings of malicious computer programs such as URLzone, Raff said. "Now the other side knows that they are being watched and they're acting," he said.

More here.

With No Plan to Respond to Cyber Attacks, U.S. Risks Reliving 9/11

Jill R. Aitoro writes on

The United States, in the wake of a widespread cyberattack, could face the same lack of coordination and preparedness the nation experienced after the Sept. 11 terrorist attacks because the government has not developed clear policies for how to respond, a panel of current and former federal security officials said on Monday.

"In terms of terrorism response, I think that we're getting well practiced and well organized. We are an efficient nation," said Gen. Michael Hayden, principal at consulting firm Chertoff Group and former director of the CIA. "Not so with the new-age threat of cyberattacks, [where] we are not well organized. It's very unclear who would be in charge of response."

As a result, the federal response to a cyberattack might resemble what happened on Sept. 12, 2001, the day after the World Trade Center and Pentagon were attacked, said Hayden, The government would pull together people to "frankly act like a committee, because we don't have any other alternative" strategy in place to define how federal, state and local government and the private sector will respond, he added.

More here.

TA Associates Buys Stake in AVG Technologies

Via The Boston Globe Business News.

TA Associates, a private equity firm with offices in Boston, said it has paid more than $200 million for a minority stake in AVG Technologies, a company focused on providing home and business computer users with comprehensive and proactive protection against computer security threats.

AVG Technologies is based in Amsterdam, with US operations headquartered in Chelmsford. Of the company's roughly 550 employees, nearly 60 are in Chelmsford, a spokesman for TA Associates said.

More here.

Hacker Leaks Thousands of Hotmail Passwords

Gregg Keizer writes on ComputerWorld:

More than 10,000 usernames and passwords for Windows Live Hotmail accounts were leaked online late last week, according to a report by, which claimed that they were posted by an anonymous user on last Thursday.

The post has since been taken down.

Neowin reported that it had seen part of the list. "Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe," said the site. "The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists."

Hotmail usernames and passwords are often used for more than logging into Microsoft's online e-mail service, however. Many people log onto a wide range of Microsoft's online properties -- including the trial version of the company's Web-based Office applications, the Connect beta test site and the Skydrive online storage service -- with their Hotmail passwords.

It was unknown how the usernames and passwords were obtained, but Neowin speculated that they were the result of either a hack of Hotmail or a massive phishing attack that had tricked users into divulging their log-on information.

More here.