Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleaded guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas had happened in September 2015 after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway and found him in possession of 15 counterfeit Chase ATM cards and $3,000 in cash (see case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in his 53 page...

On the Anniversary of the Islamic Revolution, 30 Iranian News sites hacked to show death of Ayatollah Khamenei

February 11th marked the 39th anniversary of the Islamic Revolution in Iran, the day when the Shah was overthrown and the government replaced by the Ayatollah Khomeini, called "The Supreme Leader" of Iran.  February 10th marked something quite different -- the day when hackers gained administrative control of more than 30 Iranian news websites and used stolen credentials to log in to their Content Management Systems (CMS) and share a fake news article -- the death of Ayatollah Khamenei.

The Iranian Ministry of Communications and Information Technology shared the results of their investigation via the Iranian CERT (certcc.ir), which has announced the details of the hack in this PDF report.  All of the websites in question, which most famously included ArmanDaily.ir, were hosted on the same platform, a Microsoft IIS webserver running ASP.net.

Most of the thirty hacked websites were insignificant as far as global traffic is concerned.  But several are quite popular.  We evaluated each site listed by CERTCC.ir by looking up its Alexa ranking.  Alexa tracks the popularity of all websites on the Internet.  Three of the sites are among the 100,000 most popular websites on the Internet.

News Site              Alexa Ranking
SharghDaily.ir         33,153
NoavaranOnline.ir      43,737
GhanoonDaily.ir        79,955
Armandaily.ir          104,175
BankVarzesh.com        146,103
EtemadNewspaper.ir     148,450
BaharDaily.ir          410,358
KaroonDaily.ir         691,550
TafahomNews.com        1,380,579
VareshDaily.ir         1,435,862
NimnegahShiraz.ir      2,395,969
TWeekly.ir             2,993,755
NishKhat.ir            3,134,287
neyrizanfars.ir        3,475,281
Asreneyriz.ir          7,820,850
Ecobition.ir           8,819,111
saraFrazanNews.ir      9,489,254
DavatOnline.ir         9,612,775

These rankings would put the online leadership...

TrickBot’s New Magic Trick: Sending Spam

TrickBot's New Magic Trick ==> Sending SPAM

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit.  With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share!  Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation.  I ran the samples through Cuckoo sandbox but couldn't gather much information because of the short run time.  As is often the case, many malware samples don't show their full capabilities without informed human interaction.  Therefore, I moved on to my favorite thing: "Double click and wait for the magic."

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators.  In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash – ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different...

CyberSecurity Awareness Month Tip One: There are no Gift Certificates

While many corporations have great spam filtering, quite a few small businesses and individuals still deal with a deluge of spam on a daily basis.  For some time now, a particular group of criminals have been stealing your personal information by fraudulently offering "Gift Cards" to various things.

Just in the last day, we've seen Gift Card spam for Amazon, Discover, Target, and Walgreens.

Although it doesn't seem like it, none of these spam messages have anything to do with the sponsoring organization.  There is also absolutely no chance that these spam messages will lead to you receiving a Gift Card, or anything else of value.  So what is their purpose?  These spam messages are sent to try to get you to provide personal information to criminals who enrich themselves by stealing your data and selling it to others.

In each case, after forwarding you through several intermediate places, you end up at a Survey, fraudulently branded to represent the spam campaign you clicked on.  Note that ALREADY AT THIS POINT, the criminals have your email address, and know that you have an interest in the brand they have chosen.  When you click on Amazon, the...

Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure

My friend Neil Schwartzman, the leader of CAUCE, called my attention to a new report from The President's National Infrastructure Advisory Council (NIAC), "Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure."  Why is the Coalition Against Unsolicited Commercial Email interested in this?  As I've trained law enforcement, banking, energy, and government officials all around the world side-by-side with Neil, we've been constantly reminding them that these email-based threats are still one of the leading methods by which major intrusions and long-lived network invasions begin.

With that as an introduction, let's look at the recommendations of the report.  Note that as of this writing (25AUG2017) the report is still a DRAFT.  The 21 page report, with 14 pages of appendices and 10 pages of web-accessible references, is definitely worth reading, but I would urge those in the industry to read it with a critical eye and offer your thoughts, if you have them, back to NIAC.  Sadly, many of the conclusions of the current report are exactly the same as the conclusions of the 228 page report produced by the NIAC in January 2012 (see: Intelligence Information Sharing: Final Report and Recommendations).  ...

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves have been arrested across Europe for participating in a ring that conducts ATM Black Box attacks.  The arrests were conducted in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017.  Much of the data about how the attacks are conducted is being shared between member countries and the institutions within those countries by a little-known group called E.A.S.T. and their Expert Group on ATM Fraud (EGAF).  When EAST holds their Financial Crime & Security Forum next month, members will want to also attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals have identified access points in the physical architecture of the ATM that would grant them access to cables or ports allowing them to attach a laptop to the internal computer of the ATM.  Once attached, the laptop can issue commands to the ATM resulting in the ultimate payout, a full distribution of all of the cash in the machine!  The technique of causing an ATM machine to dump all of...

Kelihos infection spreading by Thumb Drive and continues geo-targeting

I've mentioned before how proud I am that my students are extremely passionate about CyberCrime.  My guest blogger 'Arsh Arora' is on a visit to his hometown New Delhi, India to attend a wedding.  Instead of having fun, he is monitoring the Kelihos botnet from a different geographical location than the US to determine if the behavior is any different.  Seems fairly consistent, but Arsh explains more in this next edition of his Kelihos guest-blogging:

Kelihos botnet geo-targeting Canada and Kazakhstan

After laying low for a while, the Kelihos botnet is back to its business of providing 'spam as a service'.  The Kelihos botnet continues "geo-targeting" based on the ccTLD portion of email addresses.  Today, those recipients whose email address ends in ".ca" are receiving links to web pages of Tangerine Bank Phish websites, while recipients whose email address ends in ".kz" are receiving a link to the Ecstasy website.

Tangerine Bank Phish geo-targeted to Canadians

The spam body consists of a webpage that will be displayed as a webpage, seeking the user to click a button, with the subject line of "TANGERINE online account has been suspended".  Tangerine is an internet/telephone based bank formerly known as ING Direct (Tangerine).

"Microsoft notification" leads to Pharma Redirector on Steroids

Today while investigating spam in the PhishMe spam collection, I started looking at a spam campaign that used two distinct subject lines:

Subject: Microsoft notification
Subject: Windows notification

The body of the email looked like this:

NOT Your Friend!

In true botnet style, every single email had a different "friend name."  The three links at the bottom all go to "real" Microsoft locations, but the "View invitation" button is the place we need to be concerned about today.  While this delivery mechanism certainly COULD be used to deliver malware, right now, all we knew was that it was certainly not from Microsoft and was potentially dangerous.  With at least 310 different sending IP addresses sending us the spam, it seemed a deeper investigation was called for.

Since the spam did not have an attachment, the method to determine whether the URL may be malicious is normally to fetch the URL, but first we ran some statistics.  In this case, of the 410 "Microsoft" and the 377 "Windows" versions of the spam there were 773 different redirection destinations, each a hacked website where the criminals placed a small .php program.

Here are just a few examples...

FTC Takes Action Against Insecure IoT Devices from D-Link

I still love to listen to GRC's Steve Gibson on the program Security Now!  A few weeks back, Steve said "The S in IoT is for Security", which made me laugh perhaps far too much.  As we discover more with each passing day, it seems there is no Security in the Internet of Things.  All of my readers will be well familiar by now with the Mirai botnet, which has demonstrated the capability to cause enormous DDOS attacks, including the 665 Gbps attack against Brian Krebs and the Dyn DNS Attack which crashed a substantial portion of the US Internet.

Both of these attacks were caused by an assortment of Internet of Things devices that have default vulnerabilities or default userids and passwords that in many cases not only are not reset by the users who install these devices in their homes, but in many cases CANNOT be changed!  When several people have asked me what I think the answer was going to be to this problem, I've replied that this seems like a Consumer Protection issue and that I hoped the Federal Trade Commission would intervene.  While some companies have issued voluntary...