Showing posts with label Internet badlands. Show all posts

Saturday, December 4, 2010

WikiLeaks Exposes "Vast Hacking by a China Fearful of the Web"

We began covering the Chinese hack into Google and other western companies on our blog last March. An article in the New York Times based on an analysis of cables released by WikiLeaks provides a fascinating look at Chinese cyber espionage as seen through the eyes of the American government.

Sunday, November 14, 2010

The Great Cyberheist

The New York Times Magazine: "One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something."

"Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account. He was doing this just before 12 a.m., because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later. To throw off anyone who might later look at surveillance footage, the young man was wearing a woman’s wig and a costume-jewelry nose ring. The detective asked his name, and though the man went by many aliases on the Internet — sometimes he was cumbajohny, sometimes segvec, but his favorite was soupnazi — he politely told the truth. “Albert Gonzalez,” he said."

...

"Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, 'The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.'"


Click here to read the fascinating story of master cyber-thief Albert Gonzalez.

Thanks to Dr. Andrea Belz for alerting us to this story.

Tuesday, September 28, 2010

Fake LinkedIn Emails Deliver Online Bank Theft Trojan Horse

KrebsOnSecurity reports that a "major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan," a well-known Trojan horse used in online bank thefts.

Krebs continues: "The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com. ... On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS."

This spam campaign is another illustration of how cybercriminals use social engineering to get users to take action (in this case clicking a link in an email) that bypasses normal defenses. As a general rule, it's a good idea to refuse to click on email links unless the sender is known to you. And even when you know the sender, you still must develop a new kind of "common sense" that recognizes the dangers associated with the Internet.

Friday, September 17, 2010

Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

Concerned with the growing threat from an estimated $105 billion illegal business, 300 top law enforcement officials from 56 countries met in Hong Kong for the first ever national police anti-cybercrime conference.

Ronald K. Noble, secretary general of Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

More on this story is available from Yahoo News.

Monday, August 16, 2010

Network Solutions Once Again Serves Up Malware

KrebsOnSecurity is reporting that hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages. The problem has been traced to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog. Network Solutions has a history of weak security controls that put visitors to its customers' web sites at risk of malware infection. See, e.g., our April 19 blog post.

The report is a reminder to employ defense-in-depth on business and home computer systems, including:
  1. Keep the operating system and all applications patched and up-to-date.
  2. Keep anti-malware software up-to-date with current data files.
  3. Consider switching from less-effective anti-malware solutions to more powerful intrusion detection and prevention systems.
  4. Run Firefox instead of Internet Explorer; run Firefox with the NoScript add-on if you're technical.
While nothing you do will make you 100% secure, there's a lot you can do to minimize the risk of attack.

Tuesday, August 10, 2010

Another Survey Tells Same Sad Story of Growing Internet Dangers

McAfee released a report today showing that incidents of malware (malicious software) reached their highest level ever in the first half of 2010. The company identified 6 million malicious files in the second quarter, making for a total of 10 million malicious files over the first six months of the year. Among the most common attack vectors were attacks targeting social media users. Password-stealing Trojan horses — commonly used in online bank thefts — were among the most common payloads.

The report reconfirms everything we've been saying since we began our blog 18 months ago: there has been a sea change in cybercrime. Threats are more sophisticated than ever, and weaknesses and vulnerabilities abound. Defenses have not kept pace.

The report is a reminder to every organization to take a critical look at its defenses — everything from policies and employee awareness training to modern intrusion prevention systems. It needs to make sure it's employing a cost-effective defense-in-depth strategy covering all three critical information security management domains:
  1. Corporate security management
  2. Security management of the IT infrastructure
  3. Point-in-Time security of the IT infrastructure
It's also a time to talk to your attorney and your insurance broker. Your attorney can make sure you're aware of your legal responsibilities and can provide counsel on sharing sensitive information with third parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.

Thanks to Terry Corbell for alerting us to this story.

Sunday, July 25, 2010

Digital Forensics Association Research Report: Five Years of Data Breaches

A new report from the Digital Forensics Association confirms the need for organizations to pay careful attention to all aspects of information security. The report "The Leaking Vault - Five Years of Data Breaches" analyzes over 2,800 data loss incidents from publicly accessible sources, with a known disclosure of 271.9 million records. This study, the largest of its kind to date, provides analysis of which breach vectors carry the most risk, and should help provide organizations with more accurate information when combating this problem.


Key findings include:

  • Business, government, educational and medical organizations have been responsible for losing on average over 395,000 people's data per day, every day, for five years.
  • Hacking was responsible for 45% of all exposed records, with an average loss of 716,000 records.
  • Stolen laptops were responsible for 49% of breaches but only 6% of lost records per incident.
  • The fastest growing attack vector is social engineering.
  • Social Security Numbers (SSNs) are the most frequent data element reported.
  • The Business sector accounted for 70% of breach incidents.

Thursday, June 10, 2010

e-Banking Bandits Target Title and Escrow Companies

KrebsOnSecurity.com reports that in March, computer criminals broke into the network of Redondo Beach, California-based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. The escrow firm has been the victim of on-line bank theft: cybercriminals hijacked the firm's online bank account and stole $465,000.

In discussions we've had with law enforcement and bank security personnel, we find that this is a cybercrime trend. Cybercriminals seem to have discovered that title and escrow companies are regular users of the ACH system while their security controls are too often easily bypassed by the advanced hacker tools now in use.

We continue to recommend extreme caution in online banking, including:
  1. When possible, have separate computer(s) used exclusively for online banking.
  2. Utilize 'out-of-band' confirmation for all online bank transactions.
  3. Keep systems patched and all anti-malware software up-to-date.
  4. Diligently check bank accounts daily.
  5. Limit use of social networking sites.
  6. Be on guard for phishing and other social networking attacks.

Friday, May 21, 2010

IBM Distributes Malware-Infected USBs at Conference

Last August we blogged that an IBM study concluded: Trust No One. Well, I guess that even includes IBM. Several sources including SC Magazine are reporting that USB drives given out by IBM at the Australian Computer Emergency Response Team (AusCERT) 2010 conference were infected with malware.

Thanks to David Nardoni for this post.

Wednesday, April 28, 2010

Infamous Spam-Sending "Storm Worm" Stages a Comeback

Brian Krebs reports that the Storm Worm has once again surfaced. Eighteen months ago, the Storm Worm was responsible for approximately 20% of all spam. According to Krebs, "It remains unclear whether this Storm 2.0 strain will be as successful and prolific as its predecessor. But according to a blog post by security firm CA, the curators of the new Storm worm are very actively using the collection of PCs infected with this malware to once again relay junk e-mail advertising male enhancement pills and adult Web sites."

Read the story at KrebsOnSecurity.com ...

Tuesday, April 27, 2010

Report Shows Weaknesses in Anti-Virus Engines

Brian Krebs reports on a research report just released by Google on the increasing difficulty defenses have in countering cybercriminals who spread fake anti-virus programs, commonly known as scareware. Google's data shows that purveyors of scareware have aggressively stepped up their efforts to evade detection, both by legitimate anti-virus software and by Google's own detection efforts.

According to Google's Niels Provos, "We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates. It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads."

As to the danger, Krebs writes: "Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them."

Read the story and link to the Google report at KrebsOnSecurity.com ...

For what to do if you become a scareware victim, read Brian Krebs's tutorial here ...

Monday, April 26, 2010

Money Mules: The Final Link in Getting Your Money to the Cyberthief Who Stole It

One of the ways a cybercriminal steals money from a business is to transfer the money in amounts less than $10,000 to the bank accounts of money mules. These money mules then withdraw the money, keep a percentage for themselves and send the rest to the cybercriminal via a money order or other non-bank method. Brian Krebs provides a fascinating glimpse into how money mules are recruited.

Read the story at KrebsOnSecurity.com ...

Friday, April 23, 2010

Cybercriminals Learn to Hide Their Malware From Search Engines

By now you may have seen security alerts on web-listings returned in a Google or Yahoo search. It's one of the ways that search engines alert their users that the web site contains malicious software. Now Brian Krebs reports that cybercriminals have learned how to 'stealth' their malware so it becomes invisible to the search engines.


Read the whole story at KrebsOnSecurity.com ... 

Thursday, April 22, 2010

Symantec 2009 Global Internet Security Threat Report

Symantec has published their 2009 Global Internet Security Threat Report. According to the report, the top web-based attacks in 2009 were on Internet Explorer and Adobe Acrobat/Reader. The report notes the growth in PDF attacks, from 11% of web-based attacks in 2008 to 49% in 2009. The report covers topics like threat activities, vulnerability trends, phishing and the underground economy.


Download the Executive Summary from Symantec ... 

Download the entire Report ...

Cybercriminals Take Advantage of McAfee Snafu

Brian Krebs reports that, following McAfee's bad update (see yesterday's blog post: McAfee Anti-Virus Software Locks up PCs), searching for information about the update returns pages of results that, when visited, launch the come-ons that try to frighten visitors into purchasing bogus (if not also malicious) anti-virus products. The pages are also capable of being booby-trapped so that unsuspecting users will download and install malicious software on their PCs. Internet Explorer users are most at risk of booby-traps, as the booby-trapped pages simply would not load if users follow our recommendation to use Firefox with the NoScript add-on enabled.

Read more at KrebsOnSecurity.com ... 

Tuesday, April 20, 2010

Rent-a-Fraudster: A Fascinating Look at the Cybercrime Underworld

KrebsOnSecurity.com reports that a call service catering to online bank and identity thieves has been busted by U.S. and international authorities. The takedown provides a fascinating look at a special niche of service providers in the cybercrime underworld. Suppose, for example, you're a cybercriminal with a thick Russian accent, you have all the appropriate information about David Smith that his bank requires to transfer money, and you want to move $250,000 from David Smith's bank account but Smith's bank requires an out-of-band phone call with the bank before they'll release the money. To get your $250,000, you rent an English-speaking fraudster who calls the bank for you! Another rent-a-fraud service provides a password-protected Web site catering to customers with stolen credit cards. Yet a third Web site, appropriately named the "Fraud Shop," manages cybercriminal transactions at legitimate Web sites, even arranging for shipping stolen merchandise to mules.

Read the story at KrebsOnSecurity.com ...

Monday, April 19, 2010

A Security Flaw in Palm Pre Demonstrates Need for Caution

Intrepidus Group announced that they've identified dangerous vulnerabilities in the Palm Pre WebOS. The vulnerabilities illustrate one more reason why we would NEVER use an off-the-shelf mobile device for online banking or anything else really sensitive. Even if the on-line bank app were written without security flaws [which is more than doubtful], flaws in the underlying OS [or Trojan horses embedded in other apps] make it far too dangerous. Don't be lulled by the fact that Palm has already released an update to WebOS. Remember the mantra: all complex software is flawed and has vulnerabilities.

Read more at V3.co.uk ...

Visitors to Web Sites Hosted by Network Solutions Again at Risk

KrebsOnSecurity.com reports that Network Solutions has again been hacked by cybercriminals. The cybercriminals installed malicious software on web sites hosted by Network Solutions. This put visitors to these sites at risk that cybercriminals could take control of their computers, allowing them to steal online credit and bank account passwords and other sensitive information.


Read the story at KrebsOnSecurity.com ...

Friday, April 16, 2010

$500 Buys Entry-Level Cybercrime Exploit Pack

The iPack may sound like Steve Jobs' next great product, but don't be fooled. It's a new custom exploit pack for sale to cybercriminals at prices starting at $500. Like many other exploit kits, the iPack makes it easy for hackers to booby-trap Web sites with code that installs malicious software. Other exploit kits are available to cybercriminals to make it easy to exploit workstation weaknesses such as missing patches.

Read the story at KrebsOnSecurity.com ...

Wednesday, April 7, 2010

ISP Privacy Proposal Draws Fire

Brian Krebs reports that the American Registry for Internet Numbers (ARIN), one of five regional registries worldwide that are responsible for allocating blocks of Internet addresses, is considering a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. The proposal is drawing strong criticism from information systems security professionals, as it will make it harder to fight spam, malware and other forms of cybercriminal activity.

Read more at KrebsOnSecurity.com ...