http://news.yahoo.com/s/pcworld/20070328/tc_pcworld/130203
Hackers have built their own encrypted IM (instant-message) program to shield themselves from law enforcement trying to spy on their communication channels.
The application, called CarderIM, is a sophisticated tool hackers are using to sell information such as credit-card numbers or e-mail addresses, part of an underground economy dealing in financial data, said Andrew Moloney, business director for financial services for RSA, part of EMC Corp., during a presentation at the International e-crime Congress in London on Wednesday.
CarderIM exemplifies the increased effort hackers are making to obscure their activities while continuing to use the Internet as a means to communicate with other criminals. "They're even investing in their own custom tools, their own places to work," Moloney said.
CarderIM's logo is humorous: two overlapping half suns in the same red-and-yellow tones as MasterCard International Inc.'s logo. The name, CarderIM, is a reference to the practice of "carding," or converting stolen credit-card details into cash or goods.
Often, the hackers who obtain credit-card numbers aren't interested in trying to convert the data into cash. But other people are. On the Internet, the two can meet. But the data buyers and sellers are constantly on the lookout for the "rippers"-- security experts or police who are gathering data on them, Moloney said.
It's not known how widely CarderIM is being used, but its distribution appears to be limited, Moloney said. Searches through Google uncover a few passing but incomplete references to the program. It's also not easy to find a copy of it.
"To get ahold of it [CarderIM] you need to be part of one of the trusted groups, which we have agents within," Moloney said.
During his presentation, Moloney showed a screenshot of an advertisement for CarderIM, which addressed the need to "secure the scene." The application supposedly uses encrypted servers that are "offshore" and does not record IM conversations.
Hackers may have needed a more secure IM application, since most of the free ones, such as ICQ, transmit messages in clear text, which can be intercepted, Moloney said.
"They know that we watch and listen," Moloney said.
Friday 30 March 2007
Thursday 29 March 2007
TJX breach involved 45.7m cards, company reports
TJX breach involved 45.7m cards, company reports: "At least 45.7 million credit and debit card numbers were stolen by hackers who broke into the computer systems at the TJX Cos. in Framingham and the United Kingdom and siphoned off data over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists. TJX, the Framingham discounter that operates the T.J. Maxx and Marshalls clothing chains, also reported in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers. "It's the biggest card heist ever," said Avivah Litan, vice president of Gartner Inc. "This was obviously done over a long period of time, in many locations. It's done considerable damage.""
Monday 26 March 2007
The Google Hack Honeypot spots web-application attackers
Web applications, because of their sheer number, the immaturity of their code and their growing use, are prime targets for attackers. Since they are generally installed on servers, they are a particularly attractive target for an attacker.
Thus, according to an article by Jamie Riden, Ryan McGeehan, Brian Engert and Michael Mueter of the Honeynet Project, a botnet of 400 servers could offer particularly high bandwidth, equivalent to a network of tens of times as many end-user systems.
In this study, these four researchers present the results of experiments they conducted during 2006 using honeypots that imitate vulnerable web applications.
GHH offers several imitations of vulnerable applications. Among them are several PHP shell interfaces (or PHP backdoors, depending on how they are used). Vulnerable versions of applications such as SquirrelMail are also imitated.
The researchers drew up a typology of the attempts to exploit their honeypots. These may come from the merely curious, but also from attackers looking for servers for their botnets, or from spammers.
Defacement attempts were also numerous. There were a few attempts to use these servers to host illegal files, as well as attempts to use the machines as a pivot to scan for vulnerable hosts. Finally, two phishing attempts took place, against the PayPal and Orkut sites.
Among the applications attacked, Mambo tops the ranking, which was dominated by AWStats during the first half of the year. The phpBB forum tool is also regularly attacked.
Finally, the authors note that only a small share of attack attempts used a proxy (6%). Connections from the Tor anonymisation network accounted for only 0.01% of attacks (40, of which 7 were unique and 2 ran commands).
They conclude that web applications represent a significant risk, because of their code quality, which is generally rather poor, the possibility of carrying out attacks in PHP, and the possibility of using search engines to quickly find applications vulnerable to a given flaw.
Trojan Analysis Leads To Russian Data Hoard
Trojan Analysis Leads To Russian Data Hoard: "Stolen Identity writes 'An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy.'"
Thursday 22 March 2007
Stolen TJX Data Used in $8M Scheme Before Breach Discovery
http://www.eweek.com/article2/0,1895,2106149,00.asp
Information stolen from the systems of massive retailer TJX was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.
The significance of this new TJX detail—discovered as Florida authorities issued arrest warrants for 10 suspects and took six of them into custody—is not clear, but it might yield clues as to how TJX learned of the breach.
The $16 billion retail chain has officially said that a huge amount of information was accessed as early as 2005 (with some of the captured data dating back to 2003), but that TJX officials didn't learn of the breach until December 2006. The company didn't announce the breach until mid-January 2007 due to—according to one credit-card source—a request from the Secret Service because it was actively pursuing a suspect.
The Florida information raises the possibility that whoever took the data had decided to start using it late last year. Law enforcement pursuing those cases would have found TJX as the common link, potentially prompting TJX to more closely examine its systems.
In the Florida case, a group used TJX credit- and debit-card information to do a low-tech clone scam to the tune of about $8 million. The group is accused of taking credit cards and applying new magstripes containing the stolen data. It is not clear if the credit cards displayed the same numbers in plastic embossing that were in the magstripe, said Dominick Pape, the special agent in charge for the Florida Department of Law Enforcement.
Florida officials released the names of the six suspects who were arrested: Irving Escobar, 18; Reinier Camaraza Alvarez, 27; Julio Oscar Alberti, 33; Dianelly Hernandez, 19; Nair Zuleima Alvarez, 40; and Zenia Mercedes Llorente, 23. Four others are still at large, Pape said.
The group has been charged with an organized scheme to defraud, and they are also being investigated by the Secret Service, which participated in the arrests.
Florida officials said the group used the increasingly common tactic of using the bogus credit cards to purchase gift cards and then cashing them at Wal-Mart and Sam's Club stores. The group usually purchased $400 gift cards because when the gift cards were valued at $500 or more, they were required to go to customer service and show identification, Pape said.
The gift card float technique is attractive to thieves because it buys them more time. When a credit card is stolen and detected by the victim, it's only a matter of hours before the card will be invalidated.
But if the thief immediately uses the card to purchase gift cards, it buys the thief a significant amount of time. Once the credit card is deactivated, it may take days or weeks before authorities learn what was purchased—down to the exact identification number of those gift cards—and then start invalidating those gift cards.
Florida authorities have video of their suspects from both inside the store and outside. Videotape captured the license plate of a rented vehicle one of the suspects was driving. Items purchased included computers, gaming devices and big-screen televisions, police said.
At this stage, authorities are hoping to press the group to identify where they got the card data, in hopes that it will ultimately lead them to the cyberthieves who struck TJX. Pape said it is unlikely that the 10 suspects are the ones who attacked TJX. "We do not have information today that they were at the high end of the compromise," he said.
In other TJX news this week, a TJX shareholder—the Arkansas Carpenters Pension Fund—is suing TJX to access records showing how TJX handled data security.
Jikto
http://jeremiahgrossman.blogspot.com/2007/03/jikto-crossing-line.html
I think most security professionals would agree that releasing information about vulnerabilities, attack techniques (what I'm known for), and tools is generally positive. People should have information they need to defend themselves should they choose to. For example nessus, nmap, whisker and even metasploit have the distinction of evening the playing field. The good guys and bad guys can both use it. Industry ethics would say you wouldn't want to release a virus or phishing toolkit for real-world use because it only helps the bad guys. Then I see this:
"Billy Hoffman, lead research and development engineer at Atlanta-based SPI Dynamics Inc., has developed a tool called Jikto that can use XSS flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington."
Sounds like a nicely packaged script kiddie tool, usable in the real world, and only helpful to the bad guys. Without getting my hands on the code or the slides... am I reading way too much into this? Apparently I wasn't the only person who saw something strange about this, as Don Park and RSnake weighed in with their thoughts.
"Yes, I understand these tools can be used to protect, but what about tools that use questionable means? Jikto, for example, uses unsuspecting website visitors' browsers to scan other websites for holes. Would any businesses use such tools to protect their sites? If not, who does it benefit? Is it security researchers' job to push the envelope of black hats' state of the art?"
Don Park
"One very narrow line that we all must face is where the distinction between security research and building script kiddy tools comes into play. I think a lot of us have fallen victim to writing tools to make our own lives easier, while also making script kiddies' lives easier. In this case Jikto doesn't make a security researcher's life easier, except perhaps to demonstrate how bad script kiddies can be if given that exact tool."
RSnake
RSnake asks whether it is for Good or for Evil. I'd say neither, just unnecessary. Being a SPI competitor, I don't presume to tell them or Billy what to do. It's probably good that Billy hasn't spoken yet or released the code at ShmooCon. Maybe he'll reconsider releasing this code into the wild. Or perhaps he'll get pissed and say that I or RSnake or others have done the same thing with all our PoC. To which I of course disagree entirely.
Wednesday 21 March 2007
Stealing domain name research
http://feeds.feedburner.com/~r/domaintools/~3/103105589/
Got an idea for a new company? Well, don't be so quick to check if the domain name is available. Rogue companies are out there stealing domain research. The act of typing the domain name in the wrong place may allow these squatters to register the domain before you. Here is how these companies spy on people, and some good tips for avoiding them.
We have been investigating domain name research theft crimes for the last two years and talking with the many victims. If you are a victim, please contact us - the more technical a description of the event, the better. We are collating events from all the victims and we will update everyone if there is a common thing to avoid. We will also be passing our evidence on to local authorities in the proper jurisdictions. Name Intelligence/DomainTools has many three-letter government agencies and large law firms that use our whois service, and users can be 100% guaranteed that research done on our web sites will not get shared with third parties. We still want to share some tips so that domain owners are more aware.
Top Tips:
Avoid address bar guessing.
Avoid search engines that don’t make a billion dollars a year in revenue.
Avoid browser plug-ins that send data back to the Internet.
Go directly to trusted registrars and whois companies.
Address bar guessing
It is such a strong urge to type the domain name into the address bar and see what website comes up. Most users think perhaps there is already a company using the name and this will be a quick end to the question. Wrong! This is the most dangerous thing to do. Internet Service Providers (ISPs) sell NXD data. You may be asking yourself "What is NXD data and how does that affect my domain research?" Non-eXistent Domain (NXD) data is the response the DNS system returns to the asking computer when resolution to an IP address fails because the domain doesn't exist. Yes, ISPs sell this data. I personally talked with a representative who gave me her business card and quoted me a six-figure number for access to their NXD data. These domain name research companies actually buy this data and register those domains to see what generates money. Their hope is that if people at one ISP represent 1/5000th of the Internet, they might receive 5000 visitors a month from all the other ISPs around the world according to that ratio. So by testing a theory with DNS, people are telling these companies what domains to 'taste'. Ironically, this type of behavior will have a chilling effect on direct navigation, which actually hurts the domain parking industry as a whole.
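The resolution path described above, as an added example that is not part of the original post: a minimal DNS wire-format builder and parser over constructed messages (no network, reserved names and addresses only) showing that the typed name travels in the question section of both the query and the NXDOMAIN reply, so whoever operates or logs the resolver can harvest every unregistered name it sees. The function and host names are this example's own.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3  # RFC 1035 RCODE "Name Error": the queried name does not exist


def encode_name(name):
    """Encode a dotted host name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a label sequence at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the sequence)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, name):
    """The A query a stub resolver sends when a name is typed into the address bar."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_nxdomain_response(query):
    """Constructed resolver reply for an unregistered name: same id, same question,
    flags QR+RD+RA and RCODE 3. The name itself is echoed back in the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0)
    return header + query[12:]


def build_noerror_response(query, ipv4):
    """Constructed positive reply (RCODE 0) with one A record, for contrast."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    rr += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + query[12:] + rr


def parse_message(msg):
    """Header fields plus the first question; answers are not needed to see the name."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12) if qdcount else ("", 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0] if qdcount else 0
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "qname": qname,
        "qtype": qtype,
    }


def nxd_names(messages):
    """What an operator on the resolution path can harvest from captured traffic:
    every name that came back NXDOMAIN, in first-seen order, without duplicates."""
    seen = []
    for msg in messages:
        p = parse_message(msg)
        if p["is_response"] and p["rcode"] == RCODE_NXDOMAIN and p["qname"] not in seen:
            seen.append(p["qname"])
    return seen


if __name__ == "__main__":
    # Constructed traffic: one guessed, unregistered name and one registered name.
    guess = build_query(0x1234, "my-new-startup-idea.example")
    known = build_query(0x1235, "example.com")
    capture = [guess, build_nxdomain_response(guess),
               known, build_noerror_response(known, "192.0.2.10")]
    for m in capture:
        p = parse_message(m)
        kind = "response" if p["is_response"] else "query"
        print(f"{kind:8} id={p['txid']:#06x} rcode={p['rcode']} qname={p['qname']}")
    print("harvestable NXD names:", nxd_names(capture))
```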
Avoid non-billion dollar search engines
Datamining firms have struck deals with smaller search engines and meta search engines. These companies are looking for more revenue, and revealing what people are searching for is one of their revenue sources. I love when I see search engines like Google stick their neck out and tell the US Government that not even Uncle Sam can have access to users' search data. To sum this up, don't trust search engines that don't have a privacy policy that protects users' data from being turned over to third parties. And even then, don't type domains into search engines. Search engines are for ideas and concepts; the address bar is for REGISTERED domains.
Excerpt from WordTracker.com
“We compile a database of terms that people search for … we tell you how often people search for them…“
Excerpt from HitWise.com
“Hitwise has developed proprietary software that Internet Service Providers (ISPs) use to analyze website usage logs created on their network. The anonymous data sent to Hitwise from the ISPs include a range of industry standard metrics relating to the viewing of websites including page requests, visits and average visit length. Hitwise also combines this rich ISP data with a worldwide opt-in panel to overlay demographic, lifestyle and transactional behavior across the thousands of websites that are reported on every day.“
Browser plug-ins
For any browser plug-in that is free, ask yourself why it is free and whether it sends data back to a server. Avoid software on computers that reports data back to the Internet. Of course this is the most obvious advice, but I need to mention it. The likelihood of someone datamining domain name research from spyware is small. If they have spyware on your computer, it's more likely they are going after credit card numbers and social security numbers instead of domain research.
Trusted Whois Websites
I have interviewed the CEOs and CTOs of many large registrars. Tim Ruiz, the CTO of GoDaddy, has assured me they have never once abused their position and they would fire any employee caught abusing data inside their company. Pat Kane, the Director of Business Operations of Verisign, has told me they can't even log their servers because the log files would fill up too fast, and the data wouldn't be valuable unless they sold it. Since Verisign is a public company, they may sell the data in the future, but they currently don't because ISPs can do it better, and the ISPs' sample sizes are large enough. It is just too costly to gather, and Verisign would need to file a service plan with ICANN before it would be allowed to sell data like this. Paul Stahura, the President of eNom, has told me they don't allow datamining either.
DomainTools.com is a division of Name Intelligence, and I, Jay Westerdal, the President and CEO of Name Intelligence, have a strict policy against domain name research theft. People's queries are never used to register domain names, period. I serve as the secretary of the ICANN Registrars Constituency, and although we are not a tiny company, we are still a relatively small company. We enjoy building tools for Domainers and anyone seeking more knowledge about domains.
Closing thoughts
There are very few companies that register over 50K domains a day just to perform Domain Name Tasting on them. I have no problem with Domain Tasting, but I do have a problem with tasting other people's ideas right before they were about to register them. If companies are going to Domain Taste, they should generate the domain names from computer algorithms and not from mining queries. As a footnote, Moniker and Pool.com offer such a service commercially for a small price and actually market it as the poor Domainer's chance to taste too. Yes, you too can taste domains for 5 days at 5 cents a domain. There are only a handful of companies that are actually Domain Tasters. Most of these companies hide/shield their identities by setting up Whois Proxy services or setting up paper companies. However, only registrars can effectively perform domain tasting, so it is easy to guess who they are without looking at the whois most of the time.
Got an idea for a new company? Well don’t be so quick to check if the domain name is available. Rogue companies are out there stealing domain research. The act of typing the domain name in the wrong place may allow these squatters to register the domain before you. Here is how these companies spy on people and some good tips to avoiding them.
We have been investigating domain name research theft crimes for the last two years and talking with the many victims. If you are a victim, please contact us - the more technical a description of the event the better. We are collating events of all the victims and we will update everyone if there is a common thing to avoid. We will also be passing our evidence on to local authorities in the proper jurisdictions. Name Intelligence/DomainTools has many three letter government agencies and large law firms that use our whois service and users can be 100% guaranteed that research done on our web sites will not get shared with third parties. We still want to share some tips so that domain owners are more aware.
Top Tips:
Avoid address bar guessing.
Avoid search engines that don’t make a billion dollars a year in revenue.
Avoid browser plug-ins that send data back to the Internet.
Go directly to trusted registrars and whois companies.
Address bar guessing
It is such a strong urge to type the domain name into the address bar and see what website comes up. Most users think perhaps there is already a company using the name and this will be a quick end to the question. Wrong! This is the most dangerous thing to do. Internet Service Providers (ISP) sell NXD data. You may be asking yourself “What is NXD data and how does that effect my domain research?” Non-eXistent Domain (NXD) Data is a response the DNS system tells the asking computer if resolution on an IP address fails because the domain doesn’t exist. Yes, ISPs sell this data. I personally talked with a representative that gave me her business card and quoted me a six figure number for access to their NXD data. These domain name research companies actually buy this data and register those domains to see what generates money. Their hope is that if people at one ISP represent 1/5000th of the Internet, they might receive 5000 visitors a month from all the other ISPs around the world according to that ratio. So by testing a theory with DNS, people are telling these companies what domains to ‘taste’. Ironically, this type of behavior will have a chilling effect on direct navigation which actually hurts the domain parking industry as a whole.
Avoid non-billion dollar search engines
Datamining firms have struck deals with smaller search engines and meta search engines. These companies are looking for more revenue, and revealing what people are searching for is one of their revenue sources. I love when I see search engines like Google stick their neck out and tell the US Government that not even Uncle Sam can have access to user’s search data. To sum this up, don’t trust search engines that don’t have a privacy policies that protects user’s data from being turned over to third parties. And even then, don’t type domains into search engines. Search Engines are for ideas and concepts, the address bar is for REGISTERED domains.
Excerpt from WordTracker.com
“We compile a database of terms that people search for … we tell you how often people search for them…“
Excerpt from HitWise.com
“Hitwise has developed proprietary software that Internet Service Providers (ISPs) use to analyze website usage logs created on their network. The anonymous data sent to Hitwise from the ISPs include a range of industry standard metrics relating to the viewing of websites including page requests, visits and average visit length. Hitwise also combines this rich ISP data with a worldwide opt-in panel to overlay demographic, lifestyle and transactional behavior across the thousands of websites that are reported on every day.“
Browser plug-ins
For any browser plug-in that is free, ask yourself why it is free and whether it sends data back to a server. Avoid software that reports data back to the Internet. Of course this is the most obvious advice, but I need to mention it. The likelihood of someone datamining domain name research from spyware is small. If they have spyware on your computer, it’s more likely they are going after credit-card numbers and Social Security numbers than domain research.
Trusted Whois Websites
I have interviewed the CEOs and CTOs of many large registrars. Tim Ruiz, the CTO of GoDaddy, has assured me they have never once abused their position and that they would fire any employee caught abusing data inside their company. Pat Kane, the Director of Business Operations at Verisign, has told me they can’t even log their servers because the log files would fill up too fast, and the data wouldn’t be valuable unless they sold it. Since Verisign is a public company, they may sell the data in the future, but they currently don’t because ISPs can do it better, and the ISPs’ sample sizes are large enough. It is just too costly to gather, and Verisign would need to file a service plan with ICANN before it would be allowed to sell data like this. Paul Stahura, the President of eNom, has told me they don’t allow datamining either.
DomainTools.com is a division of Name Intelligence, and I, Jay Westerdal, President and CEO of Name Intelligence, have a strict policy against domain name research theft. People’s queries are never used to register domain names, period. I serve as the secretary of the ICANN Registrars Constituency, and although we are not a tiny company, we are still a relatively small company. We enjoy building tools for Domainers and anyone seeking more knowledge about domains.
Closing thoughts
There are very few companies that register over 50K domains a day just to perform Domain Name Tasting on them. I have no problem with Domain Tasting, but I do have a problem with tasting other people’s ideas right before they were about to register them. If companies are going to Domain Taste, they should generate the domain names from computer algorithms and not from mining queries. As a footnote, Moniker and Pool.com offer such a service commercially for a small price and actually market it as the poor Domainer’s chance to taste too. Yes, you too can taste domains for 5 days at 5 cents a domain. There are only a handful of companies that are actually Domain Tasters. Most of these companies hide their identities by setting up Whois proxy services or paper companies. However, only registrars can effectively perform domain tasting, so most of the time it is easy to guess who they are without looking at the Whois.
Gozi Trojan leads to Russian data hoard
March 20, 2007 (Computerworld) -- A Russian Trojan program named Gozi that remained largely undetected for more than 50 days earlier this year has stolen more than 10,000 records containing confidential information belonging to about 5,200 home users.
The compromised information included about 2,000 Social Security numbers, account numbers, user names and passwords that the individuals used to log into bank accounts as well as online retail and e-commerce sites.
The stolen data also included employee log-in information to applications from more than 300 companies and government organizations -- including several law enforcement agencies at the federal and state level -- as well as medical information of health care employees and patients whose usernames and passwords were compromised via their home PCs.
All of the information was sent by Gozi to a server in St. Petersburg, where it was then sold on a subscription basis to an unknown number of individuals. The black market street value of the stolen data: $2 million.
Details of the Trojan and the stolen information were uncovered in January by Don Jackson, a security researcher at SecureWorks Inc., an Atlanta-based managed security service provider. Jackson noted that there are at least two more known variants of Gozi, meaning new attacks are likely.
According to Jackson, an acquaintance reported that several accounts on Web sites he visited from work and home had been hijacked. An investigation of the PC used to access the sites uncovered a previously unclassified malware executable that appeared to have been installed last December.
An analysis of the Trojan program showed that it was designed to steal data from encrypted Secure Sockets Layer (SSL) streams and send it to a server based in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer. The buffer overflow flaw basically allows attackers to take complete control of a compromised system. In this case, the users compromised by the Gozi Trojan appear to have visited several hosted Web sites, community forums, social networking sites and those belonging to small businesses.
The server to which the information was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, which is a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said.
When Jackson first discovered the Trojan in January, not one of the 30 antivirus products he tested detected the malware specifically. Several flagged it as a suspicious file or a generic threat based on the fact that it was using a commonly known packing tool to compress the code. Updated versions of the same 30 products in early February did a better job of picking up Gozi, though even at that point five of the products completely missed it, according to Jackson.
Details of the Trojan and the information on the Russian server have been passed on to law enforcement authorities, and to several of the affected companies, Jackson said. The subscription service offering this stolen information was disabled March 12, he said. However, the server housing the data is still online and is continuing to receive stolen information, he said.
Brokerage hackers indicted
http://www.caycompass.com/cgi-bin/CFPnews.cgi?ID=1020602
AP
Monday 12th March, 2007 Posted: 16:05 CIT (21:05 GMT)
WASHINGTON (AP) – Three men from India have been indicted on federal charges of hacking into online brokerage accounts operated by TD Ameritrade Holding Corp., E–Trade Financial Corp. and others to inflate stock values and their own profits, government investigators said Monday.
The alleged "hack, pump and dump" scheme has cost one brokerage firm at least $2 million in losses, prosecutors said. An estimated 60 customers and nine U.S. brokerage firms, including Ameritrade, E–Trade and OptionsXpress, were duped in the case during a four–month period last year, according to the Justice Department.
The three suspects bought stocks through the U.S. online firms with their own accounts, according to the 23–count indictment returned in January and unsealed Monday in Omaha, Nebraska. Operating from Thailand and India, the men then allegedly used stolen identity information to pose as other online share–buyers, inflating the value of myriad securities, including those of search engine giant Google Inc.
The men later sold their own shares at a higher price – turning a profit of more than $121,500 according to the Securities and Exchange Commission, which filed separate civil charges against all three men in federal court in Nebraska.
One victim had $180,000 cash and equity in his account, and five days later returned from a trip to find a negative $200,000 balance, according to the SEC.
A spokesman for OptionsXpress declined to say how much it lost in the scheme or how long the Chicago–based firm had been working with government investigators.
But John Reed Stark, chief of the SEC’s Office of Internet Enforcement, praised the online brokerage community’s cooperation, which included responding to requests for information in real–time since the scammers can manipulate online accounts from nearly anywhere on the planet.
Two of the three suspects – Jaisankar Marimuthu, 32, of Chennai, India, and Thirugnanam Ramanathan, 34, an Indian native who lives in Malaysia – were arrested in recent weeks in Hong Kong, the Justice Department said. The third, Chockalingam Ramanathan, 33, also of Chennai, India, is still at large.
The case marks the first time hackers suspected of defrauding U.S.–based online brokerage firms have been arrested overseas, the Justice Department said. Assistant Attorney General Alice Fisher said such cases "pose serious risks to investors and brokerage firms across the globe."
The SEC has brought two other account intrusion cases since December, involving defendants in Estonia and Latvia.
Officials at Omaha, Nebraska–based Ameritrade and New York–based E–Trade in October said online fraud cases cost the companies a combined $22 million late last year. Ameritrade lost $4 million in the July–September quarter and E–Trade lost about $18 million during its third quarter, but both companies reimbursed the customers involved.
It was not immediately clear if the schemes detailed in the unsealed indictment contributed to those losses, and company representatives did not immediately return calls for comment.
Shares of Ameritrade slipped 29 cents to $15.36 in afternoon trading, while E–Trade shed 9 cents to $22.63, and OptionsXpress dipped 11 cents to $23.04, all on the Nasdaq Stock Market.
Hacker trio involved in ‘pump and dump’ stocks scam
by Steve Gold
March 16th, 2007
Pump & Dump...It seems that a trio of hackers from Indonesia and Malaysia have been arrested and charged with operating an international ‘pump and dump’ scam with a twist - hacking a number of online brokerage accounts.
There’s nothing new about pumping and dumping stock - basically you use whatever means possible to talk up or even buy a stock, having purchased an option to buy at a fixed price and, when the price rises, you sell, making a nice profit.
The trio of hackers apparently decided that they would hack into a number of brokerage accounts and use the accounts to leverage their profits.
Of course, ‘cos the accounts were hacked, it didn’t really matter whether the stocks purchases lost any value, as it wasn’t the hacker’s own dosh involved, was it?
The US Department of Justice says that at least 60 customers and nine brokerage firms across the US have been identified as victims of the scam, and have lost at least $2 million between them.
The DoJ says this is the first case involving people arrested overseas in connection with an online brokerage intrusion scheme carried out in the US.
“These new forms of high-tech identity and securities fraud pose serious risks to investors and brokerage firms across the globe,” Assistant Attorney General Alice Fisher said in a press statement…
Microsoft probes possible Xbox Live fraud
Microsoft probes possible Xbox Live fraud: "Microsoft is investigating possible fraud on its Xbox Live online gaming service, the company said Tuesday. The investigation comes after gamers reported having their Xbox Live accounts hijacked and their credit card used to buy 'Microsoft Points,' the virtual currency on Xbox Live, which has more than 6 million users."
Tuesday 20 March 2007
Chinese Hackers Stealing Gamers' Identities
Chinese Hackers Stealing Gamers' Identities: "China is becoming a powerhouse in the world of viruses, phishing scams, and botnets. The country's hackers also are setting their collective sights on the best gamers out there. According to Symantec's latest Internet Security Threat Report, China has moved up into second place, behind only the United States, when it comes to the countries with the most amount of malicious cyber activity. Between July 1 and the end of 2006, the United States accounted for 31% of malicious activity, China came in with 10%, and Germany was in third place with 7%."
US Leads the World In Malware Creation
US Leads the World In Malware Creation: "PetManimal writes 'Symantec says that China, Russia, and the other developing countries usually blamed for the increasing amount of malware are not the biggest culprits. The security software company released a report (PDF) claiming that the US leads the world in a number of malware categories, ranging from the 'amount of malicious activity originating from their networks' to 'underground economy servers.' Preston Gralla says the US lead should come as no surprise, considering the capitalist way of life and the high level of technical knowledge. He also suggests that the some of the 'criminals' may actually be Internet entrepreneurs who crossed over to the dark side: 'It's an inevitable result of a thriving free market and tech expertise. An underground economy often mirrors the legal, above-ground one. Scratch a criminal, and sometimes you find a misguided entrepreneur, looking to get rich a little too quick.''"
Monday 19 March 2007
China displaces Britain as botnet epicentre
China has displaced Britain as the home of the greatest concentration of compromised (zombie) PCs.
The world's most populous country accounted for 26 per cent of the world's bot-infected computers, a higher density than any other country. Beijing was the city with the most bot-infected computers in the world, accounting for just over five per cent of the worldwide total, according to the latest edition of security firm Symantec's twice-yearly Internet Security Threat Report.
During the second half of 2006, Symantec observed an average of 21,707 new active bot-infected computers per day in the EMEA region. More than 2.3 million bot-infected computers in the region were identified as being active at any one time, a 130 per cent increase from the 1m seen during the first half of 2006.
In the EMEA region, France and Germany had the highest number of bot-infected computers, compromised systems used to send spam or for other nefarious activities. The number of bots affecting computers in the UK fell from 22 per cent to 11 per cent during the second six months of 2006, a drop Symantec attributes to the economic cycle of broadband penetration and adoption rather than to particular internet security efforts.
Madrid, Spain had the most bot-infected computers of any city in the EMEA region, accounting for six per cent of the total. London came third behind Paris in this zombie league of shame.
Many of these compromised PCs (around 40 per cent) were controlled via bot command-and-control computers located in the US.
Lan of the dead
The US remains both a centre and target of cybercrime. Eighty-six per cent of the credit and debit cards advertised for sale on the digital underground were issued by banks in the US.
Symantec recorded an average of 5,213 denial of service (DoS) attacks per day, down from 6,110 in the first half of the year. Systems in the US were the target of most DoS attacks, accounting for more than half (52 per cent) of the worldwide total.
Ollie Whitehouse, Symantec research scientist and one of the authors of the report, said that hackers are becoming increasingly sophisticated in the tactics they use to gain control of vulnerable systems. He said the increased use of unpatched (zero-day) vulnerabilities, which occurred regularly during the second half of 2006, provided evidence of this trend.
During the second half of 2006, 23 per cent of the 1,318 documented malicious code samples exploited vulnerabilities. Many of these attacks targeted web browser security bugs.
Symantec documented 54 vulnerabilities in Microsoft Internet Explorer, 40 in the Mozilla browsers, and four each in Apple Safari and Opera over the report period. Mozilla did the best job of the browser suppliers in fixing flaws, taking an average of two days to develop an update. Internet Explorer was targeted by 77 per cent of attacks specifically targeting Web browsers.
Spam, spam, spam....
Spam and in particular phishing attacks that attempt to trick users into handing over account credentials remained a problem during the reporting period. Symantec blocked over 1.5 billion phishing messages in 2H06, an increase of 19 per cent over the first half of 2006.
Forty-six per cent of all known phishing sites were located in the US, a much higher proportion than in any other country. The UK had the second highest number of phishing Web sites in EMEA and third highest in the world, beyond the US and Germany. Karlsruhe in Germany was the EMEA city which hosted the highest number of phishing Websites.
During the last six months of 2006, 44 per cent of all spam detected worldwide originated in the US. In the EMEA region, spam made up 66 per cent of all monitored email traffic, Symantec reports.
Fortune cookies
Looking ahead, Symantec expects to see more threats begin to appear on Windows Vista, with a focus on vulnerabilities, malware and attacks against the Teredo platform. Symantec also expects that attackers will focus on third-party applications that run on Vista.
The net security giant expects phishing fraudsters to expand beyond the regular targets of online banks and eBay to new industry sectors, such as multiplayer online games. It also reckons that spam and phishing will increasingly target SMS and MMS on mobile platforms.
Friday 16 March 2007
Photocopiers: The newest ID theft threat
Photocopiers: The newest ID theft threat: "Photocopiers are the newest threat to identity theft, a copier maker said today, because newer models equipped with hard drives record what's been duplicated. At tax time, when Americans photocopy tax returns, confidential information may be easily available to criminals. 'Consumers and business owners will photocopy highly confidential tax forms containing Social Security numbers, employer identification numbers and other sensitive information in places outside the home, leaving them vulnerable to digital theft,' Ed McLaughlin, president of Sharp Document Solutions Company of America, said in a statement."
Bluetooth as Achilles' heel
Bluetooth as Achilles' heel: "How Bluetooth marketing desensitises users to mobile viruses More and more businesses are experimenting with Bluetooth advertisements. In doing so they are doing consumers a disservice - because it is almost impossible to tell where a Bluetooth message comes from, they are smoothing the way for the distribution of mobile viruses."
Wednesday 14 March 2007
Rustock DDoS Attack - By John Markoff
On Jan 7, an article by John Markoff titled "Attack of the Zombie Computers Is Growing Threat" was published in the New York Times. In the article was a section detailing how I had tracked the spam sent by the Rustock trojan and had detailed the author's pump-and-dump spam operation, even down to the amount of money being made in a single spam run.
On Jan 8, the server hosting my personal website came under a DDoS attack. The attack occurred at 7:01 AM U.S. Eastern Time, as can be seen in the messages logfile excerpt below. Here we can see the kernel is overloaded with traffic and begins suppressing error log messages because too many errors are occurring at once.
Jan 8 06:45:57 loggerhead -- MARK --
Jan 8 07:01:24 loggerhead kernel: printk: 3945 messages suppressed.
Jan 8 07:01:29 loggerhead kernel: printk: 196 messages suppressed.
Jan 8 07:01:38 loggerhead kernel: printk: 450 messages suppressed.
Jan 8 07:01:39 loggerhead kernel: printk: 1712 messages suppressed.
Jan 8 07:01:54 loggerhead kernel: printk: 1046 messages suppressed.
Jan 8 07:01:54 loggerhead kernel: printk: 150 messages suppressed.
Jan 8 07:02:07 loggerhead kernel: printk: 4399 messages suppressed.
Jan 8 07:06:25 loggerhead kernel: printk: 2925 messages suppressed.
Jan 8 07:06:30 loggerhead kernel: printk: 12165 messages suppressed.
Jan 8 07:06:35 loggerhead kernel: printk: 13611 messages suppressed.
At this point the server is unreachable due to the excessive bandwidth being used. In the Apache access_log file for my website, at the same time we see the very last HTTP request before the site becomes unreachable:
88.198.7.68 - - [08/Jan/2007:07:01:07 -0500] "GET / HTTP/1.0" 200 8649 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
88.198.7.68 - - [08/Jan/2007:07:01:15 -0500] "GET /favicon.ico HTTP/1.0" 404 209 "http://www.joestewart.org/" "Opera/9.02 (Windows NT 5.1; U; ru)"
88.198.7.68 is cryptobitch.de, an anonymizing service out of Germany. But the visitor is clearly using a Russian language version of Opera. The source, timing and the stealth of this request can mean only one thing - the attacker is testing my website to make sure it goes down.
Working with colleagues in the ISP and security community, I was able to get a list of IP addresses involved in the attack. With the assistance of MyNetWatchman, I was able to obtain the malware involved in the attack from one of the infected users. This malware was compiled specifically to attack my site; it has no other purpose.
The DDoS malware has the following properties:
Path to file on infected machine: %temp%\784E1629.exe (name is randomly-generated)
Size: 15,872 bytes
Md5sum: 831d25eb17cef76783f5b60cc7ae4aa8
Compiler: Borland Delphi v6.0/7.0
Anti-virus names: None
Install registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winconf
The executable has the following functionality:
Does a "GlobalFindAtom" API call for the atom name "FDDS3". If that name exists, it exits, otherwise, it uses GlobalAddAtom to create it. This ensures that only one copy of the executable runs in memory at a time.
Checks the system time to see if the date is equal to or earlier than Jan 10, 2007. If it is after that date, the program exits.
Installs the registry key above in order to run at boot.
Tries to resolve the IP address for www.joestewart.org in a loop until it resolves to something other than 0.0.0.0 or 127.0.0.1
Begins to attack that IP address, opening 500 non-blocking connections on port 80, sleeping for 2 seconds, then closing the connections (effectively a syn flood). This loops infinitely, until the process is killed or the machine is rebooted.
Illustration 1: Disassembly of DDoS Attack Tool
I counted 673 IP addresses involved in the attack in one sampling. This is a fairly small amount of computers given modern botnet sizes, but it was more than enough to swamp the bandwidth of the server, hosted on a business-class cablemodem. It leads me to believe the attacker used only a portion of the botnet for the attack, leaving the bulk of the botnet for use in other activities.
The code that is the core of Rustock's spam functionality is also compiled using Borland Delphi. Additionally, one of Rustock's bot commands is "runexe" - this command causes Rustock to download a file from a URL, and save it into the temp directory with a name generated from a random 32-bit number, converted to an upper-case hexadecimal string.
Illustration 2: Disassembly of "runexe" command in Rustock
The use of the GlobalFindAtom/GlobalAddAtom Windows APIs as a means to prevent multiple copies of the same malware from running is somewhat unique - most malware utilizes the Windows CreateMutex to do the same thing.
Illustration 3: Mutual-exclusivity code from DDoS tool
Interestingly, the Rustock dropper EXE utilizes the GlobalFindAtom/GlobalAddAtom API for the same purpose. This is not to say that use of that API is exclusive to Rustock, but simply that it is an interesting correlation. Generally, choosing which API to use when there are multiple ways to accomplish the same task is a matter of habit/preference, and malware authors will reuse code as would any programmer.
Illustration 4: Mutual-exclusivity code from Rustock dropper
Searching the web for the "winconf" registry key name and a file with a similarly formatted exe name turns up many instances of infected users seeking help in anti-malware forums. These users are also very often detected to be infected by Rustock, as can be evidenced by a Google search for the terms "winconf" and "lzx32.sys".
Additionally, other sources noticed that IP addresses on their networks who were attacking my website were also periodically sending DNS requests every 15 minutes, attempting to resolve the IP addresses for certain domain names, including nothingmore.info, stopwatchingme.name, netwide-company.biz, data-connection12.info, ufdsjbndkjfgd.biz, nobodymoving.biz and damnedqueen.name. These are some of the same domain names used by the Rustock trojan's command and control servers.
Illustration 5: Names from data section of Rustock
Given all this evidence, there can really only be one logical conclusion - the Rustock author decided to attack my website in retaliation for me speaking out about his illicit activities. Interestingly, during the course of this investigation I came to learn that other anti-spam sites providing information on pump-and-dump spam were also coming under attack. However, the attack signature was completely different, and analysis showed that a completely different malware family was responsible. Another DDoS attack has been carried out against the website of GMER, an anti-rootkit tool. The attacks on researchers and developers simply providing information pertaining to stock spams or malware removal tools are unprecedented - previously we have seen anti-spam services and forums taken down by DDoS attacks, but it seems now that the attacks are becoming more personal.
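The log correlation the post walks through, as an added example that is not part of Joe Stewart's post or tooling: a Python script that finds the flood onset from the kernel's "printk: N messages suppressed" burst in the syslog and then lists the last HTTP requests (and the clients that sent them) that reached the site before that moment. The hostname, IP addresses, paths and log lines are constructed samples, and the script assumes both logs are written in the same local time zone.

```python
# Added example: correlate a syslog printk-suppression burst with the last Apache
# requests before it. Sample logs, host, IPs and paths below are constructed.
import re
from datetime import datetime, timedelta

# Constructed /var/log/messages sample (syslog lines carry no year).
MESSAGES_LOG = """\
Jan 8 06:45:57 webhost -- MARK --
Jan 8 07:01:24 webhost kernel: printk: 3945 messages suppressed.
Jan 8 07:01:29 webhost kernel: printk: 196 messages suppressed.
Jan 8 07:01:38 webhost kernel: printk: 450 messages suppressed.
Jan 8 07:06:35 webhost kernel: printk: 13611 messages suppressed.
"""

# Constructed Apache combined-format access_log sample (one malformed line on purpose).
ACCESS_LOG = """\
192.0.2.7 - - [08/Jan/2007:06:50:02 -0500] "GET /index.html HTTP/1.1" 200 8649 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2007:07:01:07 -0500] "GET / HTTP/1.0" 200 8649 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
192.0.2.10 - - [08/Jan/2007:07:01:15 -0500] "GET /favicon.ico HTTP/1.0" 404 209 "http://www.example.org/" "Opera/9.02 (Windows NT 5.1; U; ru)"
this line is deliberately malformed and must be skipped
"""

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
SUPPRESS_RE = re.compile(r"printk: (?P<n>\d+) messages suppressed\.")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def suppression_events(messages, year):
    """Return [(timestamp, suppressed_count)] for every printk suppression line."""
    events = []
    for line in messages.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        s = SUPPRESS_RE.search(m["msg"])
        if not s:
            continue  # MARK lines and other kernel chatter are ignored
        ts = datetime.strptime(f"{m['mon']} {int(m['day'])} {year} {m['time']}",
                               "%b %d %Y %H:%M:%S")
        events.append((ts, int(s["n"])))
    return events

def flood_onset(messages, year, min_suppressed=1000):
    """Timestamp of the first suppression burst at or above the threshold, else None.
    Thousands of messages dropped within seconds means the kernel cannot log errors
    as fast as they arrive, which is the signature shown in the post."""
    for ts, n in suppression_events(messages, year):
        if n >= min_suppressed:
            return ts
    return None

def access_entries(access):
    """Parse combined-format lines. The UTC offset is dropped because we compare
    against syslog timestamps written in the same local time (assumption)."""
    entries = []
    for line in access.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ts": ts, "ip": m["ip"], "request": m["req"],
                        "status": int(m["status"]), "ua": m["ua"]})
    return entries

def requests_before_onset(access, onset, window=timedelta(minutes=5)):
    """Requests that arrived in the window just before the flood, oldest first."""
    return [e for e in access_entries(access) if onset - window <= e["ts"] < onset]

def clients_before_onset(access, onset, window=timedelta(minutes=5)):
    """Request count per client IP in that window: the candidates for the
    'is the site still up?' probe the post describes."""
    counts = {}
    for e in requests_before_onset(access, onset, window):
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    onset = flood_onset(MESSAGES_LOG, 2007)
    print("onset:", onset, "| last requests:", requests_before_onset(ACCESS_LOG, onset))
    print("clients before onset:", clients_before_onset(ACCESS_LOG, onset))
```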
Tuesday 13 March 2007
Fish for new employees and get phished?
Fish for new employees and get phished?: "Targeted phishing attacks aiming to plant malware on corporate networks are going out to companies that have posted job openings on CareerBuilder.com, according to reports from one affected party."
Online Accounts Vulnerable to Identity Theft, says Kaspersky Lab
Online Accounts Vulnerable to Identity Theft, says Kaspersky Lab: "A survey released today by information security software vendor, Kaspersky Lab, shows that in the UK, we still don't do enough to keep our personal information secure. Kaspersky Lab - which surveyed 150 PC users about their password habits - found that 62 percent of PC users have up to 10 online accounts that require passwords, with 23 per cent of us having more than 20 password protected accounts. But, shockingly, more than half of us (51 per cent) use only between one and four passwords to access our accounts."
McAfee maps malware risk domains
McAfee maps malware risk domains: "A global road map of the riskiest and safest places to surf online found Russian and Romanian sites among the top-level domains most commonly hosting malicious downloads, browser exploits, and scams. A survey of 265 top-level domains by McAfee, dubbed Mapping the Mal Web, revealed large differences in safety from one domain to another. The complete study, along with an interactive map, can be found by clicking the following URL : http://www.siteadvisor.com/studies/map_malweb_mar2007/"
Monday 12 March 2007
Symantec: The Evolution of Malicious IRC Bots (pdf)
Symantec: The Evolution of Malicious IRC Bots (pdf): "Symantec: The Evolution of Malicious IRC Bots (pdf)"
Thursday 8 March 2007
Kuwait hacker haven
Kuwait hacker haven: "InfoSec News: Kuwait hacker haven: http://www.arabtimesonline.com/arabtimes/kuwait/Viewdet.asp?ID=9900
By Sameh Mohammed Special to the Arab Times 8th Mar 2007
KUWAIT CITY: Kuwait has the highest percentage of Internet hacking in the world, says the Chairman of a seminar on Internet Hackers organized [...]"
Tuesday 6 March 2007
'Skype numbers in online bank statements confuse customers'
'Skype numbers in online bank statements confuse customers': "If you were to discover a note saying 'Please Call Skype' decorated with a Senegalese flag in your online banking account overview, you might, given the prevalence of phishing attacks, get a little hot under the collar. This is exactly what recently happened to a customer of the German Sparkasse bank, who, fearing an attempted fraud, worriedly consulted the bank's security team. The bank, however, were already familiar with the problem - this was not a phishing attack, as the Sparkasse Hannover support centre promptly informed the customer."
AusCERT under sustained DoS Attack - website unreachable for at least three days
AusCERT under sustained DoS Attack - website unreachable for at least three days: "Since late evening on Thursday 1st March, AusCERT has been experiencing a DDOS attack against its web site. AusCERT has been working with relevant Australian organizations, the international CERT community and other trusted international contacts to respond to this attack and to maintain its web presence as much as possible. AusCERT continues to provide services to its members and is continuing to perform its national CERT functions. Comment E-Secure-IT: The AusCERT website was not reachable from March 2 until March 06. Background: At approximately 21:30 on Thursday, AusCERT detected increased load on its primary web presence which was the result of a large number of automated requests to the web server from hosts located around the globe. A series of countermeasures were taken on Thursday evening with the site mostly available for the duration of the evening and through the early hours of Friday morning. On Friday, the attack intensified with some periods of outage experienced as countermeasures continued to be applied. At around 0800 Saturday morning, the attack increased significantly, effectively rendering the web site unavailable for several hours. Additional and more severe countermeasures were introduced which reduced access to the web site from overseas hosts. The attack is 'botnet' hosted with several thousands of machines involved in the attack against the AusCERT web site. AusCERT continues to work with various organisations in order to reduce the impact of the botnet. These attacks have been quite significant, with peak throughput reaching in excess of 700 requests per second against the AusCERT web hosting infrastructure."
Alleged ID theft ring head arrested
http://www.theaustralian.news.com.au/story/0,20867,21335546-29277,00.html
FEDERAL police have arrested an alleged boss of a multimillion-dollar identity theft syndicate spanning four states.
Australian Federal Police (AFP) raided a house in Melbourne yesterday and arrested Edy Kuswoyo, 24, who had been on the run for more than five months.
Today, the AFP successfully applied for his extradition from Victoria to NSW.
Mr Kuswoyo will appear in Sydney's Central Local Court tomorrow to face 42 charges, including possessing an implement for making a false instrument, dishonestly obtaining personal financial information and using forged Commonwealth documents.
Police raided Mr Kuswoyo's Waterloo home in Sydney on September 26 last year but missed him by just 30 minutes, federal agent Rod Cooke told Melbourne Magistrates Court today.
Federal agents allegedly uncovered a stolen Australian passport, more than $21,000 in cash and a laptop containing more than 100 templates for false documents.
It is alleged the laptop contained templates for Medicare cards, drivers licences and passports for countries including Australia, the United Kingdom, New Zealand, China and Indonesia.
Mr Cooke said police had uncovered a web of linked smaller syndicates rather than one large syndicate.
He told the court Mr Kuswoyo was the boss of one of the syndicates and worked with two men who were part of another syndicate and are already facing a string of charges relating to identity theft.
Mr Kuswoyo manufactured and supplied fake identification documents to "runners" who would get a cut of money fraudulently obtained from financial institutions including the Commonwealth Bank of Australia, Westpac, and the National Bank of Australia, Mr Cooke alleged.
U.S. government's NOAA site hacked by pill pushing spammers
U.S. government's NOAA site hacked by pill pushing spammers: "The U.S. government's NOAA (National Oceanic and Atmospheric Administration) Web site has been hijacked by spammers peddling prescription pills. The news section of NOAA's Climate Monitoring & Diagnostics Laboratory has been rigged with about 70 spam pages touting Soma, a prescription-only muscle relaxer. The spam pages contain Russian-language banner ads,..."
Monday 5 March 2007
The RootLauncher Kit - The WebAttacker toolkit
The RootLauncher Kit - The WebAttacker toolkit: "After providing more insights on the WebAttacker Toolkit and the Nuclear Grabber, in this post I'll discuss the RootLauncher, a release courtesy of the same group behind WebAttacker. Something else worth mentioning is that a large percentage of the sites I'm monitoring are starting to use authentication, and on a trust-basis login access, perhaps it's due to the enormous coverage recent 'underground' releases, namely phishing kits etc. got in the mainstream media."
Do Financial Crimes and Internet Fraud Fund Terrorism
Do Financial Crimes and Internet Fraud Fund Terrorism: "Many of us wonder exactly how terrorism is funded. Here is a story from the AP, which might lead some to believe that financial crimes (fraud) is a source of funding.
'Five relatives of a U.S. citizen suspected of being a senior Al Qaida operative were arrested in California and Utah on charges of defrauding banks of hundreds of thousands of dollars.'
'The FBI said Omar's relatives netted"
Thursday 1 March 2007
Scammers Manipulate the Mob
Scammers Manipulate the Mob: "Online recommendation systems are growing up -- and the spammers, fraudsters and thieves are moving in. By Annalee Newitz from Wired magazine."