Monday, 18 March 2013

Tax Season is Malware Season

In the United States, personal income taxes are due for every worker on April 15th.  The period from about January 31st until April 15th is when most of us file our taxes, which means cybercriminals love to imitate tax-related services during this time.

Each day we review Today's Top Threats for the Malcovery "T3" report.  Quite a few of them have imitated tax-related issues, from the Internal Revenue Service (IRS) itself, to Intuit, the makers of the popular TurboTax software, to assorted warnings that problems have occurred with your filing.

Here are a few of my recent favorites:

Feb 12, 2013: IRS

Our email subjects for this campaign sounded serious:

 count |                                         subject                                         
-------+------------------------------------------------------------------------------------------
   446 | surcharge for delay of tax return filling
   381 | forfeiture for delay of tax return filling
   363 | forfeit for delay of tax return filling
   361 | pecuniary penalty for delay of tax return filling
   350 | fine for delay of tax return filling
   315 | penalty for delay of tax return filling
   124 | Income Tax Refund TURNED DOWN
   108 | Income Tax Refund NOT ACCEPTED
    94 | Income Tax Refund NOT APPROVED
    90 | Income Tax Refund RETURNED
    87 | Income Tax Refund CANCELED
    74 | Income Tax Refund REJECTED



In this case there were at least 59 hacked websites that were advertised in the spam messages.  Here are some of the top ones:



Feb 14, 2013: TurboTax

In this campaign, the spammers hope we will believe that TurboTax is informing us that our "State Tax Return" has been rejected. In reality, the "please find information attached" is a zip file with a random file name (tax_RANDNUMBERS.zip). The zip file (MD5 = '44e31cab12de506e9b7e9df3c4414cef') is quite widely detected now, but that was not the case on the day of the campaign.

Mar 13, 2013: Intuit

The poor English in the subject on this spam message: "Payroll Account Holded by Intuit" may have helped prevent victimization.

But there were still 146 hacked websites that were each being used to redirect traffic to the Black Hole Exploit server. Despite the fact that this spam campaign is now six days old, many of these links are still active. A link followed this morning (March 19, 2013) redirects to the website "heelicotper.ru" on the path "forum/links/column.php". This domain resolves to 89.110.131.10, 132.230.75.95, 188.165.202.204, and 50.22.0.2. Even six days after the attack, several of the links sent in the original spam message are still functional, and will still drop malware from the exploit server. (This morning we got a file that renamed itself to KB01148523.exe, which disguises itself as an "Advanced display adapter" driver update, claiming to be by "Microsoft Corporation". The file has the MD5 8fe6968cab2b12ae486628c1a07cb86.)

How do you detect which machines in your network might be infected, given that the current detection rate (9 of 46 at VirusTotal) means that AVG, Avast, F-Prot, Microsoft, Symantec, Sophos, and Trend Micro would not detect this malware? We recommend looking for the BEHAVIOR of this malware in your network or web proxy logs. If someone visited one of the sites below, or more importantly, visited the site they redirect to - heelicotper.ru - then that machine needs to be examined and remediated.



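As an added example (not code from the original post), here is a small Python triage script that applies the advice above to web-proxy logs: it flags clients that reached heelicotper.ru (or the IPs it resolved to), clients that only hit a hacked site's /report.htm or /loading.htm redirect page, and notes when the two appear in sequence. The log format, the placeholder host hacked-forum.example and the sample log lines are constructed assumptions; the real hacked-site hostnames would come from the post's tables.

```python
"""Proxy-log triage for the Black Hole redirect chain described in the post.

Added example, not code from the original post.  The log format and the
sample lines are constructed; the indicator values come from the post's text.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# From the post: the exploit-server host, its landing path, and the IPs it resolved to.
BLACKHOLE_HOSTS = {"heelicotper.ru"}
BLACKHOLE_IPS = {"89.110.131.10", "132.230.75.95", "188.165.202.204", "50.22.0.2"}
BLACKHOLE_PATH = "/forum/links/column.php"
# Redirect pages served by the hacked sites in the Intuit and EFTPS campaigns.
REDIRECT_PATHS = {"/report.htm", "/loading.htm"}

# Assumed (constructed) log format: "<epoch> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
CHAIN_WINDOW = 120  # max seconds between a redirect-page hit and the exploit-server hit


def classify_url(url, redirector_hosts):
    """Return which indicator a URL matches, or None.

    Any contact with the exploit-server host is the strongest signal, whatever
    the path (the landing path can change).  A /report.htm or /loading.htm on a
    known hacked host is weaker: the redirect may have been blocked or the page
    already cleaned, so it only calls for a follow-up check.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in BLACKHOLE_HOSTS or host in BLACKHOLE_IPS:
        return "blackhole-landing" if path == BLACKHOLE_PATH else "blackhole-host"
    if host in redirector_hosts and path in REDIRECT_PATHS:
        return "redirector"
    return None


def triage_proxy_log(lines, redirector_hosts):
    """Group indicator hits per client and assign a verdict.

    Returns {client_ip: {"verdict": str, "chain": bool, "events": [(ts, tag, url, status)]}}.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines instead of aborting the sweep
        tag = classify_url(m["url"], redirector_hosts)
        if tag:
            hits[m["client"]].append((int(m["ts"]), tag, m["url"], m["status"]))

    report = {}
    for client, events in hits.items():
        events.sort()
        tags = {tag for _, tag, _, _ in events}
        reached_server = bool(tags & {"blackhole-landing", "blackhole-host"})
        # A redirect-page hit followed shortly by the exploit server is the full
        # chain the post describes (hacked site -> heelicotper.ru).
        chain = False
        last_redirect = None
        for ts, tag, _, _ in events:
            if tag == "redirector":
                last_redirect = ts
            elif last_redirect is not None and ts - last_redirect <= CHAIN_WINDOW:
                chain = True
        report[client] = {
            "verdict": "examine-and-remediate" if reached_server else "check-for-follow-on",
            "chain": chain,
            "events": events,
        }
    return report


# Constructed sample: hacked-forum.example stands in for a host from the post's tables.
SAMPLE_LOG = """\
1363100001 10.0.0.5 GET http://hacked-forum.example/report.htm 200
1363100003 10.0.0.5 GET http://heelicotper.ru/forum/links/column.php 200
1363100010 10.0.0.7 GET http://hacked-forum.example/loading.htm 200
1363100020 10.0.0.9 GET http://www.example.org/index.html 200
1363100030 10.0.0.11 GET http://188.165.202.204/forum/links/column.php 200
1363100040 10.0.0.13 GET http://other-site.example/report.htm 404
"""

if __name__ == "__main__":
    result = triage_proxy_log(SAMPLE_LOG.splitlines(), {"hacked-forum.example"})
    for client, info in sorted(result.items()):
        print(client, info["verdict"], "(full chain)" if info["chain"] else "",
              [e[2] for e in info["events"]])
```

Only hosts passed in as known redirectors are matched on the bare page name, so an unrelated site that happens to serve a /report.htm (10.0.0.13 above) is not flagged.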

Mar 13, 2013: EFTPS

Last for now, the spam claiming to be from "The Electronic Federal Tax Payment System" (EFTPS) had a different subject for every email, based on a random number inserted into the subject line: "Tax Payment N (RANDOM NUMBER HERE) is failed."

Seventy-eight hacked websites were used by this campaign to redirect visitors to a Black Hole Exploit server. Just like the Intuit campaign above, the "loading.htm" pages redirect to a Black Hole Exploit server that will drop malware onto your computer.



Sunday, 12 August 2012

Carder Christopher Schroebel gets Seven Years

21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conference back on June 11, 2012 "People think that cybercriminals cannot be found or apprehended.  Today we know that's not true.  You cannot hide in cyberspace.  We will find you.  We will charge you.  We will extradite you and we will prosecute you." (see: MSNBC: Feds Arrest Alleged Credit Card Fraud Kingpin.) 

Christopher A. Schroebel


Durkan seems to be standing by her word.  On Friday her office secured a seven-year prison sentence for Christopher A. Schroebel, a 21-year-old man from Maryland.

The "Official" complaint against Schroebel says that on a date before July 20, 2011 and continuing until August 3, 2011 Schroebel was stealing information from Mondello's Italian Restaurant,  specifically the data from credit cards belonging to K.H., K.W., J.H., V.D., S.J., and M.H..  That gives us the first charge - Obtaining Information From a Protected Computer.

An interview in the Seattle Times explains what Schroebel did, from the perspective of Corino Bonjrada, the owner of Mondello Ristorante Italiano.  Schroebel had planted spyware in the Point of Sale terminals of dozens of businesses.  Bonjrada told the Times "Some of my customers were saying they didn't know if they wanted to come back.  They were afraid."  Some of the customers were hit with fraudulent charges "within 10 minutes" of swiping their cards at his restaurant.  (See: Dutch man charged with stealing Washington credit cards.)
  
Schroebel was arrested last November in possession of over 84,000 stolen or purchased credit card data stripes and made his first court appearance on November 21, 2011.  At that time, he was sentenced to an inpatient substance abuse program, and was released from that program on December 26, 2011.   He was picked up and arrested again on a local warrant, and ordered detained as a flight risk on January 24, 2012.  So he has already been in custody for about eight months at this point.  (The detention order is available at archive.org.)

Schroebel entered a plea agreement on May 15, 2012, and was held pending his August 10, 2012 sentencing.  (See: PACER case number 180519, Docket 2:2011-cr-00391-RSM.)


The Seattle Police Department describes it a bit better:

The SPD has been actively investigating unauthorized computer intrusions ("hacks") into the computer systems of small businesses located in the Western District of Washington (including Mondello's Italian Restaurant in Magnolia and Seattle Restaurant Store in Shoreline).


The person/s responsible for the hacks installed malicious software ("malware") on the computer systems of the victim businesses.  The malware was designed to, and has collected credit card account numbers belonging to customers/clients of the victim businesses.  The stolen credit card account numbers were then transmitted over the Internet to a computer server under the control of the hacker/s and/or their associations.

USSS ECTF/NCFI Success Story


That's from the affidavit of a SPD Computer Forensics Detective, David Dunn.  He is a member of the USSS Electronic Crimes Task Force, Seattle Field Office.  The Secret Service partners with local police departments all across the country to share their Computer Forensics capability in the form of free training and expertise to help work these cases.  Part of that training is right here in Hoover, Alabama at the National Computer Forensics Institute.  (David actually responded to this post, giving permission to share his name, and confirming that he took AFT (Advanced Forensics Training) and NITRO (Network Intrusion Response) courses at the National Computer Forensics Institute in Hoover.)

Look at the training and experience this detective got as a local law-enforcement member of the USSS Electronic Crimes Task Force.

In April of 2005, I was transferred to the Seattle Police Department Fraud unit as a Computer Forensic Detective.  I am currently, and since October of 2006 have been assigned as a full time member of the USSS Electronic Crimes Task Force, Seattle Field Office.  I hold a Special Deputation appointment through the United States Marshals Service that permits me to seek and execute arrest and search warrants supporting a federal task force.  As a member of the Seattle USSS E-Crimes Task Force, I investigate violations of federal law in the state of Washington that fall under the responsibility of the USSS, with an emphasis on crimes involving computers, the Internet, and electronic communications.

(...Many local training courses listed, and then... )
My training and experience also specifically includes training and experience regarding computer and network intrusions, commonly known as "hacking."  This includes completion of the 40 hour "Incident Handling and Response" course on network intrusions and incident response through the Department of Homeland Security.  I have experience with packet analysis, malware, and viruses.  I am a Certified Ethical Hacker.  I have attended 104 hours of training in Network Intrusion Response at the National Computer Forensic Institute.  I hold the following certifications: EnCase Certified Examiner, Access Data Certified Examiner, IACIS Computer Forensic Certified Examiner.  I have received advanced training in both network intrusion forensics as well as Point of Sale forensic investigations.

As a member of the USSS ECrimes Task Force, I have worked on numerous computer and network intrusion cases.  These cases have involved a range of hacker techniques and modus operandi, including social engineering, SQL injection attacks, botnet attacks, malware infections and various other means of computer infection and attack.  I have examined myriad server logs and volumes of IP address information as part of my investigation of various hacking cases.  I have also created and examined forensic images of dozens of infected and hacked computers and servers.  I have investigated cyber cases involving both national and international victims and suspects.  As a result, I am familiar with schemes involving large scale Internet crimes and network attacks.



(Here's a picture with my summer students from the National Science Foundation Research Experience for Undergraduates at the NCFI - sorry - shameless plug - I think this place is great!)





Back to the Hacking Charges



The Complaint then says that "knowingly and with the intent to defraud, trafficked in and used credit card track data from credit card accounts belonging to (the above) without their knowledge or consent, and by such conduct obtained profits aggregating $1,000 or more, said trafficking affecting interstate and foreign commerce, in that the credit card account numbers that were so trafficked and used by Schroebel and others to make fraudulent purchases in states outside the State of Washington."  That's the second charge - Access Device Fraud.

When Schroebel was arrested, he was in possession of 84,000 credit card numbers that he had stolen or bought from other hackers.

When the SPD investigated the charges made on the cards used by the customers at Mondello's they led them to California. One of the cards, belonging to K.H. was used at Home Depot, Wal-Mart, Jack-n-the-Box, and several other locations.  V.D. and S.J. dined together at Mondello's on July 30, 2011, and BOTH had their cards being used for fraudulent purchases in Southern California on July 31, 2011.

That's where we get to the next interesting member of our trio, GUERILLA BLACK.

GUERILLA BLACK, MRBUSINESSMAN62, BLACKDOLLA, Charles Tony Williamson




The Indictment of Guerilla Black fills in the California end of the story.



Guerilla Black is described as a "B.I.G. look-alike" (or, some would say, imitator).  Apparently record sales needed a bit of supplementing to support the private-jets-and-limos image he tried to maintain in his YouTube videos.  (Shown above is the track "Compton".)

From at least January 2011, credit cards stolen by Schroebel were showing up in California, being used by Guerilla Black and his crew.  Black's indictment shows many entries such as:

19. On or about February 9, 2011, the coconspirator who hacked the point of sale computer system at the Shoreline, WA business sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least one credit card number that had been issued by Boeing Employees' Credit Union.

or

32. On or about July 31, 2011, the coconspirator who hacked the point of sale computer system at the Seattle, WA restaurant sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least two credit card numbers that had been issued by Boeing Employees' Credit Union.


(Gee, which two would those be?)

The indictment lays out that Williamson "expressed his preference and desire to coconspirators to buy 'dumps' of stolen credit card numbers 'in bulk,' that is, in lots of at least 100, or 500, or more," and that he "expressed his preference and desire...to obtain credit card numbers that were 'freshly' stolen through 'point of sale system' computer network intrusions rather than card numbers that were skimmed or stolen from credit card databases compiled by others, because the 'fresh' card numbers stolen from point of sale system hacks could be used more successfully for fraudulent transactions."

Williamson "redistributed the stolen card numbers to a network of criminal associates, with the intent and the expectation that these associates would then use the stolen credit card numbers for fraudulent transactions."

But Williamson wasn't the only one Schroebel was selling to . . .


Schrooten / Fortezza


As it turns out, Schroebel would sell the cards he acquired from these POS terminals to another 21-year-old, Dutch national David Benjamin Schrooten, who ran a website that sold credit cards to others for their use.

Schrooten will be well known under his hacker name "Fortezza" to anyone who follows the excellent blog KrebsOnSecurity.com.  Krebs' story Feds Arrest Kurupt Carding Kingpin tells us more about the English-language carding site run by Fortezza, Kurupt.su.  According to Krebs, Fortezza obtained many of his cards by breaking into a competing carding site.  In retaliation, THOSE carders posted a message announcing that Fortezza "needs to learn not to fuck with Russians !!!" and providing his information, including real name, city, home address, shipping address, telephone number, and fax number.

Krebs has a screen shot of the post on his blog:



Schrooten was arrested as he got off a plane in Romania, and was later extradited to the United States.  He will be tried in September in Seattle.




According to the Schrooten indictment (also from KrebsOnSecurity) Schrooten is charged with Conspiracy to Commit Access Device Fraud and Bank Fraud, 2 counts of Access Device Fraud, 5 counts of Bank Fraud, 1 count of Intentional Damage to a Protected Computer, and 5 counts of Aggravated Identity Theft.

As we've discussed before, one of the ways our judicial system is not geared up for handling international cybercrime is that wherever these cases are tried, they address only the charges LOCAL TO THAT JURISDICTION.  So, in this case, the trial is in Seattle, which means the only victims who can be named are those with a connection to the Western District of Washington.  In particular, this trio of cases focuses on the charge that the Boeing Employees' Credit Union, and members of the credit union who reside in the Western District of Washington, had money stolen by these criminals.  So the counts of Bank Fraud against Schrooten specifically refer to transactions on April 25, 2011, August 20, 2011, December 21, 2011, and two on February 1, 2012, where the account holder was a BECU customer who lived within the jurisdiction of this court.



There will likely be more arrests, and more sentences, in this case in the near future.  I wanted to share it now though because it is a great example of what happens when a smart local detective partners with the USSS Electronic Crimes Task Force, and runs down a local crime, along with its international implications.

Wednesday, 20 June 2012

Soldier Auto Escrow Scam

Last night I got an email from a student ...
My brother is wanting to buy a car that is in the UK. The seller is claiming she will get free shipping from military affiliation. She wants to conduct the deal through eBay's buyer protection program. She's selling a fairly nice car for 1700 dollars. No money changes hands until the car is in my brother's possession and he has approved of the car (10 days to approve). What do you think?

Sounds pretty good, with the little caveat that the seller doesn't own the car, but he DOES own the escrow service where you are expected to put your money! THIS IS A SCAM, usually tied back to Romania.

A recent headline in Boston was Romanian Mobster Arrested in Lexington May Be Tied To Car Scam (April 4, 2012, CBS Boston). In that story, Catalin Buzea of Romania was opening bank accounts with a fake passport when he was arrested. He was said to be "duping people nationwide who are buying cars online ... a well trained thief working with counterparts in Romania ... they successfully direct online car buyers to bogus yet very real looking online payment systems." Buzea wired more than $100,000 back to Romania in three weeks, all the result of online auto scams.

It is rather amazing that Buzea and his crew are still in operation after last year's news. In July 2011, US and Romanian police arrested more than 100 people who had stolen more than $100 million from online scams similar to this. Romanian police arrested 90 people after doing 117 raids in 9 cities. In the US, "money mules" (called "arrows" by the Romanians) would retrieve money from US bank accounts using fake identities, such as Buzea did. In the July 2011 action the case was developed by arresting "arrows" in Florida, Kentucky, Missouri, Pennsylvania, and Texas, who were all used to provide clues to the Romanian police. The DOJ Press Release listed many criminals involved in these schemes including Vadim Gherghelejiu, Anatolie Bisericanu, Jairo Osorno, Jason Eibinder, Ciprian Jdera, Pedro Pulido, Ivan Boris Barkovic, Beand Dorsainville, Sergiu Petrov, Oleg Virlan, Marian Cristea, Andrian Olarita, Adrian Culda, Tiberiu Zachiteanu, Marion Potcovaru, Augustin Prundurelu, Georgina Andrei, Sorin Mihai Madaian, Victor Angelescu, Klara Mirabela Rusu, and Eduard Sorin Neacsu. But based on this morning's report from the UAB student, a few more still need to go to jail.

This scam comes up often enough that I thought I might make a post about it here. The language used in the initial contact is "fill in the blank" so I hope that someone will read this and find themselves warned.

Here's a sample message.

Hello and sorry for my delay,

I'm SGT Paul Hayes. This Corolla LE is in perfect working condition. This vehicle engine runs very, very smooth. No electrical problems on this beauty. This detailed vehicle makes the exterior looks like it just came off the assembly line. The car has 35k miles. VIN Number: 2T1BR32E76C639533

CD Player Transmission: Automatic Air Conditioning Anti-Lock Brakes Driver Airbag Passenger Airbag Side Airbags Cruise Control Power Locks Power Windows Power Seats Click this link for more pics: http://s284.photobucket.com/albums/ll7/rr6toy/

As I know that my current situation is pretty special I want the deal closed only through eBay's Buyer Protection Program in order for you to be 100% protected. You will make the payment to eBay and they will hold the money until you receive the car. ONLY AFTER you receive the car and you inspect it(for 10 days) eBay will release the payment to me; in this way we are both protected. Anyway i am sure that if you won`t be satisfied about the car i will surely find another buyer in your area and there will be no need for you to ship the car back. I am located in London, UK and I was sent here with my department of peace maintenance. Two months ago, my wife moved here with me and brought the car with her, but now we have to sell it back in the United States because we can't register it here; it has US specs and everything, and registering it here in Europe will take for ever. My final price on it is 2,950 USD. If you will take it for this price, I am willing to handle the shipping. It will be shipped from here by plane with US Air Military Cargo so it will not cost me anything. You will get it to the nearest airport in your area and then it will be trucked forward to your place. You will receive the car in about 3 days. Please get back to me asap if you decide to buy, and include in your e-mail your full name and address where you want it shipped so I can start the deal with eBay. You will receive all the transaction payment and shipping details from them.

Best Regards,

Paul and Stephanie Hayes

That message is from November 2008, and is ALMOST identical to the message the student's brother received.

So what do you do about Soldier Auto Escrow Scams?

The best investigative team I know that works these issues is actually the eBay Motors security team. They have some great advice available on eBay Motors Security Center website. They recommend that you forward any suspicious emails you receive to "car@ebay.com" -- and they actually don't mind whether the email started at eBay, Craigslist, or anywhere else. If there is a scammer who is selling cars on the Internet, ESPECIALLY if it mentions an escrow service or eBay, please send a copy to "car@ebay.com"!!

If you actually lost money on one of these, please be sure to report it also to the FBI through the ic3.gov Internet Crime Complaint Center. The form makes it difficult to just share clues if you did not actually lose money, but if you did, it is well worth reporting there!

Related scams

Sometimes the best "proof" you can share with a skeptic-friend who is considering falling for the scam despite your warning is to show them ALMOST IDENTICAL emails from other victims. Here are a few to get you started:

In November 2009 - Fraudwatchers saw SGT John Edwards selling an Altima SL with VIN Number: 1N4BL11D65C376012.

June 15, 2012 - Jules was almost scammed buying a Honda Accord EX from SSgt Monica Dixon with VIN Number: 1HGCM56744A118864.

January 13, 2008 - Katy Lee was offered a Honda Accord EX by Sgt. Robert Parra with VIN Number: 1hgcg1655ya068349.

January 23, 2010 - FightTheScams posted about SGT Jacob Gulledge selling his Accord EXL with VIN Number: 1HGCM66825A031982.

They don't have to be in London . . . Sgt. William Thompson is selling his car from Afghanistan using a very similar scam.

Hello,

I am emailing you regarding the 2003 Mazda 6 that I have for sale. The general condition of this car is excellent, very well maintained, no damages and no mechanical problems, the engine runs and sounds awesome, automatic transmission, 4 Cylinder 2.3 Liter, tan leather interior and white exterior with no cosmetic complaints really worth comment. The alloys are all presentable and original, the fronts having a few marks, all tyres in good condition with plenty life remaining. Clean carpets, seats, roof, boot and plastics. Both remote keys are present and they are working, no electrical issues. I do have the title, clear, under my name. The car has 90,136 miles, year 2003 and VIN#1YVFP80C635M26324. I'm not interested in any trades, only to sell it!

Price was reduced to $1,995 (URGENT SALE) as I need to sell this car before June 25 when I will leave with my platoon back to Afghanistan and don't want it to get old in my backyard.

I thought you might want to see more pics, click on this link:
http://s1148.photobucket.com/albums/o565/WhiteMazda/?albumview=slideshow

Hope to hear from you as soon as possible!

Thank you,
William Thompson

Lt. Steve Hoinski is selling his 2005 Audi A4 from Madrid, Spain, but the description sure sounds like he's in London!

As I know that my current situation is pretty special I want the deal closed only through eBay's Buyer Protection Program in order for you to be 100% protected. You will make the payment to eBay and they will hold the money until you receive the car. ONLY AFTER you receive the car and inspect it (for 10 days) eBay will release the payment to me; in this way we are both protected. Anyway i am sure that if you won't be satisfied with the car i will surely find another buyer in your area and there will be no need for you to ship the car back.

I am located in Madrid, Spain and I was sent here to improve the military relationships between our country and Spain. One month ago, my wife moved here with me and brought the car with her, but now we have to sell it back in the United States because in order to be able to register this car here, I would have to pay very high import/custom taxes. My final price on it is $ 2950. If you will take it for this price, I am willing to handle the shipping. It will be shipped from here by plane with US Air Military Cargo so it will not cost me anything. You will get it to the nearest airport in your area and then it will be trucked forward to your place. You will receive the car in about 4 days. Please get back to me asap if you decide to buy, and include in your e-mail your full name and address where you want it shipped so I can start the deal with eBay. You will receive all the transaction payment and shipping details from them.

Thank you and have a nice day,
Lt. Steve Hoinski

Looks Too Good To Be True

There are dozens and dozens of these, but some good advice can be had from the "LooksTooGoodToBeTrue.com" website, which has a page that explains Escrow Fraud. Use the "Looks Too Good To Be True" test on your sale . . . There's a reason they are selling it at "looks too good to be true" prices:

"One month ago my wife moved here with me and brought the car with her but now we have to sell it back in the United States because we can’t register it here; it has US specs and everything and registering it here in Europe will take for ever."

They are going to ship you a car internationally in a very short period of time:

"You will get it to the nearest airport in your area and then it will be trucked forward to your place. You will receive the car in about 4 days." (In reality you would be lucky to get a car from KANSAS in four days!)

They claim the deal is with eBay, even though they aren't selling the vehicle on eBay:

"Please get back to me ASAP if you decide to buy and include in your e-mail your full name and address where you want it shipped so I can start the deal with eBay."

(eBay will only stand behind eBay deals where the whole transaction happens ON eBAY! Don't fall for these scam deals ... when someone tries to steer you OUTSIDE of eBay they are normally planning to rip you off.)

For American buyers, the only Escrow service that eBay supports is "Escrow.com". They have tips for how to do an escrow purchase on the website Using escrow services for eBay Motors vehicles purchases.

Saturday, 19 May 2012

What about the Social Security Numbers? (The Utah Data Breach and your SSN)

The Utah Data Breach

This week the saga of the Utah Medicaid Data Breach continued to unfold.

If you haven't been following the story, here's the play-by-play:

That is an amazing story. Remember that Utah only has 2.8 million people according to the US Census. So in this single data breach 28% of the residents of Utah had their personal information stolen from them, and 10% of them had their Social Security Number stolen.

The good news, if there is any, is that Utah is now Very Serious about Identity Theft, launching its new IRIS: Identity Theft Reporting Information System in response. What will it take for the other states to get serious about identity theft?

What About Social Security Numbers?

The Utah story was only intended to be a vehicle for asking this question. What are we doing about Social Security Number theft? If hackers get your password, you can have your password reset. If hackers steal your credit card number, the bank will issue you a new one. If your bank account is breached, it is not uncommon to have the bank CLOSE your account and open a new account for you. But what if the hackers steal your Social Security Number?

The first place that seemed reasonable to check was the Social Security website. They have a page about Identity Theft called Identity Theft and Your Social Security Number (SSA Publication No. 05-10064, ICN 463270, August 2009).

That publication asks "What if an identity thief is creating credit problems for you?" and answers the question:

If someone has misused your Social Security number or other personal information to create credit or other problems for you, Social Security cannot resolve these problems.

They have several recommendations:

But read on . . . IT IS POSSIBLE to get a new Social Security Number, and Social Security will work with you to do that IF YOUR NUMBER IS BEING ACTIVELY ABUSED, but they warn that getting a new number may actually be worse than the abuse. For example, in the United States, the key to your credit history is your Social Security Number. If you get a new number, congratulations, you now have Zero Credit History. You won't be able to get a credit card or a loan without a lengthy ordeal or a co-signer.

So what is the answer? Despite all the controversy, it may be time to go back to the discussion of a National Identity Card. I visited Spain last summer and my banking security friends marveled at how the US clung to our antiquated system. They have a National Identity Card (DNI - Documento nacional de identidad) that is carried at all times. The chip in the card contains a digitized version of a photo of the bearer, plus a digital version of their signature and fingerprints! There is no value to having only the Number -- my friend who was explaining it to me said you can write your number on your business cards, because there is NOTHING ANYONE CAN DO by simply having the number. It is the CARD that has value. If you have my number, but not the chip in my card, it is worthless to you.

I'd like to see this discussion move forward. If criminals don't already have your Social Security Number, it is certainly only a matter of time. Even if it is only a theoretical question right now, it is extremely likely that this question will be a personal matter to you or someone you love in the near future.

Especially if you live in Utah.

Lessons from the First Cyber Cops

I was so excited to see Bob Gourley's blog post "A Lesson From the First Cyber Cops" which is how I learned about an event on May 16th hosted by the Atlantic Council. As part of a program called the Cyber Statecraft Initiative, Jason Healey moderated a discussion called: ”Lessons from Our Cyber Past: The First Cyber Cops”.

The panelists were all people that I have met and been very impressed with over the years: Steven Chabinsky was the lawyer who served as Senior Counsel to FBI's Cyber Division and advised our InfraGard national board when I served in 2002-2003. He was the first lawyer I met who actually understood what cyber was all about. He's currently the Assistant Deputy Director of National Intelligence for Cyber.

Shawn Henry, former FBI Executive Assistant Director of Criminal, Cyber, Response, and Services Branch, and now a principal at CrowdStrike. I saw him last sharing his passion for the InfraGard program up in DC last November.

Christopher Painter, the Coordinator for Cyber Issues at State and former U.S. Attorney, Computer Crime and Intellectual Property Section of the Department of Justice, whom I first met as I was learning about the "24/7 network" of international information sharing that he helped to build.

What I've done here is listen to the audio recording of this panel session, and do my best to accurately transcribe what I heard. I think you'll find it as fascinating as I did, but encourage you to Listen to the MP3 if you have time. There were about forty minutes of Q&A from the audience at the end that I have not transcribed. Any errors in transcription are mine, please take this as "gary's notes" and use the MP3 as your authoritative source.

Getting Started in CyberCrime Investigations

Q: What got you started in Cybercrime?

A: (Chris Painter) Always interested in technology, while I was in college and law school. In 1991 went to the US Attorney's office in California. This was before the web, but many companies, and the government, and the military and others were certainly relying on computers.

I was working with Scott Charney who had started the first Computer Crime unit. There were several companies experiencing theft of source code, including cellular phone companies, and the University of Southern California, where they had data losses, but also someone storing stolen data there. That turned out to be Kevin Mitnick. We had great FBI agents here, Trent Teyema, Ken McGuire and others. In the course of investigating Kevin, I had to learn Linux, and how to review log files. Worked with the first Stock manipulation cases, the first eBay case, which was the Mafia Boy DDOS case, which was the first case I worked with Shawn on. Back in that day a plane was circling the court house with a banner reading "FREE KEVIN!"

A: (Steven Chabinsky) The way I got into computers was with games. In 1979 or 1980 I had a cousin that had a TRS-80. He was signing in to a service called "The Source" and he allowed me to play "Adventure". One of those games where you typed "Turn Right" and it says "You see a nasty elf, what do you do?" and you type "Fight Elf" and it says "The nasty elf killed you!" I was fascinated. I was the kid that worked every day after school, not to save money to buy a car, but to buy an Apple computer. The one I wanted was 1200 bucks and it didn't come with a floppy drive. A floppy drive was another 400 bucks. It came with 48k. I had to buy another 16k just to be able to program, in Fortran at the time. I end up joining the FBI. Fast forward. In 1998 President Clinton had PDD-63, and the FBI was put in the lead of the National Infrastructure Protection Center. The concept was that multi-agency and private sector had to work together. They needed another lawyer, and I raised my hand immediately. It had to do with Cyber. In 1996, Cleveland, Columbus, and Toledo had started InfraGard. I really need your help. How would we nationalize this program? We took this group of a couple hundred people and today it has 50,000 members. The FBI only has 30,000 members. After September 11th, it grew to be beyond Cyber and to include Critical Infrastructure. And in that time I began to give legal advice, and began to give legal advice on all sorts of intrusion cases, which is how I met Shawn Henry.

A: (Shawn Henry) I'm honored to be with two of my closest friends. Our relationships developed because we were on the front line in this space in 1999 and 2000. There were not a lot of things known at this time. I latched on to these two attorneys who were working in this space and who were most importantly innovative. My start was very similar to Steve's only instead of playing with an elf, mine was Star Trek. You see a Klingon ship. Turn right. That was my interest as a freshman in high school. When I joined the Bureau there were some linux courses and cyber courses available and I took them. There was a vacancy as Chief of the Cyber Investigations Unit and this was a natural route for me to take. I had spent a couple years at headquarters as a supervisor. I wanted to take the things we did in the physical world, the things we learned fighting organized crime and terrorist groups, white collar crime, and apply them in the Cyber realm. I had a lot of experience using authorized intercepts, wiretaps, informants, that sort of thing. This was 1998. I remember sitting there with Steve in the command post at 11:59 PM on New Year's Eve watching the countdown, 9, 8, 7, ... when it hit zero, the lights went off. Because someone had flipped the switch off as a prank. But Steve and I started working the very first undercover case in the Computer Intrusion environment. We had hundreds of cases at the time but we had never used this technique. It was the first time Steve and I had met to chat about the legal consequences. We had an undercover agent who joined a hacking group, who actually did some hacking - all segmented and legally authorized - it gave us great insight into the group and is now common practice for us. That would have been February or March of 2000. We did get a prosecution, but I can't say what group.

What were the Wake Up Call events?

Q: The DOD has been through several "wake up call" events, the latest being Buckshot Yankee. Has DOJ been through that as well?

A: (Steve) Yes, with Solar Sunrise we see military computers, .mil computers, being intruded upon coming from abroad. It was happening during the conflict with Iraq. The traffic is coming in from a middle eastern country, and it really looks like this is an attack coming from a nation state. There was the obvious real possibility that we were under attack. If we are, how do we handle attribution, how do we respond. Of course the FBI does their investigations constitutionally, by the rules, regulations, statutes, and constitutional requirements of the US, not traveling easily in ways that would impact the sovereignty of other nations. Dealing with probable cause and beyond a reasonable doubt. Is there enough to justify a military response. We were at the table saying that we don't think there is enough attribution at this time. Of course we know the end of the story. A couple kids in Cloverdale, California, working with a young adult in Israel, purposely routing their traffic to make it appear to be coming from another country. (Gar-note: we blogged about The Analyzer, the Israeli in Solar Sunrise.) What was the moral of the story? Our .mil had been intruded upon. It could have been used to launch attacks on other countries. Will our adversaries show the same restraint if they were to see our computers attacking them? Another incident involved the White House, getting all the named players on a teleconference, this was before DHS. A large botnet, a very large botnet was being assembled - is it possible that it is being grown to attack the United States? Well, no, in the end it was being used for click fraud. (Laughter) Yes, your reaction, it becomes comical. But at the time, you can't anticipate the end of the story while you are in the middle of it. Early on we were thinking an attack was coming from your country, but now it's gone to the other extreme, there is such poor attribution that the problem has resolved itself. We're better at understanding the motives of events. We don't have White House calls about these incidents any more.

A: (Chris) You asked about wake up calls, we've had several, but they are like wake up calls with a snooze button. It gets attention briefly and then we go back to sleep. Back in 2000 when we saw these big botnets being built, we thought this was going to be how the criminals took down everything. But then we started seeing the large DDOS events against media companies like CNN. They got a lot of media attention, it took a few months, but we found him and it turned out to be a 13 year old boy, MafiaBoy, living in Canada. At the time we were saying "This must be a nation state! It's too sophisticated, it couldn't be an individual." RCMP monitored his communications back to his house. The father was ordering a hit on one of his colleagues, so it was Mafia Dad and Mafia Boy, great family.

That was one wake up call. Later on you had the commercialization of this with botnets, botherders, and then the lone wolf, lone gunman hackers, who kept a low profile who didn't want to be seen who wanted to steal money or trade secrets from companies and others or having an impact on infrastructure. The early Infrastructure impacts were inadvertent. Some kids playing in a telephone switch who impacted a local airport ... (24:40) ... these all built on each other to create the atmosphere now compared to even five years ago is dramatically different, because of these cases, successful cases that we've talked about and other things that have happened.

A: (Shawn) We haven't had the wake up moment yet globally, and we won't until there are physical implications, ramifications of an actual attack. When the lights go off for a period of time, or when people die. It's the equivalent of planes crashing into buildings. People take terrorism seriously when they see blood in the streets. For me the wake up was the I Love You virus. Around Valentine's Day, I love you, everyone wants to know who, so they all click on it and have a virus. It had a cascading effect around the world in 24 hours. This is not a United States problem, this is a global problem. In the past it was relatively clear where venue was. We had victims in all 50 states and 56 field offices who all claimed they had venue. I had to decide where, as chief of the unit, where venue was going to be and which field office was going to work that case, and I did it without conferring with the US Attorney's Offices. I gave it to Newark, and their US Attorney's Office jumped on board. When ultimately at the end of the day we identified that this was a young man in the Philippines, he was identified and someone put their arms on him, but in the end the Philippines had no law against what he did. Even though he was identified, even though he caused great economic damage, nothing happened. They arrested him, but then they let him go. The global element here. How do we look at this at an international level? It's an international problem. We need to have consistent laws, consistent strategy. We have to have a consistent understanding. The FBI has now centralized; rather than 56 field offices operating independently there is a central command. Headquarters will decide how things get done. We, and not just the FBI, but the community as a whole have become much more strategic in our operations and much more strategic in the execution of our mission.

A: (Steve) Cybercrime has led in terms of our understanding and Cybersecurity followed on. People were working on cyber crime policy before they were thinking at a policy level about cyber security, partly because of the I love you virus. There were a lot of efforts through the G8 to focus on cybercrime. There was a ministerial meeting back in 1999 where this was pushed as a major initiative. Three legs of a stool, you had to have good capacity to fight these crimes, good laws in place, and the capability to cooperate internationally. The G8 and then the Budapest Convention on Cybercrime, the Council of Europe convention that is still the single item that really deals with these issues. The 24/7 program which started with 8 countries and now has 60 countries. There was a lot of work enhancing the Legat program around the world. It was really good expert work among the cognoscenti that has now reached the leadership of these governments.

A: (Shawn) I think you are being modest Chris, because the world looked to you and your colleagues at DOJ. The Philippines ended up updating their laws in just a couple months and the world followed. The Department of Justice put us in a leadership role here. The United States, through the Department of Justice, really put us in place. I haven't seen any cases in the last eight years where we haven't been able to prosecute because the laws were not in place.

A: (Steve) I'll go back to what Shawn said -- It's not about all following the cyber trail. There is the money trail. You have to combine all these things. There are a lot of countries where it is still illegal to do undercover operations. You can react all day long, but if you can't get inside these organizations and bust them down from the inside.

Are We Winning?

Q: It sounds like overall on the cybercrime and law enforcement side in the US, we've made great progress. Are we winning?

A: (Shawn) We are not winning.

A: (Steve) But I don't think we are losing. This is why I always hate this question! (Shawn: The State Department!) What are the metrics for winning? How do you measure winning or not winning? Clearly there is much more awareness, there is much more law enforcement resource, there are things like Infragard on the private sector, there is more international awareness of this, but the threat has gotten bigger. Criminal groups, nation states, potentially terrorist actors though we aren't seeing this yet. We clearly are more reactive than we should be and we need to have more capability to fight it. Yes or no.

A: (Shawn) When I say we aren't winning, we are not getting ahead, we are falling behind. We are having impact. We are having success. Through the efforts of the FBI, the Department of Justice, the Intelligence community, and the private sector, we have had impact. We have made arrests, we have identified groups, we have attribution, but we are not getting ahead, we are falling behind. There is more and more data getting pushed, more and more people coming online, more subjects getting into this who are realizing opportunities to exploit and to line their pockets, and there are countries getting involved in cyber espionage. We are having successes but we are falling behind.

A: (Chris) We are having successes. I came to this in August of 1998. The private sector is working together, the government and the private sector are working better together. I'm seeing more arrests. Tactically, you can show a chart showing how we've improved. We're doing better, but the threat is outpacing our capabilities. When we look at our strategy - what does success look like? The reason we are getting further behind - early on we saw this as an Internet problem, a net-centric threat. Over time we've come to see this is a technology threat. Every aspect of our lives is chip-enabled. The threat is controlled by technology. The vulnerabilities to automobiles: there are chips controlling your acceleration, chips control your brakes. Can we get in through bluetooth? Biomedical devices - there is software in the insulin pump that allows for remote diagnostic capability. There are chips controlling the flow of insulin into your body. Can we cause that to happen remotely? The researchers say yes. You see the problems with Wireless, purposeful interference and jamming. We are becoming more reliant on inherently vulnerable products and services. So the combination of those two make us, as a strategic point, fall further behind. We are getting to a point where we have to reflect on what risk mitigation looks like in this area. Whether our policies that focus predominantly on vulnerability mitigation and whether that is a successful long term security model. If you think of most security models they rely on threat deterrence - the notion that the actor won't act because there will be some deterrent effect. You'll be captured, have some penalty. Here we have a model relying on hardening our targets. That's not how we live in the real world, that's called a fortress. Technologies are not meant to be bunkered down. It's not surprising as we accept technologies that are not fortressed and bunkered down, when we have a risk model that doesn't rely on threat deterrence, we'll fall further behind.

A: (Steve) We have to have both of them. You need to lock your doors which we haven't done a good job of, AND have consequences for the people who break in also. There is a lot more to do on hardening the targets and locking the doors, but you have to do threat reduction and threat deterrence. The question is, If you are a cyber criminal, let's take the criminal element for now, it used to be really costless to you, could route your attacks through other countries, you really wouldn't think there was any chance of getting caught. Most cyber criminals ... There have been some great deterrent cases, Getting deterrence cases out there, undercover cases taken down that make the criminals not trust each other. But there is no perception of risk. The positive side if there is a benefit to the criminal, but there is a negligible chance of getting caught, you aren't going to have an impact.

Lessons Learned?

Q: When I look at DOD, I see them caught up on the same questions they had in the late 90s on organizations, and authorities, and definitions, but when I look at Cybercrime it seems you have made progress beyond all that. What are the most important lessons, and are those lessons being inculcated on the new agents, new attorneys?

A: Understanding the scope of this problem and how it will impact your life. There is an age-old problem that the three of us have dealt with for years, which is that victims won't come forward. There is a sense there is nothing government will do for them. That they would be further victimized, that law enforcement would come in and cart off their computers, that they would suffer public reputational damage if it was found out. We need to move this from the area of cyber intrusions being some special sexy kind of thing, but more like bank robberies in Los Angeles. There were many bank robberies in Los Angeles, but people kept using the banks.

A: There has been dramatic progress in how law enforcement addresses these issues. We are doing much better on not victimizing victims. There were big cases before I got there, a Citibank case ???? (42:15) ??? there were stories early on when the FBI came in and in order to preserve the data we seized the computers. We fixed that right away. We didn't keep repeating that, although the stories continue. We also stopped naming the victims so often. Working with the private sector better. The other issue, a Cuckoo's Egg issue back to Clifford Stoll, where someone says there has been a victimization and you ask how much the damage is and it's negligible, 75 cents, you hang up and laugh. (Gar-note: Clifford really did report that someone had used 75 cents of computer time, and then had changed the logs to hide it.) The damage is not obvious, but the threat to infrastructure represented by these intrusions is real. You don't have to wait for a big dollar loss to take an attack seriously. The third area of change is taking information IN THE COURSE OF the investigation, and using that information to help protect victims while the case is still active. Back in the NIPC days, we would literally get on a stage and tell private sector what we knew while proceeding with the investigation. I hear all the time that the FBI wants to keep the problem happening so they can monitor the crime and don't care about the victim. We've done a better job helping law enforcement provide value to the Net Defender while we are proceeding against the adversaries.

Q: When we first started, every FBI dude would stand up and say "I don't really understand these computers, I have to ask my granddaughter to help me ..." and every FBI dude would get up and start the pitch that way - but I remember the first time I heard Steve with Kim Perretti talk and realize they really get this stuff.

A: We started really hiring towards this hiring pool. In the 90s we hired attorneys and CPAs for the agent role, but then over time began hiring very brilliant people, who work for major companies patriotic people who sometimes take a cut of 2/3rds of their salaries. We created a career path oriented towards cyber, with 30 unique courses that are evaluated constantly to make sure they are timely.

A: In dealing with the victims, we only identified in the Mitnick case the victims by their initials. Bloomberg had a hacker try to extort them, and he came to the FBI and said "screw them, I want to send the message that you can't come threaten me like this." Bloomberg met the guy in London with $250,000 with two of his colleagues who were actually a Metropolitan Police officer and an FBI agent who proceeded to lock up these two Kazakhstanis and bring them back to New York. (See: Zezov case for details)


Q&A Session

Friday, 18 May 2012

Social Engineering: Facebook Photo

Please welcome a guest blogger, Sarah Turner, who authored today's report. Sarah is a malware analyst in the UAB Computer Forensics Research Laboratory and is the editor of our daily "Emerging Threats By Email" report. I asked her to put together an article about a prevalent spam campaign that has been running wild for about a month now. While the HISTORICAL malware described below is fairly well detected, each morning when a new version has come out the detection has been low, with improvement over the next 24-48 hours. If you see a message like this, RESIST TEMPTATION! DO NOT CLICK!

_-_
gar

Social Engineering: Facebook Photo

Guest blogger: Sarah Turner

This campaign relies on social engineering: the subject lines insinuate that an enclosed photo, obtained from a social media site or other public source, depicts the recipient or the recipient's ex-girlfriend in a scandalous or otherwise embarrassing predicament.

The campaign only uses 8 subjects, shown below.

  • FW:Check the attachment you have to react somehow to this picture
  • FW:They killed your privacy man your photo is all over facebook! NAKED!
  • FW:Why did you put this photo online?
  • FW:You HAVE to check this photo in attachment man
  • RE:Check the attachment you have to react somehow to this picture
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
  • RE:You HAVE to check this photo in attachment man

The email body can vary between the 3 samples shown below:

Hey,
I have a question-have you seen this picture of yours in attachment?? Three facebook friends sent it to me today...why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

Hate to bother you,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter...The question is is it really you???.

I'm sorry,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that due??.

All of these encourage the recipient to open the attachment and see the image they refer to. Typically the attachment is a .ZIP containing an executable; however, in the attachments received on May 16, 17, and 18, the extension was not .ZIP but ".jpg.exe".

The first few times this malware was received (April 20 – 23), once it was downloaded and run, it presented itself as antivirus software.

After that, the malware received was identified as Cutwail delivering Zeus. When the executable was run there was no recordable network traffic, but multiple changes were made to the Registry and a new file named svchost.exe was added to the machine. The executable received today had a detection of XXXX on VirusTotal.
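As an added example (not part of Sarah's report or of UAB's own tooling), a small Python triage routine that flags mail matching this campaign on two of the indicators described above: the fixed set of subject lines, and an attachment that is either a ZIP carrying an executable or a ".jpg.exe"-style double extension. The sample messages, the image/executable extension lists and the ZIP contents are constructed for the demonstration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# The four subject bodies the campaign used; each mail prefixes one with "FW:" or "RE:".
CAMPAIGN_SUBJECTS = {
    "check the attachment you have to react somehow to this picture",
    "they killed your privacy man your photo is all over facebook! naked!",
    "why did you put this photo online?",
    "you have to check this photo in attachment man",
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")   # what the lure claims the file is (assumed list)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")      # what actually runs on Windows (assumed list)

def subject_matches(subject):
    """Strip the FW:/RE: prefix and compare case-insensitively against the campaign set."""
    return re.sub(r"^(?:fw|re):\s*", "", subject.strip().lower()) in CAMPAIGN_SUBJECTS

def is_double_extension(name):
    """True for 'photo.jpg.exe'-style names: an image extension hiding an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in IMAGE_EXTS and "." + parts[2] in EXEC_EXTS

def zip_has_executable(data):
    """True if a ZIP attachment carries an executable member (the campaign's usual form)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify(raw):
    """Return the reasons a raw RFC 822 message matches this campaign (empty list = no match)."""
    msg = message_from_bytes(raw)
    reasons = ["campaign subject"] if subject_matches(msg.get("Subject", "")) else []
    for part in msg.walk():
        name = part.get_filename() or ""
        if is_double_extension(name):
            reasons.append("double extension: " + name)
        elif name.lower().endswith(".zip") and zip_has_executable(part.get_payload(decode=True)):
            reasons.append("executable inside zip: " + name)
    return reasons

def build_sample(subject, filename, payload):
    """Constructed test message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Hey, have you seen this picture of yours in attachment??")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def build_zip(member):
    """Constructed ZIP holding one placeholder member, used to mimic the .ZIP-with-.exe variant."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder, not a real binary")
    return buf.getvalue()
```

Run `classify()` over a mailbox dump to count matches per day; a match on subject alone is a weaker signal than subject plus attachment shape.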

UAB has 11 prominent MD5s associated with this campaign (and a couple of malformed files):

count md5_hex
24998 b42cf3d2cc829aba1e771f9517b2b97d (38 of 41 detects at VirusTotal)
21754 57f40166fd7cafe84ef51fe5f7776c51 (21 of 41 detects at VirusTotal)
21011 77e7fc1b2addc8ee5ea74e3592d4ab89 (14 of 41 detects at VirusTotal)
14918 76e144a572b4c52e3ddb8bd860dfbdd9 (36 of 41 detects at VirusTotal)
9562 5dea03a160543724d7cf4adda93a28ae (36 of 41 detects at VirusTotal)
9138 061f96cf8f7713d17e580900ba20c6b4 (31 of 42 detects at VirusTotal)
8286 9badf88e346bd0530d4e5248d2bb2f35 (37 of 42 detects at VirusTotal)
6362 d60bfa876dc382908fbcde1c96d5b95f (36 of 42 detects at VirusTotal)
5604 bf7b30a96dc8be8bbfb826158afb2379 (34 of 42 detects at VirusTotal)
4742 8cc36756d15560335ed53c47bd7cbc5e (36 of 42 detects at VirusTotal)
2538 d6f05da06a26d9d731273a0fa26dd7e1 (12 of 42 detects at VirusTotal)

This campaign was seen for the first time on 4/20/12 and was the top campaign seen today. Below is the full list of days and receipt counts, going back to before this week.

receiving_date count
---------------- ------
2012-04-20 6372
2012-04-21 20819
2012-04-22 3182
2012-04-23 5739
2012-04-29 14918
2012-05-03 9252
2012-05-04 308
2012-05-06 2
2012-05-07 9138
2012-05-08 8286
2012-05-08 13
2012-05-11 1279
2012-05-12 4325
2012-05-16 7260
2012-05-17 17053
2012-05-17 13751
2012-05-18 4701
2012-05-18 2538

We have seen at least 6,757 unique IP addresses used to send us copies of this email with one of these malware attachments. When the malware is fresh, as it is each morning in the Emerging Threats By Email report, the detection rates are much lower. For example, here is the status from the May 17th Emerging Threats By Email report:

So, yesterday morning when the report was written, that version of the malware had 7 detects, although as of this writing it has 14.

Nichole Michelle Merzi of Operation Phish Phry gets 5 years

Back in 2009, this blog ran the story FBI's Biggest Domestic Phishing Bust documenting Operation Phish Phry and explaining what was then known of the structure of an international phishing operation with more than 100 members. Yesterday Nichole Michelle Merzi, one of the ring-leaders, was finally sentenced to five years:
Defendant is committed on Counts 1, 34, 35, 38, 39, 48, and 51 of the Indictment to the Bureau of Prisons for 36 months. This term consists of 36 months on each of Counts 1, 34, 35, 38, 39, and 51; 36 months on Count 48, to be served concurrently; and 24 months on Count 46, to be served consecutively; for a total of 60 months. Defendant shall receive credit for any time served. Supervised release for three years.
The case began all the way back on September 30, 2009 with the filing of an indictment that charged:
  • Kenneth Joseph Lucas (1) count(s) 1-9,
  • Nichole Michelle Merzi (2) count(s) 1,
  • Jonathan Preston Clark (3) count(s) 1,
  • Jarrod Michael Akers (4) count(s) 1,
  • Kyle Wendell Akers (5) count(s) 1,
  • Wayne Edwards Arbaugh (6) count(s) 1-2,
  • Demorris Brooks (7) count(s) 1,
  • Antonio Late Colson (8) count(s) 1,
  • Kenneth Crews (9) count(s) 1,
  • Manu T Fifita (10) count(s) 1,
  • Jennifer Anabelle Lopez Gonzalez (11) count(s) 1, 7-9,
  • Tinika Sabrina Gunn (12) count(s) 1,
  • Jason Marcellus Jenkins (13) count(s) 1,
  • Sylvia Johnson (14) count(s) 1,
  • Remar Ahmir Lawton (15) count(s) 1,
  • Kyle Brandon Martin (16) count(s) 1,
  • Franklin Anthony Ragsdale (17) count(s) 1, 4-6,
  • Steven Aaron Saunders (18) count(s) 1,
  • Rynn Spencer (19) count(s) 1,
  • Raquel Raffi Varjabedian (20) count(s) 1,
  • Candace Marie Zie (21) count(s) 1,
  • Ashley A Ager (22) count(s) 1,
  • Latina Shaneka Black (23) count(s) 1,
  • Michael Dominick Gunn Dacosta, Jr (24) count(s) 1,
  • Virgil Phillip Daniels (25) count(s) 1,
  • Tramond S Davis (26) count(s) 1,
  • Shontovia D Debose (27) count(s) 1,
  • Joshua Vincent Fauncher (28) count(s) 1,
  • Krystal Fontenot (29) count(s) 1,
  • Anthony Donnel Fuller (30) count(s) 1, 5-6,
  • Michael Christopher Grier (31) count(s) 1,
  • Bryanna Harrington (32) count(s) 1,
  • Shawn K Jordan (33) count(s) 1-3,
  • Billy Littlejohn Kelly (34) count(s) 1,
  • Reggie B Logan, Jr (35) count(s) 1,
  • Ikinasio Lousiale, Jr (36) count(s) 1,
  • Raymond V Mancillas (37) count(s) 1,
  • David P Mullin (38) count(s) 1,
  • Vincent Nguyen (39) count(s) 1,
  • Ario Plogovii (40) count(s) 1,
  • Brandon R Ross (41) count(s) 1,
  • Alan Elvis St. Pierre (42) count(s) 1,
  • Courtney Monet Sears (43) count(s) 1,
  • Me Arlene Settle (44) count(s) 1,
  • Paula W Sims (45) count(s) 1,
  • Jamie Smith (46) count(s) 1,
  • Brandon Kyle Thomas (47) count(s) 1,
  • Christopher Uhamaka (48) count(s) 1,
  • James Michael Viorato (49) count(s) 1,
  • Jovon Darnell Weems (50) count(s) 1,
  • David D Westbrooks (51) count(s) 1,
  • Bridget Deque Wilkins (52) count(s) 1,
  • Marcus Deshaun Williams (53) count(s) 1.

In a conspiracy case, the prosecution has to show "Overt Acts" committed by each member of the conspiracy in support of the conspiracy, which is how we end up with an 86 page Operation Phish Phry Indictment.

The indictment charges:

18 USC § 1349: Wire and Bank Fraud Conspiracy
18 USC § 1344(1): Bank Fraud
18 USC § 1028A: Aggravated Identity Theft
18 USC § 371: Computer Fraud Conspiracy
18 USC § 1030(a)(4): Computer Fraud
18 USC § 1956(h): Money Laundering Conspiracy
18 USC § 2: Aiding and Abetting and Causing an Act to Be Done

There are 335 Overt Acts charged in the Indictment, such as:

Overt Act No. 14: On July 31, 2008, defendant ZIE sent an SMS message to defendant LUCAS, in Los Angeles County, to transmit the account number and account holder name for the one checking account and one savings account that unindicted coconspirator K.M. opened that day at BOA, which transmission was for the purpose of causing defendant LUCAS, to make and to cause an unauthorized transfer of funds to those accounts and for the purpose of allowing unindicted coconspirator K.M. to withdraw the transferred funds.

Overt Act No. 16: On July 31, 2008, in Los Angeles County, defendant LUCAS caused a computer transfer of funds from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant LOGAN's checking and savings accounts.

(In Overt Acts 17 and 18 Logan then withdraws $900 of that money from checking and $400 from savings.)

Overt Act No. 70: On August 20, 2008, in Los Angeles County, defendant LUCAS caused computer transfers of $350 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's checking account and $1,200 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's savings account.

Overt Act No. 181: On December 11, 2008, in Los Angeles County, defendant JENKINS drove unindicted coconspirator A. J. to a Wells Fargo bank branch located in Los Angeles County to withdraw the $1,000 that defendant LUCAS caused to be deposited into unindicted coconspirator A.J.'s savings account.

Overt Act No. 186: On December 16, 2008, during a telephone conversation with defendant LUCAS, defendant MERZI advised defendant LUCAS that she had caused an unindicted coconspirator to conduct a transfer of funds from a victim bank account at Wells Fargo, which neither Wells Fargo nor the victim had authorized, and next would cause an unauthorized transfer of funds from a victim BOA account.

Overt Act No. 237: On June 14, 2007, in Los Angeles County, defendant K. AKERS transmitted $1,900 by Western Union to unindicted coconspirator E. A.


It goes on like that for some 60 pages. From January 2007 to September 2009, the ringleaders obtained victim credentials; the second tier transferred the funds into accounts opened and controlled by the third tier, who were then driven around and sent into banks to withdraw the money, which was passed back up through management and wired via Western Union to Egypt, with everyone taking a piece of the pie.

For those who are interested in how such a case is argued in court, I've also posted the Operation Phish Phry Closing Arguments PowerPoint. Hundreds of pages of courtroom transcripts are also available from PACER.