Archive for April, 2010

Cops Pull Plug on Rent-a-Fraudster Service for Bank Thieves

April 20, 2010

Cops Pull Plug on Rent-a-Fraudster Service for Bank Thieves: “

callservicebiz

Two Belarusian nationals suspected of operating a rent-a-fraudster service for bank and identity thieves have been arrested overseas, according to New York authorities, who unsealed an indictment for one of the suspects on Monday.

Dmitry Naskovets, 25, and Sergey Semashko, 25, are suspected of creating and operating CallService.biz, a Russian-language site for identity criminals who trafficked in stolen bank-account data and other information. The website displayed an FBI logo Monday and the message, ‘This domain has been seized by the Federal Bureau of Investigation.’

Naskovets has been charged in U.S. District Court for Southern New York with one count each of aggravated identity theft and conspiracy to commit wire fraud and credit card fraud. Semashko has been charged by Belarusian authorities.

Naskovets was arrested in the Czech Republic last Thursday, at the request of U.S. authorities who have filed for extradition. Semashko was arrested the same day in Belarus.

According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking ‘stand-ins’ to help crooks thwart bank security screening measures.

In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

The thieves obtained the information through various means, such as phishing attacks and malware placed on victims’ computers to log their keystrokes.

CallService.biz would then have someone who matched the legitimate account holder’s gender and was proficient in the needed language, pose as the account holder and call the financial institution to authorize the fraudulent transaction.

One client, for example, requested assistance in July 2007 with illegally siphoning $35,000 from a checking account owned by someone in Westchester County, New York. The wire transfer occurred July 17.

The site boasted that its purveyors had served more than 2,000 criminal customers. Authorities wouldn’t say what fees the two allegedly charged or how much they earned from their scheme.

The two advertised their services on other carding sites, such as CardingWorld.cc, which was also operated by Semashko. The ads boasted that their team had conducted more than 5,400 ‘confirmation calls’ to banks.

The FBI seized the domain name pursuant to a seizure warrant.

Additional co-conspirators were also arrested overseas, though authorities didn’t indicate how many.

U.S. Attorney Preet Bharara said in a statement that the site ‘was especially dangerous because it allegedly was specifically designed to bypass the usual security measures that bank and business customers have come to rely on.’

The Department of Justice’s office of international affairs worked with the Belarusian Ministry of Internal Affairs’ high-tech–crime department, the Police Presidium of the Czech Republic and the Lithuanian Criminal Police Bureau Cybercrime Board to coordinate the investigations and arrests.

If convicted on all three counts, Naskovets faces a maximum sentence of 39½ years in prison.


(Via Wired: Threat Level.)

Advertisements

Report: Google Hackers Stole Source Code of Global Password System

April 20, 2010

Report: Google Hackers Stole Source Code of Global Password System: “

The hackers who breached Google’s network last year were able to nab the source code for the company’s global password system, according to the New York Times.

The Single Sign-On password system, which Google referred to internally as Gaia, allows users to log into a constellation of services the company offers — GMail, search, business applications and others — using one password.

The hackers, who are still unknown, were able to steal the code after gaining access to the company’s software repository, which stores the crown jewels for its search engine and other programs.

Because the hackers grabbed the software, and do not appear to have grabbed customer passwords, users aren’t directly affected by the theft. But the hackers could study the software for security vulnerabilities to devise ways to breach the system that could later affect users.

Google announced in January that it and numerous other companies had been hacked in a sophisticated attack. The hackers had targeted source code repositories at many of the companies, including Google.

According to the Times, the theft began when an instant message was sent to a Google employee in China who was using Windows Messenger  The message included a link to a malicious website. Once the employee clicked on the link, the intruders were able to gain access to the employee’s computer and from there to computers used by software developers at Google’s headquarters in California.

The intruders seemed to know the names of the Gaia software developers, according to the Times. The intruders had access to an internal Google corporate directory known as Moma, which lists the work activities of every Google employee.

They initially tried to access the programmer’s work computers and ‘then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored.’

The Times doesn’t elaborate on the set of sophisticated techniques the hackers used to access the source code, but in March, security firm McAfee released a white paper in relation to the Google hack that describes serious security vulnerabilities it found in softeware configuration management systems (SCMs) used by companies that were targeed in the hacks.

‘[The SCMs] were wide open,’ Dmitri Alperovitch, McAfee’s vice president for threat research told Threat Level at the time. ‘No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.’

Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company, according to McAfee. The paper didn’t indicate, however, whether Google used Perforce or had another system in place with vulnerabilities.

According to McAfee’s earlier report, the malicious website the hackers used in the Google hack was hosted in Taiwan. Once the victim clicked on a link to the site, the site downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.

A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command-and-control servers, also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

According to the paper, the hackers were successful at accessing source code because many SCMs are not secured out of the box and do not maintain sufficient logs to help forensic investigators examining an attack.

‘Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,’ the whie paper states. ‘It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree…. As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.’

Alperovitch told Threat Level his company had seen no evidence to indicate that source code at any of the hacked companies had been altered.


(Via Wired: Threat Level.)

Bank Of America Employee Charged for Plotting to Deploy ATM Code for Theft

April 7, 2010

Bank Of America Employee Charged for Plotting to Deploy ATM Code for Theft: “An AP newswire article by Mike Baker, via The Sun News, reports:

A Bank of America Corp. employee plotted to deploy malicious computer code within the company’s systems so that ATM machines would dispense cash without any record of a transaction, federal prosecutors allege in court documents.

Rodney Reed Caverly was tasked with maintaining and designing computer systems at the bank, including computers that conducted ATM transactions. Prosecutors in the western district of North Carolina said he sought to use computer code within the company’s protected computers so that the ATMs would make fraudulent disbursements.

Caverly was able to obtain more than $5,000 during a seven-month period in 2009, prosecutors allege.

The details of Caverly’s case were filed on Thursday in a ‘bill of information’ document, which typically signals that a plea deal is forthcoming. An attorney for Caverly, Christopher Fialko, declined to comment. Federal prosecutors didn’t return a phone call.

More here.

(Via Fergie’s Tech Blog.)

Windows 7 Less Vulnerable Without Admin Rights

April 1, 2010

Windows 7 Less Vulnerable Without Admin Rights: “Most Windows 7 vulnerabilities can be mitigated by administrative rights limitations, report from BeyondTrust finds”

(Via DarkReading – All Stories.)

‘Fog of War’ Led To Operation Aurora Malware Mistake

April 1, 2010

‘Fog of War’ Led To Operation Aurora Malware Mistake: “‘Fog of War’ Led To Operation Aurora Malware Mistake”

(Via DarkReading – All Stories.)

Open Source Keykeriki Captures Wireless Keyboard Traffic

April 1, 2010

Open Source Keykeriki Captures Wireless Keyboard Traffic: “Another interesting attack, rather than going after the PC/Server this one goes after the data sent by wireless devices such as the wireless keyboards sold by Microsoft. The neat thing is by using a replay attack you could also send rogue inputs to the device.
But then it serves Microsoft right for using XOR encryption for […]

Read the full post at darknet.org.uk

(Via Darknet – The Darkside.)

Gulf Times – Qatar’s top-selling English daily newspaper – Qatar

April 1, 2010

Gulf Times – Qatar’s top-selling English daily newspaper – Qatar: ”
Daily Newspaper published by Gulf Publishing & Printing Co. Doha, Qatar

Homepage \Qatar: Latest Update: Monday22/3/2010March, 2010, 01:08 AM Doha Time

Criminals are devising new threat paths, says IT expert
By Sarmad Qazi

Dr K Rama Subramaniam
Sophisticated cyber criminals are successfully finding new threat paths that are going undetected, a cyber criminologist said yesterday.
Dr K Rama Subramaniam, director at Valiant Technologies, India, and Baker Tilly MKM, Abu Dhabi, who is a visiting professor of Cyber Criminology at the University of Madras, further said that cyber crime was no longer about fun.
‘The players now include terrorists, white collar crimin”

(Via .)