Archive for the ‘Cyber Criminals’ Category

Cops Pull Plug on Rent-a-Fraudster Service for Bank Thieves

April 20, 2010

Cops Pull Plug on Rent-a-Fraudster Service for Bank Thieves: “


Two Belarusian nationals suspected of operating a rent-a-fraudster service for bank and identity thieves have been arrested overseas, according to New York authorities, who unsealed an indictment for one of the suspects on Monday.

Dmitry Naskovets, 25, and Sergey Semashko, 25, are suspected of creating and operating, a Russian-language site for identity criminals who trafficked in stolen bank-account data and other information. The website displayed an FBI logo Monday and the message, ‘This domain has been seized by the Federal Bureau of Investigation.’

Naskovets has been charged in U.S. District Court for Southern New York with one count each of aggravated identity theft and conspiracy to commit wire fraud and credit card fraud. Semashko has been charged by Belarusian authorities.

Naskovets was arrested in the Czech Republic last Thursday, at the request of U.S. authorities who have filed for extradition. Semashko was arrested the same day in Belarus.

According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking ‘stand-ins’ to help crooks thwart bank security screening measures.

In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

Thieves could provide the stolen account information and biographical information of the account holder to, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

The thieves obtained the information through various means, such as phishing attacks and malware placed on victims’ computers to log their keystrokes. would then have someone who matched the legitimate account holder’s gender and was proficient in the needed language, pose as the account holder and call the financial institution to authorize the fraudulent transaction.

One client, for example, requested assistance in July 2007 with illegally siphoning $35,000 from a checking account owned by someone in Westchester County, New York. The wire transfer occurred July 17.

The site boasted that its purveyors had served more than 2,000 criminal customers. Authorities wouldn’t say what fees the two allegedly charged or how much they earned from their scheme.

The two advertised their services on other carding sites, such as, which was also operated by Semashko. The ads boasted that their team had conducted more than 5,400 ‘confirmation calls’ to banks.

The FBI seized the domain name pursuant to a seizure warrant.

Additional co-conspirators were also arrested overseas, though authorities didn’t indicate how many.

U.S. Attorney Preet Bharara said in a statement that the site ‘was especially dangerous because it allegedly was specifically designed to bypass the usual security measures that bank and business customers have come to rely on.’

The Department of Justice’s office of international affairs worked with the Belarusian Ministry of Internal Affairs’ high-tech–crime department, the Police Presidium of the Czech Republic and the Lithuanian Criminal Police Bureau Cybercrime Board to coordinate the investigations and arrests.

If convicted on all three counts, Naskovets faces a maximum sentence of 39½ years in prison.

(Via Wired: Threat Level.)


Gulf Times – Qatar’s top-selling English daily newspaper – Qatar

April 1, 2010

Gulf Times – Qatar’s top-selling English daily newspaper – Qatar: ”

Criminals are devising new threat paths, says IT expert
By Sarmad Qazi

Dr K Rama Subramaniam
Sophisticated cyber criminals are successfully finding new threat paths that are going undetected, a cyber criminologist said yesterday.
Dr K Rama Subramaniam, director at Valiant Technologies, India, and Baker Tilly MKM, Abu Dhabi, who is a visiting professor of Cyber Criminology at the University of Madras, further said that cyber crime was no longer about fun.
‘The players now include terrorists, white collar crimin”


PNC: Former National City Bank Accounts Hacked

March 23, 2010

PNC: Former National City Bank Accounts Hacked: “

Some presents just aren’t the kind you want. You buy a new product, get it home, only to find it’s busted. PNC Financial Services Group Inc. found that out the hard way recently after they purchased National City Bank. Turns out that prior to the acquisition there was a data breach affecting customers. Much like herpes, it was an unpleasant surprise.


Bank officials were made aware of the data breach earlier this week, but Solomon would not say how many customers’ accounts have been compromised or how much money was stolen.

PNC Financial, which is based in Pittsburgh, said some customer debit cards were compromised shortly before the company acquired Cleveland-based National City Corp. in December 2008.

This naturally begs the question, why did it take so long to discover? I’d be interested to read more on this story as the details emerge.

Article Link


UPDATE: Here is more on this story from Channel 9 WCPO

Some Charged More than $1,000

Other customers were hit harder.

* Cynthia Suchoski e-mailed to say ‘there was a charge made yesterday at Macy’s in Costa Mesa, California for $1,300’ on her old National City debit card. She was not in California.
* Jonathan Vasiladis told me his old debit card was hit for $4,000 in bogus charges, many of them happening in England.
* And another, who asked that we not use his name, e-mailed to say his PNC account ‘is more than one $1,000 overdrawn,’ again, after unauthorized charges in California.
* A fourth viewer reports another series of unauthorized charges, supposedly from March of Dimes.

(Via Liquidmatrix Security Digest.)

Secret Service Paid TJX Hacker $75,000 a Year

March 23, 2010

Secret Service Paid TJX Hacker $75,000 a Year: “


Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

‘It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,’ says former federal prosecutor Mark Rasch. ‘It’s probably the only thing he was doing — other than hacking into TJX and making millions of dollars.’

Gonzalez’s salary highlights how entwined he was with the government at the time he participated in the largest identity theft crimes in U.S. history. Gonzalez, 28, is set for sentencing this week on three indictments covering nearly every headline-making bank-card theft in recent years, including intrusions at TJX, Office Max, Hannaford Brothers, 7-Eleven and Heartland Payment Systems (which alone exposed magstripe data on 130 million credit and debit cards). The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

Rasch says Gonzalez’s $75,000 is nothing compared to the million-dollar payouts some undercover informants get for high-risk, high-value cases such as Mafia investigations. But Gonzalez’s payments dwarf the meager handouts given previous computer crime informants.

Identity thief Brett Johnson, aka Gollumfun, said he earned $350 a week — the equivalent of about $18,000 a year — while working undercover in the Secret Service’s Columbia, South Carolina, field office helping catch card thieves. Johnson was recruited by the agency in 2005 after he was arrested buying merchandise with counterfeit cashier’s checks; his public service ended 10 months later when agents discovered that, like Gonzalez, Johnson was two-timing them, running a fraudulent tax-return scheme during his off hours that was bringing him an extra $5,000 to $6,000 each week.

Another carder, David ‘El Mariachi’ Thomas, worked undercover for 18 months for the FBI in 2003 and 2004 running a carding site called The Grifters out of a Seattle apartment. The bureau paid rent and expenses for him and his live-in girlfriend, and bought the computers he used to run the undercover operation, but didn’t pay him a salary.

In the 1990s, informant Justin ‘Agent Steal’ Petersen was reportedly paid $200 a week while helping the FBI build a case against Kevin Mitnick, then the number one hacker target on the government’s radar.

For his part, Gonzalez began working for the Secret Service when he was arrested making fraudulent ATM withdrawals in New York. Under the nickname ‘Cumbajohnny,’ he was a top administrator on a carding site called Shadowcrew. The agency cut him loose and put him to work undercover on the site, where he set up a VPN the carders could use to communicate — a supposedly secure communications channel that was actually wiretapped by the Secret Service’s New Jersey office.

That undercover operation, known as ‘Operation Firewall,’ led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to ‘Segvec’ and moved to Miami where he resumed his life of crime under the noses of the agents who were paying him. Authorities finally arrested him in May 2008. After many months, he directed them to a stash of more than $1 million in cash buried in a barrel in the backyard of his parents’ home.

Rasch says a number of factors determine what an informant is paid, such as whether they have specialized technical skills or have infiltrated an underground organization; whether they’re putting themselves or family members at risk; and whether the investigations they work involve stolen funds that the government has a good chance of recovering.

‘If I’m working on a case involving $20 million in fraud and the government is likely to get some of that money back, $75,000 is chump change,’ Rasch says. ‘They don’t use paid informants that often…. Criminals will ordinarily cooperate [without payment] in return for a non-prosecution’ or sentence reduction.

The Department of Justice publishes nonbinding guidelines that discuss the necessity of monitoring informants and assessing a criminal’s suitability to be one, but they don’t provide standards for doing so.

Per the attorney general’s guidelines, two law enforcement representatives are required to witness any payment made to a confidential informant and document the payment in the case files, indicating if it’s for information, services or expenses. The informant must also sign or initial a written receipt.

At the time of the payment, the law enforcement agents are required to advise the confidential informant that the payment may be taxable income that must be reported to the IRS and state agencies.

The Secret Service’s embrace of Gonzalez as a professional informant may have reinforced his criminal behavior. Gonzalez felt he’d been rewarded for his preoccupation with computers, according to a letter written by his sister to one of his sentencing judges.

‘All this seemed okay at the time, but psychologically it was feeding an obsession that in the end would become my brother’s downfall,’ Frances Gonzalez Lago told the court in December.

Gonzalez is set for sentencing Thursday in U.S. District Court in Boston for the TJX, Office Max, and Dave & Buster’s breaches. He appears in front of a different judge the next day for sentencing on the Heartland, Hannaford and 7-Eleven thefts. The government is seeking a sentence of 25 years in prison.


(Via Wired: Threat Level.)

Hackers Sell Twitter Accounts for Up to USD1,000 | HostExploit News

March 8, 2010


‘Aurora’ Attacks Still Under Way, Investigators Closing In On Malware Creators – DarkReading

February 16, 2010

‘Aurora’ Attacks Still Under Way, Investigators Closing In On Malware Creators – DarkReading: ”

‘Aurora’ Attacks Still Under Way, Investigators Closing In On Malware Creators
Researchers find ‘markers’ associated with authors of Aurora malware used in attacks against Google, others
Feb 10, 2010 | 02:27 PM

By Kelly Jackson Higgins
The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.”

BSOD after MS10-015? TDL3 authors “apologize”

February 16, 2010

BSOD after MS10-015? TDL3 authors “apologize”: “

Last November we blogged about a new rootkit spreading around the net. That rootkit, called TDL3 or TDSS or Tidserv (there are many different names for the same malware, as often happens across security companies), was pretty scary because of the new way it compromised the system, using both improved and new tricks.

A couple of months later, we are here to raise the alarm again about this threat, which its creators have kept improving.

The fact is that the team of coders behind this rootkit is working hard to improve its creation. During these months they never stopped updating it, releasing new, rebuilt droppers every day – sometimes several times a day – able to evade generic detection signatures.

All TDL3 droppers have been rebuilt server-side every day during November, December, January and February. This allowed the authors to break weak signatures and badly written generic detection routines. In practice this was the only effective obstacle, since otherwise only a very few specific anti-rootkit tools are able to detect the infection once it is active.

The rootkit itself has also been updated and armored to defend itself against a number of specific anti-rootkit tools. It is interesting to follow the full story of the rootkit, because it looks like a chess game between security vendors and malware authors. It is one of the few times you can see a team of rootkit writers reacting almost in real time to security vendors.

We already knew the rootkit is able to infect a system driver and to filter every disk I/O request by applying a strong filtering mechanism. Now the rootkit has added a watchdog thread able to prevent any change to the service registry key related to the infected driver. By doing so, it blocks some basic cleanup tools.

Another self-defense feature added to the rootkit is that nobody can get a handle to the infected driver file any more. This prevents some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed the infected file to be read, though they showed a clean copy of it. Some security tools used this to recover the original clean copy of the file for restoration.

We have some doubts about the real usefulness of this self-defense feature. While it is true that it is no longer possible to get the original file content, it is also true that it is now easier to spot the infected driver, because every scanner will get no access at all to the file, and that anomaly will be reported.

Last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17-year-old bug. After some users updated their Windows operating systems, they got a scary and really annoying blue screen of death.

Most of those users were angry with Microsoft, but the problem this time is not related to Microsoft. Indeed, a number of the users affected by this BSOD were infected by the TDL3/TDSS rootkit.

More precisely, the TDL3 rootkit is incompatible with the MS10-015 update, and this is the cause of the BSOD. The problem lies in the laziness of the rootkit writers when writing the driver infection routine.

When the rootkit dropper is run, the infection routine calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected into the infected driver can use these offsets to immediately compute the addresses of the functions it wants.

This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. The update changed those offset values and consequently broke the rootkit code. When the update procedure finishes, the system is restarted; at restart, the rootkit code tries to call an invalid address, and this causes the BSOD.
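The failure described above is easy to reproduce from the defender's side: an RVA read out of one kernel build's export directory is simply a different number in the next build. The following is an added example (not Prevx's code and not taken from the rootkit) that parses a PE export directory in pure Python, then builds two constructed, minimal PE32+ stand-ins for a "pre-patch" and "post-patch" kernel whose export RVAs differ. The export names are real kernel exports; the RVAs, section layout and the `offset_still_valid` check are assumptions made up for the demonstration, and the check is exactly what a hard-coded offset never performs.

```python
import struct


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def export_table(image: bytes) -> dict:
    """Parse the PE export directory and return {export name: RVA}."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories start at +112 in a PE32+ optional header, +96 in PE32
    dir_off = opt + (112 if magic == 0x20B else 96)
    exp_rva, _exp_size = struct.unpack_from("<II", image, dir_off)
    if exp_rva == 0:
        return {}
    sec_tbl = opt + opt_size
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sec_tbl + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = rva_to_offset(sections, exp_rva)
    # IMAGE_EXPORT_DIRECTORY: NumberOfFunctions, NumberOfNames, AddressOfFunctions,
    # AddressOfNames, AddressOfNameOrdinals live at +20..+39
    _n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", image, exp + 20)
    funcs_off = rva_to_offset(sections, funcs_rva)
    names_off = rva_to_offset(sections, names_rva)
    ords_off = rva_to_offset(sections, ords_rva)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_off + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords_off + 2 * i)[0]
        name_off = rva_to_offset(sections, name_rva)
        name = image[name_off:image.index(b"\0", name_off)].decode()
        exports[name] = struct.unpack_from("<I", image, funcs_off + 4 * ordinal)[0]
    return exports


def offset_still_valid(image: bytes, name: str, cached_rva: int) -> bool:
    """Hypothetical check: does a cached RVA still name the same export in this build?"""
    return export_table(image).get(name) == cached_rva


def build_fake_kernel(exports: dict) -> bytes:
    """Constructed minimal PE32+ image containing only an export directory.
    It stands in for a kernel build in this example; it is not a real ntoskrnl."""
    names = sorted(exports)
    n = len(names)
    sec_rva, sec_raw = 0x1000, 0x400
    funcs_rva = sec_rva + 40            # directory header is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    str_blob, name_ptrs = b"", []
    for nm in names:
        name_ptrs.append(str_rva + len(str_blob))
        str_blob += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    body += b"".join(struct.pack("<I", p) for p in name_ptrs)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += str_blob
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(body))   # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(body), sec_rva, len(body),
                      sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(sec_raw, b"\0") + body


# Constructed sample builds: real export names, made-up RVAs that shift between
# builds the way a kernel update shifts them.
PRE_PATCH = build_fake_kernel({"KeInitializeTimer": 0x31A0, "ExAllocatePoolWithTag": 0x4F60})
POST_PATCH = build_fake_kernel({"KeInitializeTimer": 0x32C0, "ExAllocatePoolWithTag": 0x5080})

if __name__ == "__main__":
    cached = export_table(PRE_PATCH)["KeInitializeTimer"]   # the value a dropper would hard-code
    print("pre-patch  still valid:", offset_still_valid(PRE_PATCH, "KeInitializeTimer", cached))
    print("post-patch still valid:", offset_still_valid(POST_PATCH, "KeInitializeTimer", cached))
```

Run against a real `ntoskrnl.exe` from before and after a kernel update, `export_table` shows the same shift in RVAs for the exports named in the article; legitimate drivers avoid the problem by resolving routines by name at load time rather than caching offsets on disk.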

The good news is that the TDL3 authors care about us: within a couple of hours they released a new, updated version of the rootkit compatible with the Microsoft patch.

Sadly, the number of users affected by this BSOD is quite high, which means the rootkit infection is spreading quickly.

Moreover, a parallel version of the TDL3 rootkit is spreading too. This one uses an old infection technique, already seen in one of the first versions of TDL3. The injected DLL is no longer called tdlcmd.dll but z00clicker.dll.

International law enforcement should really consider cooperating with security vendors and try to shut down this botnet by tracking down the gang behind it. They are active and able to release updates every day. They are already a serious threat that should be defeated as soon as possible.

If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers get rid of the TDL3 infection.

(Via Prevx Blog.)

Shadowserver Foundation Blog: DDoS for Hire – More cooperation, or new competition?

January 9, 2010

Shadowserver Foundation – Calendar – 2010-01-09

Saturday, 9 January 2010
DDoS for Hire – More cooperation, or new competition?

I’ve always been interested in DDoS attacks, not only for their technical aspects, but also their social, economic, or political aspects. This past summer, several of us were closely watching a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the “hack-off” group used the domains ‘” & “” for their command and control. What was particularly interesting about ‘hack-off’ was their attack campaigns on targeted industries and groups. Such industries included:

hack-off DDoS targeted industries

* Online pharmacies
* Porn sites
* Automotive parts suppliers
* Replica Watches
* Online Gambling
* Logo Design companies
* Sporting goods and sportswear
* Healthcare products
* Electronics vendors

Many of the attack victims were fairly high profile, and law enforcement agencies from at least 5 different countries became involved. Eventually, with the assistance of cert-ru and Affilias, the domains were suspended and by October 2009, the ‘hack-off’ crew was offline.

Recently while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are seen being used for command and control:

New DDoS controllers

Over 250 different sites were targeted for DDoS from these controllers since November, 2009. The victim sites were fairly diverse, but were seen predominately in the following industries:

Industries targeted by atatata and friends

* Car buying sites
* Footwear
* Sporting goods
* Jewelry
* Gambling and Lottery
* Watches
* Appliances
* Travel and Tourism

The domains used by these controllers have been run on various hosting providers as described below. has also been seen dropping FakeAv as well as other malware. Another active botnet domain on the same IP as, is, however I haven’t yet seen DDoS related activity from them.

The IP address listed first is the currently active IP for that domain. The listing below also shows the nameserver history for each domain.
Domain information

* – AS50033 – GROUP3-AS GROUP 3 LLC.
* – AS15756 -CARAVAN
* – ??


* – AS4837 – CHINA169-Backbone
* – AS9929 – China Netcom Corp.
* – AS9394 – CHINA RAILWAY Internet

Registrar:Directi Internet Solutions

* – AS4837 – CHINA169-Backbone
* – AS9929 – China Netcom Corp.
* – AS9394 – CHINA RAILWAY Internet
* – AS36351 – SoftLayer
* – AS36351 – SoftLayer
* – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected

* 8/22/09
* 8/29/09
* 9/5/09
* 9/6/09
* 9/7/09
* 9/11/09

* – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich


While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are these new criminal groups rising up to compete in the lucrative world of DDoS? Or are we just seeing more cooperation and consolidation of efforts among the usual and familiar players?

We’ll continue to keep an eye on any new attacks from these controllers as well as the providers from where they are hosted.

=>Posted January 09, 2010, at 10:25 AM by Andre’ – Semper_Securus

(Via DDoS for Hire – More cooperation, or new competition?.)

Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

January 8, 2010

Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

Patriot Hacker Hits Jihad With DDoS Attacks
January 7, 2010 by ADMIN · Comment
By Richard Stiennon, Chief Research Analyst, IT-Harvest
I had an interesting demonstration this evening from a hacker who goes by the handle ‘The Jester’ or in so-called l33t speak, th3j35t3r which is his Twitter ID.
Since January 1, The Jester has been systematically wreaking havoc with several websites he associates with Al Qaeda and Jihadists via a Denial of Service attack delivered over the web through a Swedish anonymizer service (
The Jester has been documenting his attacks against,,,,,,,, since the beginning of 2010.
Early today he posted:
Official Presidency Website of …”

‘Bulletproof’ safe havens are all the rage for Internet pirates

January 7, 2010

‘Bulletproof’ safe havens are all the rage for Internet pirates: ”

Filed under: Internet, P2P
‘Bulletproof’ safe havens are all the rage for Internet pirates
by Sebastian Anthony (RSS feed) Jan 6th 2010 at 12:02PM

Have you ever put much thought into Internet piracy?

‘Ooh, cool, tons of free stuff!’ — no, I mean, really thought about it.

In almost every Western nation software and music piracy is theft. In the eyes of the law it’s wrong. There’s simply nothing more to it: it’s intellectual property that you’re stealing from the property’s owner. As mere users, just single faces in a crowd of millions, we’re relatively safe. It’s like stealing an apple from a busy market stall: it’s not particularly hard, it’s not very damaging — and at the end of the day, it’s hard to catch a single thief in a crowd of millions.

Organized crime, on the other hand, is serious business. You can “
