http://krebsonsecurity.com In-depth security news and investigation Thu, 03 Sep 2015 21:15:25 +0000 en-US hourly 1 http://wordpress.org/?v=4.3 http://krebsonsecurity.com/2015/09/more-atm-insert-skimmer-innovations/ http://krebsonsecurity.com/2015/09/more-atm-insert-skimmer-innovations/#comments Thu, 03 Sep 2015 21:15:25 +0000
Most of us know to keep our guard up when withdrawing cash from an ATM and to look for any signs that the machine may have been tampered with. But ATM fraud experts say they continue to see criminal innovations with “insert skimmers,” wafer-thin data theft devices that fit inside the ATM’s card acceptance slot and do not alter the outward appearance of a compromised cash machine.
The insert skimmer pictured below was recently pulled from an ATM in Europe. According to a report by the European ATM Security Team (EAST), this type of device is inserted through the card reader throat and then sits inside the card reader capturing the data of cards that are subsequently inserted.
Of course, an insert skimmer alone isn’t going to capture your PIN. For that, thieves typically rely on cleverly hidden tiny cameras. Often, the spy camera is tucked inside a false panel above or directly beside the PIN pad. But as I’ve noted in stories about skimming attacks that never touch the ATM (such as vestibule door skimmers), crooks often get very creative, hiding cameras behind things like convex mirrors — or even phony fire alarms.
The image below was captured last year by a U.S.-based bank’s own ATM security camera. It shows a skimmer scammer getting ready to install a tiny camera hidden inside of a fake fire alarm.
Broken record alert: Consumers can foil the vast majority of skimming attacks merely by covering the PIN pad with their hand when entering their PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).
I also wanted to share an update on a relatively new form of skimming that I first wrote about in November 2014 known as “ATM wiretapping” attacks. These schemes involve a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.
According to EAST, six countries reported ATM wiretapping attacks. “Typically such devices have been installed through holes drilled (or melted) below or to the right of the card reader entry throat,” EAST notes. We can see the hole drilled by the thieves in the attack on the ATM pictured above, which was covered up by the phony decal shown here removed and resting to the right of the PIN pad:
Finally, EAST’s report has an update on another type of ATM attack that is alarmingly more common these days: Those in which crooks use gas or solid explosives to blow cash machines to smithereens. Banks in at least 11 countries reported attacks on ATMs involving explosive gas, according to EAST’s latest report in July.
“Two countries reported significant increases in such attacks, and another country reported extensive collateral damage to buildings and nearby ATMs,” EAST’s Lachlan Gunn wrote. “Two countries also reported attacks using solid explosives. One of them reported that criminals perpetrating explosive attacks (gas and solid) are getting more violent and are employing para-military type tactics and weapons.”
Such attacks are becoming so common that some ATM makers are actually blowing up their own cash machines in test environments to see how they can be hardened with countermeasures. The image to the right shows the aftermath of one such test.
Fortunately, I’m not aware of any reports yet of paramilitary hoodlums lobbing grenades or blasting bazookas at U.S.-based ATMs…yet.
On that note, as this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices: It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, if you have the choice between using a free-standing ATM and one that is located inside of or attached to a bank, the latter is usually a safer bet.
http://krebsonsecurity.com/2015/09/more-atm-insert-skimmer-innovations/feed/ 0 http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/ http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/#comments Wed, 02 Sep 2015 14:27:20 +0000
The Office of Personnel Management (OPM) has awarded a $133 million contract to a private firm in an effort to provide credit monitoring services for three years to nearly 22 million people who had their Social Security numbers and other sensitive data stolen by cybercriminals. But perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.
Not long after news broke that Chinese hackers had stolen SSNs and far more sensitive data on 4.2 million individuals — including background investigations, fingerprint data, addresses, medical and mental-health history, and financial history — OPM announced it had awarded a contract worth more than $20 million to Austin, Texas-based identity protection firm CSID to provide 18 months of protection for those affected.
Soon after the CSID contract was awarded, the OPM acknowledged that the breach actually impacted more than five times as many individuals as originally thought. In response, the OPM has awarded a $133 million contract to Portland, Ore. based ID Experts.
No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims. While state-sponsored hackers thought to be responsible for this breach were likely interested in the data for more strategic than financial reasons (recruiting, discovering and/or thwarting spies), the OPM should not force breach victims to pay for true protection.
As I’ve noted in story after story, identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.
Many of these third party services also induce people to provide even more information than was leaked in the original breach. For example, CSID offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.
The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.
But there’s a catch: Depending on the state in which you reside, the freeze can cost $5 to $15 per credit bureau. Also, in some states consumers can be charged a fee to temporarily lift the freeze.
It is true that most states allow consumers who can show they have been or are likely to be a victim of ID theft to obtain the freezes for free, but this generally requires the consumer to file a police report, obtain and mail a copy of that report along with photocopied identity documents, and submit an affidavit swearing that the victim believes his or her statement about identity theft to be true.
Unsurprisingly, many who seek the comprehensive protection offered by a freeze in the wake of a breach are more interested in securing the freeze than they are untangling a huge knot of red tape, and so they pay the freeze fees and get on with their lives.
The OPM’s advisory on this breach includes the same boilerplate advice sent to countless victims in other breaches, including the admonition to monitor’s one’s financial statements carefully, to obtain a free copy of one’s credit report from annualcreditreport.com, and to consider filing a free and/or fraud alert with the three major credit bureaus. Nowhere does the agency mention the availability or merits of establishing a security freeze.
If you were affected by the OPM breach, or if you’re interested in learning more about what you can do to protect your identity, please read this story.
Update, 2:30 p.m. ET: Identity Theft Guard Solutions LLC was the original, founding name of ID Experts, the Portland-based company that won the $133 million contract from the OPM. The story above has been changed to include the new name.
http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/feed/ 57 http://krebsonsecurity.com/2015/09/like-kaspersky-russian-antivirus-firm-dr-web-tested-rivals/ http://krebsonsecurity.com/2015/09/like-kaspersky-russian-antivirus-firm-dr-web-tested-rivals/#comments Tue, 01 Sep 2015 17:30:43 +0000
A recent Reuters story accusing Russian security firm Kaspersky Lab of faking malware to harm rivals prompted denials from the company’s eponymous chief executive — Eugene Kaspersky — who called the story “complete BS” and noted that his firm was a victim of such activity. But according to interviews with the CEO of Dr.Web — Kaspersky’s main competitor in Russia — both companies experimented with ways to expose antivirus vendors who blindly accepted malware intelligence shared by rival firms.
The Reuters piece cited anonymous, former Kaspersky employees who said the company assigned staff to reverse-engineer competitors’ virus detection software to figure out how to fool those products into flagging good files as malicious. Such errors, known in the industry as “false positives,” can be quite costly, disruptive and embarrassing for antivirus vendors and their customers.
Reuters cited an experiment that Kaspersky first publicized in 2010, in which a German computer magazine created ten harmless files and told antivirus scanning service Virustotal.com that Kaspersky detected them as malicious (Virustotal aggregates data on suspicious files and shares them with security companies). The story said the campaign targeted antivirus products sold or given away by AVG, Avast and Microsoft.
“Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010,” wrote Reuters’ Joe Menn. “When Kaspersky’s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.”
Eugene Kaspersky posted a lengthy denial of the story on his personal blog, calling the story a “conflation of a number of facts with a generous amount of pure fiction.” But according to Dr.Web CEO Boris Sharov, Kaspersky was not alone in probing which antivirus firms were merely aping the technology of competitors instead of developing their own.
In an interview with KrebsOnSecurity, Sharov said Dr.Web conducted similar analyses and reached similar conclusions, although he said the company never mislabeled samples submitted to testing labs.
“We did the same kind of thing,” Sharov said. “We went to the [antivirus] testing laboratories and said, ‘We are sending you clean files, but a little bit modified. Could you please check what your system says about that?’”
Sharov said the testing lab came back very quickly with an answer: Seven antivirus products detected the clean files as malicious.
“At this point, we were very confused, because our explanation was very clear: ‘We are sending you clean files. A little bit modified, but clean, harmless files,’” Sharov recalled of an experiment the company said it conducted over three years ago. “We then observed the evolution of these two files, and a week later, half of the antivirus products were flagging them as bad. But we never flagged these ourselves as bad.”
Sharov said the experiments by both Dr.Web and Kaspersky — although conducted differently and independently — were attempts to expose the reality that many antivirus products are simply following the leaders.
“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,” Sharov said. “It’s unacceptable.”
According to Sharov, a good antivirus product actually consists of two products: One that is sold to customers in a box and/or or online, and the second component that customers will never see — the back-end internal infrastructure of people, machines and databases that are constantly scanning incoming suspicious files and testing the overall product for quality assurance. Such systems, he said, include exhaustive “clean file” tests, which scan incoming samples to make sure they are not simply known, good files. Programs that have never been seen before are nearly always given more scrutiny, but they also are a frequent source of false positives.
“We have sometimes false positives because we are unable to gather all the clean files in the world,” Sharov said. “We know that we can get some part of them, but pretty sure we never get 100 percent. Anyway, this second part of the [antivirus product] should be much more powerful, to make sure what you release to public is not harmful or dangerous.”
Sharov said some antivirus firms (he declined to name which) have traditionally not invested in all of this technology and manpower, but have nevertheless gained top market share.
“For me it’s not clear that [Kaspersky Lab] would have deliberately attacked other antivirus firm, because you can’t attack a company in this way if they don’t have the infrastructure behind it,” Sharov said.
“If you carry out your own analysis of each file you will never be fooled like this,” Sharov said of the testing Dr.Web and Kaspersky conducted. “Some products prefer just to look at what others are doing, and they are quite successful in the market, much more successful than we are. We are not mad about it, but when you think how much harm could bring to customers, it’s quite bad really.
Sharov said he questions the timing of the anonymous sources who contributed to the Reuters report, which comes amid increasingly rocky relations between the United States and Russia. Indeed, Reuters reported today the United States is now considering economic sanctions against both Russian and Chinese individuals for cyber attacks against U.S. commercial targets.
Missing from the Reuters piece that started this hubub is the back story to what Dr.Web and Kaspersky both say was the impetus for their experiments: A long-running debate in the antivirus industry over the accuracy, methodology and real-world relevance of staged antivirus comparison tests run by third-party firms like AV-Test.org and Av-Comparatives.org.
Such tests often show many products block 99 percent of all known threats, but critics of this kind of testing say it doesn’t measure real-world attacks, and in any case doesn’t reflect the reality that far too much malware is getting through antivirus defenses these days. For an example of this controversy, check out my piece from 2010, Anti-Virus Is a Poor Substitute for Common Sense.
How does all this affect the end user? My takeaway from that 2010 story hasn’t changed one bit: If you’re depending on an anti-virus product to save you from an ill-advised decision — such as opening an attachment in an e-mail you weren’t expecting, installing random video players from third-party sites, or downloading executable files from peer-to-peer file sharing networks — you’re playing a dangerous game of Russian Roulette with your computer.
Antivirus remains a useful — if somewhat antiquated and ineffective — approach to security. Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats. The most important layer in that security defense? You! Most threats succeed because they take advantage of human weaknesses (laziness, apathy, ignorance, etc.), and less because of their sophistication. So, take a few minutes to browse Krebs’s 3 Rules for Online Safety, and my Tools for a Safer PC primer.
http://krebsonsecurity.com/2015/09/like-kaspersky-russian-antivirus-firm-dr-web-tested-rivals/feed/ 33 http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/ http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/#comments Fri, 28 Aug 2015 13:46:10 +0000
Authorities in the United Kingdom this week arrested a half-dozen young males accused of using the Lizard Squad’s Lizard Stresser tool, an online service that allowed paying customers to launch attacks capable of taking Web sites offline for up to eight hours at a time.
The Lizard Stresser came to prominence not long after Christmas Day 2014, when a group of young n’er-do-wells calling itself the Lizard Squad used the tool to knock offline the Sony Playstation and Microsoft Xbox gaming networks. As first reported by KrebsOnSecurity on Jan. 9, the Lizard Stresser drew on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords. The LizardStresser service was hacked just days after that Jan. 9 story, and disappeared shortly after that.
“Those arrested are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous,” reads a statement from the U.K.’s National Crime Agency (NCA). “Organisations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies and a number of online retailers.”
The NCA says investigators also in the process of visiting 50 addresses linked to individuals registered on the Lizard Stresser Website but who haven’t yet carried out any apparent attacks. The agency notes that one-third of those individuals are below the age of 20, and that its knock-and-talk efforts are part of its wider work to address younger people at risk of entering into serious forms of cybercrime.
According to research published this month, the Lizard Stresser had more than 176 paying subscribers who launched more than 15,000 attacks against 3,907 targets in the two months the service was in operation.
For more information about how to beef up the security your Internet router, check out the “Harden Your Hardware” subsection in the post Tools for a Safer PC.
http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/feed/ 21 http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/ http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/#comments Fri, 28 Aug 2015 01:01:54 +0000
The FBI today warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of $179 million in so-called business e-mail compromise (BEC) scams, also known as “CEO fraud.” The latest figures show a marked 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than $1.2 billion, the FBI said.
“The scam has been reported in all 50 states and in 79 countries,” the FBI’s alert notes. “Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”
CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.
Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.
They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with key words like “invoice,” “deposit” and “president.”
On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.
In these cases, the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is the spoofed domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.
The FBI’s numbers would seem to indicate that the average loss per victim is around $100,000. That may be so, but some of the BEC swindles I’ve written about thus far have involved much higher amounts. Earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a BEC scam.
In February, con artists made off with $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.
In March 2015, I posted the story Spoofing the Boss Turns Thieves a Tidy Profit, which recounted the nightmarish experience of an Ohio manufacturing firm that came within a whisker of losing $315,000 after an employee received an email she thought was from her boss asking her to wire the money to China to pay for some raw materials.
The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.
Consumers are not immune from these types of scams. According to a related advisory posted the FBI today, in the three months between April 1, 2015 and June 30, 2015, the agency received 21 complaints from consumers who suffered losses of nearly $700,000 after having their inboxes hijacked or spoofed by thieves. The FBI said it identified approximately $14 million in attempted losses associated with open FBI investigations into such crimes against consumers.
http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/feed/ 23 http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/ http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/#comments Wed, 26 Aug 2015 16:04:47 +0000
AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.
It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.
Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.
I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.
After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.
On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.
The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”
I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?
Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”
A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.
WHO IS THADEUS ZU?
As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey– thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).
Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections and do not appear to be personal photos of any kind.
A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.
Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.
That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow).
Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.
Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).
Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.
Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:
“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange
A month later, on Feb. 7, 2014, Zu offered this tidbit of info:
“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”
To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; He sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.
But there may something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.
Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.
It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.
KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.
http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/feed/ 354 http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/ http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/#comments Mon, 24 Aug 2015 19:16:11 +0000
Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggests that AshleyMadison’s top leadership hacked into a competing dating service in 2012.
Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said were emails lifted from AshleyMadison CEO Noel Biderman.
A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Neither Bhatia nor Biderman could be immediately reached for comment. KrebsOnSecurity.com spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate, and that it looked like a number of fake data dumps the company had seen in the weeks prior. Hours later, the leak had been roundly confirmed as legitimate by countless users on Twitter who were able to find their personal data in the cache of account information posted online.
The leaked Biderman emails show that a few months before Bhatia infiltrated Nerve.com, AshleyMadison’s parent firm — Avid Life Media — was approached with an offer to partner with and/or invest in the property. Email messages show that Bhatia initially was interested enough to offer at least $20 million for the company along with a second property called flirts.com, but that AshleyMadison ultimately declined to pursue a deal.
More than six months after Bhatia came to Biderman with revelations of the nerve.com security vulnerabilities, Biderman was set to meet with several representatives of the company. “Should I tell them of their security hole?” Biderman wrote to Bhatia, who doesn’t appear to have responded to that question via email.
The cache of emails leaked from Biderman run from January 2012 to July 7, 2015 — less than two weeks before the attackers publicized their break-in on July 19. According to a press conference held by the Toronto Police today, AshleyMadison employees actually discovered the breach on the morning of July 12, 2015, when they came to work and powered on their computers only to find their screens commandeered with the initial message from the Impact Team — a diatribe accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.
Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.
“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison Director of Security Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].
As bad as this breach has been for AshleyMadison and its millions of users, it’s likely nowhere near over: Hackers who have been combing through the company’s leaked email records have just released a “selected dox” archive — a collection of documents, images and other data from Biderman’s inbox, including a 100-page movie script co-written by Biderman called “In Bed With Ashley Madison.” Also included in the archive are dozens of other sensitive documents, including a scan of the CEO’s drivers license, copies of personal checks, bank account numbers, home address, and his income statements for the last four years.
Also, the Impact Team still have not released data from the other Avid Life Media property they claim to have hacked — Establishedmen.com, a “sugar daddy” site that claims to connect wealthy men with willing young women.
Earlier today, Toronto Police announced that Avid Life Media had offered a $500,000 reward for information leading to the arrest and prosecution of the hacker or hackers responsible for the breach. But many readers took to Twitter or to the comments section on this site to denounce the bounty as an overdue or cynical ploy, with some saying the company should have offered the reward weeks ago — before the Impact Team released the company’s entire user database and caused so much irreversible damage.
Leaving aside the proliferation of sites that now allow suspicious spouses to search for their significant other’s email address in the AshleyMadison data leak, some users are finding themselves on the receiving end of online extortion attacks. Worse still, Toronto Police told reporters this morning that they have two unconfirmed reports of suicides associated with the leak of AshleyMadison customer profiles.
http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/feed/ 73 http://krebsonsecurity.com/2015/08/ashleymadison-500k-bounty-for-hackers/ http://krebsonsecurity.com/2015/08/ashleymadison-500k-bounty-for-hackers/#comments Mon, 24 Aug 2015 15:20:44 +0000
AshleyMadison.com, an online cheating service whose motto is “Life is Short, Have an Affair,” is offering a $500,000 reward for information leading to the arrest and prosecution of the individual or group of people responsible for leaking highly personal information on the company’s more than 30 million users.
The bounty offer came at a press conference today by the police in Toronto — where AshleyMadison is based. At the televised and Webcast news conference, Toronto Police Staff Superintendant Bryce Evans recounted the key events in “Project Unicorn,” the code name law enforcement officials have assigned to the investigation into the attack. In relaying news of the reward offer, Evans appealed to the public and “white hat” hackers for help in bringing the attackers to justice.
“The ripple effect of the impact team’s actions has and will continue to have a long term social and economic impacts, and they have already sparked spin-offs of crimes and further victimization,” Evans said. “As of this morning, we have two unconfirmed reports of suicides that are associated [with] the leak of AshleyMadison customer profiles.”
Evans did not elaborate on the suicides, saying only that his office is investigating those reports. The San Antonio Express-News reported Friday that a city worker whose information was found in the leaked AshleyMadison database took his life last Thursday, although the publication acknowledges that it’s unclear whether the worker’s death had anything to do with the leak.
Evans warned the public and concerned AshleyMadison users to be on guard against a raft of extortion scams that are already popping up and targeting the site’s customers. On Friday, KrebsOnSecurity featured an exclusive story about one such extortion scheme that threatened to alert the victim’s spouse unless the recipient paid the attacker a Bitcoin (worth slightly more than USD $250). The Toronto Police posted this image of a similar extortion attempt that they have seen making the rounds.
“Criminals have already engaged in online scams by claiming to provide access to the leaked web site,” he said. “The public needs to be aware that by clicking on these links, you are exposing your computer to adware and spyware and viruses. Also there are those offering to erase customer profiles from the list. Nobody is going to be able to erase that information.”
Evans said AshleyMadison employees first learned of the intrusion when they arrived at work on the morning July 12, 2015. Evans said employees powered on their computers and were presented with the initial message from the Impact Team — the hacker group that has claimed responsibility for the breach — accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.
The Toronto Police Department is encouraging anyone with information about the attacker(s) to contact them via phone or Twitter. Likewise, the department is asking victims of extortion attacks tied to the data leak not to pay the ransom demands, but instead to report the crimes at the addresses and/or numbers listed below.
http://krebsonsecurity.com/2015/08/ashleymadison-500k-bounty-for-hackers/feed/ 62 http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/ http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/#comments Fri, 21 Aug 2015 17:51:14 +0000
People who cheat on their partners are always open to extortion by the parties involved. But when the personal details of millions of cheaters get posted online for anyone to download — as is the case with the recent hack of infidelity hookup site AshleyMadison.com — random blackmailers are bound to pounce on the opportunity.
According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.
Earlier today I heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service. Here’s one that he blocked this morning (I added a link to the bitcoin address in the message, which shows nobody has paid into this particular wallet yet):
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:
1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]
Sending the wrong amount means I won’t know it’s you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here…..
The individual who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not especially this one in particular.
“If I put myself in [the extortionist’s] shoes, the likelihood of them disclosing stuff doesn’t increase their chance of getting money,” said Mac. “I just not going to respond.”
Mac says he’s more worried about targeted extortion attacks. A few years ago, he met a woman via AshleyMadison and connected both physically and emotionally with the woman, who is married and has children. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats.
Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address.
“So they have my home billing address and first and last name, so it would be relatively easy for them to get my home records and figure out who I am,” Mac said. “I’ll accept the consequences if this does get disclosed, but obviously I’d rather not have that happen because my wife and I are both very happy in our marriage.”
Unfortunately, the extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
Kellerman is convinced we’ll see criminals leveraging the AshleyMadison data to conduct spear-phishing attacks aimed at delivering malicious software such as ransomware, a different type of extortion threat that locks the victim’s most treasured files with a secret encryption key unless and until the victim pays a ransom (also in Bitcoins).
“There is going to be a dramatic crime wave of these types of virtual shakedowns, and they’ll evolve into spear-phishing campaigns that leverage crypto malware,” Kellerman said. “The same criminals who enjoy deploying ransomware would love to use this data.”
The leaked AshleyMadison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked AshleyMadison database, and this has top military officials just a tad concerned.
According to The Hill, the U.S. Defense Secretary Ash Carter said in his daily briefing Thursday that the DoD is investigating the leak.
“I’m aware of it, of course it’s an issue, because conduct is very important,” Carter told reporters at the briefing, The Hill reported. The publication notes that adultery in the military is a prosecuteable offense under Article 134 of the Uniform Code of Military Justice. Maximum punishment includes dishonorable discharge, forfeiture of all pay and allowances, and confinement for one year. As such, Carter told reporters that service members found to have used adultery website Ashley Madison could face disciplinary action.
Kellerman said attacks against military personnel who used AshleyMadison may well target spouses of people whose information is included in the database — all in a bid to infect the spouse as a way to eventually steal information from the real target (the cheating military husband or wife).
“Something must already be going on for [the Secretary of Defense] to actually have a press conference on that,” Kellerman said. “We may actually see spear-phishing campaigns against spouses of individuals who are involved in this, attacks that say, ‘Hey, your wife or husband was involved in this site, do you want to see proof of that?’
And the proof, in this scenario, would be a a booby-trapped attachment that deploys spyware or malware.
Mac, who’s not a military man, says he doesn’t regret the affair he had via AshleyMadison; his only regret is not finding a way to keep his home address out of his records on the site.
“I regret using my home address and some of my personal information that AshleyMadison didn’t take as good care of as they should have,” he said. “But I really, I’m mad these hackers feel it’s so important to force the hand of people that have a different outlook on life.”
The AshleyMadison data is leaked on various sites, but the data itself is not easily searchable by folks who aren’t familiar with raw database files. However, several sites have since popped up that allow anyone to search by email address to find if that address had an account at AshleyMadison.com. True, AshleyMadison.com did not always verify email addresses, but some of these AshleyMadison search services coming online will indicate whether the associated email address also has a payment record — a marker which could be useful to extortionists.
http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/feed/ 292 http://krebsonsecurity.com/2015/08/street-gangs-tax-fraud-and-drop-hoes/ http://krebsonsecurity.com/2015/08/street-gangs-tax-fraud-and-drop-hoes/#comments Fri, 21 Aug 2015 02:31:31 +0000
Authorities across the United States this week arrested dozens of gang members who stand accused of making millions of dollars stealing consumer identities in order to file fraudulent tax refund requests with the Internal Revenue Service (IRS). The arrests highlight the dramatic shift in gang activity in recent years from high-risk drug dealing to identity fraud — a far less risky yet equally lucrative crime.
According to a story last week at CBS in Los Angeles, some 32 members of the so-called Insane Crip gang and their associates were charged with 283 counts of criminal conspiracy, 299 counts of identity theft, 226 counts of grand theft and 58 counts of attempted theft. Together, they are accused of operating a $14.3 million identity theft and tax fraud scheme.
In Elizabeth, N.J., 14 members of a street gang were arrested in a 49-count indictment charging the defendants with a range of “white-collar crimes,” including filing false tax returns and manufacturing fake gift cards to collect thousands of dollars. According to NJ.com, the money from the scams was used to support members of the 111 Neighborhood Crips and to aid other gang members who were in jail or prison.
“All 14 defendants face charges under New Jersey’s Racketeer Influenced and Corrupt Organizations (RICO) statute,” NJ’s Tom Haydon writes. “Defendants allegedly bought stolen identities of real people for use in the preparation of fraudulent W-2 forms. Those forms were used for fraudulent income tax returns filed early in the tax season.”
Tax return fraud costs consumers and the U.S. Treasury more than $6 billion annually, according the U.S. Government Accountability Office. And that number is by all accounts conservative. It should not be a surprise that street gangs are fast becoming the foot soldiers of cybercrime, which very often requires small armies of highly mobile individuals who can fan out across cities to cash out stolen credit cards and cash in on hijacked identities.
Tax fraud has become such an ingrained part of the modern gang culture that there is a growing set list of anthems to the crime — a type of rap music that evokes the Narcocorrido ballads of the Mexican drug cartels in that it glorifies making money from identity theft, credit card fraud and tax return fraud.
A key component of cashing out tax return fraud involves recruiting unwitting or willing accomplices to receive the fraudulent refunds. Earlier this year, I wrote about Isha Sesay, a Pennsylvania woman who was arrested for receiving phony IRS refunds on behalf of at least two tax fraud victims — including Mike Kasper, the guy who helped expose the IRS’s pervasive authentication weaknesses and later testified to Congress about his ordeal.
Turns out, the sorts of gang members arrested in the above-mentioned crime sweeps have a different nickname for people like Ms. Sesay: Instead of money mules, they’re derisively known as “drop hoes.” In cybercriminal parlance, a “drop” is a person who can be recruited to help forward stolen funds or merchandise on to the criminals, providing a pivotal buffer against the cops for the thieves.
In this Youtube video (not safe for work), a self-styled rapper calling himself “J-Creek” opines about not being able to find enough drop hoes to help him cash out $40,000 in phony tax refund deposits to prepaid debit cards. It’s been a while since I’ve listened to pop music (let alone rap) but I think this work speaks for itself (if rather lewdly).
Here are a few choice quotes from the song (I cut out much of it, and someone please correct me if I somehow butchered the lyrics here). I think my all-time favorite line is the one about the role of Intuit’s TurboTax: “She got them stacks then went tax on the turbo.”
Without further ado:
“Tax season again
I need a drop hoe bitch
I wanna be your boyfriend”
“I wanna drop hoe
I mean a drop hoe
That’s waitin’ on the debit card to hit the box hoe”
“Shorty gotta a whole crib and a new range
Said her home girl came with a few names
Told me all a nigga need is a laptop
And she gonna show me what to do to make a tax drop”
“Got a check for forty grand she goin’ buy a hummer
Ball hard got it all from playin’ with numbers
Told her when she break me off I’ma buy a crib
And take it straight to the kit to teach her how to whip”
“I ain’t tryna be on trial resident of the state
You think I’m probably going down federal pen
Scared of money stay broke nigga fuck you
And I’ma steal your information on the dub too [W-2]”
“Bitch gimme nuff to fly stay sky high
Man I own a mother fucker on the Wi-Fi
Momma let that money flow cause she got mo
Hey fuck a dime piece bro I want a drop hoe”
“Shorty got big bank with four cars
Say she need an address she got more cards
Wanna be hood rich honey I’ma show you
Told me get a date of birth don’t forget the Social”
“Oh that’s all I gotta do you can bet that
Meet me at the Amscot I need a check cashed
Tryna’ find a drop hoe it ain’t hard
You can look for new rims and a paint job”
“Keep her hair done nails done nice clothes
Curly two strain twists on a micro
More money than you can spend but she get it in
Say she got a boyfriend but he in the pen”
“Thats everybody’s bitch Im’a bite though
I’m the type a nigga give you what you ask fo
Told that bitch I’m comin home like a furlough
She got them stacks then went tax on the turbo”
This is the latest in a series of stories I’ve been writing over the past few years about the growing menace of tax refund fraud. For more in this series, see this link.
By far, my favorite tax return fraudster is Lance Ealy, an Ohio scam artist who went on the lam after being convicted for tax refund fraud, and proceeded to lead U.S. Marshals on a multi-state chase — all the while continuing to file phony tax refund requests in the names of people already in jail (individuals that Ealy compensated by topping up their prison commissary funds).