Readers of my blog will know that I have several contacts that I discuss things with in Romania. I have had further conversations with sources closely placed to this investigation that tell me the Romanian DIICOT Press Release has one rather glaring error. Press Releases are written by a media relations person, not technical people. The best explanation I can see is that a technical person explains to the media person "the criminal did a phishing attack against 1784 people and then 1521 people and he used that data to break into eBay's computers." The media person interpreted this as "stole the userids and password from 3300 people" when in reality the technical person meant "sent a phishing email to 3300 people, and got some of their passwords."
How many is some? We now believe it is SIX. Of 3300 people sent a phishing email that imitated a VPN system at eBay used by employees, we don't know how many gave up their passwords, but the criminal only tried to use six of them. The VPN site he was imitating was protected with a two-factor authentication solution, so any passwords gathered had to be used immediately, due to the rotating "secureId" style token.
I apologize for spreading false information, but the source, the Romanian DIICOT website, seemed credible to me. It was not.
Word for word, the Romanian press release reads: "CONCIOIU LIVIU MIHAIL a lansat două atacuri tip phishing asupra unui număr de 1784 de angajaţi şi respectiv 1521 de angajaţi ai companiei eBay.Inc., cărora le-a sustras ID-ul şi parola." which I believe I correctly translated.
The other error in the press release is that Concioiu is being charged with stealing $3 Million, which includes many assorted phishing and cybercrime schemes, only a portion of which was from eBay customers.
Corrected story follows
Prosecutors in the Romanian DIICOT (Direcţiei de Investigare a Infracţiunilor de Criminalitate Organizată şi Terorism or Directorate of Investigations of Organized Crime and Terrorism) announced the arrest of Liviu Mihail Concioiu a cyber criminal who stole more than $3 million USD from eBay account holders, customers of Italian banks, and unknown others.
I wanted to use that example today to illustrate a point that I raised in my presentation earlier this week as a guest of the Maryland InfraGard chapter. My presentation, called "Cybercrime: Money, Espionage or Both?" was targeted to an audience of approximately 125 composed primarily of Defense Contractors, Law Enforcement, Critical Infrastructure security personnel and other government employees and suppliers. As an InfraGard member myself, in the Birmingham InfraGard chapter it was great to spend time with one of the nation's top InfraGard coordinators, FBI Special Agent Lauren Schuler, and the outstanding leadership of their chapter including Paul Joyal, Allan Berg, and the energetic M L Kingsley who had coordinated the event.
In my presentation, I stressed two primary points. The first is that EVERY malware attack has to be fully investigated. If you don't know the origin, purpose, and targeting of a malware attack, you have no way of understanding the full impact of the malware on your organization. The second point was that it is critical that your organization has policies that help you understand when your employees have been victims of identity theft or password- or document-stealing malware -- even if it happened at home on their home computers!
The case of Liviu Concioiu drives these points home.
In 2009, Concioiu launched two phishing attacks which were only sent to eBay employees. In the first round, he sent a phishing email to 1,784 employees and in the second round, he tried again, sending an email to 1,521 more employees.
Let's stop there for a moment.
Do you recall the "Here You Have" malware last week? In my blogpost about that event Here You Have Spam Spreads Email Worm) I stressed that it was clear that the malware had been targeted against certain organizations. Did you have an outbreak in your company? Are you aware that one of the actions of the malware was to plant a very low detection version of the BiFrost "Remote Adminstration Trojan" on the infected computers? If the only action your organization took was to remove the "Here You Have" malware, they aren't finished yet. Its important to understand whether you were a target or collateral damage for the attacker, and of course its important to understand during what infection window the BiFrost trojan was also being installed.
OK, now back to Liviu Mihail Concioiu.
After collecting some eBay credentials, Concioiu realized he was defeated by the two factor authentication and came back on June 8, 2009 and attempted to phish 417 different employee identities, to explore the eBay internal network and see what useful information he could find. This time he was prepared to immediately use the credentials he harvested, and tried at least six different accounts before finding some success. His biggest find was a tool that eBay employees use to query their internal databases and look up information about eBay clients and the transactions they perform.
By reviewing the details of eBay customer accounts, Concioiu was now able to begin his SECOND TARGETED ATTACK. One of the problems with phishing campaigns is that when criminals broadly spread spam messages advertising their fake login pages, the anti-spam services and ISPs observe these spam messages and place the advertised pages on blacklists. Concioiu was able to avoid this typical phishing trap by selectively targeting his phishing emails at high value eBay customers whose email addresses he had confirmed by harvesting them from eBay's internal systems!
The result was that 1,183 eBay users were victimized!
In addition to the eBay charges, Concioiu is also charged with creating fake ATM cards for Italian banks and withdrawing more than 300,000 Euros from these accounts, and other crimes which created a total loss of $3 Million USD.
Concioiu was one of three cyber criminals arrested today by DIICOT. The case was investigated with the cooperation of the US Secret Service agents in the US Embassy in Bucharest and Italian judicial authorities.
Hopefully this example will help push home the lessons I was trying to demonstrate in Maryland this week. I have to mention one other thing about the Maryland trip. Last year I had read an auto-biography of General Oleg Kalugin, the top counter-intelligence officer of the KGB. He was the first presenter at the Maryland event, and I got to have dinner with General Kalugin the evening before. He spoke about his experiences recruiting Americans and then I attempted to show how Cyber tools make those efforts even easier today in my follow-up presentation.
General Kalugin was kind enough to autograph one of his new books, Spymaster: My Thirty-two Years in Intelligence and Espionage Against the West, which is now one of my prized possessions! Kalugin was at one point Vladmir Putin's boss in the KGB, but later became one of the most out-spoken critics of the Soviet system and especially the KGB.
Kalugin read a part from a poem about "the new Russia" as his closing statement:
There are no departments in Russia, there are friends. There are no laws, there are personal relationships. Moreover, there is no KGB. … KGB was an organization. There are no organizations in Russia now. There are principalities and feudal lands handed out in exchange for loyal service and profitability. It was not Putin who set up the system, but he did nothing to change it. He is just handing out feudal lands to his friends in order to be able to control other feudal principalities.
(I'm not sure of the origin, but I found the quote online here: http://www.cdi.org/russia/johnson/7102a.cfm )