Friday, January 31, 2014

Yahoo reveals coordinated attack on Yahoo Emails - encourages Password reset

On January 30, 2014, Jay Rossiter, the Senior Vice President for Yahoo's Platforms and Personalization Products shared An Important Security Update for Yahoo Mail Users on the companies Tumblr blog. In this time when "breach" is the biggest buzzword on the Internet, let's look at what the post is saying and is not saying and consider what we can learn and what we should do as a result of this information.

(click image to visit Yahoo! blogpost)

Is Yahoo a breach victim? or a champion?

(Quote): Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts.(/Quote)

While we don't know how they discovered this, the typical methods for discover would be some form of network analytics showing single IP addresses or sessions attempting to access multiple Yahoo email accounts in rapid succession, or, based on the keyword "effort", possibly attempting and failing generating a large number of password guesses. Like most Email Service Providers, Yahoo! retains records of which IP addresses have previously succeeded to access your email account, and a sudden spike in "wrong address / wrong device / wrong geography" alerts may be part of what led to the conclusion this was a coordinated effort.

While everyone is raging at Yahoo!, I believe that in this situation Yahoo! is providing a well-intentioned public service that actually reveals a pro-security stance in the company, NOT a weak security status! Read on to see why.

Password Re-Use is the Problem

Next, where did the data come from and what type of data was it?

(Quote): Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems.(/Quote)

On face value many are jumping to the conclusion that this indicates that Yahoo! is allowing some third party to store userids and passwords of Yahoo! users on their systems. Again, as an outsider sharing my reasoning on this event, I don't believe that is what is being said. PASSWORD RE-USE IS REACHING CRISIS LEVELS!. Oops? Did I scream that? I guess I did! The problem that I believe we are dealing with here is that many systems on the Internet ask you to use your EMAIL ADDRESS as your UserID on their system. This is a great convenience in many ways, however, in this case, it also means that a criminal now can associate your userid on one system in a very direct way to your userid on your email provider's system. MORE THAN 81 MILLION AMERICANS (and more than 200 Million people worldwide) still use a Yahoo! email account! This means that in any breach on any system where your userid is equal to your email account, there is a very great chance that the primary accounts found in that breach would be Yahoo email accounts. Despite repeated warnings, most users still use the same password on ALL of their systems. Because of this, it is logical for a criminal who obtains userids and passwords from ANY source to try those same userids and passwords at Yahoo against the matching email account.

What is the Criminals' End-Game?

(Quote): The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.(/Quote)

If someone is using the same userid and password on multiple systems, it is likely they are doing so on many ADDITIONAL systems as well. By reading the recent emails found in the Inbox and Sent mail, the criminals are likely able to determine other places where the Yahoo email user has additional accounts. For example, when I make a purchase on,, or pay my credit card bill at or what happens? They send a confirmation of my purchase (or my statement) to my email account. If a criminal knew that information, they would be able to then try that same Yahoo email account as the userid and password and attempt to access those other accounts. In addition, how do ALL of those service confirm a password reset account? Through an email message with a "click to change your password" link. Since the criminal now has control of your Yahoo account, even if you DID use a different password, they can now reset it at will!

Of course there is also the possibility that they are just after "London traveler" type scams where knowledge of the individuals in your address book is used to send personal pleas for financial assistance due to some type of crisis. We've covered those types of scams since at least 2009 in this blog. The more recent social engineering attacks that we've heard of have been searching the compromised accounts for evidence of communications with bankers and then using the knowledge of the previous conversation to ask for financial favors or skirting of the rules to help perform a financial transaction via email.

How is Yahoo Protecting their Customers?

This is from their letter, but it is exactly what I would hope they would do after detecting this situation!

  • We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
  • We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
  • We have implemented additional measures to block attacks against Yahoo’s systems.
Jay Rossiter is also trying to help educate Yahoo! users by recommending this page of suggestions for Safeguarding your Yahoo account. Whether you are a Yahoo! user, a Gmail user, a user, or whether you are just using your corporate email account, the advice given there is well worth reviewing and following.

In the Safeguarding Your Yahoo! Account document, I'd like to call special attention to their recommendation to having an alternative email and mobile phone on file with Yahoo. This isn't so they can violate your privacy. It is so they can better protect your account! I've used this service myself from Yahoo within the past two weeks and was very pleased that they texted a password reset code to my cell phone before allowing a password change request to continue.

High praise to Yahoo! for recommending that you enable a mobile-phone based password reset. I wish my banks and credit card issuers would require the same! This isn't an example of Yahoo! being a security victim, but being a security LEADER! It is shameful that my Yahoo! email account is better protected than many other accounts! (Test your own accounts: Can you click an "I Forgot My Password" link on your bank/electronics/music website to reset your password by email? )

Breaches, Phishing, It doesn't matter ... DO NOT RE-USE PASSWORDS!

At Malcovery Security we specialize in email-based Threat Intelligence. Part of that practice is having an enormous database of spam and phishing information, including nearly 700,000 confirmed phishing websites and information about each of those threats. Many of the malware samples that we report on daily through our "Today's Top Threats" report will also steal userids and passwords to accounts, including your email accounts. Almost every version of Zeus will do so, as one example. Here are a few of the Yahoo-targeted phishing scams that were popular during the previous week:

  • BT Internet Phish:

    In this long-running phishing campaign, users of Yahoo's "" email domain are told that BT Broadband (formerly British Telecom) is discontinuing their email account and will replace it with a Premium Email account that they have to pay for, unless they confirm they want to keep the account by entering their email userid and password to prove they are really in control of the account.

    (This phishing screenshot was captured by Malcovery January 23, 2014 from dtinternet[.]bug3[.]com)

  • Google Docs Phish:

    Although this phish claims to be from Google Docs, this scam campaign began its life as a ReMax realty phish. In order to confirm your identity, you are asked to provide the userid and password of whichever popular email service you are using. From there the threats are similar to those described above.

    (This phishing screenshot was captured by Malcovery January 29, 2014 from www[.]thewigleygroup[.]com/googledocss/sss/)

  • GT Bank / Yahoo! Phish:

    GT Bank is Guaranty Trust Bank plc, a pan-African bank with Nigerian roots. In this example, the phishing target is actually Yahoo, but since the phish was created by someone logging in from Africa, the Yahoo! page they captured is adorned with a GTBank logo and advertisement.

    (This particular phishing screenshot was captured by Malcovery January 22, 2014 from highbeam[.]co[.]th/eart/Indezx.html)

Wednesday, January 29, 2014

More SpyEye Guilty Pleas

Long-time readers of this blog may remember our post in May 2013 called SpyEye Botherder BX1 - Welcome to Georgia! where we shared a timeline of the case against BX1, including the indictment filed in 2011, the Microsoft, FS-ISAC, and NACHA law suits in 2012, and the report of BX1's arrest in January 2013, and his appearance in Atlanta, Georgia's North District of Georgia Federal court.

But BX1 was only one of the people behind SpyEye. Today the US Attorney in the Northern District of Georgia announced Cyber Criminal Pleads Guilty to Developing and Distributing Notorious SpyEye Malware referring to Aleksandr Andreevich Panin, AKA Gribodemon AKA Harderman, who has confessed to conspiring with BX1 (Hamza Bendelladj) to advertise, sell, and distribute SpyEye to at least 150 people who paid between $1000 and $8500 for their copy of SpyEye. The indictment used is actually the EXACT SAME INDICTMENT as what I shared with the BX1 case, with the exception that this time, nothing is blacked out pending future charges. Interesting BX1, the "co-conspirator" has plead NOT GUILTY. According to US Attorney Sally Quillian Yates, SpyEye was used to infect more than 1.4 million computers in the US and abroad. Yates has a message for Cyber criminals: "You cannot hide in the shadows of the Internet. We will find you and bring you to justice." Panin suffered the same fate as BX1. He traveled and got picked up crossing borders. For Bx1 the arrest was in Thailand. Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These "border crossing" arrests have led the Russian government to issue a rather strange travel advisory: "If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!" (See Russia Issues Travel Warning

The case was made possible with yet another truly International show of cooperation, including the UK's National Crime Agency, the Royal Thai Police, the Dutch National High Tech Crime Unit, the Dominican Republi's Departmento Nacional de Investigaciones (DNI), the Cybercrime Department of the State Agency for the National Security in Bulgaria, and the Australian Federal Police. On the private sector side, Trend Micro's Forward-Looking Threat Research (FTR) Team, Microsoft's Digital Crimes Unit, Mandiant, SecureWorks, Trusteer, and (a Norwegian Security Research Team) all made valuable contributions to the research and information sharing behind this case as well.

(Panin pictured above)

As an example of the types of support provided by the public sector, Microsoft investigators, working with the help of the greater security research community, provided in their affidavit's example chats, logs, forum posts, and addresses for John Doe 3, who they called Harderman and Gribodemon. Those hints include "Exhibit 5" which shows Harderman and Gribodemon claiming to be the author of SpyEye, Exhibit 13, an interview with Gribodemon where he claims to be the author, and several email and messaging addresses for Gribodemon, including:,,,, and

Also in the Microsoft Exhibits are the proof that there was a discussion about merging Zeus and SpyEye (see Exhibits 14, 15, 16, 17, and 18.

Several of those forum posts are from the forum "" which was well known as a place for buying and selling trojans.

Exhibit 5 is actually a post from the Krebs on Security website called SpyEye v. ZeuS Rivalry Ends in Quiet Merger and includes this post from Harderman:

Good day!

I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.

He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.

All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.

Thanks to everyone for [your] attention!

For a very approachable explanation of how Zeus and SpyEye work, I recommend the article The New Frontier for Zeus & SpyEye by Ryan Sherstobito (formerly with Panda Security) in the September 2011 issue of the ISSA Journal.

Panin (and Bendelladj) were charged with:

Conspiring to: (A) intentionally access a computer without authorization and exceeding authorization, and thereby obtain or attempt to obtain information from a protected computer, and the offense was committed for the purpose of private financial gain, in violation of Title 18, USC Sections 1030(a)(2)(C) and 1030 (C)(2)(B)(i);

(B) knowingly and with intent to defraud access a protected computer without authorization and exceeding authorization, and by means of such conduct further the intended fraud and obtain things of value, in violation of Title 18, USC, Sections 1030(a)(4) and 1030(c)(3)(A); and

(C) knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, and the offense caused and would, if completed, have caused damage affecting 10 or more protected computers during a one-year period, in violation of Title 18, USC, Sections 1030(a)(5)(A) and 1030(c)(4)(B).

The indictment goes on to say that Panin joined a forum on the website for the purpose of advertising the sale of SpyEye on January 10, 2010. On June 29, 2010, Panin advertised on that forum "SpyEye - this is a bank Trojan with form grabbing possibilities" (meaning it could steal the information from "web forms" such as what you enter data into when you interact with online banking. Beginning on July 6, 2010, Bendelladj, using the handle Bx1, commented that he was a client of Panin's and "vouched" for him. By September 16, 2010 Panin was advertising additional features, including the "cc grabber". Bendelladj began advertising SpyEye for sale in April 2011 on his YouTube account "danielhb1988. After selling the software to an undercover law enforcement officer for $8,500 and receiving payment, Panin uploaded the software on for the undercover agent to access.

SpyEye has been stealing login credentials for bank accounts, credit cards, and FTP accounts since at least January of 2010, when one of the first mentions was listed in the NoVirusThanks Blog post "A new sophisticated botnamed SpyEye is on the market". An analysis of SpyEye performed on those very early samples by Jorge Mieres of Malware Intelligence (Sorry Jorge, the document link on your page is broken!) reveals a couple interesting details. For example, here is a network capture showing that the bot being analyzed is going to make a connection to

Using DomainTools historical WHOIS information, we can see that the registrant for is Hilary Kneber! At about that time, Hilary Kneber was the most famous registrant of malware domains we knew of, and demonstrated the fact that a single criminal could CERTAINLY be using many bots. Check out the entries for Hilary Kneber:

2009/11/17vkontalte.cn59.53.91.102exploit kit
2009/11/01online-counter.cn115.100.250.113exploit kit panel

(A fuller list of 149 additional domains is available at the end of this article as Hilary Kneber Malware Domains)

One especially interesting Hilary Kneber attack was one that pretended to be a Christmas Card from the White House which was broadly disseminated to members of Government and the Military Intelligence apparatus. That version of Zeus, which this researcher also saw targeting government employees and exfiltrating stolen documents to Belarus, was so prominent that NetWitness dubbed the botnet "The Kneber Bot" and claimed that 75,000 computers in 2,500 companies had been used to exfiltrate out at least 75GB of data. (See Feb 2010 ComputerWorld article Over 75,000 systems compromised in cyberattack

S21 has a fantastic graphic on their blog that shows the Zeus Family Tree:

(Right-Click "view image" to see full graphic)

See the lavender line near the bottom that says "Source to Gribodemon?" Gribodemon is Panin. The origins of the SpyEye plugin are widely believed to have come from the original Zeus author announcing his retirement and passing all of the Zeus sourcecode to SpyEye and might have anticipated that the code would be used to improve SpyEye.

At that time, the biggest difference between Zeus and SpyEye was the price! While Zeus was being sold for $1000 per copy, SpyEye was only charging $500 and had all of the same features, including some nice features such as Root Kit features that prevented any usermode process from being able to see the file in Task Manager or being able to see any of the Registry Keys created by the bot.

The main feature that started the "battle of the bots" was the little check box below: "Kill Zeus"

If the "Kill Zeus" option was selected in the builder, the resulting exe file would search for an existing Zeus install on the newly infected SpyEye bot node and destroy it.

Brian Krebs documented the rising tensions between SpyEye and Zeus in his article SpyEye vs. Zeus Rivalry

Zeus, Gribodemon, and SpyEye

Zeus is widely acknowledged to have been produced by a hacker who calls himself "monstr".

A screenshot of the Spy Eye control panel from November 8, 2011 is provided here, (Image from an analysis by Xylitol, who is credited with "cracking" SpyEye and thereby depriving Gribodemon of his revenue stream. Everyone thought that once SpyEye was cracked a "New & Improved" SpyEye would be released, but this really marked the fall of SpyEye.

IOActive also did a great analysis and reverse engineering report on SpyEye called Zeus SpyEye Banking Trojan Analysis that goes into great technical detail about how the malware injects itself into processes, avoids "API Hooking" traps and hides its own presence on the machine in a way that was much more advanced than Zeus.

On August 9, 2011, Xylitol released a report called Cracking SpyEye 1.3.x. Xylitol AKA Steven K. is/was a member of RED Team - the Reverse Engineer Dream Team. As a direct result of this crack, which allowed people to "unbrand" their purchased copy of SpyEye, the original creators and marketers of the tool were no longer necessary to establish an instance of SpyEye. While it briefly seemd that this would to a great surge in use, it actually killed the product.

In the RSA 2012 Cybercrime Trends Report the number one Trend predicted as 2012 began was "Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware". RSA reports that in Q1 of 2011 SpyEye accounted for 19% of all malware infections, but had dropped to 4% by Q3 of 2011. What happened? Refer back to the S21 Timeline. See the Black Line representing the theft of the Zeus Source Code? Now it didn't matter that SpyEye was cheaper than Zeus, because Zeus was suddenly FREE! Ice IX was the first Trojan that came out that took advantage of the leaked Zeus 2.0 code and began to show significant improvements. Free is good, but Free without a code innovator who knew how to make creative advances in his malware meant that the Free version of Zeus 2.0 was soon obsolete. Ice IX grew to 13% of the financial crimeware market by Q4 2011, according to RSA. It should be noted that the prices in the 2012 RSA report are much higher than the 2010 prices above. RSA says that the full version of SpyEye cost $4,000 compared to the Zeus cost of $10,000. The other big trend that RSA mentioned in this report was Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data -- including Access to victim computers, access to Utility bills, Medical Records, Email addresses, DOBs, and much more. Also worth noting that in the 2012 RSA Report, RSA was claiming that every MINUTE there were 232 computers somewhere in the world infected by malware. Norton's 2013 report puts that number at 18 per second or 1,080 per minute. If equivalent, that would mean an almost a 460% increase in malware infections from 2012 to 2013!

Soldier = a Major SpyEye Customer

SpyEye was sold, as we mentioned, to many hackers who each ran their own "instance" of the malware. Traffic Analysis was able to show via an embedded user agent string which malware samples were associated with which malware operators. There have been arrests in the past for people who were SpyEye OPERATORS, but until BX1 was arrested, no significant players were taken into custody.

Perhaps the largest USER of SpyEye was a hacker named "Soldier" who was reported on by the Trend Micro team of Loucif Kharouni, Kevin Stevens, Nart Villeneuve, and Ivan Macalintal called "From Russia to Hollywood: Turning the Tables on a SpyEye Cybercrime Ring". Each SpyEye Builder has a GUID (Globally Unique Identifier) assigned to it at the time of the sale. In the Trend research paper, 23 Command & Control (C&C) Servers were identified as corresponding to SpyEye samples that had the GUID associated with Soldier. from April 19, 2011 to June 29, 2011, these C&C servers were visited from 82,999 unique IP addresses, and resulted in 25,394 systems being compromised. Of those, 23,739 were in the United States. The second most common country was the United Kingdom with only 86 compromised systems. Soldier's servers included credentials stolen from 1499 Chase customers, 770 Wells Fargo customers, and 1283 Bank of America customers. From the NON-Banking information, there were 21,819 Facebook accounts, 9,987 Yahoo! accounts, 8,078 Google accounts, and 4500 accounts.

Soldier also ran a significant Money Mule network, which recruited people through many fake job placements websites, including one called L&O. By identifying Mules and working through the Mule website, Trend researchers were able to determine the earnings per month laundered as part of the take by Soldier - more than $4.5 MILLION dollars in six months!

  • November 2010 - $576,000
  • December 2010 - $809,000
  • January 2011 - $843,000
  • February 2011 - $719,000
  • March 2011 - $957,000
  • April 2011 - $763,000
  • May 2011 - $53,000
According to the Trend report, Soldier worked with two other cut outs, Viatcheslav, who lived in West Hollywood, California (or at least banked there) and Gabriella, who banked in Los Angeles.

While it is not known if SOLDIER was brought to justice -- Bx1 may still turn out to BE "Soldier" -- that part is unclear at this time, other SpyEye operators were. One such group was arrested by the Metropolitan Police Central e-Crime Unit (PCeU). PCeU arrested Pavel Cyganok, from Lithuania, sentenced to five years for his role in stealing more than £100,000 and Ilja Zakrevski, his accomplice from Estonia who was sentenced to four years. The two worked with Aldis Krummins from Latvia who was only charged with Money Laundering and sentenced to two years. Charged under the UK's Computer Misuse Act, one of their servers hosted in the UK was shown to have been connected to and receiving data from at least 1,000 compromised computers around the world. In the PCeU's 2012 Report to Parliament this £100,000 figure for the SpyEye operators had to be compared to a single Organised Criminal Group that had been operating Zeus that had stolen more than $70 Million from the USA alone! But, just like in the US, crimes against victims in other countries aren't considered in the local jurisdiction. This loss volume was really hardly mentioned in the UK press. 285 UK Citizens were shown to have lost £2.66 million in just a single 90 day period from Zeus. (This was the case that was referred to by the FBI as "Operation Trident BreACH".) At that time, this researcher really was thinking of SpyEye in a similar way -- SpyEye £100,000 UK Pounds vs. Zeus at $70 Million US Dollars. But there were bigger SpyEye operators still to be identified.

So while we know have Aleksander Panin AKA Harderman AKA Gribodemon was the author of SpyEye, and we know that BX1 was the primary person in charge of marketing the malware to clients, much as "Magic" did for monstr on the Zeus side of the house. What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody. Beyond Soldier (still at large) and the Latvian/Estonian/Lithuanian trio above, we know that The claim is made that at least 150 different criminals bought a copy of SpyEye from BX1. Where are they, their botnets, and the money that they made from the victims they provided with Zeus and/or SpyEye by stealing banking information and selling personal information and documents to their clients?

Perhaps more of those individuals will be found among the John Does 1-39 listed in the Microsoft Lawsuits against Zeus actors. In the Zeus Lawsuit papers, including the Declaration of Mark Debenham (179 page PDF) Some of the named John Does include Monstr (the original Zeus author), Harderman and Gribodemon (both now known to be Panin, who Microsoft referred to as "John Doe 3") and 36 other individuals, many as yet unnamed, who may turn out to be Soldier or other SpyEye customers.

Great work! But we need to do the ADDITIONAL work of identifying and removing those underlings as well.

An aside on CyberCrime Reporting

The UK Parliament Science & Technology Committee report on Malware and Cyber Crime referenced above had many excellent parts, including some written by our friends at SOCA and Richard Clayton from Cambridge who argued for Parliament to implement a robust measuring system for gathering accurate statistics about cyber crime incidents. We suffer a similar fault in the US Justice System, where we rely on surveys and anecdotes about Cyber Crime rather than implementing Cyber Crime categories into the Unified Crime Report which implements a nation-wide set of definitions and reporting mechanisms for gathering stats on Criminal homicide, Forcible rape, Robbery, Aggravated assault, Burglary, Larceny-theft, Motor vehicle theft, and Arson, but does nothing to help us learn about White Collar and Cyber Crimes. This fault leaves us with the ability to very accurately state the improvements in dealing with certain types of crimes, for example showing a steady decline in murder from 9.5 murders per 100,000 citizens in 1993 to 4.7 murders per 100,000 citizens in 2012, or 41.1 rapes per 100,000 citizens in 1993 steadily declining to 26.9 rapes per 100,000 citizens in 2012. Yet we are left guessing that the the cost of Cyber Crime in the US is somewhere between $21 Billion per year and $1 Trillion per year.

Quite a range, both in estimates and in methodologies. For example:

  • the Ponemon Institute's Cost of Cyber Crime 2013 study estimated the cost of cybercrime in 60 benchmarked companies as being $11.6 million per year per company, with malware attacks being most prevalent, followed by DDOS. Ponemon also points out that the category of security spending with the greatest ROI is "Security Intelligence" and really offers a very interesting view of how to properly measure costs, consequences, and opportunities in cybercrime mitigation efforts.
  • The 2012 Norton Cybercrime Report put the global cost of Cybercrime at $110 Billion per year, with $21 Billion of that cost being in the United States.
  • I've previously blogged about another great report estimating Cyber Crime costs by the UK Government -- a study conducted by Detica for the Office of Cyber Security and Information Assurance. In my blog post, UK Government counts the Cost of Cybercrime I project that if the US Economy experienced cybercrime in the same ratio as the UK Economy, our cost would be $275 Billion per year.
  • More details about the "Trillion Dollar Cost" of CyberCrime, a totally bogus number that is easy to find in the Congressional Record, can be found in another blog post where I once more praised the UK on their efforts to assign costs to Cybercrime, Sir Paul Speaks the Truth: Cyber Law Enforcement is a Good Investment in which Metropolitan Police chief Sir Paul Stephenson tells us "It has been estimated that for every £1 spent on the Virtual Task Force, it has prevented £21 in theft" which is a remarkable return on investment that I would hope to see us emulate in the United States!
Quite a range of estimates, but worth noting that most of the estimates do NOT include the value of stolen personal information, beyond the immediate ability to monetize accounts. We know that SpyEye was used to sell Medical Records, Government documents, and other information. Where should that be worked into the equation for "cost" estimates?

Hilary Kneber Malware Domains

2009/10/ v1 trojan,
2009/11/ v1 trojan,
2009/11/ LdPinch,
2009/11/ v1 config file,
2009/11/ v1 config file,
2009/12/ v1 trojan,
2009/12/ v1 config file,
2009/12/ v1 config file,
2009/12/ v1 drop zone,
2009/12/ v1 trojan,
2009/12/ v1 config file,
2009/12/ v1 config file,
2009/12/ to exploits,
2009/12/ to exploits,
2009/12/ v1 config file,
2010/01/ exploit kit,
2010/01/ exploit kit,
2010/01/ dropper,
2010/01/ v1 config file,
2010/01/ v1 drop zone,
2010/01/ Chksyn,
2010/01/ v1 trojan,
2010/01/ v1 config file,
2010/02/ exploit kit,
2010/02/ exploit kit,
2010/02/!MICHAEL-F156CF7!1CD55C69&ver=10065&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=50&ccrc=9730603460.12.117.147SpyEye C&C,
2010/02/ C&C,
2010/02/ v1 drop zone,
2010/02/ Chyup,
2010/02/ v1 config file,
2010/02/ v1 drop zone,
2010/02/ v1 config file,
2010/02/ v1 drop zone,
2010/02/ Exploits pack v1.3.2,
2010/02/ v1 config file,
2010/02/ v1 config file,
2010/02/ v1 config file,
2010/02/ calls home,
2010/02/ exploit kit,
2010/02/ to exploit kit,
2010/02/ Exploits pack v1.3.1,
2010/02/ v1 config file,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/ Exploits pack v1.3.2,
2010/03/ exploit kit,
2010/03/ v1 trojan,
2010/03/ calls home,
2010/03/ v1 config file,
2010/03/ v1 config file,
2010/03/21_11:35zedexstore.com61.61.20.133money mule recruitment,
2010/04/ Exploits pack v1.3.2,
2010/04/ v1 config file,
2010/04/ v1 config file,
2010/04/ v1 config file,
2010/04/ to exploits,
2010/04/ exploit kit,
2010/04/ Bebloh calls home,
2010/04/ Bebloh calls home,
2010/04/ Exploits pack,
2010/05/ v1 trojan,
2010/05/ to fake av,
2010/05/ v1 config file,
2010/05/ v1 config file,
2010/05/ exploit kit,
2010/05/ v1 drop zone,
2010/05/ to fake av,
2010/05/ pack (new Eleonore ?),
2010/05/ exploit kit,
2010/06/ v2 config file,
2010/06/ exploit kit,
2010/06/ calls home,
2010/06/ v1 drop zone,
2010/06/ v1 drop zone,
2010/07/ v2 config file,
2010/07/ v2 config file,
2010/07/ exploit kit,
2010/07/ exploit kit,
2010/07/ v1 trojan,
2010/07/ v1 config file,
2010/07/ v2 config file,
2010/07/ calls homr,
2010/08/ exploit kit,
2010/08/ v2 config file,
2010/08/ exploit, belongs to SEO Sploit pack,
2010/08/ v1 trojan,
2010/08/ exploit kit,
2010/08/ v1 config file,
2010/08/ v1 trojan,
2010/08/ v1 config file,
2010/08/ to fake av,
2010/08/ v1 config file,
2010/08/ v1 config file,
2010/08/ v1 config file,
2010/09/ v1 config file,
2010/09/ exploit kit,
2010/09/ exploit kit,
2010/09/ exploit kit,
2010/09/ exploit kit,
2010/09/ v2 config file,
2010/09/ v1 config file,
2010/09/ exploit kit,
2010/09/ exploit kit,
2010/09/ to fake av,
2010/09/ exploit kit,
2010/09/ exploit kit,
2010/09/ exploit kit,
2010/09/ v2 drop zone,
2010/09/ exploit kit,
2010/10/ v2 config file,
2010/10/ v2 trojan,
2010/10/ to fake av,
2010/10/ exploit,
2010/10/ v1 config file,
2010/10/ exploitation kit,
2010/10/ v1 trojan,
2010/10/ v2 trojan,
2010/10/ v2 trojan,
2010/10/ exploit kit,
2010/11/!SANDBOX0!D06F0742&ver=10292&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=0&ccrc=2FF9BCEC&md5=43be8f760d464ed805e32a86dc1f21de91.204.48.98SpyEye C&C,
2010/11/ v2 trojan,
2010/11/ exploit kit,
2010/11/ kit,
2010/11/ v1 trojan,
2010/11/ exploit kit,
2010/11/ exploit kit,
2010/11/ exploit kit,
2010/12/ exploit kit,
2010/12/ v2 drop zone,
2010/12/ exploit kit,
2010/12/ C&C,
2010/12/ exploit kit,
2011/01/ v2 config file,
2011/01/ v2 config file,
2011/01/ v2 config file,
2011/01/ v2 config file,
2011/01/ av,
2011/01/ v2 drop zone,
2011/01/ C&C,
2011/02/ v2 config file,

Monday, January 27, 2014

Roman Vega (CarderPlanet's Boa) Gets His Sentence!

For some time now I have been following with anticipation the case of Roman Vega, the hacker who went by the pseudonym BOA and ran the notorious BOAFactory website prior to helping spear-head the creation of Carder Planet, a specialty site created by and for credit card thieves that at its peak was servicing more than 6,000 members who brokered, bartered and sold their stolen cards.

In December 2013 it appeared that Vega, who had been in custody since 2003, was finally about to be sentenced. Vega was originally arrested while traveling in Cyprus and is said to have had in possession at the time of his arrest information on more than 500,000 credit card accounts. The New York court sentenced him December 18, 2013, but then it was time to find out what would happen in California.

On January 22, 2014, the Honorable Charles R. Breyer, Senior United States District Judge accepted Vega's plea bargain and in exchange for pleading guilty to 18 USC 1343 and 2, "Wire Fraud, Aiding and Abetting" (Counts 1-20), Counts 21-40 of his original charges were dismissed.

Boa was sentenced (by this Judgement Against Roman Vega document) to serve forty-six (46) months on counts one through twenty, all counts to be served concurrently, and also to be served concurrently with Docket #07-CR-707 (ARR) from the Eastern District of New York.

Vega will also have to pay restitution as follows:

  • Bank of America - $23,371.86
  • Bank of Cyprus - $92.63
  • Canadian Imperial Bank of Commerce - $681.56
  • Capital One - $15,039.56
  • Chase Bank - $16,223.74
  • Citibank - $29,284.42
  • Fla Card Services - $7,695.04
  • JP Morgan Chase - $1,849.27
  • Merrill Lynch Fraud Control - $6,118.54
  • National City Card Services - $614.84
  • PNC Bank - $3,144.92
  • Royal Bank of Canada - $488.49
  • USAA Federal Savings Bank - $89,294.75
  • Wachovia Bank - $13,303.35
  • Washington Mutual Bank - $12,525.60
With some fees, he is ordered to make a lump sum payment of $221,728.57 (including all the above) to the court.

The early court documents in the Boa case, including this Roman Vega Criminal Complaint from 2007 (25 page PDF) make fascinating reading, walking through how a dispute on the ShadowCrew Carding Site between Boa and others on the site that lead Boa to spawn his own website, Boa worked closely with other famous carders, including Gollum and Script.

Roman Vega (Boa) was arrested February 26, 2003 in Nicosia, Cyprus. his laptop was imaged and shared with the US Secret Service and the US Postal Inspection Service, which revealed hundreds of email messages and thousands of pages of ICQ chats. The laptop also had 500,000 credit cards issued by 7,000 different financial institutions! Vega was flown from Cyprus to Minneapolis, Minnesota on June 3, 2004. He plead guilty in November 2006 to twenty counts of wire fraud in the Northern District of California. One of the especially interesting chats was between ICQ 107711 (Vega) and ICQ 100630 (Script) where Vega claims his "boys" have cracked a database containing 2 million credit card accounts in the United States. Script and RyDen said that was too large a volume for them to handle. Later Script sent an article about the hack to Vega about a breach against Data Processors International (DPI).

Although the court documents do not specify which article it was, it may have been this CNN article Hacker hits up to 8M credit cards. Vega confesses to Script that the article is wrong - they actually got 14 million cards, including 450,000 just from Capital One!

Boa was arrested after a large number of cards from the breach were found to be used at a particular POS terminal in Cyprus.

Now, if you'll forgive me, we'll go back to the New York case. Things did not go well for BOA in New York. He insisted on dismissing his counsel, who he did not trust, and defending himself, which did not go well. Vega had a limited command of English and his defense seemed to be a mix of magazine articles, things other prisoners told him and watching too much television. Here's one example transcript from a hearing where he is trying to say that he wants access to thirty boxes worth of notes and files, including everything the government found on his hard drive.

According to the sentencing memorandum from the US, Script was Dimitry Golubov, the Godfather of CarderPlanet. But Boa played a key role in making CarderPlanet the "go to place" for cards. It was Boa who instituted the "Card Review" process by which vendors had to ensure that their cards were original and had not been previously sold. The vendor ranking system, copied to so many other boards today, originated on CarderPlanet, and it was Boa's key contribution to the new system.

More than half of the sentencing memo from the US lists the many ways in which Vega misbehaved and violated his agreements to cooperate with the US in exchange for leniency. These include:

  • having a letter sent from Italy to the private unlisted address of a government analyst that insulted Vega by saying he no longer had contact or influence in the criminal world.
  • sending money to his girlfriend and then "not being able to recall" anything about that when asked repeatedly by the government.
  • consulting on Misha Glenny's book "Dark Market: Cyberthieves, CyberCops and You".
  • withdrawing his guilty plea
  • having a powerful cell phone antenna in his cell. Although no phone was ever found, Vega was somehow
  • able to maintain several blogs about his life in prison, despite theoretically having no access to computers or phones.
Some of CarderPlanet's top customers were Cumbajonny AKA Albert Gonzalez, now serving twenty years. Maksim Yastremskiey (Maksik) sentenced to 30 years for hacking by the Turkish police. Cesar Carranza, a money launderer to the carders, now serving six years in New York for laundering $2.5 million.

Here is the sentencing "point calculator" used in the case:

Base Offense Level 2B1.1(a)(2) 6
Loss between $200 and $400 Million 2B1.1 (b)(1)(O) 28
Stolen Property Business 2B1.1(b)(4) 2
Fraud from Outside US and Sophisticated Means 2B1.1(b)(9) 2
Use of Device Making Equipment 2B1.1(1) 2
Organizer and Leader of 5 or more Participants 3B1.1(a) 4
Adjusted Offense Level for Count One 44
Base Offense Level 2S1.1(a)(1)
See also 1B1.5(b)(1)
Specific Offense Characteristic
USC 1956
2S1.1(b)(2)(B) 2
Organizer and Leader of 5 or more Participants 3B1.1(a) 4
Adjusted Offense Level for Count Two 46

To show consistency with the sentence, the New York Sentencing Memo (10MB PDF) also lists previously sentenced carders and hackers and their respective sentences as a means of justifying the requested sentence:

1. Albert Gonzalez - 20 years (sentenced September 11, 2009)

2. Edwin Pena - 10 years and $1M restitution (sentenced September 24, 2010)

3. Lin Mun Poo - 10 years (sentenced November 4, 2011)

4. Tony Perez - 14 years (sentenced September 9, 2011)

5. Jonathan Oliveras - 12 years (sentenced December 9, 2011)

6. Adriann-Tiberiu Oprea - 15 years (sentenced for hacking into 800 US Merchants' systems resulting in $17.5 million in unauthorized charges on more than 100,000 cards.) Oprea was known as "the Subway Hacker" for stealing card data from hundreds of Subway restaurants.

(to read about other famous hackers and their sentences, see Major Achievements in the Courtroom.)

In New York 1:07-cr-00707-ARR, Vega was sentenced to 216 months for Count One and 90 months on Count two, to run concurrently for a total of 216 months or 18 years. Since that is longer than the California sentence, he'll pay the California restitution and serve the 18 years courtesy of the Bureau of Prisons in Lompoc.

Saturday, January 25, 2014

Unprecedented International Cybercrime Cooperation Nabs Email Hackers

Email Hacking in China, India, Romania

Yesterday we tweeted asking for more information on a statement we found in India's press regarding an email hacker charged in Pune. The article I sited, Pune techie held after FBI alert on hacking racket, reported:
The CBI on Friday arrested a 32-year-old techie from Pune after a tip-off from the Federal Bureau of Investigation (FBI) about a racket involving hacking of 900 e-mail accounts belonging to people from across the world, including Americans and Indians. [...] Following the FBI tip-off, the CBI carried out raids in Ghaziabad, Mumbai and Pune during which several professional hackers were rounded up. Tiwari was arrested and taken on transit remand to Delhi by the CBI team. His computers and other gadgets were seized. According to the CBI, the e-mail accounts of 171 Indians and more than 700 foreign nationals, including Americans, had been hacked. [...] The agency said the raids were part of a coordinated action involving the agencies of China, Romania, the US and India. This was the first time the CBI had tied up with international investigation agencies to launch an operation against cyber crime in India.
We were so pleased to learn of the CBI's Cooperation with the FBI on it's first Cybercrime coordinated effort, but were left puzzling over the statement about coordinated raids in India, Romania, China, and the US.

The confusion was over the fact that the FBI had decided to not unseal the cases in the US related to these crimes until they received confirmation from their peers in India, Romania, and China that the others involved in the case had been successfully arrested. Once that was concluded, we were able to find the original announcement, January 24, 2014, from the US Attorney's Office in the Central District of California, International Law Enforcement Efforts Result in Charges Around the World Against Operators and Customers of E-Mail Hacking Websites.

  • Mark Anthony Townsend, 45, of Cedarville Arkansas and
  • Joshua Alan Tabor, 29, of Prairie Grove Arkansas were charged with a felony violation for running "". Customers of their service would provide an email account and make payment via PayPal once the email password was obtained. More than 6,000 email accounts were hacked during this scheme.
    Three additional US persons were charged, but these were charged with the lesser misdemeanor charges related to hiring a hacker (as opposed to the two above, who did the hacking themselves):
  • John Ross Jesensky, 30, of Northridge, California, paid $21,675 to a Chinese website to obtain email account passwords.
  • Laith Nona, 31, of Troy, Michigan, paid $1,081 to obtain email account passwords.
  • Arthur Drake, 55, of Bronx, New York, paid $1,011 to get email account passwords.

The Romanian DCCO (Direcţiei de Combatere a Criminalităţii Organizate or Directorate for Combating Organized Crime) part of the DIICOT, searched the residences and arrested four individuals associated with the hacker for hire websites:

  • (since at least September 2006!)

Romanian Email hacker, Guccifer

The Romanians report that these individuals broke into at least 1600 email accounts between February 2011 and October 2012.

Based so far only on the coincidence of timing, this blogger believes that this was the notorious "Guccifer" or Marcel Lazar Lehel, who was previously charged with a suspended sentence of three years (February 8, 2012) for hacking into email accounts belonging to SRI director George Maior, former US state secretary Colin Powell, members of Bush and Rockefeller families and officials of the Obama administration. See for example the January 22, 2014 story in Romania's Nine O'Clock news, "Hacker 'Gucifer' caught in Arad" --“guccifer”-caught-in-arad/. In another story from (via Google Translation) it says:

[In addition to] SRI boss George Major, George Bush, and Colin Powell, Other victims of 'Guccifer' were actor Steve Martin, John Dean, former advisor to President Richard Nixon, actress Mariel Hemingway, three members of the House of Lords in the UK, Laura Manning Johnson, a former CIA analyst, George Roche was Secretary of the Air Force, and President MetLife (insurance company).
. In the earlier charges that resulted in the suspended sentence, Guccifer was charged with accessing and making public photos from the Facebook pages and email accounts of many public officials in Romania as well.

Indian Email hacker, Amit Tiwari

The Central Bureau of Investigation in India arrested Amit Tiwari (who had previously been arrested for Credit Card Fraud) for operating the websites and, who hacked at least 935 e-mail accounts between February 2011 and February 2013.

HireHacker's homepage was a prolific advertiser of their services since 2007, creating many "blogs" (such as and posting questions on places like Yahoo Answers like "Can the Famous Internet Detectives at really recover my cheating spouses email password?"

Chinese Email hacker, Ying Liu

The Ministry of Public Safety in China arrested Ying Liu (劉颖), AKA Brent Liu, for operating the website Liu was shown to have broken into at least 300 email accounts between January 2012 and March 2013.

Liu's website had it's fifteen minutes of fame when it was featured in NYMag's story Hiring Hackers is Super Cheap. In that story from January 2012, two Kuwaiti brothers, Bassam Alghanim being the billionaire of the two, hired some Chinese hackers "for the price of a really good dinner" to break into his brother's email account. That story indicated that the hackers earned $200,000 in thirteen months by breaking into accounts. The story was also covered in the Wall Street Journal (which also has a video from Cassell Bryan-Low about the case), where the actual hacking may have been via Invisible Hacking Group instead.

Ying Liu hosted his website,, on the notorious Malaysian hosting platform, Here are some screen shots of that show how their system worked:

Menu of Services
Order Placement
This is such an amazing demonstration of international cooperation! I know I already said so, but for India's CBI, China's MPS, Romania's DCCO, and the FBI to cooperate together on a single case is without precedence! A great sign towards a bad future for cyber criminals!

Revenge Porn victims to get Justice?

This summary is not available. Please click here to view the post.

Friday, January 24, 2014

Consumer Reports on Smart Phone safety, Malware, and Phishing

Every year Consumer Reports does a "State of the Net" survey. I've found it to consistently be one of the most interesting and accurate measures of what's going on with regards to Computer Safety for the average American Computer user. Jeff Fox of Consumer Reports and I have spoken in the past about the great program that he's been running for many years. (We first met at an October 1st launch of Cyber Security Awareness Month at the National Press Club). I somehow failed to report on their 2013 report, so I'm catching up now.

This was based on their January 2013 survey, covering experiences for American consumers in 2012. Hopefully we'll have the next year of data in a couple months (it is usually published in their June issue.

Their Lead Article was on Smart Phone security, which found:

  • Half of all American homes have a Cell phone
  • 7.1 Million had their phone Lost, Stolen, or Broken beyond Repair
  • 69% of Americans don't back up their smart phones
  • 64% do not use a password or screen lock!
  • Only 8% use "Remote Wipe", 22% use a "Phone Finder", and 15% use Anti-virus
How well do Consumer Reports survey respondents and you protect mobile phone data?
"Click to see Consumer Reports InfoGraphic"

So much great content in their survey . . .

This article -- How Safe is your Home Computer? found:

  • 43% report being afflicted by "Heavy Spam"

    I really want to call attention to that number, because so many of my computer security friends are calling spam a "solved problem". That is ABSOLUTELY NOT the experience of the average American. Perhaps companies using the best state of the art technology are experiencing reduced volumes of spam, but 43% of Americans report they are still experiencing "Heavy Spam!"

  • 9.8 Million adults had Facebook trouble

    Either accounts taken over by an unauthorized person, had their reputation harmed, or were harassed, threatened, or defrauded.

  • 58.2 Million users had Malware issues

    to an extent that their computer's features or performance were impacted, costing $3.9 Billion in direct repairs and clean-up costs. 5% of them had to take their computer to a third party to have it repaired! I especially like the way that Consumer Reports asks this question. We know that Symantec says 18 computers are infected by new malware EVERY SECOND with a global cost of $110 Billion per year, but the question CR asks here is "How many of those infections actually lead to a real problem for the consumers?"

  • 9.2 million gave up personal data on Phishing sites

    Hundreds of thousands actually lost money from a bank account as a result. Among the big-name companies whose names successful phishers used most often, according to Consumer Reports: Bank of America, Chase, Facebook, PayPal, and Visa.

This article -- Protect Credit Cards from Scams mentions that their survey found:

  • Nearly 20 million credit-card fraud victims

    19.5 million consumers with Unauthorized charges on their cards

    CR Tip to Protect yourself: Report fraudulent charges immediately. If credit was used instead of debit on a bank card, you're probably liable for up to only $50. (That limit doesn't apply to debit charges.)

  • Lost, hijacked, stolen

    18.4 million consumers were notified by Companies, government agencies, or other organizations that their personal info had been lost, hijacked, or stolen.

    CR Tip to Protect yourself: If notified of a data breach, use the free credit monitoring that's usually offered. Add a fraud alert to your credit reports. Close affected accounts and change passwords on others. Check for incorrect charges or withdrawals after the breach.

  • Personal data compromised

    10 million consumers lost money from an account (other than credit card), had personal data used for a fraudulent purpose, or had a new credit account opened in their name by an unauthorized person.

    CR Tip to Protect yourself: Don't click on links or open attachments in e-mail purporting to be from government agencies. Have your bank alert you to possible fraudulent activity.

Great work, as usual, Consumer Reports! Please keep it up!

Monday, January 20, 2014

Target Breach considered in light of Drinkman / Gonzalez data breach gang

Everyone is talking about the Target data breach these days, but unfortunately our collective memory is sometimes too short to connect the dots.

Back in August of 2008 this blogger, like so many others, was focused on Albert Gonzalez after the TJX Arrests were made. Attorney General Michael Mukasey said that the message from the arrests was that if you do Data Breaches We Will Arrest You, and We Will Send You To Jail!. We followed up that post with a deeper look at two sets of indictments issued at the same time, TJX Update: The Boston Indictments and TJX Update: The San Diego Indictments. (The San Diego ones included the famous hackers Aleksander Suvorov, AKA JonnyHell from Estonia, and Maksym Yastremskiy, AKA Maksik). Maksik and JonnyHell were part of the Dave & Busters Point-of-Sale terminal hacks indicted in May 2008.( 23 page Dave & Busters Indictment against Maksik and JonnyHell)

In the Gonzalez case, it was mentioned that his gang had targeted "at least nine major retail corporations: including the TJX Corporation, whose stores include Marshalls and TJ Maxx; BJ's Wholesale Club; Barnes and Noble; Sports Authority; Boston Market; Office Max; Dave & Buster's restaurants; DSW shoe stores; and Forever 21."

But what is perhaps most important is that when it comes to gangs stealing millions of credit cards, there are no one-man operations, or even ten-man operations. These type of breaches are pulled off by crews. We learned much more about Gonzalez's crew in the recently unsealed documents from the case against Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets. The order to Unseal the Drinkman et. al. case was only given on December 17, 2013. Several items on the docket remain sealed to this day, but one of special interest was the Second Superseding Indictment, which has been unsealed, although several points remain redacted.

Here's what we learn in the Drinkman indictment.

  • Drinkman resided in or near Syktyvkar and Moscow, Russia, and was "a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions, and payment processors; harvesting data, including, among other things, credit card, debit card, and other customer account information, from within the compromised networks; and exfiltrating that data out of the compromised networks.
  • Kobov resided in or near Moscow, Russia, and "specialized in harvesting data from within the computer networks that Drinkman and Kalinin had penetrated, and exfiltrating that data.
  • Co-conspirators named in the indictment include Albert Gonzalez (segvec), Damon Patrick Toey, and Vladislav Anatolievich Horohorin (BadB).
  • The hacking conspiracy is described as "a prolific hacking organization" "responsible for several of the largest known data breaches" and that it operated "from August 2005 through at least July 2012."
Data breaches that were described as being part of this case, include:

  • NASDAQ - (from at least May 2007 - SQL Injection lead to malware that extracted login credentials from databases)
  • 7-Eleven - (at least August 2007 - SQL Injection lead to malware that extracted card data from databases)
  • Carrefour S.A - (2 million credit cards - October 2007 - SQL injection lead to malware that extracted card data from databases)
  • JCPenney - (October 2007 - SQL Injection lead to malware placed on the network that extracted card data from databases)
  • Hannaford Brothers - (4.2 million credit cards - November 2007 - SQL Injection lead to malware placed on the network that extracted card data from databases)
  • Heartland Payment Systems (130 million card numbers, estimated losses of $200 Million - December 2007 - SQL Injection lead to malware placed on the network that extracted card data from databases)
  • Wet Seal - (January 2008 - SQL Injection lead to malware placed on the network that extracted card data from databases)
  • Commidea Ltd. - (30 million Credit cards - March-November 2008 - malware was used to extract card data and exfiltrate the data)
  • Dexia Bank Belgium - ($1.7 Million loss - February 2008 to February 2009 - SQL Injection resulted in malware placed on the network that exfiltrated card data)
  • JetBlue Airways - (Jan 2008 - February 2011 - malware placed on network exfiltrated Personal Data of employees)
  • Dow Jones, Inc. - (2009 - at least 10,000 sets of Log-In Credentials stolen via malware placed on network)
  • "Bank A" - (Dec 2010 to March 2011 - malware placed on an unnamed bank HQ'ed in Abu Dhabi, United Arab Emirates used to facilitated theft of Card Numbers.)
  • Euronet - (2 million cards - July 2010 to October 2011 - SQL injection lead to malware that extracted login credentials from databases.)
  • Visa Jordan Card Services - (800,000 cards - Feb 2011 to March 2011 - SQL Injection lead to malware placed on network that exfiltrated card data.)
  • Global Payment Systems - (950,000 cards - $92.7 Million in losses - January 2011 to March 2012 - SQL Injection lead to malware placed on network that exfiltrated card data.)
  • Diners Club International, Singapore - (500,000 Diners Credit cards - $312,000 in losses - June 2011 - SQL Injection lead to malware placed on network that exfiltrated card data)
  • Ingenicard US, Inc. - ($9 million in 24 hours - March 2012 to December 2012 - SQL Injection resulted in malware placed on the network that was used to facilitate ATM withdrawals.)
Although it is true that several of the members named above are now in custody, it is also true that several are NOT in custody.

Given what is known about these previous attacks, might it be reasonable to consider that the Target breach may also be related?

Given the similarity in methods used in ALL of the cases above, what "Lessons Learned" might we hope other retailers and large network owners might be observing?

That's the focus of our latest Malcovery White Paper - "Target Hacker Tools Provide Breach Insight". I hope you'll take a chance to review it.

Friday, January 10, 2014

Target Database Breach "Phishing" Email leads to . . .

Several folks that also do security research called and texted and Facebook messaged today asking if we had seen "the New Target Phishing email"? We're normally pretty good folks to ask about that sort of thing, since Malcovery Security has both a Spam Data Mine, which is often a good source for such messages, and our PhishIQ system. I thought if it existed to the point that there was "buzz" about it, I should have hundreds of copies. But I didn't. I had three. Kinda.

Here's what the emails actually looked like.

I'll tell you what it does in just a minute.

By the way, if you find phishing sites and aren't sure what to do with them, we LOVE collecting phish! Use Malcovery's PhishIQ Report Phish page to send us any links!

Target Gift Card Spam

When I ran my search, I found all of the "normal" Target spam. People love to use Target to convince people to give up their personal contact information through the "Impossible to get Gift Card" scam.

We've blogged about Gift Card spam and related malware on several occasions including:

  • Cyber Monday 2010 - when we warned about scams using Victoria Secrets and Oliver Garden gift cards. In that scam you have to complete a series of "tasks" in order to earn your gift card, after going through several steps where you think you have "won" something. The final tasks back then were things like "Stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" but LONG before you found out about those tasks, the criminals already had your email, home address, cell phone number, and your agreement to let them share that data with other marketing firms.

  • A Day in the Life of Spam (2009) - in that blog I tried to fully categorize 10,583 spam messages received on October 4, 2009. 28 of the emails were "Giveaway gotchas" -- gift cards, plane tickets, cell phones, laptops that you had "won" if you would just perform some tasks.

  • We also told you about the Member Source Media LLC case where the FTC fined Chris Sommer $200,000 for running his spam scam where he sent email for "Free Products that Weren't Free".

So, today, I wasn't surprised to see spam with subjects and senders like these:

Share Your Opinion. Do you Love TargetShopping
Share Your Opinion. Do you Love TargetTarget Shopping
Shopped Target
Special: Snag a $100 Target Gift Card!
Complete the Target Shopping
Chance to Get a $100 Target Reward! Complete Sponsor
Back to School Savings - get a $100 Target Gift

Here's what these usually look like (or at least the more high end ones):

Target Phish? Not really ...!

All of those are normal, everyday occurrences. But these caught my eye!

Alert to Target Shoppers - your identity is at risk.Local

So what happens if you click on the links in the email? Let's find out!

Here's the Fiddler capture of the redirect stream: So, clicking on the link where it says "Has your identity been stolen - CLICK HERE to check the database" or where it says "CHECK TO SEE IF YOUR IDENTITY HAS BEEN STOLEN - CLICK HERE NOW!" takes you through a chain of "automatically redirected" websites:


All of those numbers out next to the URLs? Those are the Affiliate Codes and Redirect Codes, so the scammers can make sure to direct you to the correct scam and to make sure the right spammer gets credit for his hard work stealing your time, money, and possibly identity.

and then your "Political Opinion Survey" starts up . . .

The Fine Print

Before we go win our $1000 Shopping Voucher, make sure to read the fine print on that one . . . is not sponsored by or affiliated with This Website. This Website has not authored, participated in, or in any way reviewed this advertisement or authorized it. The trial products offered on the last page pay this website for leads generated. *Free trial offers may require shipping and handling. See manufacturer's site for details as terms vary with offers.

You'll also want to pay special attention to

How Do We Use The Personal Information?

How Do We Use The Personal Information?

We may use the Personal Information for any legally permissible purpose in our sole discretion Ad Serving Companies

We may use third party ad networks or ad serving companies to serve advertisements on our websites. We may pass the Personal Information about you to these companies so that they can deliver targeted advertisements that they believe will be of interest to you. The information passed to these companies may include, but is not limited to, your IP address, e-mail address, name, mailing address, telephone number, date of birth, gender, and any other information you provide to us. Web pages that are served by these companies will be subject to their own applicable privacy policies, if any.

Marketing Partners

We may share, license or sell your Personal Information to third parties for various marketing purposes, including their online (e.g., e-mail marketing) and offline (e.g., telemarketing, cell phone text messaging, skip tracing, and direct mail) marketing programs.

That's just part of it, there are many additional things they can do with your data!

Back to the Survey

There was a third question, but you get the idea. I finish question 3, it congratulates me and then sends me to get my reward! Wait? Where is the Target Gift Card? Well, I guess $1,000 shopping voucher at Sears/JCPenney/Kohl's/Macy's will have to do for now. Oh! And there is only ONE remaining! I better snag that!

By our Fiddler trace, you can see that we've just been handed off from one Affiliate marketing program to another. We are leaving the "rewardzone" system, and headed to the "" system, with "" making sure that everyone is going to get paid for their participation in scamming us.

So, here we go ... we said we wanted the $1,000 Sears/Macy's/Kohl's/JCPenney card, so we choose one and start our NEXT survey

After it "calculated my eligibility" it asked me for my email address. I accidentally hit "Back" then and now it is begging me not to go!

Oh goodie! More prizes! Hey? Wasn't I supposed to be getting $1,000 from JCPenney? I just got a big pay cut for all my hard work here. But that's cool, I shop at WalMart too. I'll take $150 Walmart card, I guess . . . Oh. Actually, our Fiddler tells us that we've swapped systems again...We're now on at

But wait! We ALWAYS read the fine print!

Got that? You must complete 2 silver, 2 gold, and 8 platinum offers ... WITHIN ONE CALENDAR DAY! So, it's 6:00 PM for me now, so I have 6 hours to do all the offers, or I get NOTHING.

In case the website goes down later, here's a local copy of some of the "example offers" that you have to finish TODAY!

OK? Let the Privacy Rape Begin!

Here comes the personal information extract . . . first, we're going to need a PHONE NUMBER, EMAIL, BIRTHDATE, and GENDER. Why? Because $150 Walmart Gift Card, that's why!

OK, you get the point. . . I have 13 more questions to go . . . see the Progress Bar? We are SO CLOSE to getting our gift card! Let's skip through the rest of the questions for now, but ask yourself, "what is likely to happen now that I've told these people that I have a house, a car, I'm planning to move, I like to go on vacation, I have a pet, an active checking account, and at least $15,000 in debt, as well as the next 13 questions . . .

  • Are you currently employed full time?
  • Are you interested in continuing your education?
  • Do you have health insurance?
  • Do you ever pay out of pocket for prescription drugs?
  • Do you smoke?
  • Does anyone at your home suffer from Asthma?
  • Back Pain?
  • Diabetes?
  • Joint Pain?
  • Sleep Apnea?
  • Anxiety or Depression?
  • Have you had a colonoscopy?
Remember. This guy has your email address and your telephone number. Whew! At least our 20 questions are done, right?

And then we start getting all the pop-up offers!

Wait! My home address? My birthday? Oh yeah, I forgot...they have to ship me my Gift Card, so of COURSE they need my home address! Duh!

Just in case though, it might be worth noting in Fiddler that we are no longer talking to MarktFlow. Through (passing along the credit so the right scammers keep getting paid) we are now seeing offers from "" associated with "".

FINALLY! All I have to do is confirm my Email Address (I gave them a valid email: wonder if it will start getting spam?) and now I will have my card! It says right there this is the Last Step, right?

Not quite. "YOU MUST INSTALL TO CONTINUE?" What am I installing?

My favorite part there, see the part where it says "I want to earn points for searching the web?" Make my Default Search Provider. Make my Default New Tab. (So, every time your browser opens a new tab, you reload the website. How convenient!)

NOW, All I have to do it complete those 2 Silver, 2 Gold and 8 Platinum offers!

So, I have to EITHER buy a set of Santoku Cooking Knives, (which I can return and keep one $100 knife for FREE!) or sign up for I already have a Credit Report service, so I guess I'll buy the knives. That's one down!

Now I can either get Vitamins (don't believe in them), Dr. Seuss Book Club (don't have kids at home), Amora Coffee (I drink Starbucks and already have a local roaster's coffee delivered to the house), a Hunting Knife (I don't hunt), Disney Movie Club (no kids at home), or M-Go Movie Rentals (I already have NetFlix AND Hulu). Hmmm. $150 Walmart Gift Card though ... Shoot. I guess I'll buy some Dr. Seuss books for my nieces.

Wait ... The Gold Offers are mostly the Silver offers I didn't want! And I have to buy TWO of them! I can choose from M-Go movie rentals, a Non-stick ceramic skillet (only $79.95), Dr. Seuss book club sign-up, Disney Movie Club sign up, Sedona Beauty products sign up, or Amora Coffee sign up. Well, I don't have kids at home, and already have NetFlix, I'm already beautiful, and I already have coffee delivered to the house, so I guess I go for the Ceramic Skillet. Cool! It comes with free scissors! ($79.95 plus shipping) and . . . shoot I guess you can never have too much coffee!

Wait. I have to do EIGHT Platinum Offers?? Hmmm... I already bought the knives as my Silver, so I guess I buy the MuscleXLerator, because $150 Walmart Gift Card, and . . .

Oh heck. I'll take the Free Hunting Knife, Sign up from, Get ProtectMyID by Experian (don't you wonder if these companies know so many of their referrals are from criminals? I wonder if they care?) Pimsleur Language Learning, because my Rosetta Stone has been on my shelf for two full years and I still can't speak Mandarin, (speaking of heavily spam-advertised products! Pimsleur! Shame on you!) How many is that . . . Shoot. I still need three more.

Well? I guess I'll get ActionProWhite teeth Whitener so I can have that inhuman glow in the dark smile, Join the Disney Movie Club (I can cancel at any time) and well, I do have a lot of wrinkles around my eyes, but that's because I smile so much. Come on Sedona Beauty Secrets!

NOW THAT, Ladies and Gentlemen, is How you get a Free $1000 Target Gift Card, except they actually plan to give me a $150 WalMart gift card instead . . . *IF* I complete 2 Silver, 2 Gold, and 8 Platinum tasks.

$1000 Target Gift Card? Tell the Spammers No Thank You!