Thursday, May 29, 2014

A Social Facebook Phish - is your friend acting strange?

I'm always proud when my students do a great write up on a new attack, and doubly so when that analysis comes from my nephew, Chris Warner!

Chris was logged in to Facebook today when one of his friends started chatting with him. It was pretty obvious to Chris that his friend had been the victim of an Account Takeover (ATO) and that he was really chatting with a criminal who was inviting him to visit a Facebook phishing site. Chris gathered up an evidence package and submitted it to IC3.gov with his analysis prior to contacting me. With his permission, I'm sharing what he saw (editing his friend's identity out for her privacy).

Original URL user sees is of the format:

http://(USER FIRST NAME)-photos.uglyfacebookpeople,commm

URL is intentionally messed up, presumably to avoid detection by Facebook systems.

URL redirects to http://accounts.login.userid.266765.facebooclk.com/lp/fbn/?next=http%3A%2F%2F%2videos%2F%3AJ%4ID%1A

Action file is security.php

Following the action file results in visiting accounts.login.userid.497031.facebooclk.com/blam/

Which directs you to a "Flash Player Update" site that I assume is a virus. http://198.52.200.49/install_flashplayer13x32_mssd_aaa_aih.ex

There are other files that were on the site, but it is down now.

WHOIS INFO(SAME FOR FACEBOOCLK.COM AND UGLYFACEBOOKPEOPLE.COM):

Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: DI_36635864
Registrant Name: Dave Brider
Registrant Organization: none
Registrant Street: 505 45th st   
Registrant City: new york
Registrant State/Province: New York
Registrant Postal Code: 10003
Registrant Country: US
Registrant Phone: +1.6463392283
Registrant Email: yogurtman7@mail.com
Registry Admin ID: DI_36635864
Admin Name: Dave Brider
Admin Organization: none
Admin Street: 505 45th st  
Admin City: new york
Admin State/Province: New York
Admin Postal Code: 10003
Admin Country: US
Admin Phone: +1.6463392283
Admin Email: yogurtman7@mail.com
Happy hunting!

--Chris Warner


Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!
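The redirect chain Chris documented has two tells a resolver or mail gateway can score automatically: a registered domain that is one or two edits away from the real brand ("facebooclk.com") dressed up with "accounts.login.userid.<number>" subdomains, and a first hop whose dots were deliberately mangled so a naive filter does not see a domain at all. The checker below is an added example written for this post, not code from Chris or the blog; the brand list, the "login-style" word list, the two-edit threshold and the constructed sample URLs are all assumptions, and the registrable-domain extraction is a naive last-two-labels split rather than a Public Suffix List lookup.

```python
"""Score URLs for look-alike login domains of the kind seen in the Facebook phish above.

Added example (not from the original post). Assumptions: brand list,
LOGIN_WORDS, the <=2 edit threshold, and a naive registrable-domain split.
"""
from urllib.parse import urlsplit

# Brands we care about and the registrable domains they legitimately use (assumed list).
LEGIT_DOMAINS = {"facebook": {"facebook.com", "fb.com"}}
# Labels that rarely belong in the subdomain of a site that is not the brand itself.
LOGIN_WORDS = {"accounts", "login", "secure", "signin", "userid"}


def levenshtein(a, b):
    """Plain edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_host(url):
    """Pull the host out of a URL, repairing the mangling seen in the first hop:
    commas standing in for dots and a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.replace(",", ".").strip(".").lower()


def registrable_domain(host):
    """Return (last two labels, remaining subdomain labels).
    Assumption: no multi-part public suffix such as co.uk is involved."""
    labels = host.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def assess_url(url, brands=LEGIT_DOMAINS):
    """Return a verdict dict with the reasons a URL looks like a brand look-alike."""
    host = normalise_host(url)
    reg, subs = registrable_domain(host)
    sld = reg.split(".")[0]           # second-level label, e.g. "facebooclk"
    reasons = []
    for brand, legit in brands.items():
        if reg in legit:
            continue                  # the genuine site: nothing to flag
        if brand in sld:
            reasons.append(f"brand name '{brand}' embedded in unrelated domain {reg}")
        elif levenshtein(sld, brand) <= 2:
            reasons.append(f"{reg} is within 2 edits of '{brand}'")
    hits = LOGIN_WORDS.intersection(subs)
    if hits and reasons:              # login-style labels only matter on a look-alike
        reasons.append("login-style subdomains " + ",".join(sorted(hits)) + " on a non-brand domain")
    return {"host": host, "registrable": reg, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples modelled on the chain in the post (first name replaced with "alice").
    for sample in (
        "http://alice-photos.uglyfacebookpeople,commm",
        "http://accounts.login.userid.266765.facebooclk.com/lp/fbn/",
        "https://www.facebook.com/login",
    ):
        verdict = assess_url(sample)
        print(("SUSPICIOUS " if verdict["suspicious"] else "ok         ") + sample)
        for reason in verdict["reasons"]:
            print("    - " + reason)
```

The comma-to-dot repair is what lets the first hop be scored at all; without it the "domain" has no registrable part and slips past a blocklist. The login-word check is deliberately conditioned on the domain already looking like a brand, otherwise every legitimate accounts.* host of a brand not in the list would light up.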

Thursday, May 22, 2014

Blackshades RAT leads to 97 Arrests in 16 countries

On May 19, 2014, the FBI announced a worldwide coordinated action against criminals who created, sold, and used a Remote Administration Trojan (RAT) known as BlackShades. In the FBI's BlackShades Press Release they shared that 40 participating FBI Field Offices had conducted 100 interviews, executed more than 100 e-mail and physical search warrants and seized more than 1,900 domains used by BlackShades to control victims' computers.


(image from FBI.gov)

The case actually was a spin-off from another major international operation called "Operation Card Shop" that we wrote about in April 2012 (see SOCA & FBI seize 36 Criminal Credit Card Stores). As Law Enforcement reviewed the seized websites from that case, they began to realize the extent of the role of the BlackShades RAT in the theft of credit card information, and also that the operation was much larger than they had at first believed. One of those arrested during Operation Card Shop was Michael Hogue, one of the co-authors of Blackshades, who agreed to cooperate in unveiling the rest of the BlackShades operation.

Blackshades and Miss Teen USA

For many Americans, the first time they heard of Blackshades was in the case of Miss Teen USA 2013, Cassidy Wolf. In that case, Blackshades customer Jared James Abrahams, a 20-year-old college student, used Blackshades to begin capturing video from Cassidy's webcam. The victim, unaware that their webcam is even recording, goes about their business, including dressing and undressing. For most teens, having a laptop on in the bedroom is not unusual, and after capturing some nude images, Abrahams attempted to extort additional videos in exchange for not releasing the first images to Cassidy's friends on Facebook. But Blackshades is able to do so much more than capture an occasional nude image! While most commonly used for good old fashioned credential and credit card theft, Blackshades has also been used to infiltrate Syrian rebel computers, as first reported by the EFF and with many more details shared by MalwareBytes.

Blackshades CoCreators HOGUE and YÜCEL

Michael Hogue, who used the hacker name xVisceral, was originally arrested in Tucson, Arizona as part of a group of arrests announced by Preet Bharara, the US Attorney in the Southern District of New York, on June 26, 2012 as part of the follow-up to Card Shop. In addition to xVisceral/Hogue, that sweep grabbed up 404myth (Christian Cangeopol of Lawrenceville, Georgia), Cubby (Mark Caparelli of San Diego, California), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, New York), JoshTheGod (Mir Islam of Manhattan, New York), IwearaMAGNUM (Peter Ketchum of Pittsfield, Massachusetts), theboner1 (Steven Hansen, who was already in jail in Wisconsin) as well as 13 others in the UK (6), Bosnia (2), Bulgaria (1), Norway (1), and Germany. (See: Manhattan U.S. Attorney and FBI Assistant Director in Charge Announce 24 Arrests in Eight Countries as Part of International Cyber Crime Takedown).

For a fascinating "how I became a hacker" biography interview, please see The Rise and Fall of xVisceral, which details how, as a 17-year-old Halo player, xVisceral was first introduced to hacking as a way to cheat other Halo players, and gives a detailed history of how this led to ever-more-advanced hacking tools and ultimately the creation of Blackshades. (the original source is currently unavailable, this is an archived copy of an article from:

The Charges against Hogue (filed January 9, 2013) say that "Michael Hogue a/k/a xVisceral, the defendant, and others known and unknown, willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking in violation of Title 18, USC, Section 1030(a)(5)(A)." It was part of the conspiracy that Hogue and others "did cause the transmission of a program, information, code and command, and as a result of such conduct, would and did intentionally cause damage without authorization, to a protected computer, which would and did cause damage affecting 10 and more protected computers during a one-year period, in violation of Title 18, USC Sections 1030(a)(5)(A), 1030(c)(4)(B)(i), and (c)(4)(A)(i)(VI), to wit, HOGUE used malware to infect computers and sold that malware to others, enabling them to infect and remotely control victims' computers."

Like most RATs, once a victim has been tricked into clicking on the installer, the RAT is controlled by connecting to a server used for that purpose. The FBI was able to learn considerably more about the person being described as the "co-creator" of BlackShades, Alex YÜCEL (also spelled Alex Yucel, Alex Yucle, Alex Yuecel), AKA marjinz, AKA Victor Soltan, by tracking one of his servers as they investigated the various domains used to host the servers for the malware. In one case, Alex contacted a company to lease certain computers for this purpose (November 8, 2012), paying for them on January 30, 2013. On March 18, 2013, he sent email requesting tech support due to a problem with his servers. Alex was the administrator of "www.blackshades.ru" and "www.bshades.eu". Alex is a 24-year-old citizen of Sweden, arrested in Moldova and awaiting extradition to the United States.

Symantec actually has an interesting screenshot from 2011 where Hogue claims to be resigning from Blackshades and turning full control over to "marjinz" in a post shared in their article from June 2012 when Hogue was first arrested. The fact that so many "script kiddie" hackers use Hack Forum may be part of why Blackshades was so popular:


(Source: www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested )

A Sample Customer: kbello

A look at the Criminal Complaint against one of his customers may be revealing. Kyle Fedorek (aka kbello) was charged May 15, 2014 in the Southern District of New York. On September 12, 2012, kbello purchased a copy of Blackshades over the Internet. An undercover FBI agent in New York had also purchased the software on June 30, 2010 from the same source. The FBI used this criminal complaint to document the scope and abilities of Blackshades. Between September 12, 2012 and March 2014, kbello acquired "thousands" of credit card numbers and financial account numbers through hacking using the RAT. According to the Criminal Complaint, the FBI agent described Blackshades as giving the hacker "Free rein to, among other things, access and view documents, photographs and other files on the victim's computer, record all of the keystrokes entered on the victim's keyboard, steal the passwords to the victim's online accounts, and even activate the victim's web camera to spy on the victim -- all of which could be done without the victim's knowledge."

The FBI's investigation has shown that the RAT was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide.

After kbello purchased his copy of the RAT, it was used against at least 400 victims, and was also part of a suite of additional malware that he installed on the victims' computers. After a victim was infected, the hacker could activate the "Spreader" module on that victim's computer, which would use that victim's chat programs (AOL/AIM, ICQ, MSN) and any USB devices attached to the computer to attempt to infect others.

Other modules of the program allowed the hacker to encrypt any files on the system and display a Ransomware message, demanding that payment be sent to decrypt the files. The message could be customized per victim, or the same message could be sent to many victims.

Many other modules were available, including password stealers, webcam capture tools, DDOS attack tools, and others.

Records from the primary Blackshades server indicate that the program, which often sold for as little as $40 per copy, had generated $350,000 in direct sales between September 2010 and April 2014. When a purchase was made, the purchasing hacker would establish a domain name that he or she would use as their main "controlling" domain. A custom version of the software was then generated which would only direct infected computers to that domain. The logs on the server indicate there were at least 6,000 Blackshades customer accounts for users in 100 countries, and that at least 1,900 domain names had been registered by customers to control infected computers. All 1,900 of these domains have been seized by the FBI, so the RAT can no longer control the infected computers.

In February 2013, the FBI obtained a warrant to search the email account "blackshadessupport@hotmail.com" - which Yucel used to communicate with his employees who were offering technical support and administering his various infrastructure. The search revealed many email communications requesting customer support and also contained copies of receipts sent to customers for various products and services offered by the Blackshades organization.

This search warrant revealed a home address in Stony Point, New York for Kyle Fedorek when he purchased "Blackshades Remote Controller (R.A.T.) for 40.00 USD". The seized Blackshades Server also provided the information that KBello had registered the hostnames "kbella.zapto.org" and "kbello.zapto.org" as his controllers. The IP address to which these names resolved in April and May of 2013 was subscribed to at the Fedorek Residence.
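Two facts from the complaint translate directly into resolver-side detection: every Blackshades customer bound their build to one "controlling" domain, and kbello's controllers were free dynamic-DNS names under zapto.org. A host that looks up such a name on a steady timer is behaving like a bot checking in with its controller. The script below is an added example written for this post, not an FBI or Blackshades artifact: the query-log line format, the dynamic-DNS provider list, the seized-domain list (a placeholder) and the sample log lines are all constructed or assumed.

```python
"""Hunt DNS query logs for RAT controller lookups: dynamic-DNS names and known
seized controller domains, plus a check for beacon-like regular intervals.

Added example (not from the original post). The log format, provider list,
seized list and sample lines are constructed / assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Free dynamic-DNS zones a RAT customer can register a controller under (assumed list).
DYNDNS_SUFFIXES = {"zapto.org", "hopto.org", "no-ip.org", "no-ip.biz", "ddns.net"}
# Placeholder: a real deployment would load the seized/sinkholed controller list from LE notices.
SEIZED_CONTROLLERS = {"example-seized-controller.invalid"}

# Assumed resolver log shape: "<iso timestamp> client <ip> query: <name> <type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\d+\.\d+\.\d+\.\d+) query: (?P<name>\S+) (?P<type>[A-Z]+)$"
)

# Constructed sample log: one host checking in with a zapto.org name every ~5 minutes.
SAMPLE_LOG = """\
2013-04-02T10:00:01 client 10.0.0.5 query: www.example.com A
2013-04-02T10:00:03 client 10.0.0.7 query: kbello.zapto.org A
2013-04-02T10:05:03 client 10.0.0.7 query: kbello.zapto.org A
2013-04-02T10:10:04 client 10.0.0.7 query: kbello.zapto.org A
2013-04-02T10:15:03 client 10.0.0.7 query: kbello.zapto.org A
2013-04-02T10:16:00 client 10.0.0.9 query: mail.example.com MX
2013-04-02T10:17:30 client 10.0.0.12 query: example-seized-controller.invalid A
"""


def matches_suffix(name, suffixes):
    """True if name equals or sits under any of the given zones."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(name):
    """Return the reason a queried name is interesting, or None."""
    if matches_suffix(name, SEIZED_CONTROLLERS):
        return "known controller domain"
    if matches_suffix(name, DYNDNS_SUFFIXES):
        return "dynamic-DNS hostname"
    return None


def parse_log(text):
    """Parse query lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                       "name": m["name"].lower(), "type": m["type"]})
    return events


def beacon_interval(timestamps, tolerance=30):
    """Median gap in seconds if >=3 lookups recur at a near-constant interval, else None."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = sorted((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
    if gaps[-1] - gaps[0] > tolerance:
        return None
    return gaps[len(gaps) // 2]


def analyse(text):
    """Group flagged lookups per (client, name) and report count and beacon interval."""
    by_pair = defaultdict(list)
    for ev in parse_log(text):
        reason = classify(ev["name"])
        if reason:
            by_pair[(ev["ip"], ev["name"], reason)].append(ev["ts"])
    return [{"client": ip, "name": name, "reason": reason, "count": len(stamps),
             "beacon_seconds": beacon_interval(stamps)}
            for (ip, name, reason), stamps in sorted(by_pair.items())]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        beacon = f"beacon every {f['beacon_seconds']:.0f}s" if f["beacon_seconds"] else "no regular interval"
        print(f"{f['client']} -> {f['name']} ({f['reason']}, {f['count']} lookups, {beacon})")
```

Dynamic-DNS lookups are common enough on a home or campus network that the suffix match alone is a lead rather than an alert; the regular-interval check is what separates a RAT phoning home from someone reaching their own hobby server. A seized-domain hit, by contrast, is worth an immediate look at the client regardless of timing, since that host is still trying to reach a controller that law enforcement has already taken over.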

In a subsequent search warrant, executed March 6, 2014, agents seized a laptop from the bedroom of Kyle Fedorek, where the username of the laptop was Kyle, and recovered a copy of the Blackshades RAT. The RAT was configured to run the "Form Grabber" (stealing any information victims typed into a webform, such as a userid and password prompt box on a banking website). At least 400 victims had unwittingly provided information to Fedorek through this form grabber. The laptop was also being used to run other malware schemes, including CARBERP, Andromeda, and Citadel, and had evidence of having been used to create Phishing sites as well. DDOS tools and SQL Injection tools were also present. More than 9,000 sets of userids and passwords and 50,000 sets of credit card information were found on the laptop.

The UK's National Crime Agency

The UK's National Crime Agency (NCA, formerly SOCA) issued their own press release (see Unprecedented UK Operation aids global strike against Blackshades malware) indicating that 17 Blackshades customers were apprehended in the UK and that their records suggested that at least 200,000 worldwide victims had their information harvested by Blackshades customers in the UK.

EuroJust

The European Union's Judicial Cooperation Unit in The Hague also issued a press release (see International operation hits Blackshades users). They indicated that at least 359 "house searches" were carried out worldwide and that 97 people had been arrested. 1,100 data storage devices had been seized in those searches, including computers, mobile phones, external hard drives, and USB memory sticks, in addition to "substantial quantities" of cash, illegal firearms, and drugs.

Dutch High Tech Crime Team

The Dutch High Tech Crime Team was able to secure a server in Delft operated by an 18-year-old Black Shades customer. One of their most high-profile Blackshades customers was a 19-year-old man who was controlling more than 2,000 webcams being used to capture photos and videos of female victims. The Dutch police seized 96 computers and laptops, 18 mobile phones, and 87 USB sticks and hard drives during searches on 34 residences. (See: 34 Dutch homes raided in worldwide crackdown on hacking software.)

Dutch High Tech Crimes statement - www.om.nl/actueel/nieuwsberichten/@162701/wereldwijde-actie/