Security Corner:

Cybercrime

Oct 29 2009   1:16AM GMT

18 Nigerian Spammers Headed for the Slammer



Posted by: Ken Harthun
Nigerian 419 Fraud, E-mail scam, Cyber-criminal, Cybercrime

Nigeria’s Economic and Financial Crimes Commission (EFCC) says that their “Operation Eagle Claw” has so far seen members of 18 syndicates arrested and 800 scam websites shut down. The chairman of the anti-scam force, Mrs. Farida Waziri said:

We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails.

At the moment, Eagle Claw has delivered the following results:

Over 800 fraudulent e-mail addresses have been identified and shut down. The EFCC is fine tuning security modalities with Microsoft and upon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly.

There have been 18 arrests of high profile syndicates operating cyber crime organizations.

When it [Eagle Claw] is fully deployed, it will afford the EFCC the option of either monitoring or shutting down all fraudulent email addresses. The EFCC would also have identified victims and potential victims and advised them that their email has been compromised.

Does this mean we won’t be getting any more of those touchy-feely emails from Mrs. Farzad Arubi (or whatever bogus names they use these days) who really needs our help to move a million dollars from her late (murdered) husband’s estate?

Not likely, but it’s good to see some of the perpetrators taking it on the chin.

Oct 13 2009   1:20PM GMT

Protecting Your Business from Online Banking Fraud



Posted by: Ken Harthun
Security, Secure Computing, security awareness, Cybercrime, Fraud, Online banking fraud, Linux, Microsoft Windows

I’m pleased to see some professionals with clout advocating a security practice I have often recommended to my clients. Brian Krebs of The Washington Post and SANS Institute are both pushing the use of Linux live CDs for online banking. Krebs’ latest article, “Avoid Windows Malware: Bank on a Live CD,” starts off by recommending people NOT use Microsoft Windows for online banking:

An investigative series I’ve been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.

Krebs has reported frequently about some of the more prominent online banking fraud incidents, including the hack against Bullitt County, Ky. and two California firms that lost a combined total of more than half a million dollars, both of which were using two-factor authentication requiring the use of a security token.

The credential-stealing Trojans used in these attacks were designed to avoid detection by normal anti-malware software, so the victims had no clues that they had been infected. With the huge amounts of money involved, it’s likely the cybercriminals have evolved their programming skills to the point where it will be difficult for security firms to keep up.

It’s not surprising, then, that SANS, as a direct result of Krebs’ reporting, issued a challenge to its students to create a white paper to determine the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. The report, “Protecting Your Business from Online Banking Fraud,” addresses the issue. Here’s that report’s Abstract:

Recently, small and medium businesses have lost millions of dollars from fraudulent electronic financial transactions.  This paper reviews the threat and provides guidance for mitigating the threat.  These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department.  After the comptroller’s computer is compromised, sophisticated malware is used to eavesdrop on the comptroller’s activity and account credentials for financial systems.  Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000.  These smaller amounts fly under the laundering detection mechanisms in the US Bank Secrecy Act.  In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations.  The paper provides a number of possible ways to mitigate these types of attacks.  A defense in depth approach is used to provide multiple mitigation recommendations.  The number one recommended mitigation is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. [emphasis added] The mitigation steps also include protecting the email address of the comptroller, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring financial transactions.

I highly recommend that everyone responsible for security in their organization read this paper.


Sep 19 2009   3:05PM GMT

Malvertising an Ever-expanding Threat



Posted by: Ken Harthun
Anti-malware, Cybercrime, Fraud, Microsoft Windows, Firefox, Security, Malware, Scareware, Scam, Secure Computing

As if we don’t already have enough to deal with, it seems that malvertising (a technique where malicious code is placed in an online ad to either mislead the user or infect their computer) is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice of a threat, you know it has some teeth.

The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malvertisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.

Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).

As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.

Caveat araneo-fluitator! (Let the web-surfer beware!)

What do you think? Leave a comment!


Jul 30 2009   8:54PM GMT

PANDALABS REVEALS EXPONENTIAL GROWTH IN ROGUEWARE



Posted by: Ken Harthun
Security, Malware, Cybercrime, Cyber-vandal, Rogueware, Cyber-criminal

Rogueware? The names just keep coming. It’s another name for Scareware, that stuff designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. The end result is to steal money from PC users by luring them into paying to remove nonexistent threats. Disturbing statistics point out why this stuff won’t go away:

  • Cybercriminals are earning approximately $34 million per month through rogueware attacks
  • Approximately 35 million computers are newly infected with rogueware each month
  • Rogueware is being distributed through Facebook, MySpace, Twitter, Digg and targeted BlackHat SEO attacks
  • Research confirms that the majority of cybercriminals operate from Eastern Europe

PandaLabs, Panda Security’s malware analysis and detection laboratory, announced yesterday that they’ve made a multi-year study available that examines the proliferation of rogueware into the overall cybercriminal economy. The report, “The Business of Rogueware,” by PandaLabs researchers, Luis Corrons and Sean-Paul Correll, reviews the various forms of rogueware that have been created, and displays how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

It’s very clear the whole landscape has changed from a vandal model to a profit model. It used to be that the cyber-vandals trashed your hard drive and wrecked your website; now, cyber-criminals use tactics to steal your identity and extort money from you. The damage is no less costly; it has just increased in both the intensity of emotional pain and the amount of financial loss. The difference is that cyber-vandals didn’t have a payday—cyber-criminals do.

And people ask me why I’m adamant about cyber-security…


Jun 30 2009   1:32AM GMT

Accused Spam King Alan Ralsky Pleads Guilty



Posted by: Ken Harthun
Cybercrime, Botnet, E-mail scam, spam, Scam

Once again, I’m behind on the news. This Security Fix report is almost a week old:

Alan Ralsky, a 64-year-old Michigan man that federal investigators say was among the world’s top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.

Ralsky … and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act.

Under the terms of his plea agreement, Ralsky faces a federal prison sentence of 87 months and a fine of $1 million. He allegedly earned up to $3 million on the Chinese penny stock scam that he promoted using junk mail sent out by various botnets. It’s interesting that the plea agreement doesn’t call for the forfeiture of his profits. So, he’ll spend his time in a minimum-security “camp” at taxpayer expense and probably get released well before his full sentence is up, all the while earning interest on the money he has squirreled away somewhere.

BTW, my apologies for being lax in keeping this blog up to date. I do have an excuse: I tore ligaments in my left hip and have been unable to sit, stand or lie down for the better part of two weeks. Look for a more regular posting schedule next month.


Jun 29 2009   7:01PM GMT

Spam, Phishing, and Malware Related to Recent Celebrity Deaths



Posted by: Ken Harthun
Cybercrime, Identity Theft, E-mail scam, Phishing, Social Engineering, Malware, Scam

Michael Jackson malware? Farrah Fawcett phishing attempts? Billy Mays spam? Ed McMahon notifies you, from the other side of the grave, that you’ve just won the million-dollar Publisher’s Clearinghouse (but you have to send him some money first)? Yes, expect it. US-CERT is monitoring reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths. Here’s a typical example:

To: <redacted>
Subject: Confidential===Michael Jackson
Date: Thu, 25 Jun 2009 19:25:50 –0400

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secrective to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us.

Notice the blatant misspellings, lack of punctuation and obvious grammatical mistakes from someone who is clearly not a native English-speaking person. If you get this email, delete it immediately. Same with anything related to any of the other celebrities’ deaths.

They’re all from scammers (criminals) either trying to steal your money, your identity or both.


Jun 18 2009   9:29PM GMT

How to Use the Windows Registry for Cyber Forensics: Part 2



Posted by: Ken Harthun
Cyber Forensics, Cybercrime, Encryption, Intrusion detection, Hacking

In Part 1 of this series, I introduced you to the concept of date/time coincidence and we explored five registry keys that are useful to the forensic examiner. This time, I’ll show you how data can be encrypted and hidden in the registry.

If you’re involved in data security, you’re familiar with cryptography in some fashion and you know that ciphers (algorithms for performing encryption and decryption) are what do the work. You probably also know that there are a few quick-and-dirty algorithms for encrypting data. One such algorithm is known as the Caesar Cipher, or ROT-13, a simple algorithm that encrypts data by shifting each character 13 places in the alphabet while leaving non-alpha characters untouched. It’s so simple that you can decrypt it manually, but it’s enough to fool the casual observer. Anyone coming across something like “cnffj beqsb egurf rperg svyrf vfcnf fjbeq” is naturally going to assume it’s encrypted; in fact, it’s ROT-13 for “password for the secret files is password.” I broke it up into five-character groups to make it more convincing.

For whatever reason, Microsoft uses ROT-13 to encrypt data in some registry keys. One such key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Here’s an example value name: “HRZR_EHACNGU:P:\AFYBBXHC.RKR.” Decrypted, that’s “UEME_RUNPATH:C:\NSLOOKUP.EXE.” (We’ll look at the UserAssist key in Part 3.) A better way to hide data is to encode text-based information in binary format and store that binary form as a string in registry values of type REG_SZ. Given that binary data is common in the registry, the technique would make it extremely difficult to retrieve the hidden information.

In addition to using ROT-13 and binary encoding to obfuscate data, a suspect could take advantage of a flaw in the registry editor to also make the data invisible to anyone but a forensics examiner who knows about the flaw. From “Forensic Analysis of the Windows Registry:”

The Windows 2000 and XP Registry Editor (regedit.exe or regedt32.exe) has an implementation flaw that allows hiding of registry information from viewing and editing, regardless of users’ access privilege (Secunia, 2005). The flaw involves any registry values with names from 256 to 259 (maximum value name) characters long. The overly long registry value (regardless of type) not only hides its own presence, but also subsequently created values (regardless of type) in the same key (Franchuk, 2005). The editor stops displaying the remaining values, treating the overly long value as the last value in that key. A suspect could exploit such a Registry Editor flaw to hide information.

The Windows console registry tool (reg.exe) can display these overly long registry values so the hidden data can be recovered as evidence; however, given the sheer number of entries in the registry, this process is not trivial.
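To make the two points above concrete (the ROT-13 obfuscation of UserAssist value names, and the overly long value names that the Windows 2000/XP Registry Editor fails to display), here is an added Python example. It is not code from the post or from any forensic tool; the ROT-13 routine is written out rather than imported so the shift is visible, the `SAMPLE_USERASSIST_NAMES` list is constructed (the two real names come from the post, the 256-character name is made up), and the 256-character threshold is taken from the paper quoted above.

```python
# Added example: decode ROT-13 UserAssist value names and flag value names long
# enough to trigger the regedit display flaw described in the quoted paper.

def rot13(text: str) -> str:
    """Shift each ASCII letter 13 places, leaving every other character alone.
    Since 13 + 13 = 26, applying rot13 twice returns the original text, so
    the same function both "encrypts" and "decrypts"."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_userassist_names(value_names):
    """Map each obfuscated UserAssist value name to its readable form."""
    return {name: rot13(name) for name in value_names}


# Value-name length at which the Windows 2000/XP Registry Editor stops
# displaying values in a key (the quoted paper gives 256 to 259 characters).
# reg.exe still lists such values, which is how the evidence is recovered.
REGEDIT_HIDDEN_NAME_MIN_LEN = 256


def find_hidden_value_names(value_names):
    """Return the value names that are long enough to hide themselves (and any
    values created after them in the same key) from the Registry Editor."""
    return [n for n in value_names if len(n) >= REGEDIT_HIDDEN_NAME_MIN_LEN]


# Constructed sample: the two names from the post plus a made-up 256-character
# name ("HRZR_EHACNGU:" is 13 characters, so 13 + 243 = 256).
SAMPLE_USERASSIST_NAMES = [
    "HRZR_EHACNGU:P:\\AFYBBXHC.RKR",
    "HRZR_EHACNGU",
    "HRZR_EHACNGU:" + "N" * 243,
]


if __name__ == "__main__":
    for raw, clear in decode_userassist_names(SAMPLE_USERASSIST_NAMES).items():
        print(f"{raw[:40]:<40} -> {clear[:40]}")
    print("names that regedit would not display:",
          len(find_hidden_value_names(SAMPLE_USERASSIST_NAMES)))
```

Decoding the five-character groups from earlier in the post works the same way: `rot13("cnffj beqsb egurf rperg svyrf vfcnf fjbeq")` gives `passw ordfo rthes ecret files ispas sword`, because the spaces are non-alpha characters and pass through untouched.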

I hope this series is giving you some insight, perhaps even piquing your interest, in cyber forensics. Hit the comment button and tell me what you think.

In Part 3, we’ll explore some keys that can tell us where a suspect has been storing files.


May 31 2009   7:38PM GMT

Are YOU a Hacker?



Posted by: Ken Harthun
Security, Hacking, Cybercrime, Opinion

Are you? It’s not necessarily a derogatory term. Neither is “geek.” But what does “hacker” really mean? Here’s one opinion:

Someone that is looking to work outside the normal parameters. The media grabs the term and turns it into something bad. Like all hackers are evil and looking to steal your identity, your money and bring down the system in some [sort of] anti-government/corporate protest. Sure there are always extremist[s] on either side of nearly any issue…For a true hacker, statements like, "Never do this…" or "one use only" or even better the golden "authorized users only" tend to get us thinking. What is behind that interface, that door, that piece of tape that will void my warranty if removed you are trying to keep me from learning.

Folks, I’m a hacker. I hack computers and networks—it’s part of my job—I don’t do anything malicious, but I dig into things I probably shouldn’t. I’ve always been the kind of guy who takes things apart to see what makes them tick. Usually, I get them back together the way they were. Sometimes, I break them; but, I always come away with a better understanding of how things work.

If more people were “hackers,” if more people knew how things work, if more people *understood* how this universe is put together, if more people even cared to look, this world would be a better place.

I’m a hacker. Are you?


May 29 2009   1:59AM GMT

ID Analytics Service Validates Identity Exposure Index



Posted by: Ken Harthun
Security, Cybercrime, Security management, Identity Theft, Identity Exposure Index

A new, free service offered by ID Analytics, www.myidscore.com, validates the Identity Exposure Index (iEi) concept I proposed last month (What’s Your Identity Exposure Index?). While the results of the iEi investigation give you an index between 0 and 5, the MyIDScore.com results range from 0 to 1000. In both tests, the higher the score, the more at risk you are.

I compared iEi results for myself and my wife with those obtained from myidentityscore.com and was a bit surprised at the correlation: my iEi is exactly 4 times my wife’s; my My ID Score is 3.9 times my wife’s. I consider that a pretty strong case for my method. ID Analytics’ technology is patented, but they do reveal that they rely on real-time, cross-industry compilation of identity information, some other identity-specific analytics, and a database of reported identity frauds.

I don’t question the validity of their method and it’s certainly easier to go to their web site and enter a few pieces of basic information than it is to figure out your iEi, but it sure is interesting that my little “invention” appears to be just as valid.

You be the judge; do your own test and please let me know what you find.


May 27 2009   8:25PM GMT

How to Use the Windows Registry for Cyber Forensics: Part 1



Posted by: Ken Harthun
Security, Cybercrime, Cyber Forensics, Computer Forensics, Microsoft Windows, Windows Registry

I recently completed the free SANS mini-course on cyber forensics (see my post, Free Mini-courses from SANS). That course could not have shown up at a more opportune time, as I had just been asked to see if I could determine whether a client’s former employee had stolen their customer list. I learned a bit about looking in some nooks and crannies, specifically the Windows registry, that I hadn’t considered before and was able to determine with reasonable certainty that the employee had not saved any sensitive information to any external storage media.

I’m no expert in this subject, but I’m confident that I now have a good idea of how to conduct a quick and dirty preliminary forensic examination based upon information found in the Windows registry. When you consider that virtually everything you or a program does in Windows refers to or is recorded into the registry, it stands to reason that it will reveal most anything from minor mischief to major mayhem to the examiner who knows where to look. In this first part, we’ll take a look at how to examine the registry and explore a few of the more common registry entries that have potential forensic value.

Let me first introduce you to the concept of date/time coincidence. All the evidence in the world means little unless it can be shown that it coincides with the time window of the specific incident in question. Therefore, it’s very important that you examine the “LastWrite” time of each key you examine. While this property doesn’t tell you what value was written, knowing the LastWrite time of a key can allow you to infer the date/time coincidence of an event. You can determine the LastWrite time by right-clicking any key, selecting “Export” and then saving it in .txt format. When you open the .txt file, you’ll see something similar to this:

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Class Name:        <NO CLASS>
Last Write Time:   5/27/2009 - 12:29 PM
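The LastWrite check above is tedious to do by hand across many keys, so here is an added Python example of the date/time-coincidence test applied to the text that regedit’s Export-as-.txt produces. It is not code from the post or from SANS; the `SAMPLE_EXPORT` text is constructed (the key names are the ones this post discusses, the timestamps are made up), and the incident window is an assumed example of the time window an examiner would already have from the case.

```python
# Added example: parse regedit .txt exports and keep only the keys whose
# LastWrite time falls inside the incident window (date/time coincidence).
from datetime import datetime

# Constructed sample of several exported keys concatenated into one file.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices
Class Name:        <NO CLASS>
Last Write Time:   5/27/2009 - 12:29 PM

Key Name:          HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
Class Name:        <NO CLASS>
Last Write Time:   5/20/2009 - 9:05 AM

Key Name:          HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
Class Name:        <NO CLASS>
Last Write Time:   5/26/2009 - 11:47 PM
"""

# Format regedit uses on the "Last Write Time:" line of a .txt export.
TIME_FORMAT = "%m/%d/%Y - %I:%M %p"

# Assumed incident window for the example (constructed values).
INCIDENT_START = datetime(2009, 5, 26, 0, 0)
INCIDENT_END = datetime(2009, 5, 27, 23, 59)


def parse_export(text: str):
    """Return a list of (key_name, last_write) pairs from export text.

    Each key block starts with "Key Name:" and carries its own
    "Last Write Time:" line; splitting on the first colon keeps the
    colons inside the timestamp and the key path intact."""
    records = []
    current_key = None
    for line in text.splitlines():
        if line.startswith("Key Name:"):
            current_key = line.split(":", 1)[1].strip()
        elif line.startswith("Last Write Time:") and current_key is not None:
            stamp = line.split(":", 1)[1].strip()
            records.append((current_key, datetime.strptime(stamp, TIME_FORMAT)))
            current_key = None
    return records


def keys_written_in_window(text: str, start: datetime, end: datetime):
    """Key names whose LastWrite time lies within [start, end], inclusive."""
    return [key for key, written in parse_export(text) if start <= written <= end]


def leaf_names(key_paths):
    """Reduce full key paths to their last component for compact reporting."""
    return [path.rsplit("\\", 1)[-1] for path in key_paths]


def sample_incident_keys():
    """Leaf names of the sample keys written inside the assumed window."""
    return leaf_names(keys_written_in_window(SAMPLE_EXPORT, INCIDENT_START, INCIDENT_END))


if __name__ == "__main__":
    for key, written in parse_export(SAMPLE_EXPORT):
        flag = "IN WINDOW" if INCIDENT_START <= written <= INCIDENT_END else "outside"
        print(f"{written:%Y-%m-%d %H:%M}  {flag:<9}  {key}")
```

Remember what the post says about this property: a LastWrite time inside the window tells you the key was modified then, not which value was written, so a hit is a reason to look closer at that key, not evidence by itself.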

Here are five keys that can give you a quick overview of the activity on a given system and will tell you if it’s worth your effort to dig deeper. The fact that you’re investigating in the first place means that you have some idea of what you’re looking for and if you’re dealing with a non-technical user, it’s a good bet you’ll find something among these.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MRU is the abbreviation for “most recently used.” This key contains a list of files that were recently opened or saved via the Windows Explorer common dialog boxes. Note that this does not apply to Microsoft Office documents. The subkey named “*” contains the file paths to the 10 most recently opened/saved files.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Similar to the OpenSaveMRU key, but it also contains the name of the program executable file that was used to open/save the document as well as the path to the file. All of the information is in binary format.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

This key has a similar arrangement to OpenSaveMRU. Only the filename in binary format is stored here and it contains both network and local files recently opened.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Here you’ll find a list of entries with full file paths and commands that have been executed using the Start>Run command. This is useful to determine whether your suspect has been messing around in the registry, using the cmd shell or any management consoles.

HKCU\Software\Microsoft\Internet Explorer\TypedURLs\

A listing of the 25 most recent URLs or file paths typed into the IE or Windows Explorer address bar. Useful to determine what websites your suspect has been surfing, but this key is cleared if IE’s Clear History option is invoked. Still, some people may not know about it and some may forget. It’s a good way to disprove the I-have-no-idea-where-that-came-from excuse.

Next time, we’ll look into how data can be encrypted and hidden in the registry.