
Comments


Crooks Hack Music Players For ATM Skimmers

tsu doh nimh Re:Ballpeen hammer (82 comments)

Pull skimmer equipment off the ATM and walk away with it and you are likely to get busted by feds or local cops who may be monitoring the machine. If not, you are likely to be confronted by the scammer who put the thing there in the first place. It's not uncommon for these things to disappear the minute someone from the bank notices something's wrong and goes inside to report it. That's because the thieves often are somewhere nearby watching the machine.

more than 3 years ago

Cybercriminals Shifting To Bugat

tsu doh nimh I just love press releases (48 comments)

Wondering how much this "story" actually differs from the Trusteer press release, below:

NEWS RELEASE FOR IMMEDIATE DISTRIBUTION

Trusteer Researchers Find Criminals are Diversifying Financial Attacks with New Version of Bugat Malware

Bugat Quietly Distributed in Recent LinkedIn Phishing Assault; Unlike Zeus Trojan, it is Less Well Known and Harder to Detect

NEW YORK, Oct. 12, 2010 - Trusteer, the leading provider of secure browsing services, today announced that its researchers have discovered a new version of the Bugat financial malware used to commit online fraud. Bugat was distributed in the recent phishing campaign targeting LinkedIn users, which was generally considered to be trying to infect machines with the more common Zeus Trojan. The emergence of this new version of Bugat appears to be an attempt by criminals to diversify their attack tools using a platform that is less well known and therefore harder to detect and block.

Bugat is similar in functionality to its better known financial malware brethren Zeus, Clampi and Gozi. It targets Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen financial credentials are used to commit fraudulent Automated Clearing House (ACH) and wire transfer transactions mostly against small to midsized businesses, which result in high-value losses. Bugat is three times more common in the US than Europe, but its distribution is still fairly low.

In last week's attack, LinkedIn users received emails reminding them of pending messages in their account and providing a malicious URL. When a victim clicked on the link they were directed to a fraudulent website where a java applet fetched and installed the Bugat executable. LinkedIn spam email is an effective tool to push malware to enterprise users, and is being used to gather credentials for commercial bank accounts and other sensitive services used by businesses.

"Criminals are stepping up their malware distribution efforts by continuously updating configurations of well known malware like Zeus, and using new versions of less common Trojans like Bugat, to avoid detection,"

said Mickey Boodaei, CEO of Trusteer. "We are in an arms race with criminals. Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet."

Trusteer warns that the recent industry focus on Zeus is making it easier for other Trojans, like Bugat, SpyEye, and Carberp, which are less widespread but equally sophisticated, to avoid detection. Carberp currently targets nine banks in the United States, Denmark, The Netherlands, Germany, and Israel. These lesser known financial malware platforms are expected to increasingly compete with the Zeus toolkit to become the new Trojan of choice for criminal groups.

Blocking and Removing Bugat

The Trusteer Secure Browsing Service protects banking and other online sessions by blocking attacks and then disinfecting machines that are infected with Bugat and other financial malware including Zeus, SpyEye, and Carberp. When a Trusteer user browses to sensitive websites such as internet banking, Webmail, or online payment pages, the service immediately locks down the browser and creates a tunnel for safe communication with the web site. This prevents malware like Bugat from injecting data and stealing information entered and presented in the browser. The service is directly connected to the bank (or other online business protected by Trusteer) and to Trusteer's 24x7 fraud analysis service. Attempts to steal money from consumers protected by Trusteer are immediately detected by the bank or operator of the website and are blocked using various layers of protection.

more than 3 years ago

Banks Urge Businesses To Lock Down Online Banking

tsu doh nimh Re:what about this (201 comments)

The malware discussed in the blog posts linked from the summary illustrates how the crooks are defeating SecurID-like tokens, as well. Zeus, e.g., is often seen in an attack rewriting the HTML of the bank's Web site as the victim sees it in his or her browser. In the simplest case, where the code is required at login, the attackers simply serve the victim with a maintenance page (down for maintenance, please try back in 15 min); e.g., "Beware of Error Pages at Bank Web Sites". Some banks require businesses to provide a SecurID or other token key when they initiate a wire or ACH transfer. This is getting closer to the solution, but a lot of commercial banks don't like to require that because many customers initiate such a high number of transfers each day that it becomes impractical. The hard-to-attack solution -- which really doesn't address the usability issue -- is to require the SecurID number both on login and on transfer.

more than 4 years ago
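The two policies the comment above contrasts (a one-time token code required only at login, versus required at login and again on each transfer), as an added Python model that is not part of the original comment or of Slashdot. The HOTP-style counter-based generator stands in for a SecurID-like device and is an assumption for illustration only; the `Bank` class, the password, the token seed and the hijacked-session scenario are all constructed here. What it shows is that once the server remembers the last accepted counter, the code consumed at login cannot be replayed at transfer time, so an attacker holding only the session (as the banking Trojans in the comment do) is stopped by the step-up policy but not by the login-only one.

```python
"""Constructed model of login-only vs. login-plus-transfer one-time codes.
The EventToken generator is HOTP-shaped (RFC 4226 style) and is an
assumption standing in for a SecurID-like device, not a real product."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


class EventToken:
    """Counter-based one-time code. The verifier remembers the last accepted
    counter, so any already-consumed code is rejected on replay."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted = -1  # counter of the most recently accepted code

    def code(self, counter: int) -> str:
        # What the device would display for a given counter value.
        mac = hmac.new(self.secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def verify(self, candidate: str, window: int = 5) -> bool:
        # Only counters strictly after the last accepted one are tried, so the
        # code used at login can never be accepted a second time.
        start = self.last_accepted + 1
        for counter in range(start, start + window):
            if hmac.compare_digest(self.code(counter), candidate):
                self.last_accepted = counter
                return True
        return False


class Bank:
    """Minimal online-banking backend; step_up_on_transfer selects the policy."""

    def __init__(self, password: str, token: EventToken, step_up_on_transfer: bool):
        self.password = password
        self.token = token
        self.step_up_on_transfer = step_up_on_transfer
        self.sessions = set()
        self.ledger = []

    def login(self, password: str, otp: str) -> Optional[str]:
        if not hmac.compare_digest(password, self.password) or not self.token.verify(otp):
            return None
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def transfer(self, sid: str, payee: str, amount: int, otp: Optional[str] = None) -> bool:
        if sid not in self.sessions:
            return False
        # Login-only policy: a valid session is all that is checked here.
        if self.step_up_on_transfer and (otp is None or not self.token.verify(otp)):
            return False
        self.ledger.append((payee, amount))
        return True


def simulate(step_up_on_transfer: bool) -> dict:
    """Victim logs in legitimately; the session is then used without a fresh
    code and with the replayed login code, and finally by the victim with a
    fresh code. Returns which of the three transfers the bank accepted."""
    token = EventToken(b"constructed-seed-not-a-real-token")  # constructed
    bank = Bank("correct horse", token, step_up_on_transfer)   # constructed
    login_code = token.code(0)  # the code the device showed at login
    sid = bank.login("correct horse", login_code)
    assert sid is not None
    return {
        "no_code": bank.transfer(sid, "mule", 9_500),
        "replayed_login_code": bank.transfer(sid, "mule", 9_500, otp=login_code),
        "victim_with_fresh_code": bank.transfer(sid, "landlord", 1_200, otp=token.code(1)),
    }


if __name__ == "__main__":
    print("login-only policy:", simulate(False))
    print("step-up policy:   ", simulate(True))
```

Under the login-only policy all three transfers go through because the session is the only thing checked; under the step-up policy only the victim's transfer with a fresh code succeeds. The model deliberately leaves the usability cost the comment mentions untouched: every transfer still needs a code.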

Washington Post Blog Shuts Down 75% of Online Spam

tsu doh nimh IronPort reports 66 percent drop in spam Tuesday (335 comments)

From their press release: "In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening."

more than 5 years ago

Submissions


Florida Arrests High-Dollar Bitcoin Exchangers for Money Laundering

tsu doh nimh tsu doh nimh writes  |  about 2 months ago

tsu doh nimh (609154) writes "State authorities in Florida on Thursday announced criminal charges targeting three men who allegedly ran illegal businesses moving large amounts of cash in and out of the Bitcoin virtual currency. Experts say this is likely the first case in which Bitcoin vendors have been prosecuted under state anti-money laundering laws, and that prosecutions like these could shut down one of the last remaining avenues for purchasing Bitcoins anonymously."

Michaels Stores Investigating Possible Data Breach

tsu doh nimh tsu doh nimh writes  |  about 3 months ago

tsu doh nimh (609154) writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story and news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it "recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack." In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."

The Case for a Global, Compulsory Bug Bounty

tsu doh nimh tsu doh nimh writes  |  about 4 months ago

tsu doh nimh (609154) writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue. To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."

Meet Paunch: The Accused Author of the BlackHole Exploit Kit

tsu doh nimh tsu doh nimh writes  |  about 4 months ago

tsu doh nimh (609154) writes "In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as "Paunch," the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits. As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: "The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunch's customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.""

Europol, Microsoft Target 2-million Strong ZeroAccess Click Fraud Botnet

tsu doh nimh tsu doh nimh writes  |  about 4 months ago

tsu doh nimh (609154) writes "Authorities in Europe joined Microsoft Corp. this week in disrupting "ZeroAccess," a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers. KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred. Europol has released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the ZeroAccess operators and shut down the botnet."

Limo Company Hack Exposes Juicy Targets, 850k Credit Card Numbers

tsu doh nimh tsu doh nimh writes  |  about 5 months ago

tsu doh nimh (609154) writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection between recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."

A Closer Look at the Syrian Electronic Army

tsu doh nimh tsu doh nimh writes  |  about 8 months ago

tsu doh nimh (609154) writes "Yesterday saw the publication of two stories focusing on two different Syrian men thought to be core members of the Syrian Electronic Army, the hacking group that took credit for recent break-ins that compromised the Web sites of The New York Times, The Washington Post and other media outlets. Working with a source who says he hacked into the SEA's servers this year, Vice.com profiles a fairly high-profile SEA member who uses the nickname "ThePro" and outs him as a young man named Hatem Deeb. Separately, Brian Krebs managed to get hold of the SQL database for the SEA's Web site after it was allegedly hacked this year, and follows a trail of clues back to one of two administrators of the SEA, which leads to another Syrian guy — a Web developer named Mohammed Osman, a.k.a. Mohamed Abd AlKarem."

Researchers Buy Twitter Bots to Fight Twitter Spam

tsu doh nimh tsu doh nimh writes  |  about 8 months ago

tsu doh nimh (609154) writes "The success of social networking community Twitter has given rise to an entire shadow economy that peddles dummy Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Krebsonsecurity.com writes about a paper (PDF) being released today at the USENIX conference that details how researchers spent almost a year and $5,000 buying up accounts from 27 Twitter account merchants, and then built templates to help Twitter detect accounts sold by these merchants — all with the aim of getting more of these bot accounts shut down before they can be used to spam legitimate Twitter users. The story goes into great detail on the lengths to which these account merchants will go to evade Twitter's anti-bot security measures."

DEF CON Advises Feds Not to Attend Conference

tsu doh nimh tsu doh nimh writes  |  about 9 months ago

tsu doh nimh (609154) writes "One of the more time-honored traditions at DEF CON — the massive hacker convention held each year in Las Vegas — is "Spot-the-Fed," a playful and mostly harmless contest to out undercover government agents that attend the show each year. But that game might be a bit tougher when the conference rolls around again next month: In an apparent reaction to recent revelations about far-reaching U.S. government surveillance programs, DEF CON organizers are asking feds to just stay away: "I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year," conference organizer Jeff Moss wrote in a short post at Defcon.org. Krebsonsecurity writes that after many years of mutual distrust, the hacker community and the feds buried a lot of their differences in the wake of 9/11, with the director of NSA even delivering the keynote at last year's conference. But this year? Spot the fed may just turn into hack-the-fed."

How Much is Your Gmail Account Worth to Crooks?

tsu doh nimh tsu doh nimh writes  |  about 10 months ago

tsu doh nimh (609154) writes "If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new OAuth service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground. From KrebsOnSecurity: "The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.""

Bit9 Breach Dates to July 2012, Tied to Attacks on U.S. Defense Firms

tsu doh nimh tsu doh nimh writes  |  about a year ago

tsu doh nimh (609154) writes "Last week, Bit9 — a security firm that offers application whitelisting services — disclosed that some of its customers had received malware signed with its secret digital certificates. The company has refused to say much about which customers were targeted, but a story by Brian Krebs today shows that the Bit9 certificate was stolen back in July 2012, and that the attack involved custom malware that was discovered by forensics firm Mandiant last August as the company was responding to several targeted breaches at U.S. defense contractors. The Bit9 breach is sure to add fuel to the fire over whether China's military is sponsoring these attacks, as claimed in a 70+page report issued by Mandiant earlier this week."

Bit9 Hacked, Stolen Certs Used to Sign Malware

tsu doh nimh tsu doh nimh writes  |  about a year ago

tsu doh nimh (609154) writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known "safe" files from computer viruses and other malicious software. A leading provider of "application whitelisting" services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."

Washington Post: We Were Also Hacked by the Chinese

tsu doh nimh tsu doh nimh writes  |  about a year ago

tsu doh nimh (609154) writes "A sophisticated cyberattack targeted The Washington Post in an operation that resembled intrusions against other major American news organizations and that company officials suspect was the work of Chinese hackers, the publication acknowledged on Friday. The disclosure came just hours after a former Post employee shared information about the break-in with ex-Postie reporter Brian Krebs, and caps a week marked by similar stories from The New York Times and The Wall Street Journal. Krebs cites a former Post tech worker saying that the publication gave one of its hacked servers to the National Security Agency for analysis, a claim that the Post's leadership denies. The story also notes that the Post relied on software from Symantec, the same security software that failed to detect intrusions at The New York Times for many months."

Java Zero-Day Vulnerability Rolled into Exploit Packs

tsu doh nimh tsu doh nimh writes  |  about a year ago

tsu doh nimh (609154) writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname “Paunch,” announced yesterday on several Underweb forums that the Java zero-day was a “New Year’s Gift,” to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

Turkish Registrar Enabled Phishing Attacks Against Google

tsu doh nimh tsu doh nimh writes  |  about a year ago

tsu doh nimh (609154) writes "Google and Microsoft today began warning users about active phishing attacks against Google's online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a domain registrar run by TURKTRUST Inc., a Turkish domain registrar. Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the ".google.com" domain. "TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates," Google said in a blog post today. Microsoft issued an advisory saying it is aware of active attacks using one of the fraudulent digital certificates issued by TURKTRUST, and that the fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against virtually any domain. The incident harkens back to another similar compromise that happened around the same timeframe. In September 2011, Dutch certificate authority Diginotar learned that a security breach at the firm had resulted in the fraudulent issuing of certificates."

Cookie-stealing Yahoo.com Exploit on Sale for $700

tsu doh nimh tsu doh nimh writes  |  about a year ago

tsu doh nimh (609154) writes "A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. Krebsonsecurity.com writes that the exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account."

Infamous Chinese Hacker Heads Antivirus Startup

tsu doh nimh tsu doh nimh writes  |  about a year and a half ago

tsu doh nimh (609154) writes "Questions about who is in charge at an antivirus company startup called Anvisoft prompted an investigation into the company's history. Digging through the company's registration records and other clues, Krebsonsecurity.com offers compelling evidence that the firm is headed by Tan Dailin, an infamous Chinese hacker "Wicked Rose," who once ran a Chinese government-sponsored hacking group that developed zero-day Microsoft Office exploits for use against U.S. Defense Department contractors."

$50,000 Zero-Day Exploit Smashes Adobe Reader Sandbox

tsu doh nimh tsu doh nimh writes  |  about a year and a half ago

tsu doh nimh (609154) writes "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground, Krebsonsecurity.com writes. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they’ve discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a “sandbox” feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims."

Insurance for Cybercriminals

tsu doh nimh tsu doh nimh writes  |  about a year and a half ago

tsu doh nimh (609154) writes "Brian Krebs follows up on a recent Slashdot discussion about a cybercrime gang that is recruiting botmasters to help with concerted heists against U.S. financial institutions. The story looks at the underground's skeptical response to this campaign, which is being led by a criminal hacker named vorVzakone ("thief in law"), who has released a series of videos about himself. vorVzakone also is offering a service called "insurance from criminal prosecution," in which miscreants can purchase protection from goons who specialize in bribing or intimidating Russian/Eastern European police into scuttling cybercrime investigations. For $100,000, the service also claims to have people willing to go to jail in place of the insured. Many in the criminal underground view the entire scheme as an elaborate police sting operation."

Maker of Smart-Grid Control Software Hacked

tsu doh nimh tsu doh nimh writes  |  about a year and a half ago

tsu doh nimh (609154) writes "Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies. A follow-up story from Wired.com got confirmation from Telvent, and includes speculation from experts that the "project files" could be used to sabotage systems. "Some project files contain the 'recipe' for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you’re going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they’re not running what they think they’re running.”"

Journals

tsu doh nimh has no journal entries.
