Posts Tagged ‘security’

Global Payments Breach Window Expands

May 2nd, 2012

A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012.

Visa and MasterCard send periodic alerts to card-issuing banks about cards that may need to be re-issued following a security breach at a processor or merchant. Indeed, it was two such alerts — issued within a day of each other in the final week of March — which prompted my reporting that ultimately exposed the incident. Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.

Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011.

Security experts say it is common for the tally of compromised cards to increase as forensic investigators gain a better grasp on the extent of a security breach. But so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems.

In a letter (PDF) responding to questions from Senator Robert P. Casey (D-Pa.), Global Payments CEO Paul Garcia maintained that the company discovered the breach internally and on its own on March 8, and that it began alerting the card associations the following day. Garcia said their initial disclosure was “forced by wild speculation in the press regarding this matter and our company.”

Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, 2012infosecurityupdate.com, later this evening.

Update, May 4, 12:37 p.m. ET: The Wall Street Journal published a story today citing unidentified sources as saying that at least 7 million card accounts are now considered potentially vulnerable because of this breach.

Service Automates Boobytrapping of Hacked Sites

May 1st, 2012

Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware. Media coverage of these mass hacks usually centers on the security flaw that allowed the intrusions, but one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites.

Google-translated version of iFrameservice's homepage

Regular readers of this blog may be unsurprised to learn that this is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits.

At the very least, a decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing those lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set.

A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials.

The customer interface for the iFramer service.

Some services, like the one offered at iframeservice.net (pictured above and at left), offer a menu of extras to help customers maintain their Web-based minefields. Iframeservice.net attempts to gain a more permanent foothold on all sites for which it is given FTP credentials, testing the sites for additional security vulnerabilities (root exploits) that may grant administrative privileges on the site’s Web server.

This service also promises to help customers stay one step ahead of antivirus companies, by monitoring URL blacklists and generating customer alerts when boobytrapped pages get flagged as malicious. In addition, it offers the automated ability to obfuscate the true destination of malicious links as a way to confuse both antivirus scanners and the legitimate administrators of the hacked sites.

A recent compromise I helped a friend deal with reminds me of a stubborn fact about hacked sites that seems relevant here. Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on the host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads booby-trapped pages to his Web site.

Obviously, the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s a good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password, of course).
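To make that double check concrete, here is an added example (not code from the original post) of a pre-upload audit for locally stored pages: it flags files whose SHA-256 no longer matches a known-good baseline and looks for the markup such injections typically leave behind (hidden or off-site iframes, off-site scripts, inline eval/unescape). The trusted host list, file names and sample pages are constructed for the example.

```python
"""Audit local HTML pages before re-uploading them after a PC compromise.

Two independent checks: (1) did the file change since a trusted baseline
manifest was taken, and (2) does it now contain markup that injected
content usually carries. Added example; hosts and pages are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts the site legitimately embeds content from.
TRUSTED_HOSTS = {"example.com", "www.example.com"}

# Inline CSS commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|width\s*:\s*0|height\s*:\s*0", re.I)
# Constructs that dominate obfuscated loader scripts.
OBFUSCATION = re.compile(
    r"\b(?:eval|unescape|document\.write)\s*\(|String\.fromCharCode", re.I)


class InjectionScanner(HTMLParser):
    """Collects human-readable findings about suspicious iframes and scripts."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []
        self._script_buf = None  # buffers inline <script> text until </script>

    def _is_trusted(self, url):
        host = urlparse(url).hostname
        return host is None or host.lower() in self.trusted  # relative URL = own site

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            tiny = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                    or bool(HIDDEN_STYLE.search(a.get("style", ""))))
            if tiny or not self._is_trusted(src):
                self.findings.append(f"iframe src={src!r} hidden={tiny}")
        elif tag == "script":
            self._script_buf = []
            src = a.get("src")
            if src and not self._is_trusted(src):
                self.findings.append(f"external script src={src!r}")

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            if OBFUSCATION.search(body):
                self.findings.append("inline script uses eval/unescape/fromCharCode")


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_page(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of suspicious-markup findings for one page (empty if clean)."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def audit(pages, baseline, trusted_hosts=TRUSTED_HOSTS):
    """Map page name -> notes for every page that changed or looks injected.

    pages:    {name: html_text} as read from the local working copy
    baseline: {name: sha256_hex} recorded when the pages were known good
    """
    report = {}
    for name, html in pages.items():
        notes = []
        if name not in baseline:
            notes.append("no baseline hash (new file)")
        elif baseline[name] != sha256_hex(html):
            notes.append("content changed since baseline")
        notes.extend(scan_page(html, trusted_hosts))
        if notes:
            report[name] = notes
    return report


# Constructed sample pages: one clean, one with a typical hidden iframe + loader.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><p>Welcome</p>
<iframe src="https://www.example.com/map" width="400" height="300"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://injected.invalid/x.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
    '<script>eval(unescape("%75%72%6C"));</script></body>')

BASELINE = {"index.html": sha256_hex(CLEAN_PAGE), "about.html": sha256_hex(CLEAN_PAGE)}
PAGES = {"index.html": INJECTED_PAGE, "about.html": CLEAN_PAGE}

if __name__ == "__main__":
    for name, notes in audit(PAGES, BASELINE).items():
        print(name)
        for note in notes:
            print("  -", note)
```

In practice the baseline manifest is generated from a copy of the site known to predate the infection, and any flagged page is inspected by hand before it is uploaded again.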

Correction to Java Update Story

April 27th, 2012

An earlier version of this blog post incorrectly stated that Oracle had shipped security updates for its Java software. Oracle did push out an update for Java earlier this month — Java 6 Update 32 — but the new version was a maintenance update that did not include security fixes. My apologies for any confusion this may have caused.

Skimtacular: All-in-One ATM Skimmer

April 25th, 2012

I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.

The skimmer pictured below is the backside of a card acceptance slot overlay. It was recovered by a customer at a bank in the San Fernando Valley who called the cops upon her discovery. Police in the region still have no leads on who might have placed the device. The numeral “5” engraved in the upper right portion of this skimmer suggests that it was one in a series of fraud devices produced by this skimmer maker.

Backside of an all-in-one ATM skimmer found this year at a bank in the San Fernando Valley area of California.

The skimmer appears to be powered by a phone battery, which connects to the card reader device and to the circuit board for a video camera. Here’s a close-up of the video card+skimmer connection.

Flip the device around, and you can see the tiny pinhole where the attached camera peers through the skimmer front to capture timestamped footage of victims entering their PINs.

Notice the pinhole for the built-in camera, upper right.

Of course, looking straight on at the skimmer as it would appear attached to a compromised ATM, it might be difficult to spot the pinhole, as shown in the following picture.

A few tips about ATM skimmers and skimming scams. It’s difficult — once you’re aware of how sophisticated some of these skimmers can be — to avoid being paranoid around ATMs; friends and family often tease me for stopping to tug at ATMs that I pass on the street, even when I have no intention of withdrawing money from the machines.

Still, it’s good and healthy to be somewhat paranoid while at an ATM. Make sure nobody is “shoulder surfing” you to watch you enter your PIN. A simple precaution defeats shoulder surfing and many other types of video-based PIN stealing mechanisms: Cover the PIN pad with your hand or another object when you enter your PIN.

If you are withdrawing cash after hours, visit only well-lit ATMs and those that are in plain view of other public spaces. In the unlikely event that you discover a skimming device attached to the ATM, alert the bank or proprietor immediately. Do not attempt to walk away from a compromised ATM with a skimmer in hand. For one thing, thieves who place skimmers often lurk nearby to prevent such occurrences. Also, consider how you might explain to a police officer that the device you just removed from the ATM is not yours. If you must leave with evidence, take a picture of the compromised ATM using your mobile phone (and if you get a nice picture, please consider sending it to me!).

Help Kickstart a Film on Cybercrime

April 23rd, 2012

A deep sense of doubt and dread began to sink in halfway through our journey down a long, lonely desert highway from just outside Austin to coastal Texas. We were racing against the clock (we’d just scarfed down our third meal in a row at a roadside Subway shop), yet my minivan companions — a filmmaker from California and a husband-and-wife camera crew — seemed pleased with the footage we’d collected so far. I was far less sanguine about our prospects, and was almost certain that our carefully-laid plans to ambush a money mule on camera were about to unravel.

'Money mule' Geridana heading home.

The scheme was hatched by Berkeley writer/director Charles Koppelman, who’d emailed me in mid-2011 about the possibility of catching some money mules on camera for a documentary he’s working on called Zero Day. Koppelman said the money shot would be a mule coming out of a bank with a wad of cash in hand, but that he’d settle for an old-fashioned sit-down interview.

At the time, I was working with a source who was injected into the communications networks of several money mule recruitment gangs. These miscreants specialize in hiring willing and unwitting “mules” through work-at-home job scams. The mules then are asked to process bank transfers that help organized cyber thieves launder money stolen from small businesses victimized by cybercrime. The networks my source was monitoring indicated the gang was grooming between 75 and 100 mules across the country on any given day, and that they were sending fraudulent transfers to mules almost daily.

I told Charles that for such a plan to work, we’d need to focus on areas that typically held the most mules per capita, and that meant somewhere in Florida or Texas. When my source indexed the mules and sorted them by hometown, we discovered that there were five mules being groomed for payments within about 200 miles of Austin, Texas. If we rented a car and checked in with my source on a regular basis, we might be able to secure the footage he was after, I suggested.

But I cautioned Koppelman that I gave our plan about a 20 percent chance of working. I predicted that most of the mules would quit, screw up the transfer task, or be used and discarded by the time we flew down there and actually hit the road. Indeed, when we reached our fleabag motel just south of Austin on Aug. 3, 2011, my prognostication had almost come true entirely: We were down to one last money mule: Geridana, a young, unemployed single mother of two from Webster, a small town of about 9,000 residents in southeastern Texas.

On the morning of Aug. 4, we piled into the minivan again and raced down to Webster. We didn’t attempt to make contact with her until we were parked outside of her apartment complex, which was next door to a bail bonds shop. Turns out that Geridana was a bit of an oddity: The $9,000+ the thieves had just sent her was actually the fourth such transfer that Geridana had processed in as many weeks. The most pathetic aspect of the whole scheme? She never got paid her promised monthly salary or per-task commissions.

I’ll stop the story here, because I don’t want to spoil the movie. That is, if it ever attracts enough funding to be finished. The film is co-financed by BBC Storyville, but Koppelman and his son Walker just launched a Kickstarter campaign to raise $20,000 to ensure continued filming of the project. A short introduction to their effort (including a scene starring Yours Truly) is available in the teaser video clip below. The filmmakers are also working with New York Times reporter John Markoff, Reuters reporter Joe Menn, and author Misha Glenny.

Microsoft Responds to Critics Over Botnet Brouhaha

April 16th, 2012

Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in the security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.

Since Microsoft announced Operation B71, I’ve heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).

At the time, nobody I’d heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft’s actions as “irresponsible,” and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.

“This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with,” wrote Michael Sandee, Principal Security Expert at Fox IT. “It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”

Sandee said that a large part of the information that Microsoft published about the miscreants involved was sourced from individuals and organizations without their consent, breaking various non-disclosure agreements (NDAs) and unspoken rules.

“In light of the whole Responsible Disclosure debate [link added] from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests,” Sandee wrote.

Given the strong feelings that Microsoft’s actions have engendered in the Fox IT folks and among the larger security community, I reached out to Richard Boscovich, a former U.S. Justice Department lawyer who was one of the key architects of Microsoft’s legal initiative against ZeuS. One complaint I heard from several researchers who believed that Microsoft used and published data they uncovered was that the company kept the operation from nearly everyone. I asked Boscovich how this operation was different from previous actions against botnets such as Rustock and Waledac.

Boscovich: It’s essentially the same approach we’ve done in all the other operations. The problem that I think some people have is that due to the type of operation, we can’t have the entire community involved. That’s for several reasons. One is operational security. The bigger the number of people involved, the more likely it is that someone will make a mistake and say something that could jeopardize all of the work that everyone has done. Also, we’re making representations to a federal court that this is an ex-parte motion and very limited people know about it. If you have multiple people knowing, and the entire security community knows, let’s say we submit declarations from 30-40 people. A court may say, ‘Well there’s a lot of people here who know about this, so isn’t this information that’s already publicly available? Don’t these people know you’re looking at them already?’ We’re really asking for an extraordinary remedy: an ex-parte TRO [temporary restraining order] is a very high standard. We have to show an immediate threat and harm, ongoing, so much so that we can’t even give the other side notice that we’re going to sue them and take away their property.

The other concern is more operational. When I was in the Justice Department — I was there for just shy of 18 years — we even compartmentalized operations there. Information was shared on a need-to-know basis, to make sure the operation would be a success and that there wouldn’t be any inadvertent leaks. It wasn’t because we didn’t trust people, but because people sometimes make mistakes. So in this operation, just like the others, we engaged with industry partners, academic partners, and some of those who wished to be open, and others who preferred to do things behind the scenes.

Krebs: How do you respond to the criticism that Microsoft used and published data that came from core members of the security community who had placed certain restrictions on the use of that data — specifically that permission be obtained before it is shared or published?

Boscovich: Whenever we cooperate with the research community and industry partners, the assumption is that the information they provided is either their own, or is freely available amongst them for the purpose of securing the internet. They felt, we believe that all of this information should be used for the purpose for which it was intended: And that is to try to solve the problem and protect people who are being victimized by crime.

Now, there seems to be some allegations that there was information that one or two people provided to the research community — which is very large, by the way — which for some reason they didn’t want to be acted upon. I don’t know what that means, but we only ask for information from our industry or academic partners that they believe is their own or is being freely shared in the community. The purpose for which we ask for this information is to reduce threat to consumers and people being victimized by crime. If there are any allegations that somehow Microsoft knew this was privileged information, the answer is absolutely not. We respect the rights of others and the information we received from academic or industry partners…the representation was made to us that it was either their own work product, or it was made available by other researchers and that was freely shared amongst them to be used for this type of purpose.

Krebs: The Fox IT researcher accused Microsoft of disrupting law enforcement investigations into miscreants using ZeuS. Is that true?

Boscovich: Looking at the Fox-IT blog, I’m disappointed by the fact that they talk about ongoing investigations. There’s no way for us to know whether there are ongoing criminal investigations from law enforcement. There’s a litany of legal proscriptions and prohibitions in having that kind of information, so I’m not sure how they would know. But obviously we don’t. They omit the fact that in all of these operations, the objective is to notify and clean the victim’s computers. In addition to disrupting, we want to help clean these computers.

Krebs: And what about the criticism that Microsoft’s actions actually took down legitimate sites?

Boscovich: There was some mention that there were legitimate web sites that went down. But you know, the law actually provides a mechanism on that. We put up a cash bond, and we explained to the court that we have a process in place in the event that a legitimate Web site goes down. There were several that were legitimate, but they had been compromised. Our people worked with those sites, and they were not aware they were compromised. And although they were down an hour or two or three, they would probably have never known they were being used by criminal organizations.

Krebs: Some people have been critical of Microsoft’s actions as “vigilante” activity, as participating in the sort of activity that should be left to the authorities. But Microsoft has taken a slightly different approach, attacking this problem through the civil courts. Is there a conflict here, between these two approaches? Isn’t there the possibility that Microsoft’s actions on the civil side could derail progress of law enforcement investigations working the criminal side?

Boscovich: Our strategy, which is a disruptive strategy, came from the idea that there are two ways to tackle this problem; you have the very traditional law enforcement approach, which its ultimate goal has always been that you have to have a well-identified target and arrest that person. We’re not saying necessarily that that’s a bad model. For years and years we fought drug dealers by trying to stop the drugs or stop the distribution. Until we said, why don’t we disrupt them differently by going after their flow of money? And you saw this wave of legislation which came about as anti-money laundering. And we began doing money laundering prosecutions, even though that particular case had absolutely no drugs involved at all, but we were able to show some kind of taint.

Taking that idea, we were able to literally start hitting the criminal enterprises and drug dealers where they really felt it — in their profits. Even though sometimes we didn’t get many arrests, we got seizures, forfeited accounts, forfeited cars, houses. Instead of trying to get the guys behind this, we said why don’t we just strike them where it’s going to hurt them the most? And that is their criminal infrastructure — the botnets — which really allow them to leverage everything they’re doing and make a profit out of it. So we came up with Project Mars and the disruptive strategy.

Krebs: Is it working?

Boscovich: I’d say it is working. Recently, an article came out in the Wall Street Journal that mentioned a huge reduction in spam as a result of botnet takedowns. We’ve taken down Waledac, Rustock and Kelihos. All of them basically spam bots. But that disruptive activity has dented the amount of spam that gets sent out. Even today. And I think that’s a good proof point that the disruptive approach works if you give it time and keep going at it.

What we wanted to do with Zeus was continue with the disruptive approach, but in this case we didn’t target one particular bot. We wanted to make our first assault a much broader assault, and that’s why we went after a particular family of malware, all of them with the same code base, so that we could bring it all together under one legal document, which is under a RICO statute. Kyrus did the malware analysis and found that all these versions bubble back up to the same core code. We wanted to disrupt that business model as much as possible. We knew we were not going to fully eliminate one bot. That was never our intention. And I think we were pretty clear that this was the first salvo to this whole group, to introduce a certain amount of entropy in there, and at that point to try to start increasing the costs of them doing business.

Krebs: It seems like the core dispute here is what should be done with information that is unearthed by security researchers, that the key question is how or who decides when and whether information about certain bad actors should be acted upon. Would you say that’s accurate? And where do you come down on that?

Boscovich: Microsoft is a pretty big company, and a lot of the stuff we do is based on our own research as well. But we really want to see other companies that have appropriate standing do their own actions. We really believe in the disruptive strategies. We believe that all of this information that’s out there…and the community does amazingly good work in tracing this stuff…but there comes a point in time that you have to action on the information. All this information is great, but if you don’t action on it quickly, that data either becomes stale or it moves. We really believe there are people in industry and the academic and security community that want to have an impact and want to work with us.

Krebs: Were you aware that a number of people Microsoft named in its latest John Doe complaints are considered the core group of folks that the Justice Department has pegged as the guys behind the operations that cost businesses tens of millions of dollars over the last few years?

Boscovich: Based on the investigation that we uncovered so far, we feel very confident that the people we named, with the exception of a few guys that were lower-level players…we feel confident we’ve named the right individuals involved. I really can’t give you all the information we have, other than what’s outlined in the pleadings. But I think the claim that somehow a civil action will destroy all these criminal investigations…I think that’s a fallacy, and near-sighted, and it shows I think a certain naiveté based on not being in that world and not understanding how criminal investigations operate.

Krebs: Can you talk about anything you’ve learned since this action, in terms of the actors involved?

Boscovich: There’s more information that’s coming in, and I feel confident that over the next several weeks and months that will translate into additional updates to the case, and we may amend our complaint. We also are happy to inform that as a result of being able to sinkhole the [ZeuS control] IPs, we can get the location of these infected computers, and work with the community to get this information out. We believe we may be able to get this information out as early as sometime next week.

Krebs: The Fox IT folks and others in the industry have characterized this initiative as little more than a clever public relations stunt by Microsoft, designed principally to make the company look like it is protecting customers from bad guys. How do you respond to that?

Boscovich: It’s not a black or white scenario like the Fox-IT people put it. I’ve been doing this for about 17 years 10 months, I know what very complex criminal investigations [are] and what works well and what works not as well. It’s appropriate and beneficial for both criminal and civil parallel proceedings, because they complement each other.

From a company perspective, and this goes to the PR allegations, of course every corporation is a for-profit corporation. We’re not a charitable institution, obviously. But there are some times when it makes good business sense to actually do good in the community as well. It’s one of those intersections where business and being a good corporate citizen actually complements each other. I’m not going to be disingenuous and say we don’t have a benefit in doing this. But I can also tell you with a straight face that we do it also because we want to do the right thing, we want to protect our customers, and we want to protect people going on the Internet.

We’re sort of like the emergency room physicians: When someone comes in and they’re bleeding profusely, you have to stabilize the patient and figure out how to stop the bleeding, so that the next guy who comes — the surgeon — who’s waiting in the operating room, is able to save the life of that person. From a civil perspective, we go in and want to help those victims. We want to stop the bleeding, save as many people as we can and clean their computers.

The question we have to ask ourselves is when you have information about millions of people who are currently victims of crimes because their systems are compromised, do you do the emergency room thing to try to stop the bleeding and try to clean those peoples’ computers so they continue not to be victimized? Or do you do nothing with the information? I think we’ve been fortunate in working with academic and industry partners to share information and address that problem.

In terms of identifying the actual cause, getting to the root, the defendants, all this information, we’re going to pass it on as we have in the past to law enforcement. But I think their investigation will be enriched by a lot of things we can do legally simply because we are a victim and we have access and resources to investigate these things. And then when we pass it along, I believe they’re in a much better position to drill down and use the legal processes that they have — which we do not have — to follow things such as money and financial trails and go overseas to international agreements.

Krebs: With the benefit of hindsight, what — if anything — would you do differently about this operation, if you had to do it all over again?

Boscovich: That’s a good question. I was a little bit taken aback by some of the criticism in light of the fact that nobody from Fox-IT called us to discuss or explain their concerns, or to ask why some decisions were made legally. We always want to find ways to work with the community and the sharing of information is crucial to that. If you notice, every time we do one of these we have different academic or industry partners that work with us, and we love to rotate those who do work with us. And the ones who want credit, we really try to make sure they get credit where it’s due. We hopefully will try to explain this better, probably at the next DCC [Digital Crimes Consortium, an annual, invite-only Microsoft conference], that we’re on the same team. I think we want the same objectives, so hopefully we can bridge that gap and continue the work we’re doing, to clean these computers, and to disrupt that ecosystem that is being utilized by the criminals.

Krebs: In a nutshell, what would you like to get across or communicate better about this action?

Boscovich: Hopefully, we’ll be able to explain that there are a lot of legal issues involved, and a lot of things we can and cannot do. Some of them many people may not be aware of. Which is understandable: they’re not lawyers. These guys are technical in their field. In the same way I can’t reverse engineer malware, but I’m pretty adept in understanding what are the limitations and potential liability issues when you do these operations. I hopefully can explain that aspect to them, so they have a better understanding and appreciation that when we do things, why we do them the way we do.

Thieves Replacing Money Mules With Prepaid Cards?

April 13th, 2012

Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money.  They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

Some of the mule gangs I've identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have at least 10 money mules at the ready.

In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mules expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.

In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder. After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.

THE ATTACK

Sometime on March 13, four different employees of Alta East received emails that appeared to have been sent from a current client. The messages inquired about a recent transaction, and cited an invoice number. According to Weeden, all four Alta East employees opened the attached Adobe PDF file, which contained a hidden JavaScript element that infected their Windows XP systems with a variant of the ZeuS Trojan.

Six days later, the thieves set up a batch of fraudulent payroll payments, sending instructions to Alta East’s bank to fund 15 Metabank prepaid cards; the remainder of the funds apparently were sent to traditional money mules at locations around the country.

“The emails came from a legitimate customer, and we thought he was questioning an invoice,” Weeden said. “There were four of us who hit that attachment. Afterwards, we asked the customer about the email, but he said he hadn’t sent it.”

Weeden said Alta East’s internal IT guys scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn’t until the company hired an outside forensics expert who removed the hard drive and examined it in an isolated environment that the expert found the ZeuS infection.

The thieves didn’t route their fraudulent logins to Alta East’s bank account through the company’s systems; rather they proxied the traffic through the networks of the Center for Discovery, a rehabilitation facility for disabled individuals that is located in nearby Harris, N.Y. The center did not return calls seeking comment.

Rick Jones, executive vice president business services at Alta East’s financial institution — Provident Bank — said the bank followed its agreement with Alta East, and sent the company an email about the fraudulent payroll batch the very day it was initiated. But Jones said that Alta East admitted to overlooking the notification until the following morning. By that time, most of the unauthorized transfers had already gone through.

Weeden said Provident was able to retrieve roughly $20,000 worth of illicit transfers from mule accounts, and that it expected to recover another $21,000 in the coming weeks. She added that her firm is in the process of setting up a system whereby online banking is done only from an isolated computer that will not be used for email or regular Internet browsing. Still, the company is facing an $80,000 loss from the incident.

It remains to be seen whether cyber thieves continue shifting more of their operations from traditional mules to prepaid debit accounts. I’ve talked to a number of victims who lost more than $100,000 but noted that the thieves left several hundred thousand dollars untouched in the company’s accounts. “Why would they leave so much money on the table like that? Why not just take it all?” the victims usually ask. The answer? Just as real-life bank robbers are limited in the amounts they can steal by the volume of cash they can physically haul from the scene of the crime, so are cyber thieves. Usually, the thieves simply did not have access to enough mules to help them haul all of the available loot. That limitation is eased if they start depending more on prepaid cards, an entire stack of which can fit easily into a single miscreant’s wallet.
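The Alta East batch had the shape that a bank-side rule can catch before the money leaves: 30 payees the company had never paid, every transfer comfortably under the $10,000 reporting threshold the thieves stay below, and a total several times the firm's usual payroll. The following is an added example of such a rule, written for this post; it is not Provident Bank's system or anything from the article, and the account identifiers, baseline figures and batch amounts are constructed to mirror the story (30 transfers totaling a little over $121,000).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee_account: str   # destination account identifier (constructed values below)
    amount: int          # whole dollars


@dataclass(frozen=True)
class Baseline:
    known_accounts: frozenset   # accounts paid in previous, confirmed-good payroll runs
    usual_count: int            # typical number of payees per run
    usual_total: int            # typical dollar total per run


# Per-transfer ceiling the article says thieves stay under to avoid reporting triggers.
REPORTING_THRESHOLD = 10_000


def audit_batch(batch, baseline, threshold=REPORTING_THRESHOLD):
    """Return a list of flags for an outgoing payment batch; [] means it resembles prior runs.
    Hypothetical rule set; a real bank would tune the multipliers per customer."""
    flags = []
    if not batch:
        return flags
    total = sum(t.amount for t in batch)
    new = [t for t in batch if t.payee_account not in baseline.known_accounts]
    if len(new) * 2 >= len(batch):
        flags.append(f"{len(new)} of {len(batch)} payees never paid before")
    if len(batch) > 2 * baseline.usual_count:
        flags.append(f"{len(batch)} payees vs usual {baseline.usual_count}")
    if total > 2 * baseline.usual_total:
        flags.append(f"total ${total:,} vs usual ${baseline.usual_total:,}")
    # Structuring: every transfer sits under the reporting threshold while the batch as a
    # whole moves many multiples of it, the payout pattern the article describes.
    if all(t.amount < threshold for t in batch) and total >= 5 * threshold and len(new) >= 5:
        flags.append("many sub-threshold transfers to new payees (possible structuring)")
    return flags


# Constructed data: six regular employees, then a batch modeled on the Alta East heist.
BASELINE = Baseline(frozenset(f"ACCT-EMP-{i:02d}" for i in range(6)),
                    usual_count=6, usual_total=18_000)
NORMAL_RUN = [Transfer(f"ACCT-EMP-{i:02d}", 3_000) for i in range(6)]
FRAUD_RUN = [Transfer(f"ACCT-NEW-{i:02d}", 3_800 + 75 * (i % 8)) for i in range(30)]  # $121,425


if __name__ == "__main__":
    print("normal run:", audit_batch(NORMAL_RUN, BASELINE) or "no flags")
    print("fraud run:")
    for flag in audit_batch(FRAUD_RUN, BASELINE):
        print("  -", flag)
```

The useful property is that none of the four flags depends on knowing where the money is going; a prepaid card account and a mule's consumer account look the same to this rule, so the shift the post describes does not blind it. Any flagged batch should be held until the customer confirms it over a channel other than the possibly compromised PC, which is the gap the bank's same-day email notification left open in this case.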

ANALYSIS

There are a few things worth calling out from the above story, and every business owner would do well to consider them closely:

-eBanking losses are likely to increase if thieves continue to find success with the prepaid card approach.

-Today’s cyber thieves are patient and willing to jump through multiple hoops to steal your money.

-Clicking on links and email attachments continues to be a risky activity, even when the links and attachments appear to come from someone you know or trust.

-Traditional antivirus tools have an atrocious record in detecting ZeuS and its ilk. If you suspect a machine is compromised, you cannot trust a report from a security program that is running on top of the potentially infected operating system.

-A majority of these ebanking heists start with a social engineering scam sent via email. Companies should be actively phishing their own employees and grading them on their performance, and perhaps even tying performance to year-end bonuses or other (dis)incentives.

-Unlike consumers, businesses have basically no legal protection from their bank for losses due to cyber fraud. Yes, organizations should push their banks to do more on security. But for better or worse, small to mid-sized businesses that are counting on their banks to prevent this type of fraud are setting themselves up for disappointment and major financial losses.

-Banking from a Live CD or from an isolated (preferably non-Windows) computer is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed.

How to Find and Remove Mac Flashback Infections

April 12th, 2012

A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. This post covers both of those questions.

Screen shot of Flashback detection tool from Dr.Web

Since the discovery last week of the Flashback Mac botnet, several security firms have released tools to help detect and clean up Flashback infections. Dr.Web, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a free online service that lets users tell whether their systems have been seen phoning home to Flashback’s control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac’s hardware unique user ID (HW-UUID), because this is how the miscreants who were running the botnet kept track of their infections.

F-Secure Corp., the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a Flashback Removal Tool available for download from its Web site.

Where is Apple’s response in all of this, you ask? Apple says it is developing software that will detect and remove Flashback. Inexplicably, it has not yet released this tool, nor has it added detection for it to the XProtect antivirus tool built into OS X. The company’s advisory on this threat is predictably sparse, and focuses instead on urging users to apply a recent update for Java. Flashback attacks a well-known Java flaw, but it’s worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.

Update, 8:22 p.m. ET: Apple just released a new version of Java that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: “It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application.” If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.

Original post:

In its advisory, Apple said it “is working with ISPs worldwide to disable the command and control network” that criminals were using to direct the activities of the Flashback botnet. But Apple’s actions speak much louder than words. Forbes’ Andy Greenberg published a fascinating piece on Wednesday showing that when it comes to working with the security community, Apple is still a bit like a spoiled toddler who hasn’t yet learned to play nice with other children in the sandbox.

On the issue of security in general, Apple appears to still have its head firmly planted in the sand: F-Secure notes that Apple still has not shipped an update that fixes this Java flaw on OS X 10.5 (or earlier), even though 16 percent of all Macs still run this OS.

While Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access webpages that use it. If you have Java but no longer need it, get rid of it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In Safari, this can be done by clicking Preferences, and then the Security tab (uncheck “Enable Java”). In Google Chrome, open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing. In Mozilla Firefox for Mac, click Tools, Add-ons, and disable the Java plugin(s).

Broken record alert: If you don’t need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I’d encourage you to browse through some of my past Java-related posts.

Adobe, Microsoft Issue Critical Updates

April 10th, 2012

Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.

Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected.

“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote John Harrison, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”
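The post says only that MS12-024 lets attackers modify signed PE files undetected, and it gives no further detail. What makes that class of problem possible at all is a property of the Authenticode format worth knowing as a defender: the signature hash covers the image but excludes the attribute certificate table itself, so any bytes sitting in that table beyond the PKCS#7 blob are unsigned. The code below is an added example written for this post, not Symantec's or Microsoft's: a structural audit that parses the security directory and reports unsigned slack inside a `WIN_CERTIFICATE` entry or data appended after the table. It is a generic integrity check, not a detector for this specific flaw, and it builds its own minimal PE32 image in memory (the `FAKE_PKCS7` blob is a constructed DER stand-in, not a real signature) so it runs offline.

```python
import struct

# Added example: structural audit of a PE file's Authenticode certificate table.
# The Authenticode hash excludes the certificate table, so bytes placed there are unsigned.
# Generic integrity check only; not a detector for any particular CVE.

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def _der_total_length(buf: bytes, pos: int) -> int:
    """Total encoded size (tag + length bytes + content) of the DER SEQUENCE at buf[pos]."""
    if buf[pos] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData starts with 0x30)")
    first = buf[pos + 1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _align8(n: int) -> int:
    return (n + 7) & ~7


def security_directory(pe: bytes):
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4).
    Unlike the other directories, this entry holds a file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                              # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+ data-directory offset
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:    # NumberOfRvaAndSizes
        return 0, 0
    return struct.unpack_from("<II", pe, dirs + 4 * 8)


def audit_certificate_table(pe: bytes) -> list:
    """Return findings about the certificate table; [] means it is as tight as the format allows."""
    findings = []
    off, size = security_directory(pe)
    if size == 0:
        return ["no Authenticode signature (empty security directory)"]
    if off + size > len(pe):
        return ["security directory points past end of file"]
    if off + size != len(pe):
        findings.append(f"{len(pe) - off - size} bytes of overlay data follow the certificate table")
    pos = off
    while pos < off + size:
        dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if dw_length < 8 or pos + dw_length > off + size:
            findings.append("WIN_CERTIFICATE dwLength inconsistent with the security directory size")
            break
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            findings.append(f"unexpected certificate type 0x{cert_type:04x}")
        der_len = _der_total_length(pe, pos + 8)
        if 8 + der_len > dw_length:
            findings.append("PKCS#7 blob extends beyond its WIN_CERTIFICATE entry")
            break
        # Bytes between the end of the PKCS#7 blob and the entry's 8-byte boundary are outside
        # the signed hash; legitimate alignment padding is at most 7 bytes and must be zero.
        tail = pe[pos + 8 + der_len:pos + _align8(dw_length)]
        if len(tail) >= 8 or any(tail):
            findings.append(f"{len(tail)} unsigned bytes inside the WIN_CERTIFICATE entry after the PKCS#7 blob")
        pos += _align8(dw_length)
    return findings


def build_signed_pe(pkcs7: bytes, extra: bytes = b"", overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (no sections) carrying one certificate entry.
    `extra` is tucked into the entry after the blob; `overlay` is appended after the table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    body = pkcs7 + extra
    entry = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    entry += b"\0" * (_align8(len(entry)) - len(entry))
    table_off = len(dos) + 4 + len(coff) + len(opt)                 # 312, already 8-byte aligned
    struct.pack_into("<II", opt, 96 + 4 * 8, table_off, len(entry))
    return dos + b"PE\0\0" + coff + bytes(opt) + entry + overlay


# Constructed stand-in for a PKCS#7 blob: a DER SEQUENCE with 20 bytes of dummy content.
FAKE_PKCS7 = b"\x30\x14" + b"\xA5" * 20


if __name__ == "__main__":
    for label, pe in [("clean", build_signed_pe(FAKE_PKCS7)),
                      ("slack in entry", build_signed_pe(FAKE_PKCS7, extra=b"\xCC" * 16)),
                      ("overlay", build_signed_pe(FAKE_PKCS7, overlay=b"EXTRA"))]:
        print(f"{label}: {audit_certificate_table(pe) or 'no findings'}")
```

This check complements, rather than replaces, cryptographic verification: a file can pass signature validation and still carry unsigned payload in the slack this audit reports, which is exactly why a "looks signed" download deserves the same scrutiny as an unsigned one.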

Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys, is particularly worried about MS12-027, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the highest priority security update this month.

“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”

Other notable fixes from Microsoft this month include a .NET update, and a patch for at least five Internet Explorer flaws. Patches are available for all supported versions of Windows, and available through Windows Update.

Adobe’s updates fix critical problems in Acrobat and Reader on all supported platforms, including Windows, Mac OS X, and Linux. Users on Windows and Mac can use each product’s built-in update mechanism. The newest, patched version of both Acrobat and Reader is v. 10.1.3 for Windows and Mac systems. The default configuration is set to run automatic update checks on a regular schedule, but update checks can be manually activated by choosing Help > Check for Updates. Reader users who prefer direct links to the latest version can find them by clicking the appropriate OS, Windows, Mac or Linux (v. 9.5.1).

As always, if you have any problems installing or applying these updates, please leave a note about your experience in the comments below.

FBI: Smart Meter Hacks Likely to Spread

April 9th, 2012

A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology.

Part of an FBI alert about smart meter hacks.

Smart meters are intended to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility’s ability to remotely read meters to determine electric usage.

But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet.

Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power theft that it believed were related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.

Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.

The FBI believes that miscreants hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert reads. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”

The bureau also said another method of attacking the meters involves placing a strong magnet on the devices, which causes it to stop measuring usage, while still providing electricity to the customer.

“This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company.”

“Each method causes the smart meter to report less than the actual amount of electricity used. The altered meter typically reduces a customer’s bill by 50 percent to 75 percent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 percent of meters had been altered.”

“The FBI assesses with medium confidence that as Smart Grid use continues to spread throughout the country, this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer,” the agency said in its bulletin.
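The bulletin gives the utility two numbers a defender can act on: an altered meter typically reports 50 to 75 percent less than it should, and a spot check found roughly one meter in ten tampered with. That makes each meter's own history the cheapest detector available, since remote reads continue to arrive and can be compared against the same meter's earlier billing periods. The following is an added example of that comparison, written for this post rather than taken from the FBI alert or any utility; the meter IDs and kWh readings are constructed, and the 0.5 cutoff is chosen to match the low end of the bulletin's 50 to 75 percent figure.

```python
from statistics import median

# Added example: flag meters whose current-period consumption collapsed relative to their own
# history. Constructed data; the thresholds are assumptions drawn from the FBI figures quoted above.

DROP_RATIO = 0.5          # bulletin: altered meters report 50-75 percent less than actual usage
MIN_HISTORY = 3           # need a few prior periods before the median means anything


def flag_meters(history, current, drop_ratio=DROP_RATIO, min_history=MIN_HISTORY):
    """history: {meter_id: [kWh per prior billing period, ...]}
    current: {meter_id: kWh reported this period}
    Returns {meter_id: ratio} for meters reading at or below drop_ratio of their own median,
    sorted so the steepest drops come first (the natural order for a spot-check list)."""
    flagged = {}
    for meter, past in history.items():
        if len(past) < min_history or meter not in current:
            continue                      # too little history, or no read this period
        base = median(past)               # median resists one odd month in the baseline
        if base <= 0:
            continue                      # vacant premises or a dead meter: not a fraud signal
        ratio = current[meter] / base
        if ratio <= drop_ratio:
            flagged[meter] = round(ratio, 2)
    return dict(sorted(flagged.items(), key=lambda kv: kv[1]))


# Constructed sample: M-0001 is normal, M-0003 dipped (a vacation, say) but not enough to
# trip the rule, M-0002 and M-0004 look like the 50-75 percent reductions the bulletin cites.
HISTORY = {
    "M-0001": [900, 950, 880, 910, 930],
    "M-0002": [1200, 1150, 1250, 1180, 1220],
    "M-0003": [700, 720, 690, 710, 705],
    "M-0004": [2000, 2100, 1950, 2050, 2000],
}
CURRENT = {"M-0001": 905, "M-0002": 480, "M-0003": 390, "M-0004": 500}


if __name__ == "__main__":
    for meter, ratio in flag_meters(HISTORY, CURRENT).items():
        print(f"{meter}: reporting {ratio:.0%} of its usual consumption; schedule a field inspection")
```

A rule this simple will also pull in legitimate drops (a closed business, new efficient equipment), so its output is a prioritized inspection queue, not a finding on its own. The utility's own spot-check rate (about 10 percent tampered) is the figure to compare against: if the flagged set turns up tampering at a much higher rate, the detector is earning its keep.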

The feds estimate that the Puerto Rican utility’s losses from the smart meter fraud could reach $400 million annually. The FBI didn’t say which meter technology or utility was affected, but the only power company in Puerto Rico with anywhere near that volume of business is the publicly-owned Puerto Rican Electric Power Authority (PREPA). The company did not respond to requests for comment on this story.

The hacks described by the FBI do not work remotely, and require miscreants to have physical access to the devices. They succeed because many smart meter devices deployed today do little to obfuscate the credentials needed to change their settings, according to Tom Liston and Don Weber, analysts with InGuardians Inc., a security consultancy based in Washington, D.C.

Liston and Weber have developed a prototype of a tool and software program that lets anyone access the memory of a vulnerable smart meter device and intercept the credentials used to administer it. Weber said the toolkit relies in part on a device called an optical probe, which can be made for about $150 in parts, or purchased off the Internet for roughly $300.

“This is a well-known and common issue, one that we’ve been warning people about for three years now, where some of these smart meter devices implement unencrypted memory,” Weber said. “If you know where and how to look for it, you can gather the security code from the device, because it passes them unencrypted from one component of the device to another.”

The two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference earlier this year, but agreed to pull the presentation at the last minute at the request of several vendors and utilities that they declined to name.

“It turns out that the vendor has a consortium of utility customers with whom they have regular conference calls,” Weber said. “Several of the utilities in this group had a concern about the information becoming public. Luckily we have worked with several of the utilities in the group. We have been able to stem the fears of all but one utility. We hope to have them on board very soon.”

Liston said utilities have become accustomed to deploying meters that can last 30 years before needing to be replaced, but that the advanced interactive components being built into modern smart meters require a much more thoughtful and careful approach to security.

“Traditionally, metering technology has been very cost effective, because much of it is very resilient. But these older devices didn’t have a lot of technology in them, and they certainly didn’t have wireless connections and things like memory storage,” Liston said. “The utilities are still expecting the lifecycle of newer pieces of equipment to be 20 to 30 years, and they’re just coming to the realization that some of the new stuff deployed is not going to last nearly that long.”

Robert Former, a security engineer at smart meter manufacturer Itron, said he hopes that researchers continue to push the industry toward adopting technologies that can withstand these and potentially other, as-yet-undiscovered attacks.

“What you’re hearing is the sound of [a] paradigm shifting without a clutch,” Former said. “Utilities have to be more enterprise security-aware. With these incidents at organizations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we’re going to fix a security problem is to expose it.”