Sunday, August 23, 2009

Identity Theft Malware Surges 600%

Hard times appear to be one reason for the explosion of malicious software designed to steal sensitive personal and financial information. 

By Thomas Claburn,  InformationWeek 

The indictment of Albert Gonzalez of Miami, Fla., for allegedly hacking into corporate computers and stealing more than 130 million credit and debit cards may not have much impact on the identity theft underground.

In the first half of 2009, the number of computer users affected by malware engineered to steal personal information has risen by 600% compared to the January through June period in 2008, according to PandaLabs, part of computer security company Panda Security. In quantitative terms, Panda reports identifying 391,406 computers infected with identity-theft malware in the first six months of the year.

Luis Corrons, technical director of PandaLabs, speculates that the global economic downturn and the thriving black market for credit and debit card numbers and online account information is driving the creation of so much identity stealing malware. He also notes that the distribution of identity-theft malware through social networks and services like Facebook and Twitter is on the rise.

Panda reports receiving more than 35,000 new malware samples -- viruses, worms, Trojans and the like -- every day. Trojan software designed to steal bank details, credit/debit card numbers, or online account login names and passwords represents 71% of this total. That's up from 51% in 2007.

Identity thieves are also seeking sensitive information through a more diverse set of targets. Where previously financial data thieves focused on spoofing online bank sites to dupe users into entering login information, they have recently been targeting a variety of services where payment account information may be stored or entered, like PayPal, Amazon, eBay, or charity sites.

The methods used to propagate identity theft malware have also become more diverse. Whereas e-mail used to be the primary medium for malware distribution, social sites have become a major attack vector, along with infected Web pages, SMS messages containing Web links, and spyware that attempts to convince users to pay for fake antivirus programs.

Acting U.S. Attorney Ralph J. Marra, Jr. said the indictment of Gonzalez shows that law enforcement can track down even the most sophisticated global hacking conspiracies. Whether law enforcement can keep up with the growth of the identity theft industry remains to be seen.

 

Card Data Exposed as Radisson Hotels Becomes Latest Breach Victim


Radisson Hotels & Resorts has revealed that the credit card details of some of its customers were compromised in a data breach that took place at several of its hotels in the U.S. and Canada between November 2008 and May. The company said that the names of an unknown number of its customers, as well as their credit and debit card numbers and expiration dates, were exposed when someone illegally accessed its computer systems. However, no Social Security numbers were stolen in the incident. Radisson says it is working with law enforcement and forensic investigators to look into the breach, which was discovered by Visa, MasterCard, and several payment processors. Radisson has also launched a review of the affected computer systems and has implemented several security measures to ensure that a similar breach does not take place again.


SQL injection attacks led to Heartland, Hannaford breaches

Details of the attacks could spur focus on Web app security

Jaikumar Vijayan

 

August 18, 2009 (Computerworld) This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers to pay serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.

A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit card numbers from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX, Dave & Buster's, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailers' networks.

In SQL injection attacks, hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide a SQL injection opportunity.

The vulnerability is well understood, and security analysts have warned retailers about it for several years. Yet a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites.

"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that conducts security and compliance assessments for some of the largest retailers in the world, including -- ironically -- Heartland, for whom it was a security assessor.

"Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, Petitti said.

Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode, a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, he said. One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.

"It doesn't require much expertise at all," Wysopal said. "It is at the script-kiddie level to do these kinds of attacks." Exacerbating the situation is the fact that many companies are still using older versions of the MS SQL Server database that allow attackers to essentially take complete control of the database via SQL injection, Wysopal said.

The use of SQL injection attacks has gained popularity as companies have gotten better at shutting down other avenues for breaking into corporate systems and networks, said Matt Marshall, vice president of security engineering at Redspin, which performs security assessments for businesses. "One of the few ports that are still allowed through the firewall is Web traffic through the Web server," he said. "It is one of the few avenues of attacks that are still readily available" to hackers.

Those factors seem to have influenced Gonzalez's plans in attacking retailers. Initially, most of the attacks -- including the one at TJX -- took advantage of weak wireless access points. But starting around August 2007, he stopped using wireless vulnerabilities and turned almost exclusively to SQL injection attacks.

The success of those attacks and the high-profile nature of the retailers affected are likely to push more companies to deal with Web application security issues. "When vulnerable technologies get deployed, security people notice it and inform [clients], but no action is usually taken until attackers start becoming successful," Marshall said. "Until TJX, people didn't start locking down their wireless networks. If Heartland and Hannaford are not a wake-up call [for Web application security], I wonder what is."

According to Wysopal and others, there are several measures companies can take to limit their exposure to SQL injection vulnerabilities. One involves a code review of all Web applications to identify input validation errors. Companies need to identify such coding flaws and ensure that a Web form accepts only legitimate input. Web application firewalls can also be useful in protecting against SQL injection attacks, though they must be tuned properly to automatically block malicious traffic while permitting legitimate traffic to get through.

Hardening the underlying database and ensuring that the Web application connecting to it has limited access are also helpful in fending off attacks, Wysopal said.
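As an added illustration of the defect described above and of the two countermeasures Wysopal recommends (this is example code written for this page, not code from Computerworld, Heartland or any of the firms quoted): the first lookup splices user input straight into the SQL text, the second binds it as a parameter so the database only ever sees it as data, and the third puts an allowlist check in front of the parameterized query. The table, its rows and the test inputs are constructed here, and `sqlite3` stands in for whatever database a real Web application uses.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a tiny table of customer
# records of the kind a retail Web application might look up by e-mail.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111"), ("carol@example.com", "9876")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The input validation error the article describes: the user's text becomes
    # part of the SQL statement, so quote characters in it rewrite the query.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # Hardened form: the driver sends the statement and the value separately,
    # so the value is compared as a string and can never change the query's shape.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Allowlist for the one input this form accepts; anything else is rejected
# before it reaches the database (the code-review fix the article calls for).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def validates(email):
    return EMAIL_RE.fullmatch(email) is not None

def lookup_validated(conn, email):
    if not validates(email):
        raise ValueError("rejected input: not a well-formed e-mail address")
    return lookup_parameterized(conn, email)

def demo():
    # Constructed test inputs: one ordinary address and one string that closes
    # the quoted literal, the classic probe a scanner would send to a form field.
    conn = make_db()
    normal = "bob@example.com"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),      # every row leaks
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),  # nothing matches
        "validator_accepts_hostile": validates(hostile),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast is the whole point: the same probe that returns the entire table through the concatenated query returns no rows through the bound parameter, and never reaches the database at all once the allowlist is in front. Limiting the Web application's database account to the tables and statements it actually needs, the last measure the article mentions, is a database-side setting rather than application code and is not shown here.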

 

Wednesday, August 19, 2009

Inside The Year's Biggest Data Breach
Taylor Buley, 08.18.09, 5:20 PM ET

BURLINGAME, CALIF. -

The U.S. Department of Justice's indictment of Albert Gonzalez on Monday seems to have all the elements of a Hollywood crime drama: A hacker gains access to millions of credit and debit card numbers and has the power to take down a nation. Too bad for Tinseltown, the attack itself was about as sexy as a pile of routers.

According to the indictment, Gonzalez, 28, gained a foothold into the systems of credit card processors such as Heartland Payment Systems and retailers like OfficeMax, Barnes & Noble and TJX Cos. using an amateur hacking technique called "wardriving," which uses wireless access points to find vulnerable networks from which to launch attacks. Once connected to those private networks, Gonzalez used a well-known technique called "SQL injection" to trick Web applications into forking over private information that gave him deeper access into networks. Even though it sounds complicated, techies liken this kind of hack to simply turning the front doorknob to get into a house.

In the seven-layer Open Systems Interconnection model, a popular reference guide for securing a network software stack, the application layer is at the top. SQL injection is a Web-based attack that happens on this surface level. Securing the application layer is entry-level security stuff, which raises the question of why so many credit card handlers were vulnerable in the first place.

They certainly shouldn't have been vulnerable, says Kurt Roemer, chief security strategist of Citrix Systems. Citrix is on the board of advisers for the Payment Card Industry (PCI) security standards council, an industry effort for hardening the security systems of businesses that handle credit cards.

Roemer says businesses need to use either a Web application scanner or a Web application firewall to guard against SQL injections. A Web application scanner likely would have caught the SQL injection vulnerabilities Gonzalez exploited. If it didn't, an application firewall probably would have isolated the attacker from gaining access to other parts of the compromised networks.

"PCI specifically calls this out," Roemer says. "The way these guys got hacked there's no way they would have satisfied" those standards.

The PCI rules also try to mitigate the threats of wardriving. Earlier this year, the PCI standards body called for the phase-out of any wireless networks using WEP encryption, a digital lock that takes only a couple of minutes to break.

Though the way Gonzalez broke into systems is hardly the work of a criminal mastermind, Roemer says he's impressed by how Gonzalez and his co-conspirators were able to use relatively simple means to gain powerfully damaging access.

"The criminals would rather have something that's pretty easy and gets them the maximum amount of data," he says. "I'm just amazed at how they profiled all these companies and actually had a complete attack methodology."

 

Sunday, August 9, 2009

China syndrome

Hacking schools flourish in China

Published 8 August 2009

Chinese hackers have been at the forefront of a sustained hacking and disruption campaign against Western business and government networks -- some do it for fun, others for profit, but many do so on behalf of the Chinese government and its many intelligence and military agencies; ever wondered where all these hackers come from? "Hacker schools" are big business in China, generating $34.8 million last year

As if the world did not have enough problems caused by Chinese hackers, now comes this: China has seen the emergence of online training schools that teach students the skills necessary to either be a network defender or a cybercriminal. These "hacker schools," as they are known, are also big business, generating $34.8 million last year, China Daily reports.

Matthew Harwood writes that students can enroll in online classes for as little as a few hundred yuan. While some schools advertise themselves as training the next generation of security experts, many worry a percentage of the students will use their skills to commit various cybercrimes, such as identity theft or stealing trade secrets.

Wang Xianbing, a security consultant for a prominent online hacking school, Hackbase.com, likens the training provided by the Web site to that of the locksmith trade. "It's like teaching lock picking," he told Beijing Today. "No one can guarantee the student will become a professional locksmith rather than a future thief."

Rather, it is up to the individual and his conscience whether to use his knowledge for good or evil, Wang said. Interviewed by China Daily, he said that the company's students are explicitly told not to use their knowledge for illegal activities. "Lots of hacker schools only teach students how to hack into unprotected computers and steal personal information," said Wang. "They then make a profit by selling users' information."

Imparting such knowledge, even with caveats, runs obvious risks. Last year alone, according to China Daily, hacking cost the Chinese economy approximately $1 billion. Globally, Symantec estimates cybercrime cost firms a total of $1 trillion in 2008, CNet.com reported in January (but see 27 March 2009 HSNW for skepticism about this high figure).

Money is not the only motivation, reports China Daily.

A 25-year-old hacker school student from Shanghai surnamed Wang said most of his "classmates" simply enroll in hacker school for personal reasons, such as spying on relatives, showing off their computer-savvy skills or taking revenge on a rival's Web sites, rather than making money.

Wang described the Catch-22 of teaching a new generation of security experts the tools of the trade: "They have to learn how to attack a Web site before they can learn how to defend it." 

 

Cyber attackers empty business accounts in minutes

August 6, 2009 (IDG News Service) The criminals knew what they were doing when they hit the Western Beaver County School District.

They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned $704,610.35 out of two of the school district's bank accounts. Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $441,000.

On July 9, Western Beaver sued ESB to try and recover the money, but security experts say that it's just one of many organizations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the bag.

Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks. This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

In April, ACH fraudsters moved $1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle. They did this by hacking into the company's computers and then authorizing 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $150,000 from the attack -- not bad for 30 minutes of work.

"ACH fraud continues to grow, especially in this current economic downturn where unemployment is at very high levels," said Jeffery Dertz, a partner in the insurance practice group with Blackman Kallick, a Chicago-based accounting and consulting firm.

Criminals can make millions of dollars per day with ACH fraud, investigators say. And while consumers are protected from this type of fraud, the rules for corporations and organizations are not as clear-cut, so sometimes victims like Western Beaver find themselves having to pay.

The fraud typically starts with a targeted phishing e-mail, aimed at whomever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.

"If I can get a hold of their credentials then I can have some fun," said Robert West, the former chief information security officer at Fifth Third Bank, who is now CEO of security intelligence consultancy Echelon One. He agrees that ACH fraud is a growing problem.

Western Beaver's attorney, Alfred Steff, declined to comment for this story, but in court filings the county said that fraudsters used a computer virus to hack into the school board's computer system.

Often the malicious software lies right inside the browser, waiting for the victim to log into a bank site before springing into action. Then, once the victim has logged in, the software sets up new payees and transfers money to them -- once the victim's accounts have been hacked, all the attacker needs is a routing number and an account number to send the cash to a money mule. If two people must sign off on the transfer, the hackers hit both of them.

The mules are victims too. They typically think they are doing legitimate payroll work for international companies. After being recruited on sites such as Monster.com, they're told they get to keep a 5 percent commission if they move money out of the country. Often when the bank reverses the transaction, they have to pay.

Some security experts believe that the fact that mules are difficult to recruit is the only thing keeping this type of fraud from skyrocketing right now. Security vendor Trusteer estimates that 3 percent of consumers are already infected with financial fraud software. "The bottleneck is getting the money out of the accounts," said Amit Klein, Trusteer's chief technology officer.

The fraud works, in part, because fraudulent ACH activity doesn't always trigger red flags with the banks, especially when smaller regional banks are involved, according to one investigator, who asked not to be identified because he is working on active cases. "There's a very serious problem going on," he said of the ACH fraud. "It's a very old system and there are potentially not a lot of controls in the underlying transfer system."

In Western Beaver's case, red flags should have been raised when the school board suddenly added 42 individuals to its payroll in places as far away as California and Puerto Rico during its Christmas break, and then started to pay them far more than most other people on the payroll, he said. According to court filings, ESB received 74 transfer requests during the four-day period, another red flag.

In its lawsuit, Western Beaver faults its bank for failing to "red flag" unauthorized requests. An ESB bank spokesman could not be reached for comment.

One reason that banks have a hard time spotting fraudulent ACH transactions is because the volume of money moving through the network is simply overwhelming. The ACH network processed nearly 9 billion payments in 2002, valued at more than $24.4 trillion. "The last couple of banks I worked at, we would go through the equivalent of our net assets in a couple of days," West said.

As lucrative as it may be, this type of ACH fraud is not widespread, according to Mary Gilmeister, president of WACHA, a nonprofit organization that provides information relating to ACH to financial organizations. "It's important, but it's not affecting a large number of financial institutions," she said. "Financial institutions are paying more attention to it," communicating with each other and sending up warning flags when the fraud occurs, she said.

For consumers who have their bank accounts emptied by an ACH scam, federal banking regulations cap liability at $50, so long as the fraud is reported in a timely manner. But for corporations and other entities, things are a lot more complicated, and whether the victim has to pay can vary from bank to bank.

That could seriously erode the public's trust in Internet banking, the investigator said: "We're talking about small businesses, the lifeblood of the U.S., that are getting hit for five or six figures because they've embraced online banking."

 

 

Sincerely,

Ilan Meller
CEO
Made4Biz Security Inc.
Security outpaces cybercrime
www.IDentiWall.com
www.Made4Biz-Security.com
ilan@simplement.co.il
Office: +972 (0)3 635 8822
Mobile: +972 (0)54 470 4008
Skype: ilanmeller
Time Zone: GMT +2


Monday, August 3, 2009

On the Backs Of Mules: An ACH Fraud Scheme

A community bank based in the Midwest recently intercepted an elaborate ACH fraud scheme involving unwitting mules and multiple financial institutions. With $1B in assets and eight branches, this bank's case proves sophisticated fraudsters aren't solely targeting the nation's largest institutions, and banks of all sizes should consider additional fraud prevention strategies to counter today's evolving threats.

Founded in the early 1900s, this community bank (let's call it "CB" for short) knows that customer trust and its reputable brand must be actively guarded against cybercrime. Accordingly, it takes a proactive approach to cooperating with anti-fraud teams at other banks and federal law enforcement to aid criminal investigations. However, this case provides two lessons: all financial institutions - and their customers - should closely monitor online account activity and not rely entirely on multiple layers of authentication to protect them, and catching suspicious online access early prevents fraud from materializing later in other channels.

The victim in this case was a nonprofit organization that was a small business customer. Most likely using key logging malware, the fraudster(s) obtained the online account credentials of a fully authorized individual from the nonprofit. CB has three layers of online banking security that all failed: username/password, a challenge question, and the customer's unique PIN are required to execute transactions. On the first day of the compromise, session logs revealed the fraudster got oriented and tested privileges - looking at account balances, transaction history, and even modifying a pending ACH transaction. If this unusual account reconnaissance activity had been flagged, that might have been the end of the attack, but it wasn't.

The next day, the fraudsters executed an ACH batch file containing 16 separate debit transfers - each less than $9,000 to stay undetected - for a total withdrawal of $142,000. The transfers were sent to accounts at eight banks, all larger institutions, in states throughout the U.S. The post-event investigation utilized IP geolocation tools to uncover nearly simultaneous fraudulent access to the compromised account from Oklahoma and Ohio - again unusual for the account holder.

Here's where this case gets interesting: Recipient account owners were unwitting mules who thought they had been hired via the Internet to do legitimate jobs. One thought she had been hired by a firm providing a moving allowance for her relocation out of state; the other thought he was employed by an insurance company based in Switzerland. Mules were instructed to empty the funds from their accounts the day they arrived, to use Western Union to send the money to (bogus) beneficiaries at locations in Texas and Florida, but to keep 5 percent of the amount as "commission." Many of the mule accounts were new and had been opened online.

Investigators obtained the phony "employee manual" that the criminals provided to mules. One look reveals the level of sophistication of this scam as well as the great lengths taken to recruit and train unwitting participants. The manual explains that Prime Insurance, a firm based in Switzerland, is encountering "business and strategic obstacles" to being able to operate in the U.S. The mules are called "regional clerks" who help the company by distributing "reimbursements to policy holders" via wire transfer. Mules are "under evaluation" for two months before being offered "full employment," perhaps allowing for rapid turnover.

In this case, the victimized nonprofit had opted in to CB's online banking alerting feature for debit activity, so an e-mail was triggered automatically. Unfortunately it was not read immediately, so the funds were already gone. CB scrambled to execute an ACH reversal file that same day. Quick action, luck and direct follow up with the eight receiving institutions resulted in blocking 12 out of the 16 transfers. Two of the fraudster's mules were actually in their banks at the time trying to withdraw the funds, but were intercepted.

Ultimately, the customer realized a $35,000 loss, not insignificant for a nonprofit, and it sought to prosecute the mules for their part in the scheme. To avoid CB's fate, and any potential damage to customer retention resulting from cases like this, follow these guidelines:

1. Bolster online account security measures. As implemented, CB's login, challenge and PIN layers essentially amounted to three passwords easily compromised. Thresholds for challenges were based on simple geolocation rules that didn't trigger with the domestic access. Device ID cookies were subverted. Monitoring online accounts for suspicious behavior after the login is a best practice for complementing authentication technologies.

2. Don't wait for actual transactions to detect fraudulent activity. Account reconnaissance occurred a day before the crime and the entire scheme could have been shut down immediately if detected. Today's behavior-based account monitoring technologies can detect benign-looking reconnaissance activities that don't involve financial transactions.

3. Beware of new retail accounts created online that immediately start moving large amounts of money. Cooperate and collaborate with peers on known and suspected mules, who should be tracked. Mules often handle multiple fraudulent transactions at multiple institutions, and can flip from victim to criminal if they suddenly keep stolen funds for themselves.
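As an added example of the behaviour-based monitoring these three guidelines call for (example code written for this page, not code from CB, ESB Bank or any vendor named in either ACH story), here are four rules run over a constructed session log and ACH batch that mirror the red flags in both cases: read-only reconnaissance from a region the customer never used, near-simultaneous access from two states, a batch of debits clustered just under a review amount, and a burst of payments to newly created payees. The customer profile, the $10,000 review threshold, the 60-minute window, the rule names and all the data are assumptions made for the illustration; a real deployment would learn the baselines from each customer's own history.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from either article): an account whose only
# legitimate activity comes from Illinois, followed by a two-day intrusion.
# Each session event is (timestamp, account, region, action).
SESSIONS = [
    ("2009-02-02 09:02", "acct-17", "IL", "view_balance"),
    ("2009-02-03 21:40", "acct-17", "OK", "view_balance"),      # day 1: orientation
    ("2009-02-03 21:44", "acct-17", "OK", "view_history"),
    ("2009-02-03 21:52", "acct-17", "OK", "edit_pending_ach"),
    ("2009-02-03 21:55", "acct-17", "OH", "view_balance"),      # second state, minutes later
    ("2009-02-04 06:10", "acct-17", "OH", "submit_ach_batch"),  # day 2: the money moves
]
# ACH debit entries: (payee id, amount in dollars, days since payee was created).
# Sixteen debits, every one a little under the review threshold, to payees added yesterday.
BATCH = [("payee-%02d" % i, 8990.0 - 15 * i, 1) for i in range(16)]
PROFILE = {                            # hypothetical per-customer baseline
    "known_regions": {"IL"},
    "review_threshold": 10000.0,       # assumed amount at which a human reviews a debit
    "typical_new_payees_per_batch": 2,
}
TRANSACTING = {"submit_ach_batch", "submit_wire", "add_payee"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def reconnaissance_sessions(sessions, profile):
    """Guideline 2: non-transacting activity from a region the customer never used."""
    return [s for s in sessions
            if s[2] not in profile["known_regions"] and s[3] not in TRANSACTING]

def conflicting_regions(sessions, window=timedelta(minutes=60)):
    """Pairs of events for one account from different regions within `window`."""
    hits = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a[1] == b[1] and a[2] != b[2] and abs(_ts(b[0]) - _ts(a[0])) <= window:
                hits.append((a, b))
    return hits

def structured_debits(batch, threshold, band=0.15, min_count=5):
    """Debits that cluster in the band just below a review threshold (structuring)."""
    near = [t for t in batch if threshold * (1 - band) <= t[1] < threshold]
    return near if len(near) >= min_count else []

def new_payee_burst(batch, profile, max_age_days=7):
    """Guideline 3: far more brand-new payees in one batch than the customer's norm."""
    fresh = [t for t in batch if t[2] <= max_age_days]
    return fresh if len(fresh) > profile["typical_new_payees_per_batch"] else []

def evaluate(sessions, batch, profile):
    """Run every rule and return the descriptions of those that fired, in check order."""
    fired = []
    if reconnaissance_sessions(sessions, profile):
        fired.append("pre-transaction reconnaissance from unknown region")
    if conflicting_regions(sessions):
        fired.append("near-simultaneous access from two regions")
    if structured_debits(batch, profile["review_threshold"]):
        fired.append("debits clustered just under the review threshold")
    if new_payee_burst(batch, profile):
        fired.append("burst of payments to newly created payees")
    return fired

if __name__ == "__main__":
    for alert in evaluate(SESSIONS, BATCH, PROFILE):
        print("ALERT:", alert)
```

The ordering matters for the point of guideline 2: the first two rules fire on day one, on sessions that move no money at all, so a bank watching session behaviour could have held the account before the batch on day two was ever submitted. The last two rules are the batch-time checks that an ACH operations desk could apply even without session data.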