Security

Are We Losing The War On CyberCrime?

Roger Grimes, Security Expert Adviser at InfoWorld, thinks so. His argument goes like this:

“You may have read the reports: We have captured Albert Gonzalez, one of the “world’s biggest malicious hackers.” Big deal.

I’ve been fighting cybercrime for more than 20 years, so you’ll have to excuse me if I’m a little jaded for thinking that this “huge” hacker is but another small-time player in the big-time world of cybercrime. In fact, I’m pretty sure that we still haven’t captured a single major player — the Pablo Escobars.”


Read about this at InfoWorld.com – What do you think? We would like to know.

The sophisticated money-mule network has a haven network (TimeNet, Beijing), shown graphically below as part of the Asprox network, a self-sustaining cybercrime platform.

[Figure: Spam Haven Botnet]

19 thoughts on “Security”

  1. Scrub says:

    Report Calls on Microsoft to Ban Ads for Rogue Internet Drug Outlets on Bing.com
    On August 4, 2009, LegitScript and KnujOn released the first in a series of reports about United States companies that facilitate, and profit from, the illicit sale of prescription drugs. The first report focuses on Microsoft and how rogue Internet drug outlets are being allowed to participate in its online advertising program for bing.com, a search engine recently launched by the company. The authors assert that Microsoft has the ability, and responsibility, to ensure it does not display, much less profit from, Internet ads for Web sites engaged in illegal activities, such as selling prescription drugs without a license or a prescription. The report states that 89.7% of the ads on bing.com for Internet drug outlets that the authors reviewed are acting unlawfully in some way, and some drugs obtained from these sites were found to be counterfeit.

  2. Scrub says:

    New Malware Threat
    ==================

    Name: Worm.Lovgate.F
    Type: Worm
    Affected Platform: Win32
    Media-Type: application/executable
    Static File: yes
    MD5 Checksum: 5D73ABA7169EBFD2BDFD99437D5D8B11
    Filesize: 107,008 Bytes
    Wildlist Entry: yes
    Alias Names (also known as):
    – CA ETrust: Win32/Lovgate.F
    – McAfee: W32/Lovgate.f@M
    – Sophos: W32/Lovgate-E
    Side Effects:
    – Drops malicious files
    – Uses its own Email engine
    – Registry modification
    Propagation:
    – Email
    – Local network

    You can find a detailed description of this malware on
    http://www.trustedsource.org/malware-virus-description/194

  3. Scrub says:

    Isuzu Turkey Web Site Compromise

    Websense Security Labs(TM) ThreatSeeker Network has discovered that the official Isuzu Web site in Turkey has been injected with a malicious iframe redirector. Isuzu is one of the well-known Japanese commercial vehicle and truck manufacturing companies, particularly in the Asian and European regions.

    The ThreatSeeker Network has found thousands of sites compromised by a similar attack strategy. At the time of writing, the iframe redirector’s target URL was unreachable. The redirector itself is still present, however, offering continued infection risk if the malicious Web server comes back up, or if it is replaced by another malicious server. Further investigation indicates that the IP address hosting the target URL hosts other malicious sites, as well.

    Websense® Messaging and Websense Web Security customers are protected against this attack.


  4. Scrub says:

    FIRE: Finding Rogue Networks

    Motivation

    For many years, online criminals have been able to conduct their illicit activities and masquerade behind disreputable Internet Service Providers (ISPs). For example, until recently, organizations such as the Russian Business Network (RBN) and Atrivo (a.k.a. Intercage) operated with impunity, providing a safe haven for Internet criminals for their own financial gain. What primarily sets these ISPs apart from others is the significant longevity of the malicious activities on their networks and the apparent lack of action taken in response to abuse reports. Interestingly, even though the Internet provides a certain degree of anonymity, such ISPs fear public attention. Once exposed, rogue networks often cease their malicious activities quickly, and the Internet criminals are forced to relocate their operations.

    This website is the frontend of FIRE, a novel system to identify and expose organizations and ISPs that demonstrate persistent, malicious behavior. The goal is to isolate the networks that are consistently implicated in malicious activity from those that are victims of compromise. To this end, FIRE actively monitors botnet communication channels, spam traps, drive-by-download servers, and phishing web sites. This data is refined and correlated to quantify the degree of malicious activity for individual organizations and presented on this web page.

    http://maliciousnetworks.org/info.php

  5. Scrub says:

    Websense Security Labs(TM) ThreatSeeker(TM) Network has detected that the site media-servers.net has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It’s important to note that media-servers.net serves advertising content from ad.media-servers.net, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites. Websense Security labs have been tracking this campaign for months.

  6. Scrub says:

    Feds Bust Hacking Ring Accused of Stealing Millions

    November 11, Reuters – (International)

    A U.S. grand jury indicted eight foreigners on charges that they hacked a computer network used by the credit card processing company RBS WorldPay and stole more than $9 million, the U.S. Justice Department said on November 10. The group, which included people from Estonia, Russia and Moldova, was accused of compromising the data encryption used by RBS WorldPay, based in Atlanta and part of Royal Bank of Scotland, and gaining access to accounts a year ago. RBS WorldPay is one of the leading payment processing businesses globally. U.S. cyber security officials long have been worried about hacks into global financial networks that could harm the financial system. This indictment marked the latest in a series of cases that have highlighted the risk to such networks. The ring was charged with hacking data for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. Those accused in the case allegedly raised the limits on some cards so they could withdraw the money, the U.S. government said. More than $9 million was withdrawn in less than 12 hours from more than 2,100 ATMs around the world, the Justice Department said, adding that RBS WorldPay immediately reported the breach once it was discovered.

    Source: http://www.foxnews.com/story/0,2933,573670,00.html?test=latestnews

  7. Scrub says:

    NACHA Phishing Alert – E-mail Claiming to be from NACHA

    11/12/2009

    NACHA – The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from NACHA. See sample below.

    The subject line of the e-mail states: “Rejected ACH Transaction.” The e-mail includes a link which redirects the individual to a fake web page which appears like the NACHA Web site and contains a link which is almost certainly an executable virus with malware. Do not click on the link. Both the e-mail and the related Web site are fraudulent.

    Be aware that phishing e-mails frequently have links to Web pages that host malicious code and software. Do not follow Web links in unsolicited e-mails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.

    NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive.

    If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system. Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that the computer operating systems and common software applications security patches are installed and current.

    Be alert for different variations of fraudulent e-mails.

    = = = = = Sample E-mail = = = = = =

    From: nacha.org [mailto:report@nacha.org]
    Sent: Thursday, November 12, 2009 10:25 AM
    To: Doe, John
    Subject: Rejected ACH transaction, please review the transaction report

    Dear bank account holder,

    The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

    Unauthorized ACH Transaction Report (this is how the link is presented)

    NACHA

    Other Domains Associated With This Scam

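The look-alike hosts in this alert all share one pattern: the trusted name nacha.org appears as the leading labels of a hostname whose actual registrable domain belongs to someone else. The following check is an added example, not part of the NACHA alert; it uses a small constructed suffix list (a real deployment would load the Public Suffix List) and a constructed sample e-mail body, and it generalizes the check to any trusted domain you configure.

```python
"""Flag hostnames that present a trusted domain as a leading subdomain.

Added example, not from the NACHA alert. PUBLIC_SUFFIXES is a constructed
subset; a production scanner would load the full Public Suffix List.
"""
import re
from urllib.parse import urlparse

# Constructed subset of public suffixes covering the hosts seen in the alert.
PUBLIC_SUFFIXES = {"com", "org", "eu", "co.uk", "me.uk", "org.uk"}

# Domains whose appearance inside a foreign hostname should raise an alarm.
TRUSTED = {"nacha.org"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+|[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s<>\"']*)?",
                    re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the registrable domain: one label left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longer suffix first so co.uk wins over uk-style matches.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def host_of(link: str) -> str:
    """Extract the hostname from a URL or a bare hostname."""
    parsed = urlparse(link if "://" in link else "http://" + link)
    return (parsed.hostname or "").lower()


def classify(link: str) -> str:
    """'trusted' if the registrable domain is ours, 'spoof' if a trusted
    name is embedded in a hostname registered elsewhere, else 'other'."""
    host = host_of(link)
    if not host:
        return "other"
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    dotted = "." + host + "."
    # A label-boundary match: 'nacha.org' inside 'nacha.org.corefirstid.com'.
    if any("." + t + "." in dotted for t in TRUSTED):
        return "spoof"
    return "other"


def scan_text(text: str) -> list:
    """Return (url, verdict) for every URL-like token found in text."""
    return [(m.group(0), classify(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed sample modelled on the alert; the real message's href is not
# given on the page, so the link targets here are placeholders.
SAMPLE_EMAIL = """From: nacha.org [mailto:report@nacha.org]
Subject: Rejected ACH transaction, please review the transaction report
Please review the transaction report by clicking the link below:
http://nacha.org.corefirstid.com/report.html
Questions? Visit https://www.nacha.org/ for the genuine site.
"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:8s} {url}")
```

Only the registrable-domain comparison is authoritative; the substring match exists to explain why a host was flagged, not to clear one.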
  8. Scrub says:

    December 30, Softpedia – (International)

    Major cyber fraud syndicate dismantled in Asia. Authorities in the Philippines and China have arrested more than 100 members of a crime syndicate involved in a variety of telecommunications, bank, and credit card scams. A total of 24 men were arrested December 28 during simultaneous raids coordinated by Philippines’ National Bureau of Investigation (NBI) at six locations in Manila. One suspect resisted arrest and attacked an NBI agent with a knife. He was shot in the stomach and was taken to the hospital. The Philippine Star reports that, at first, authorities did not even know the nationalities of the suspects. Interrogators eventually got them to write down their names in Chinese characters, and the Chinese embassy sent a representative to help establish identities.

    The suspected leader of the gang apparently was not among the men arrested in Manila. But Chinese police detained 100 individuals believed to be part of the same crime syndicate, which stole more than $130 million from people in China, Taiwan, and Hong Kong. Aside from credit card counterfeiting, the gang resorted to intimidation to obtain money. Investigators said they impersonated judges, prosecutors and police officers to trick people into thinking they owed money to the government.

    Source: http://news.softpedia.com/news/Major-Cyber-Fraud-Syndicate-Dismantled-in-Asia-175530.shtml

  9. Nelson says:

    Please:

    I’m writing to “nothankyou@careeradvisor1.com”:

    I got a bunch of calls at my work from 800-675-7219!
    This is going to my boss’s business phone!
    Please stop calling 972-224-8835 to offer me courses AT MY JOB!!!!
    I could lose it!

    Thank you!

  10. Scrub says:

    Cybercrime in Russia
    JUL 14, 2011
    By Jarrod Rifkind

    Cybercrime is a growing problem for the international community. The lack of attention given to cybercrime currently can be attributed to the priority given to “cyber” as a military domain. Over the past decade, cybercrime has caused companies around the world to lose millions, if not billions, of dollars. These criminal acts are unlikely to diminish in the future. This can be attributed to the many decentralized, yet organized, groups of technologically skilled individuals that operate internationally. These organizations are considered to be the primary sources of spyware and malware globally. Groups within Russia and China are believed to be the source of over 50 percent of these types of malicious software and code. Russia, specifically, has played host to a number of cyber criminal groups. The Russian Business Network (RBN) is one of the most well-known cybercrime groups internationally. Organizations like the RBN are able to thrive because of the poor economic conditions in the countries in which they operate, their lack of hierarchical organization, and the international nature of the technology they use.

    Statistical context:
    Global computer crime market turnover = $7 billion
    Share of cybercriminals living in Russia = $1.3 billion
    Cybercriminals from Russian speaking countries = $2.5 billion
    Many believe that poor economic conditions in Russia have contributed to the rise of cybercrime groups. According to a document released by CERT-LEXSI, the technology industry in Russia only employs 10% of new job candidates every year, and the overabundance of candidates has lowered the salaries of those who are offered jobs. The paper goes on to say that compared to employees in other Eastern European countries with salaries around 2,500 Euros, Russian technology industry employees have been making closer to 800 Euros (2006 numbers). Several sources have also attributed the disbanding of the Federal Agency for Government Communications and Information (FAPSI) to the growth and strength of cybercrime organizations in Russia. After FAPSI disbanded in 2003, many of the employees were recruited by hacker groups, while others joined the Russian security service successor of the KGB, the FSB. Thus, these underground organizations have members that are financially needy, know ways to use computers maliciously, and often have contacts within the government that protect them and sometimes use them for their own ends.
    Most of these criminal organizations in Russia make money by selling cyber “goods” on websites they host. The items for sale range from botnets used for DDoS attacks to Trojans programmed to attack a specific target. The groups with these types of websites make thousands, if not millions, of dollars over the course of a year. According to a document released by Group-IB, botnets sold on these sites can be used for DDoS attacks and are priced anywhere between 70-500 US dollars. This large spread in prices is attributed to varying degrees of effectiveness, the quality of the DDoS-services, and the complexity of the mission. Organizations sell these types of goods and services to continue their operations, and they will continue to exist as long as there is a demand for their services.
    One of the most well-known and prominent cybercrime organizations in Russia is the Russian Business Network (RBN). A Newsweek article describes the group as a shadowy cyberstructure reported to have sold hacking tools and software for accessing U.S. government systems. Although it disappeared after increased pressure from U.S. and Russian law enforcement, evidence has come to light hinting at the group simply redefining its operations and working off of servers in several countries around the world. The group has been able to host websites for criminal organizations that want to carry out their own attacks or sell malware, spyware, and botnets to others with similar goals. It has also made most of its money from spam, child porn, online casinos, phishing scams, fake anti-spyware and anti-virus, and Internet pharmacies. The technology and international nature of computer networks has allowed organizations like the RBN to adapt, relocate, and survive. It doesn’t hurt that they operate in countries in which they have ties to powerful government officials who turn a blind eye to and oftentimes profit from their illegal activities.
    The RBN is an example of how Russian cybercrime is not synonymous with traditional conceptions of organized crime. Although the Russian mafia is probably involved in certain types of cybercrime, the groups that worry Russian and U.S. law enforcement the most appear to be ones comprised of technologically savvy criminals who use the Internet to make profits from products they sell on their own “black markets” or from blackmail. They are organized to the extent that they work together for mutual financial gain or at the behest of the Russian government. These do not have to be mutually exclusive. Based on the types of people joining these groups, it is difficult to assert that they are organized according to a hierarchy like other known criminal organizations. The horizontal network structure of these types of organizations is what will likely make them difficult to remove in the long-run.
    There are a number of potential solutions to this international cybercrime problem. One of the greatest hindrances to deterring global cybercrime is the lack of international law governing the actions states must take against criminal organizations operating within their borders. Without discussions and actions taken by the international community on cybercrime, groups like the RBN will continue to operate in countries that are not held responsible for their actions. Some effort has been made on the part of the Russian government to facilitate dialogue between its law enforcement agencies and those in the United States. They have been working together to target organizations responsible for selling malware and spyware online, but this cooperation must be strengthened in the future. Lastly, countries like Russia must hold their officials accountable when they choose to associate with groups like the RBN. Corruption is a problem that Russia has faced throughout its long and tumultuous history. With these prescriptions in mind, Russia will likely become more willing to deter and remove criminal organizations in the future as it becomes more internationally engaged on and domestically aware of the international legal implications of global cybercrime.

    Related Programs:
    CSIS Technology and Public Policy Blog

    http://csis.org/blog/cybercrime-russia

  11. Scrub says:

    Overview

    The last months of 2011 saw an increase in free-merchandise scams on Facebook. This trend report includes a study of Facebook attacks in 2011 revealing that many rely solely on social engineering while most ultimately lead victims to fraudulent affiliate marketing/survey sites. In the fourth quarter of 2011 email attached malware levels dropped significantly from the billions of messages observed in Q3. These were replaced with numerous outbreaks of emails with malicious links. Most of these links led to compromised websites that were used to host malware scripts. Spam levels increased marginally in December but remained at a three year low.

    Facebook security – a 2011 retrospective

    Facebook continued to grow in 2011, adding over 200 million more users to reach over 800 million. The growth and enormous user base continues to make Facebook an attractive target for attacks from malware distributors, scammers and plain old jokers looking to spread chain messages. Facebook attacks can generally be broken into three parts:

    1) The social engineering – this is the false information provided in the post or invite that inspires action by a Facebook user. It could be a free gift card offer or the promise of a girls-in-bikinis video.

    2) Further spread – once the initial user has been hooked, the attack needs to spread. This is usually accomplished with wall posts which are seen by the victim’s friends. These friends then follow the links, further perpetuating the attack. An important part of the Facebook ecosystem (and often used to spread attacks) is the “Like” button. When a user likes a link or a post, all of their friends see the like on their own news feeds. Liking a page (company, singer, cybercriminal) gives that page the right to post updates to the user’s wall.

    3) The attack goal – Whoever initiated the attack had some ultimate purpose – it might simply be to deface as many user profiles as possible with pornography and violent images. More often the aim is to lead users to affiliate marketing pages which earn the attackers revenue.

    From the attacks reported in 2011, 70 have been analyzed to determine the distribution within the three parts described above.

    Social engineering

    What interests Facebook users most? What will get them to take the next step (click like, follow a link, add an app) that suits the cybercriminals. The topics of interest can basically be divided into four categories:

    1) Free stuff – in 2011 scammers offered loads of free items ranging from headphones to gift cards to unreleased Facebook phones.

    2) Celebrity or current news scoops – These usually include sensational headlines and promise some unreleased video clip or photo. An example is the death of Osama Bin Laden which was quickly followed by numerous posts inviting users to view an actual death video. The death of Steve Jobs also triggered a wave a “free iPad/iPhone” scams.

    3) Something “you have to see” – These could be any tragic or astonishing event that is not celebrity related. “Girls in bikinis”, “a funny photo of you”, “a tragic story of a boy who was beaten by his father” – all presented with a call to action. Users must follow a link, or click on Like to see a shocking/amazing video or photo, or forward a chain message to let other users know. The Spanish in the example below translates to “Look what happens”.

    4) Must-have Facebook functionality – the most popular of these (repeated in many attacks) is the mythical app that allows users to see who has been viewing their profile. The post shown below invites users to install an app that tells them the breakdown of boy and girl views of their profile.

    Read More…

  12. SFA Reporter says:

    October 10, Fox News – (National)

    SunTrust the latest victim in cyber attack saga. SunTrust seemed to be the latest bank targeted with a denial of service attack October 10 in a chain of cyber attacks that hit Capital One October 9 and other major Wall Street institutions in September.

    The hacking group in a blogpost October 8 said it would target Capital One October 9, regional bank SunTrust October 10, and Regions Financial October 11. A handful of users reported on Twitter and SiteDown.com they were having issues accessing SunTrust’s e-banking Web site.

    That is different from some of the earlier attacks where customers could not access the main customer Web site altogether.

    When attempting to log on, some customers complained of receiving one of two error messages: “Server Unavailable” or “Server is too busy”. “We have seen increased traffic today and have experienced some intermittent service availability,” a SunTrust spokesperson said. October 9, SunTrust said that it was “aware of the threat” and was working to mitigate any disruption to clients should an attack occur.

    The group threatened to pursue more cyber attacks the week of October 15 and has long said it will not stop until a video mocking the Islam religion first posted to YouTube is removed from the Internet.

    Source: http://www.foxbusiness.com/technology/2012/10/10/suntrust-may-be-latest-victim-in-cyber-attack-saga/

  13. SFA Reporter says:

    October 11, Softpedia – (National)

    Regions Bank website attacked by hackers. Hackers have once again kept their promise and launched a distributed denial-of-service (DDOS) attack against the Web site of Regions Financial Corp. October 10, they took aim at the site owned by SunTrust and October 11, they seemed to focus on the Regions Bank Web site.

    Regions representatives told Fox News that the organization was aware of the threats, and claimed they were “taking every measure” to protect the company and customers.

    The site appeared to be experiencing some performance issues, but it seemed to be accessible from the United States. On the other hand, it was not accessible from a Romania IP, which might mean that certain IP address ranges were restricted in order to mitigate the attack. The hackers claimed that during the weekend of October 13 they will plan the next attacks.

    Source: http://news.softpedia.com/news/Regions-Bank-Website-Attacked-by-Izz-ad-Din-al-Qassam-Hackers-298767.shtml
