Sunday, February 26, 2017

More on Bluetooth Ingenico Overlay Skimmers

This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

An "overlay" skimming device (right) that was found attached to a card reader at a retail establishment.

An “overlay” skimming device (right) that was found attached to a card reader at a retail establishment.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.

The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).

If we look on the backside of this skimmer, we can see the electronics needed to intercept the PIN. The source who shared these pictures said an employee thought the PIN pad buttons were a little too difficult to press down, and soon discovered this plastic overlay and others just like it on two more self-checkout terminals.

PED1

Here’s a closeup of the electronics that power this skimmer (sorry, this is the highest resolution photo available):

closeupe

This model of overlay skimmers appears to be quite similar to a version sold in the cybercrime underground and detailed in this post.

According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smart phones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN “2016” on a Bluetooth-enabled wireless device.

However, the source said none of the overlay skimmers they found appeared to have any on-board data storage, suggesting the thieves had planted a second wireless device somewhere in or near the store and were hoovering up card and PIN data via Bluetooth in real time. Or, perhaps the crooks were simply sitting outside the store in the parking lot, using a laptop and high-gain antenna to pull down card and PIN data.

skimside“We combed the property for something like an old cell phone gathering data, but we didn’t find anything,” the source told KrebsOnSecurity.

Customers generally are the first line of defense against these types of scams. Not long ago, KrebsOnSecurity published a post on how to spot Ingenico self-checkout skimmers. Unfortunately, most of the telltale signs are only noticeable if you are already well familiar with the appearance of a legitimate Ingenico ISC 250 terminal. Nevertheless, most of these skimmers will detach themselves with a gentle tug on the card reader.

For more tips on spotting these Ingenico overlay skimmers, check out this post. Want to read more about skimming devices, check out my series, All About Skimmers.



from
https://krebsonsecurity.com/2017/02/more-on-bluetooth-ingenico-overlay-skimmers/

Friday, February 24, 2017

iPhone Robbers Try to iPhish Victims

In another strange tale from the kinetic-attack-meets-cyberattack department, earlier this week I heard from a loyal reader in Brazil whose wife was recently mugged by three robbers who nabbed her iPhone. Not long after the husband texted the stolen phone — offering to buy back the locked device — he soon began receiving text messages stating the phone had been found. All he had to do to begin the process of retrieving the device was click the texted link and log in to the phishing page mimicking Apple’s site.

applephish

Edu Rabin is a resident of Porto Alegre, the capital and largest city of the Brazilian state of Rio Grande do Sul in southern Brazil. Rabin said three thugs robbed his wife last Saturday in broad daylight. Thankfully, she was unharmed and all they wanted was her iPhone 5s.

Rabin said he then tried to locate the device using the “Find my iPhone” app.

“It was already in a nearby city, where the crime rates are even higher than mine,” Rabin said.

He said he then used his phone to send the robbers a message offering to buy back his wife’s phone.

“I’d sent a message with my phone number saying, ‘Dear mister robber, since you can’t really use the phone, I’m preparing to rebuy it from you. All my best!’ This happened on Saturday. On Sunday, I’d checked again the search app and the phone was still offline and at same place.”

But the following day he began receiving text messages stating that his phone had been recovered.

“On Monday, I’d started to receive SMS messages saying that my iphone had been found and a URL to reach it,” Rabin said. Here’s a screenshot of one of those texts:

buscariphonetext

The link led to a page that looks exactly like the Brazilian version of Apple’s sign-in page, but which is hosted on a site that allows free Web hosting.

fakeapple

Rabin said he didn’t fall for the ruse, but that he imagines the scam would trick quite a few people who have lost their iPhone and are anxious to get it back.

Leave the “icloud” off the end of that texted URL and we can see a phony copy of Apple’s “Find My iPhone” login page that is still live (the hosting provider has been notified):

A "Find my iPhone" phishing page used by the robbers.

A “Find my iPhone” phishing page used by the robbers.

But the scammers didn’t stop there in trying to phish the Apple ID and password for his iPhone account. Rabin said that just two days later, he received an odd, automated call on his mobile.

“It came from a strange number and a voice sounding like Siri or the [Google] Waze voice, informing me that my iPhone had been found and to look for my SMS for more info,” Rabin said. “That’s when I thought I had to tell this story to someone. To me, it really got to another level, connecting the lowest kind of criminals to a high profile one (probably went to school and college) that can buy (or even create) this kind of scam.”

The high cost of smart phones makes mobile device theft a serious problem everywhere in the world, not just Brazil. If you use an Apple device, it’s a good idea to turn on the “Find My iPhone” feature using the Find My iPhone App, so that when or if the device gets lost you can located it by signing into icloud.com/find.

If your Apple device is lost or stolen, check out Apple’s advice on how to manage the loss, depending on the severity of the situation. In Rabin’s case, even though the phone is currently turned off, he has the options to put it in “Lost mode,” “lock it,” or “remotely erase it.” The next time your device is online, these actions will take effect.

Also, try to make a habit of regularly synching your device to your computer, so that in the event your phone is lost or stolen your data is backed up and you don’t have to worry about remotely wiping important data that may not already be saved locally.



from
https://krebsonsecurity.com/2017/02/iphone-robbers-try-to-iphish-victims/

Tuesday, February 21, 2017

How to Bury a Major Breach Notification

Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that.

The RSA report detailed the threat from a malware operation the company dubbed “Kingslayer.” According to RSA, the attackers compromised the Web site of a company that sells software to help Windows system administrators better parse and understand Windows event logs. RSA said the site hosting the event log management software was only compromised for two weeks — from April 9, 2015 to April 25, 2015 — but that the intrusion was likely far more severe than the short duration of the intrusion suggests.

That’s because in addition to compromising the download page for this software package, the attackers also hacked the company’s software update server, meaning any company that already had the software installed prior to the site compromise would likely have automatically downloaded the compromised version when the software regularly checked for available updates (as it was designed to do).

Image: RSA

Image: RSA

RSA said that in April 2016 it “sinkholed” or took control over the Web site that the malware used as a control server — oraclesoft[dot]net — and from there they were able to see indicators of which organizations might still be running the backdoored software. According to RSA, the victims included five major defense contractors; four major telecommunications providers; 10+ western military organizations; more than two dozen Fortune 500 companies; 24 banks and financial institutions; and at least 45 higher educational institutions.

RSA declined to name the software vendor whose site was compromised, but said the company issued a security notification on its Web site on June 30, 2016 and updated the notice on July 17, 2016 at RSA’s request following findings from further investigation into a defense contractor’s network. RSA also noted that the victim software firm had a domain name ending in “.net,” and that the product in question was installed as a Windows installer package file (.msi).

Using that information, it wasn’t super difficult to find the product in question. An Internet search for the terms “event log security notification april 2015” turns up a breach notification from June 30, 2016 about a software package called EVlog, produced by an Altair Technologies Ltd. in Mississauga, Ontario. The timeline mentioned in the breach notification exactly matches the timeline laid out in the RSA report.

As far as breach disclosures go, this one is about the lamest I’ve ever seen given the sheer number of companies that Altair Technologies lists on its site as subscribers to eventid.net, an online service tied to EVlog. I could not locate a single link to this advisory anywhere on the company’s site, nor could I find evidence that Altair Technologies had made any effort via social media or elsewhere to call attention to the security advisory; it is simply buried in the site. A screenshot of the original, much shorter, version of that notice is here.

Just some of the customers of Eventid.

Just some of the customers of Eventid.

Perhaps the company emailed its subscribers about the breach, but that seems doubtful. The owner of Altair Technologies, a programmer named Adrian Grigorof, did not respond to multiple requests for comment.

“This attack is unique in that it appears to have specifically targeted Windows system administrators of large and, perhaps, sensitive organizations,” RSA said in its report. “These organizations appeared on a list of customers still displayed on the formerly subverted software vendor’s Web site. This is likely not coincidence, but unfortunately, nearly two years after the Kingslayer campaign was initiated, we still do not know how many of the customers listed on the website may have been breached, or possibly are still compromised by the Kingslayer perpetrators.”

It’s perhaps worth noting that this isn’t the only software package sold by Altair Technologies. An analysis of Eventid.net shows that the site is hosted on a server along with three other domains, eventreader.com, firegen.com and grigorof.com (the latter being a vanity domain of the software developer). The other two domains — eventreader.com and firegen.com — correspond to different software products sold by Altair.

The fact that those software titles appear to have been sold and downloadable from the same server as eventid.net (going back as far as 2010) suggests that those products may have been similarly compromised. However, I could find no breach notification mentioning those products. Here is a list of companies that Altair says are customers of Firegen; they include 3M, DirecTV, Dole Food Company, EDS, FedEx, Ingram Micro, Northrup Grumman, Symantec and the U.S. Marshals Service.

RSA calls these types of intrusions “supply chain attacks,” in that they provide one compromise vector to multiple targets. It’s not difficult to see from the customer lists of the software titles mentioned above why an attacker might salivate over the idea of hacking an entire suite of software designed for corporate system administrators.

“Supply chain exploitation attacks, by their very nature, are stealthy and have the potential to provide the attacker access to their targets for a much longer period than malware delivered by other common means, by evading traditional network analysis and detection tools,” wrote RSA’s Kent Backman and Kevin Stear. “Software supply chain attacks offer considerable ‘bang for the buck’ against otherwise hardened targets. In the case of Kingslayer, this especially rings true because the specific system-administrator-related systems most likely to be infected offer the ideal beachhead and operational staging environment for system exploitation of a large enterprise.”

A copy of the RSA report is available here (PDF).



from
https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/

Sunday, February 19, 2017

February Updates from Adobe, Microsoft

A handful of readers have inquired as to the whereabouts of Microsoft‘s usual monthly patches for Windows and related software. Microsoft opted to delay releasing any updates until next month, even though there is a zero-day vulnerability in Windows going around. However, Adobe did push out updates this week as per usual to fix critical issues in its Flash Player software.

brokenwindowsIn a brief statement this week, Microsoft said it “discovered a last minute issue that could impact some customers” that was not resolved in time for Patch Tuesday, which normally falls on the second Tuesday of each month. In an update to that advisory posted on Wednesday, Microsoft said it would deliver February’s batch of patches as part of the next regularly-scheduled Patch Tuesday, which falls on March 14, 2017.

On Feb. 2, the CERT Coordination Center at Carnegie Mellon University warned that an unpatched bug in a core file-sharing component of Windows (SMB) could let attackers crash Windows 8.1, and Windows 10 systems, as well as server equivalents of those platforms. CERT warned that exploit code for the flaw was already available online.

The updates from Adobe fix at least 13 vulnerabilities in versions of Flash Player for Windows, Mac, ChromeOS and Linux systems. Adobe said it is not aware of any exploits in the wild for any of the 13 flaws fixed in this update.

The latest update brings Flash to v. 24.0.0.221. The update is rated “critical” for all OSes except Linux; critical flaws can be exploited to compromise a vulnerable system through no action on the part of the user, aside from perhaps browsing to a malicious or hacked Web site.

Flash has long been a risky program to leave plugged into the browser. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

brokenflash-aThe smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep and update Flash, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.



from
https://krebsonsecurity.com/2017/02/february-updates-from-adobe-microsoft/

Friday, February 17, 2017

Men Who Sent Swat Team, Heroin to My Home Sentenced

It’s been a remarkable week for cyber justice. On Thursday, a Ukrainian man who hatched a plan in 2013 to send heroin to my home and then call the cops when the drugs arrived was sentenced to 41 months in prison for unrelated cybercrime charges. Separately, a 19-year-old American who admitted to being part of a hacker group that sent a heavily-armed police force to my home in 2013 was sentenced to three years probation.

Sergei "Fly" Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for "doxing" him -- printing his real name and image -- on my site.

Sergei “Fly” Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for “doxing” him — printing his real name and image — on my site.

Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1,” pleaded guilty last year to aggravated identity theft and conspiracy to commit wire fraud. Prosecutors said Vovnenko operated a network of more than 13,000 hacked computers, using them to harvest credit card numbers and other sensitive information.

When I first became acquainted with Vovnenko in 2013, I knew him only by his many hacker names, including “Fly” and “Flycracker,” among others. At the time, Fly was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

After I secretly gained access to his forum, I learned he’d hatched a plot to have heroin sent to my home and to have one of his forum lackeys call the police when the drugs arrived.

I explained this whole ordeal in great detail in 2015, when Vovnenko initially was extradited from Italy to face charges here in the United States. In short, the antics didn’t end when I foiled his plot to get me arrested for drug possession, and those antics likely contributed to his arrest and to this guilty plea.

Vovnenko contested his extradition from Italy, and in so doing spent roughly 15 months in arguably Italy’s worst prison. During that time, he seemed to have turned his life around, sending me postcards at Christmas time and even an apparently heartfelt apology letter.

Seasons greetings from my pen pal, Flycracker.

Seasons greetings from my pen pal, Flycracker.

On Thursday, a judge in New Jersey sentenced Vovnenko to 41 months in prison, three years of supervised released and ordered him to pay restitution of $83,368.

Separately, a judge in Washington, D.C. handed down a sentence of three year’s probation to Eric Taylor, a hacker probably better known by his handle “Cosmo the God.”

Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our Virginia home. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”

CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed[dot]su, which routinely “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general, among others. The group also swatted many of the people they doxed.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

Taylor and his co-conspirators were able to dox so many celebrities and public officials because they hacked a Russian identity theft service called ssndob[dot]ru. That service in turn relied upon compromised user accounts at data broker giant LexisNexis to pull personal and financial data on millions of Americans.

At least two other young men connected to the exposed[dot]su conspiracy have already been sentenced to prison.

Eric "CosmoTheGod" Taylor.

Eric “CosmoTheGod” Taylor, in a recent selfie posted to his Twitter profile.

Among them was Mir Islam, a 22-year-old Brooklyn man who was sentenced last year to two years in prison for doxing and swatting, and for cyberstalking a young woman whom he also admitted to swatting. Because he served almost a year of detention prior to his sentencing, Islam was only expected to spend roughly a year in prison, although it appears he was released before even serving the entire year.

Hours after his sentencing, Taylor reached out to KrebsOnSecurity via Facetime to apologize for his actions. Taylor, a California native, said he is trying to turn his life around, and that he has even started his own cybersecurity consultancy.

“I live in New York City now, have a baby on the way and am really trying to get my shit together finally,” Taylor said.

If Taylor’s physical appearance is any indication, he is indeed turning over a new leaf. At the time he was involved in publishing exposed[dot]su, the six-foot, seven-inch CosmoTheGod was easily a hundred pounds heavier than he is now.

Unfortunately, not everyone in Taylor’s former crew is making changes for the better. According to Taylor, his former co-conspirator Islam was recently re-arrested after allegedly cyberstalking Taylor’s girlfriend. That stalking claim could not be independently confirmed, however court documents show that Islam was indeed re-arrested and incarcerated last month in New York.

Mir Islam, at his sentencing hearing today. Sketches copyright by Hennessy / CourtroomArt.com

Mir Islam, at his sentencing hearing last year. Sketches copyright by Hennessy / CourtroomArt.com



from
https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-heroin-to-my-home-sentenced/

Wednesday, February 15, 2017

Who Ran Leakedsource.com?

Late last month, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection of usernames and passwords leaked or stolen in some of the worst data breaches — including billions of credentials for accounts at top sites like LinkedIn, Myspace, and Yahoo.

In a development that could turn out to be deeply ironic, it seems that the real-life identity of LeakedSource’s principal owner may have been exposed by many of the same stolen databases he’s been peddling.

The now-defunct Leakedsource service.

The now-defunct LeakedSource service.

LeakedSource in October 2015 began selling access to passwords stolen in high-profile breaches. Enter any email address on the site’s search page and it would tell you if it had a password corresponding to that address. However, users had to select a payment plan before viewing any passwords.

LeakedSource was a curiosity to many, and for some journalists a potential source of news about new breaches. But unlike services such as BreachAlarm and HaveIBeenPwned.com — which force users to verify that they can access a given account or inbox before the site displays whether it has found a password associated with the account in question — LeakedSource did nothing to validate users. This fact, critics charged, showed that the proprietors of LeakedSource were purely interested in making money and helping others pillage accounts.

I also was curious about LeakedSource, but for a different reason. I wanted to chase down something I’d heard from multiple sources: That one of the administrators of LeakedSource also was the admin of abusewith[dot]us, a site unabashedly dedicated to helping people hack email and online gaming accounts.

Abusewith[dot]us began in September 2013 as a forum for learning and teaching how to hack accounts at Runescape, a massively multiplayer online role-playing game (MMORPG) set in a medieval fantasy realm where players battle for kingdoms and riches.
runescape

The currency with which Runescape players buy and sell weapons, potions and other in-game items are virtual gold coins, and many of Abusewith[dot]us’s early members traded in a handful of commodities: Phishing kits and exploits that could be used to steal Runescape usernames and passwords from fellow players; virtual gold plundered from hacked accounts; and databases from hacked forums and Web sites related to Runescape and other online games.

The administrator of Abusewith[dot]us is a hacker who uses the nickname “Xerx3s.” The avatar attached to Xerx3s’s account suggests the name is taken from Xerxes the Great, a Persian king who lived during the fifth century BC.

Xerx3s the hacker appears to be especially good at breaking into discussion forums and accounts dedicated to Runescape and online gaming. Xerx3s also is a major seller of Runescape gold — often sold to other players at steep discounts and presumably harvested from hacked accounts.

Xerx3s's administrator account profile at Abusewith.us.

Xerx3s’s administrator account profile at Abusewith.us.

I didn’t start looking into who might be responsible for LeakedSource until July 2016, when I sought an interview by reaching out to the email listed on the site (leakedsourceonline@gmail.com). Soon after, I received a Jabber chat invite from the address “leakedsource@chatme.im.”

The entirety of that brief interview is archived here. I wanted to know whether the proprietors of the service believed they were doing anything wrong (we’ll explore more about the legal aspects of LeakedSource’s offerings later in this piece).  Also, I wanted to learn whether the rumors of LeakedSource arising out of Abusewith[us] were true.

“After many of the big breaches of 2015, we noticed a common public trend…’Where can I search it to see if I was affected?’,” wrote the anonymous person hiding behind the leakedsource@chatme.im account. “And thus, the idea was born to fill that need, not rising out of anything. We are however going to terminate the interview as it does seem to be more of a witch hunt instead of journalism. Thank you for your time.”

Nearly two weeks after that chat with the LeakedSource administrator, I got a note from a source who keeps fairly close tabs on the major players in the English-speaking cybercrime underground. My source told me he’d recently chatted with Xerx3s using the Jabber address Xerx3s has long used prior to the creation of LeakedSource — xerx3s@chatme.im.

Xerx3s told my source in great detail about my conversation with the Leakedsource administrator, suggesting that either Xerx3s was the same person I spoke with in my brief interview with LeakedSource, or that the LeakedSource admin had shared a transcript of our chat with Xerx3s.

Although his username on Abusewith[dot]us was Xerx3s, many of Xerx3s’s closest associates on the forum referred to him as “Wade” in their forum postings. This is in reference to a pseudonym Xerx3s frequently used, “Jeremy Wade.”

An associate of Xerx3s tells another abusewith[dot]us user that Xerx3s is the owner of LeakedSource. That comment was later deleted from the discussion thread pictured here.

An associate of Xerx3s tells another abusewith[dot]us user that Xerx3s is the owner of LeakedSource. That comment was later deleted from the discussion thread pictured here.

One email address this Jeremy Wade identity used pseudonymously was imjeremywade@gmail.com. According to a “reverse WHOIS” record search ordered through Domaintools.com, that email address is tied to two domain names registered in 2015: abusing[dot]rs, and cyberpay[dot]info. The original registration records for each site included the name “Secure Gaming LLC.”

The “Jeremy Wade” pseudonym shows up in a number of hacked forum databases that were posted to both Abusewith[dot]us and LeakedSource, including several other sites related to hacking and password abuse.

For example, the user database stolen and leaked from the DDoS-for-hire service “panic-stresser[dot]xyz” shows that a PayPal account tied to the email address eadeh_andrew@yahoo.com paid $5 to cover a subscription for a user named “jeremywade;” The leaked Panicstresser database shows the Jeremywade account was tied to the email address xdavros@gmail.com, and that the account was created in July 2012.

The leaked Panicstresser database also showed that the first login for that Jeremywade account came from the Internet address 68.41.238.208, which is a dynamic Internet address assigned to residential customers of Comcast Communications in Michigan.

According to a large number of forum postings, it appears that whoever used the xdavros@gmail.com address also created several variations on that address, including alexdavros@gmail.com, davrosalex3@yahoo.com, davrosalex4@yahoo.com, as well as themarketsales@gmail.com.

The Gmail account xdavros@gmail.com was used to register at least four domain names almost six years ago in 2011. Two of those domains — daily-streaming.com and tiny-chats.com — were originally registered to a “Nick Davros” at 3757 Dunes Parkway, Muskegon, Mich. The other two were registered to a Nick or Alex Davros at 868 W. Hile Rd., Muskegon, Mich. All four domain registration records included the phone number +12313430295.

I took that 68.41.238.208 Internet address that the leaked Panicstresser database said was tied to the account xdavros@gmail.com and ran an Internet search on it. The address turned up in yet another compromised hacker forum database — this time in the leaked user database for sinister[dot]ly, ironically another site where users frequently post databases plundered from other sites and forums.

The leaked sinister[dot]ly forum database shows that a user by the name of “Jwade” who registered under the email address trpkisaiah@gmailcom first logged into the forum from the same Comcast Internet address tied to the xdavros@gmail.com account at Panicstresser.

I also checked that Michigan Comcast address with Farsight Security, a security firm which runs a paid service that tracks the historic linkages between Internet addresses and domain names. Farsight reported that between 2012 and 2014, the Internet address 68.41.238.208 was tied to no-ip.biz, popular “dynamic IP” service.

No-ip.biz and other dynamic IP address services are usually free services that allow users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because services like No-ip.biz can be used to easily map the domain name to the user’s new Internet address whenever it happens to change.

Unfortunately, these dynamic IP providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers mange to track the attacking IP address and convince the ISP responsible for that address to disconnect the malefactor. In such cases, dynamic IP services allow the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.

Farsight reports that the address 68.41.238.208 maps back to three different dynamic IP domains, including “jwade69.no-ip.biz,” “wadewon.no-ip.biz,” and “jrat6969.zapto.org.” That first dynamic address — jwade69.no-ip.biz — was included among several hundred others in a list published by the Federal Bureau of Investigation as tied to the distribution of Blackshades, a popular malware strain that was used as a password-stealing trojan by hundreds of paying customers prior to May 2014.

XERX3S HACKED?

In January 2017, when news of the alleged raid on LeakedSource began circulating in the media, I began going through my notes and emails searching for key accounts known to be tied to Xerx3s and the administrator of Abusewith[dot]us.

Somehow, in the previous three months I’d managed to overlook an anonymous message I received in mid-September from a reader who claimed to have hacked the email account themarketsales@gmail.com, one of several addresses my research suggested was tied to Xerx3s.

The anonymous source didn’t say exactly how he hacked this account, but judging from the passwords tied to Xerx3s’s other known accounts that were included in the various forum database leaks listed above it may well have been because Xerx3s in some cases re-used the same password across multiple accounts. 

My anonymous source shared almost a dozen screenshots of his access to themarketsales@gmail.com, which indicate the name attached to the account was “Alex Davros.” The screenshots also show this user received thousands of dollars in Paypal payments from Leakedsource.com over a fairly short period in 2015.
alexdavrosleakedsource

The screenshots also showed that themarketsales@gmail.com was tied to a PayPal account assigned to a Secured Gaming LLC. Recall that this is the same company name included in the Web site registration records back in 2011 for daily-streaming.com and tiny-chats.com.

A screenshot shared with me in Sept. 2016 by an anonymous source who said he'd hacked the Gmail address "themarketsales@gmail.com".

A screenshot shared with me in Sept. 2016 by an anonymous source who said he’d hacked the Gmail address “themarketsales@gmail.com”.

In addition, the screenshot above and others shared by my source indicate that the same Paypal account tied to themarketsales@gmail.com was habitually used to pay a monthly bill from Hyperfilter.com, a company that provides DDoS protection and hosting and which has long been the provider used by Abusewith[dot]us.

Finally, the anonymous hacker shared screenshots suggesting he had also hacked into the email account desiparker18@gmail.com, an account apparently connected to a young lady in Michigan named Desi Parker. The screenshots for Ms. Parker suggest her hacked Gmail account was tied to an Apple iTunes account billed to a MasterCard ending in 7055 and issued to an Alexander Davros at 868 W. Hile, Muskegon, Mich.

The screenshots show the desiparker18@gmail.com address is associated with an Instagram account for a woman by the same name from Muskegon, Mich. (note that the address given in the WHOIS records for Alex Davros’s daily-streaming.com and tiny-chats.com also was Muskegon, Mich).

Desi Parker’s Instagram lists her “spouse” as Alex Davros, and says her phone number is 231-343-0295. Recall that this is the same phone number included in the Alex Davros domain registration records for daily-streaming.com and tiny-chats.com. That phone number is currently not in service.

Desi Parker’s Facebook account indeed says she is currently in a relationship with Alexander Marcus Davros, and the page links to this Facebook account for Alex Davros.

Alex’s Facebook profile is fairly sparse (at least the public version of it), but there is a singular notation in his entire profile that stands out: Beneath the “Other Names” heading under the “Details about Alexander” tab, Alex lists “TheKing.” Parker’s Instagram account includes a photo of an illustration she made including her beau’s first name with a crown on top.

Interestingly, two email addresses connected to domains associated with the Jeremy Wade alias — matt96sk@yahoo.com and skythekiddy@yahoo.com — are tied to Facebook accounts for Michigan residents who both list Alex Davros among their Facebook friends.

Below is a rough mind map I created which attempts to show the connections between the various aliases, email addresses, phone numbers and Internet addresses mentioned above. At a minimum, they strongly indicate that Xerx3s is indeed an administrator of LeakedSource.

iamxerbutlsnoI managed to reach Davros through Twitter, and asked him to follow me so that we could exchange direct messages. Within maybe 60 seconds of my sending that tweet, Davros followed me on Twitter and politely requested via direct message that I remove my public Twitter messages asking him to follow me.

After I did as requested, Davros’s only response initially was, “Wow, impressive but I can honestly tell you I am not behind the service.” However, when pressed to be more specific, he admitting to being Xerx3s but claimed he had no involvement in LeakedSource.

“I am xer yes but LS no,” Davros said. He stopped answering my questions after that, saying he was busy “doing a couple things IRL.” IRL is Internet slang for “in real life.” Presumably these other things he was doing while I was firing off more questions had nothing to do with activities like deleting profiles or contacting an attorney.

Even if Davros is telling the truth, the preponderance of clues here and the myriad connections between them suggest that he at least has close ties to some of those who are involved in running LeakedSource.

A "mind map" I created to illustrate the apparent relationships between various addresses and pseudonyms referenced in this story.

A “mind map” I created to illustrate the apparent relationships between various addresses and pseudonyms referenced in this story.

THE LEGALITY OF LEAKEDSOURCE

On the surface, the rationale that LeakedSource’s proprietors have used to justify their service may seem somewhat reasonable: The service merely catalogs information that is already stolen from companies and that has been leaked in some form online.

But legal experts I spoke with saw things differently, saying LeakedSource’s owners could face criminal charges if prosecutors could show LeakedSource intended for the passwords that are for sale on the site to be used in the furtherance of a crime.

Orin Kerr, director of the Cybersecurity Law Initiative at The George Washington University, said trafficking in passwords is clearly a crime under the Computer Fraud and Abuse Act (CFAA).

Specifically, Section A6 of the CFAA, which makes it a crime to “knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization, if…such trafficking affects interstate or foreign commerce.

“CFAA quite clearly punishes password trafficking,” Kerr said. “The statute says the [accused] must be trafficking in passwords knowingly and with intent to defraud, or trying to further unauthorized access.”

Judith Germano, a senior fellow at the Center on Law and Security at New York University’s School of Law, said LeakedSource might have a veneer of legitimacy if it made an effort to check whether users already have access to the accounts for which they’re seeking passwords.

“If they’re not properly verifying that when the user goes to the site to get passwords then I think that’s where their mask of credibility falls,” Germano said.

LeakedSource may be culpable also because at one point the site offered to crack hashed or encrypted passwords for a fee. In addition, it seems clear that the people who ran the service also advocated the use of stolen passwords for financial gain.



from
https://krebsonsecurity.com/2017/02/who-ran-leakedsource-com/

Thursday, February 9, 2017

Fast Food Chain Arby’s Acknowledges Breach

Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.

arbys2A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned. The remaining stores are franchises. However, this distinction is likely to be lost on Arby’s customers until the company releases more information about individual restaurant locations affected by the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions.

The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PCSU member banks.

“PSCU believes the alerts are associated with a large fast food restaurant chain, yet to be announced to the public,” reads the alert, which was sent only to PSCU member banks.

Arby’s declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017.

Such a large alert from the card associations generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

The breach at Arby’s comes as many credit unions and smaller banks are still feeling the financial pain from fraud related to a similar breach at the fast food chain Wendy’s. KrebsOnSecurity broke the news of that breach in January 2016, but the company didn’t announce it had fully removed the malware from its systems until May 2016. But two months after that the company was forced to admit that many Wendy’s locations were still compromised.

B. Dan Berger, president and CEO of the National Association of Federal Credit Unions, said the number of cards that PSCU told member banks were likely exposed in this breach is roughly in line with the numbers released not long after news of the Wendy’s breach broke.

“Hundreds of thousands of cards is a big number, and with the Wendy’s breach, the alerts we were getting from Visa and MasterCard were in the six-digit ranges for sure,” Berger said. “That’s probably one of the biggest numbers I’ve heard.”

Berger said the Wendy’s breach was especially painful because the company was re-compromised after it scrubbed its payment systems of malicious software. Many banks and credit unions ended up re-issuing customer cards several times throughout last year after loyal Wendy’s customers re-compromised their brand new cards again and again because they routinely ate at multiple Wendy’s locations throughout the month.

“We had institutions that stopped approving debit and credit transactions through Wendy’s when they were still dealing with that breach,” Berger said. “Our member credit unions were eating the costs of fraud on compromised cards, and on top of that having to re-issue the same cards over and over.”

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).



from
https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/

Wednesday, February 8, 2017

‘Top 10 Spammer’ Indicted for Wire Fraud

Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation.

According to an indictment returned in federal court in Chicago, Persaud used multiple Internet addresses and domains – a technique known as “snowshoe spamming” – to transmit spam emails over at least nine networks.

persaud-fb

The Justice Department says Persaud sent well over a million spam emails to recipients in the United States and abroad. Prosecutors charge that Persaud often used false names to register the domains, and he created fraudulent “From:” address fields to conceal that he was the true sender of the emails. The government also accuses Persaud of “illegally transferring and selling millions of email addresses for the purpose of transmitting spam.”

Persaud is currently listed as #8 on the World’s 10 Worst Spammers list maintained by Spamhaus, an anti-spam organization. In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. Persaud did not contest the charges and was ordered to pay more than a half-million dollars in restitution and damages.

In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers.

Persaud has not responded to requests for comment. But he maintains that his email marketing business is legitimate and complies with the CAN-SPAM Act, the main anti-spam law in the United States. The law prohibits the sending of spam that spoofs that sender’s address or does not give recipients an easy way to opt out of receiving future such emails from that sender.

Persaud told FBI agents who raided his home last year that he currently conducts internet marketing from his residence by sending a million emails in under 15 minutes from various domains and Internet addresses.

The indictment charges Persaud with ten counts of wire fraud and seeks the forfeiture of four computers. Each count of wire fraud is punishable by up to 20 years in prison. If convicted, the court must impose a reasonable sentence under federal statutes and sentencing guidelines.

Persaud was charged in Chicago because at least two of the servers he allegedly used to conduct snowshow spamming operations were located there (named only as victims “B” and “F” in the government’s indictment). A copy of the indictment against Persaud is here (PDF).

For more on how spam allegedly sent by Persaud was traced back to his companies, see my story from November 2014, Still Spamming After All These Years. For a deeper understanding of why and how spam is the engine that drives virtually all other forms of cybercrime, check out my book — Spam Nation: The Inside Story of Organized Cybercrime.



from
https://krebsonsecurity.com/2017/02/top-10-spammer-indicted-for-wire-fraud/

Tuesday, February 7, 2017

House Passes Long-Sought Email Privacy Bill

The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails. Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent without the approval of a judge.

cloudprivacyThe House passed by a voice vote The Email Privacy Act (HR 387). The bill amends the Electronic Communications Privacy Act (ECPA), a 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information.

But the U.S. Justice Department wanted different treatment for stored electronic communications. Congress struck a compromise, decreeing that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge.

HR 387’s sponsor Kevin Yoder (R-Kan.) explained in a speech on the House floor Monday that back in when the bill was passed, hardly anybody stored their personal correspondence “in the cloud.” He said the thinking at the time was that “if an individual was leaving an email on a third-party server it was akin to that person leaving their paper mail in a garbage can at the end of their driveway.”

“Thus, that individual had no reasonable expectation of privacy in regards to that email under the Fourth Amendment,” Yoder said.

Lee Tien, a senior staff attorney with the Electronic Frontier Foundation (EFF), said a simple subpoena also can get law enforcement the following information about communications records (in addition to the content of emails stored at a service provider for more than 180 days):

-name;
-address;
-local and long distance telephone connection records, or records of session times and durations;
-length of service (including start date) and types of service utilized;
-telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
-means and source of payment for such service (including any credit card or bank account number), of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.

The Email Privacy Act does not force investigators to jump through any additional hoops for accessing so-called “metadata” messaging information about stored communications, such as the Internet address or email address of a message sender. Under ECPA, the “transactional” data associated with communications — such as dialing information showing what numbers you are calling — was treated as less sensitive. ECPA allows the government to use something less than a warrant to obtain this routing and signaling information.

The rules are slightly different in California, thanks to the passage of CalECPA, a law that went into effect in 2016. CalECPA not only requires California government entities to obtain a search warrant before obtaining or accessing electronic information, it also requires a warrant for metadata.

Activists who’ve championed ECPA reform for years are cheering the House vote, but some are concerned that the bill may once again get hung up in the Senate. Last year, the House passed the bill in an unanimous 419-0 vote, but the measure stalled in the upper chambers of the Senate.

The EFF’s Tien said he’s worried that the bill heading to the Senate may not have the support of the Trump administration, which could hinder its chances in a Republican-controlled chamber.

“The Senate is a very different story, and it was a different story last year when Democrats had more votes,” Tien said.

Whether the bill even gets considered by the Senate at all is bound to be an issue again this year.

“I feel a little wounded because it’s been a hard fight,” Tien said. “It hasn’t been an easy fight to get this far.”

The U.S. government is not in the habit of publishing data about subpoenas it has requested and received, but several companies that are frequently on the receiving end of such requests do release aggregate numbers. For example, Apple, FacebookGoogleMicrosoft and Twitter all publish transparency reports. They’re worth a read.

For a primer on protecting your communications from prying eyes and some tools to help preserve your privacy, check out the EFF’s Surveillance Self-Defense guide.



from
https://krebsonsecurity.com/2017/02/house-passes-long-sought-email-privacy-bill/

Monday, February 6, 2017

InterContinental Confirms Breach at 12 Hotels

InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties nationwide. News of the breach was first reported by KrebsOnSecurity more than a month ago.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.

According to IHG, we may not yet know the full scope of this breach: The company advised that its investigation into other properties in the Americas region is ongoing.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).



from
https://krebsonsecurity.com/2017/02/intercontinental-confirms-breach-at-12-hotels/

Friday, February 3, 2017

How Google Took on Mirai, KrebsOnSecurity

The third week of September 2016 was a dark and stormy one for KrebsOnSecurity. Wave after wave of huge denial-of-service attacks flooded this site, forcing me to pull the plug on it until I could secure protection from further assault. The site resurfaced three days later under the aegis of Google’s Project Shield, an initiative which seeks to protect journalists and news sites from being censored by these crippling digital sieges.

Damian Menscher, a Google security engineer with whom I worked very closely on the migration to Project Shield, spoke this week about the unique challenges involved in protecting a small site like this one from very large, sustained and constantly morphing attacks.

Google Security Reliability Engineer Damian Menscher speaking at the Enigma conference this week. Photo: @mrisher

Google Security Reliability Engineer Damian Menscher speaking at the Enigma conference this week. Photo: @mrisher

Addressing the Enigma 2017 security conference in Oakland, Calif., Menscher said his team only briefly considered whether it was such a good idea to invite a news site that takes frequent swings at the DDoS-for-hire industry.

“What happens if this botnet actually takes down google.com and we lose all of our revenue?” Menscher recalled. “But we considered [that] if the botnet can take us down, we’re probably already at risk anyway. There’s nothing stopping them from attacking us at any time. So we really had nothing to lose here.”

Ars Technica’s Dan Goodin was at the Engima conference and filed this report:

“It took only about an hour for Menscher’s team to arrive at the decision to help Krebs. A much more lengthy process involved actually admitting KrebsOnSecurity into Project Shield…A key requirement for admittance is that the person requesting service proves they have control over the site. Because KrebsOnSecurity was down at that moment, Krebs was unable to satisfy this requirement.

Making matters worse, the domain-name system settings KrebsOnSecurity used had been locked to thwart the attempted domain hijacking attacks that regularly targeted the site. That prevented Krebs from showing he had control of the site’s DNS settings.

Once Project Shield ultimately got KrebsOnSecurity back online, it took just 14 minutes for the attacks to resume.”

For more, check out Dan Goodin’s excellent piece, How Google Fought Back Against a Crippling IoT-Powered Botnet and Won. And a rolling thanks to Damian (a true mensch) and to Project Shield for deflecting the evil bits.

For more background on the botnet responsible for knocking this site offline, see Who is Anna-Senpai, the Mirai Worm Author?



from
https://krebsonsecurity.com/2017/02/how-google-took-on-mirai-krebsonsecurity/

Thursday, February 2, 2017

IRS: Scam Blends CEO Fraud, W-2 Phishing

Most regular readers here are familiar with CEO fraud — e-mail scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. Loyal readers also have heard an earful about W-2 phishing, in which crooks impersonate the boss and request a copy of all employee tax forms. According to a new “urgent alert” issued by the U.S. Internal Revenue Service, scammers are now combining both schemes and targeting a far broader range of organizations than ever before.

athookThe IRS said phishers are off to a much earlier start this year than in tax years past, trying to siphon W-2 data that can be used to file fraudulent refund requests on behalf of taxpayers. The agency warned that thieves also appear to be targeting a wider range of organizations in these W-2 phishing schemes, including school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations and nonprofits.

Perhaps because they are already impersonating the boss, the W-2 phishers feel like they’re leaving money on the table if they don’t also try to loot the victim organization’s treasury: According to the IRS, W-2 phishers very often now follow up with an “executive” email to the payroll or comptroller requesting that a wire transfer be made to a certain account.

“This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said. “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”

The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.

First surfacing in February 2016, the W-2 phishing scams also have netted thieves plenty of victims. At one point last year I was hearing from almost one new W-2 phishing victim each day. Some of the more prominent companies victimized by W-2 scams last year included Seagate Technology, Moneytree, Sprouts Farmer’s Market, and EWTN Global Catholic Network.

As noted earlier this week, scammers also are now selling 2016 employee W-2 forms that were phished or otherwise stolen from victim organizations, peddling individual W-2 tax records for between $4 and $20 apiece.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The IRS says organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the FBI.

Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039 (PDF) Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS.

W-2 forms are prized by ID thieves because they feature virtually all of the data needed to file a fraudulent tax refund request with the IRS in a victim’s name, including the employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. 

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant banking transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating CEO fraud schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.



from
https://krebsonsecurity.com/2017/02/irs-scam-blends-ceo-fraud-w-2-phishing/