Sunday, March 31, 2019

Annual Protest Raises $250K to Cure Krebs

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work).  I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.



from
https://krebsonsecurity.com/2019/03/annual-protest-raises-250k-to-cure-krebs/

Friday, March 29, 2019

Man Behind Fatal ‘Swatting’ Gets 20 Years

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.

Barriss pleaded guilty to making hoax bomb threats in phone calls to the headquarters of the FBI and the Federal Communications Commission in Washington, D.C. He also made bomb threat and swatting calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts, Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida and Canada.

“I hope that this prosecution and lengthy sentence sends a strong message that will put an end to the juvenile and reckless practice of ‘swatting’ within the gaming community, as well as in any other context,” said Kansas U.S. Attorney Stephen McAllister said in a written statement. “Swatting is just a terrible idea. I also hope that today’s result helps bring some peace to the Finch family and some closure to the Wichita community.”

Many readers have commented here that the officer who fired the shot which killed Andrew Finch should also face prosecution. However, the district attorney for the county that encompasses Wichita decided in April 2018 that the officer will not face charges, and will not be named because he isn’t being charged with a crime.

As the victim of a swatting attack in 2013 and two other attempted swattings, I’m glad to finally see a swatting prosecution that may actually serve as a deterrent to this idiotic and extremely dangerous crime going forward.

But as I’ve observed in previous stories about swatting attacks, it would also be nice if more police forces around the country received additional training on exercising restraint in the use of deadly force, particularly in responding to hostage or bomb threat scenarios that have hallmarks of a swatting hoax.

For example, perpetrators of swatting often call non-emergency numbers at state and local police departments to carry out their crimes precisely because they are not local to the region and cannot reach the target’s police department by calling 911. This is exactly what Tyler Barriss did in the Wichita case and others. Swatters also often use text-to-speech (TTY) services for the hearing impaired to relay hoax swat calls, as was the case with my 2013 swatting.



from
https://krebsonsecurity.com/2019/03/man-behind-fatal-swatting-gets-20-years/

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnsecurity contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.

Joker’s Stash typically organizes different batches of stolen cards around a codename tied to a specific merchant breach. This naming convention allows criminals who purchased cards from a specific batch and found success using those cards fraudulently to buy from the same batch again when future cards stolen from the same breached merchant are posted for sale.

While a given batch’s nickname usually has little relation to the breached merchant, Joker’s Stash does offer a number of search options for customers that can sometimes be used to trace a large batch of stolen cards back to a specific merchant.

This is especially true if the victim merchant has a number of store locations in multiple smaller U.S. towns. That’s because while Joker’s Stash makes its stolen cards searchable via a variety of qualities — the card-issuing bank or expiration date, for example — perhaps the most useful in this case is the city or ZIP code tied to each card.

As with a number of other carding sites, Joker’s Stash indexes cards by the city and/or ZIP code of the store from which the card was stolen (not the ZIP code of the affected cardholders).

On Feb. 20, Joker’s Stash moved a new batch of some 2.15 million stolen cards that it dubbed the “Davinci Breach.” An analysis of the cities and towns listed among the Davinci cards for sale included a number of hacked store locations that were not in major cities, such as Burnsville, Minn., Levonia, Mich., Midvale, Utah, Norwood, Ohio, and Wheeling, Ill.

Earl Enterprises said in its statement the malicious software installed at affected stores captured payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder names. The company says online orders were not affected.

Malicious hackers typically steal card data from organizations by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.

Cardholders are not responsible for fraudulent charges, but your bank isn’t always going to detect card fraud. That’s why it’s important to regularly review your monthly statements and quickly report any unauthorized charges.



from
https://krebsonsecurity.com/2019/03/a-month-after-2-million-customer-cards-sold-online-buca-di-beppo-parent-admits-breach/

Friday, March 22, 2019

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.

“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” FBI Special Agent Brooke Donahue reportedly told an Irish court in 2013.

Even before the FBI testified in court about its actions, clues began to emerge that the Firefox exploit used to record the true Internet address of Freedom Hosting visitors was developed specifically for U.S. federal investigators. In an analysis posted on Aug. 4, reverse engineer Vlad Tsrklevich concluded that because the payload of the Firefox exploit didn’t download or execute any secondary backdoor or commands “it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”

According to The Irish Times, in a few days Marques is likely to be escorted from Cloverhill Prison to Dublin Airport where he will be put on a US-bound flight and handcuffed to a waiting US marshal. If convicted of all four charges, he faces life in prison (3o years for each count).



from
https://krebsonsecurity.com/2019/03/alleged-child-porn-lord-faces-us-extradition/

Thursday, March 21, 2019

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”

Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

Update, 11:43 a.m.: Facebook has posted a statement about this incident here.



from
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

Sunday, March 17, 2019

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.

BK: We weren’t always so tied to our phone numbers, right? What happened?

AN: The whole concept of a phone number goes back over a hundred years. The operator would punch in a number you know was associated with your friend and you could call that person and talk to them. Back then, a phone wasn’t tied any one person’s identity, and possession of that phone number never proved that person’s identity.

But these days, phone number are tied to peoples’ identities, even though we’re recycling them and this recycling is a fundamental part of how the phone system works. Despite the fact that phone number recycling has always existed, we still have all these Internet companies who’ve decided they’re going to accept the phone number as an identity document and that’s terrible.

BK: How does the phone number compare to more traditional, physical identity documents?

AN: Take the traditional concept of identity documents — where you have to physically show up and present ID at some type of business or office, and then from there they would look up your account and you can conduct a transaction. Online, it’s totally different and you can’t physically show your ID and can’t show your face.

In the Internet ecosystem, there are different companies and services that sell things online who have settled on various factors that are considered a good enough proxy for an identity document. You supply a username, password, and sometimes you provide your email address or phone number. Often times when you set up your account you have some kind of agreed-upon way of proofing that over time. Based on that pre-established protocol, the user can log in and do transactions.

It’s not a good system and the way the whole thing works just enables fraud. When you’re bottlenecked into physically showing up in a place, there’s only so much fraud you can do. A lot of attacks against phone companies are not attacking the inherent value of a phone number, but its use as an identity document.

BK: You said phone number recycling is a fundamental part of how the phone system works. Talk more about that, how common that is.

AN: You could be divorced, or thrown into sudden poverty after losing a job. But that number can be given away, and if it goes to someone else you don’t get it back. There all kinds of life situations where a phone number is not a good identifier.

Maybe part of the reason the whole phone number recycling issue doesn’t get much attention is people who can’t pay their bills probably don’t have a lot of money to steal anyways, but it’s pretty terrible that this situation can be abused to kick people when they’re down. I don’t think a lot of money can be stolen in this way, but I do think the fact that this happens really can undermine the entire system.

BK: It seems to me that it would be a good thing if more online merchants made it easier to log in to their sites without using passwords, but instead with an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in. Seems like this kind of “push” login can leverage the user’s smart phone while not relying on the number — or passwords, for that matter.

If phone numbers are bad, what should we look to as more reliable and resilient identifiers?

AN: That’s something I’ve been thinking a lot about lately. It seems like all of the other options are either bad or really controversial. On the one hand, I want my bank to know who I am, and I want to expose my email and phone number to them so they can verify it’s me and know how to get in touch with me if needed. But if I’m setting up an email account, I don’t want to have to give them all of my information. I’m not attached to any one alternative idea, I just don’t like what we’re doing now.

For more on what you can do to reduce your dependence on mobile phone numbers, check out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security.



from
https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/

Wednesday, March 13, 2019

Ad Network Sizmek Probes Account Breach

Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.

In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”

“You can add new users to the ad system, edit existing ones and ad offers,” the seller wrote. The starting bid was $800.

The seller included several screen shots of the ad company’s user panel. A few minutes on LinkedIn showed that many of these people are current or former employees of Sizmek.

The seller also shared a screenshot of the ad network’s Alexa site rankings:

A screenshot of the Alexa ranking for the “big American ad network,” access to which was sold on a cybercrime forum.

I checked Sizmek’s Alexa page and at the time it almost mirrored the statistics shown in the screenshot above. Sizmek’s own marketing boilerplate says the company operates its ad platform in more than 70 countries, connecting more than 20,000 advertisers and 3,600 agencies to audiences around the world. The company is listed by market analysis firm Datanyze.com as the world third-largest ad server network.

After reaching out to a number of folks at Sizmek, I heard back from George Pappachen, the company’s general counsel.

Pappachen said the account being resold on the dark web is a regular user account (not a all-powerful administrator account, despite the seller’s claim) for its Sizmek Advertising Suite (SAS). Pappachen described Sizmek’s SAS product line as “a sizable and important one” for the company and a relatively new platform that has hundreds of users.

He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns. And Sizmek is used in ad campaigns for some of the biggest brands out there. Some of the companies shown in the screenshot of the panel shared by the dark web seller include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.

A screenshot shared by the dark web seller. Portions of this panel — access to a Sizmek user account — was likely translated by the Chrome Web browser, which has a built-in page translate function. As seen here, that function tends to translate items in the frame of the panel, but it leaves untouched the data inside those frames.

Crooks who exploited this access could hijack existing ad campaigns running on some of the world’s top online properties, by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system.

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” Pappachen offered.

Pappachen said Sizmek forced a password reset on all internal employees (“a few hundred”), and that the company is scrubbing its SAS user database for departed employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect,” Pappachen said. “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”

The Sizmek incident carries a few lessons. For starters, it seems like an awful lot of people at Sizmek had access to sensitive controls and data a good deal longer than they should have. User inventory and management is a sometimes painful but very necessary ongoing security process at any mature organization.

Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately.

Pappachen asked KrebsOnSecurity what else could have prevented this. I suggested some form of mobile-based multi-factor authentication option would prevent stolen credentials from turning into instant access. He said the company does use app/mobile based authentication for several of its new products and some internal programs, but allowed that “the legacy ones probably did not have this feature.”

PASSWORD SPRAYING

It’s not clear how this miscreant got access to Sizmek’s systems. But it is clear that attackers have moved rapidly of late toward targeting employees at key roles in companies they’d like to infiltrate, and they’re automating the guessing of passwords for employee accounts. One popular version of this attack involves what’s known as “password spraying,” which attempts to access a large number of accounts (usernames/email addresses) with a few commonly used passwords.

There are technologies like CAPTCHAs — requiring the user to solve an image challenge or retype squiggly letters — which try to weed out automated bot programs from humans. Then again, password spraying attacks often are conducted “low and slow” to help evade these types of bot challenges.

Password spraying was suspected in a compromise reported last week at Citrix, which said it heard from the FBI on March 6 that attackers had successfully compromised multiple Citrix employee accounts. A little-known security company Resecurity claimed it had evidence that Iranian hackers were responsible, had been in Citrix’s network for years, and had offloaded terabytes of data.

Resecurity drew criticism from many in the security community for not sharing enough evidence of the attacks. But earlier this week the company updated its blog post to include several Internet addresses and proxies it says the attackers used in the Citrix campaign. The update stated the attackers had gained access to nearly 32,000 Citrix accounts through password spraying.

Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018. Citrix initially denied that claim, but has since acknowledged that it did receive a notification from Resecurity on Dec. 28. Citrix has declined to comment further beyond saying it is still investigating the matter.

BRUTE-FORCE LIGHT

If anything, password spraying is a fairly crude, if sometimes marginally effective attack tool. But what we’ve started to see more of over the past year has been what one might call “brute-force light” attacks on accounts. A source who has visibility into a botnet of Internet of Things devices that is being mostly used for credential stuffing attacks said he’s seeing the attackers use distributed, hacked systems like routers, security cameras and digital video recorders to anonymize their repeated queries.

This source noticed that the automated system used by the IoT botmasters typically will try several dozen variations on a password that each target had previously used at another site — adding a “1” or an exclamation point at the end of a password, or capitalizing the first letter of whole words in previous passwords, and so on.

The idea behind this method to snare not only users who are wholesale re-using the same password across multiple sites, but to also catch users who may just be re-using slight variations on the same password.

This form of credential stuffing is brilliant from the attacker’s perspective because it probably nets him quite a few more correct guesses than normal password spraying techniques.

It’s also smart because it borrows from human nature. Let’s say your average password re-user is in the habit of recycling the password “monkeybutt.” But then he gets to a site that wants him to use capitalization in his password to create an account. So what does this user pick? Yes, “Monkeybutt.” Or “Monkeybutt1”. You get the picture.

There’s an old saying in security: “Everyone gets penetration tested, whether or not they pay someone for the pleasure.” It’s kind of like that with companies and their users and passwords. How would your organization hold up to a password spraying or brute-force light attack? If you don’t know, you should probably find out, and then act on the results accordingly. I guarantee you the bad guys are going to find out even if you don’t.



from
https://krebsonsecurity.com/2019/03/ad-network-sizmek-probes-account-breach/

Tuesday, March 12, 2019

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and Sharepoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.

This is the third month in row Microsoft has released patches to fix high-severity, critical flaws in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”).

These are severe “receive a bad packet of data and get owned” type vulnerabilities. But Allan Liska, senior solutions architect at security firm Recorded Future, says DHCP vulnerabilities are often difficult to take advantage of, and the access needed to do so generally means there are easier ways to deploy malware.

The bulk of the remaining critical bugs fixed this month reside in Internet Explorer, Edge and Office. All told, not the craziest Patch Tuesday. Even Adobe’s given us a month off (or at least a week) patching critical Flash Player bugs: The Flash player update shipped this week includes non-security updates.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Qualys

SANS Internet Storm Center

Ask Woody

ZDNet



from
https://krebsonsecurity.com/2019/03/patch-tuesday-march-2019-edition/

Sunday, March 10, 2019

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.

And sometimes, the scammers just hijack the security camera built into the ATM itself.

Below is the hidden back-end of a skimmer found last month placed over top of the customer-facing security camera at a drive-up bank ATM in Hurst, Texas. The camera components (shown below in green and red) were angled toward the cash’s machine’s PIN pad to record victims entering their PINs. Wish I had a picture of this thing attached to the ATM.

This hidden camera was fixed to the underside of a fake lens cover for the skimmed ATM’s built-in security camera. Image: Hurst Police.

The clever PIN grabber was paired with an “insert skimmer,” a wafer-thin, usually metallic and battery powered skimmer made to be fitted straight into the mouth of the ATM’s card acceptance slot, so that the card skimmer cannot be seen from outside of the compromised ATM.

The insert skimmer, seen as inserted into the card acceptance device in the hacked ATM. Image: Hurst PD.

For reference, here’s a similar card acceptance slot, minus the skimmer.

An unaltered ATM card acceptance slot (without insert skimmer).

Police in Hurst, Texas released a photo taken from footage showing what appears to be a young woman affixing the camera skimmer to the drive-up ATM. They said she was driving a blue Ford Expedition with silver trim on the lower portion of the vehicle.

The skimmer crooks seem to realize that far fewer people are going to cover their hand when entering a PIN at drive-up ATMs. Often the machine is either too high or too low for the driver-side window, and covering the PIN pad to guard against hidden cameras can be a difficult reach for a lot of people.

Nevertheless, covering the PIN pad with a hand, wallet or purse while you enter the PIN is one of the easiest ways to block skimming attacks. The skimmer scammers don’t just want your bank card: They want your PIN so they can create an exact copy of the card and use it at another ATM to empty your checking or savings account.

So don’t be like the parade of people in these videos from hidden cameras at hacked ATMs who never once covered the PIN pad.

Further reading: Woman Caught on Video Installing Skimmer Outside Bank’s ATM in Hurst



from
https://krebsonsecurity.com/2019/03/insert-skimmer-camera-cover-pin-stealer/

Friday, March 8, 2019

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (Trans Union and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I can about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, that I should be ready to provide said information if I was requesting changes via phone or email. 

In other words, credit freezes and thaws requested via myExquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).

Happily, I did discover then when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said..

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

I asked Bistritz-Balkan what else besides a username and a password the company may have meant by “multi-factor;” I’m still waiting for clarification. But I did not experience anything like multi-factor in setting up or logging into my myEquifax account.

This may by closer to Equifax’s idea of multi-factor: The company told me that if I still really wanted to use my freeze PIN, I could always call their 800 number (800-349-9960) or make the request via mail. Nevermind that if I’m a bad guy looking to hack others, I’m definitely going to be using the myEquifax Web site — not the options that make me have to supply a PIN.

Virtually the entire United States population in 2017 became eligible for free credit monitoring from Equifax following its 2017 breach. Credit monitoring can be useful for recovering from identity theft, but consumers should not expect these services to block new account fraud; the most they will likely do in this case is alert you after ID thieves have already opened new accounts in your name.

A credit freeze does not impact your ability to use any existing financial accounts you may have, including bank and credit/debit accounts. Nor will it protect you from fraud on those existing accounts. It is mainly a way to minimize the risk that someone may be able to create new accounts in your name.

If you haven’t done so lately, it might a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer one free copy of their credit report annual from each of the three credit bureaus — either all at once or spread out over the year.

Additional reading:

Credit Freezes are Free: Let the Ice Age Begin

Plant Your Flag, Mark Your Territory

Experian Site Can Give Anyone Your Freeze PIN

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Equifax Breach Fallout: Your Salary History

Data Broker Giants Hacked by ID Theft Service

Experian Sold Access to ID Theft Service



from
https://krebsonsecurity.com/2019/03/myequifax-com-bypasses-credit-freeze-pin/

Monday, March 4, 2019

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A (redacted) screen shot shared by the apparent hacker who was selling access to usernames and passwords for customers of multiple data-search Web sites.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggests a singular reason this network of data-search Web sites changed their support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

Jesse Willms’ Linkedin profile.

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38.

I also pinged several customer support email addresses tied to the data-broker Web sites that were hacked. I received a response from a “Mike Stef,” who described himself as a Web developer for Terra Marketing Group.

Stef said the screenshots appeared to be legitimate, and that the company would investigate the matter and alert affected customers if warranted. Stef told me he doubts the company has four million customers, and that the true number was probably closer to a half million. He also insisted that the panel in question did not have access to customer credit card data.

Nevertheless, it appears from the evidence above that Willms and several others who were named in the FTC’s 2012 stipulated final judgment (PDF) are still up to their old tricks. The FTC has not yet responded to requests for comment. Nor has Mr. Willms.

I can’t help express feeling a certain amount of schadenfreude (schadenfraud?) at the victim in this hacking case. But that amusement is tempered by the reality that the hundreds of thousands or possibly millions of people who got suckered into paying money to this company are quite likely to find themselves on the receiving end of additional phishing and fraud attacks (particularly credential stuffing) as a result of their data being auctioned off to the highest bidder.

Terra Marketing Group’s Web developer Mike Stef responded to my inquiries from an email address at the domain “tmgbox.com.” That message was instrumental in identifying the connection to Willms and Terra Marketing/Penguin. In the interests of better informing people who might wish to become future customers of this group, I am publishing the list of the domains associated with tmgbox.com and its parent entities. This list may be updated periodically as new information surfaces.

In case it is useful for others, KrebsOnSecurity is also publishing the results of several reverse WHOIS lookups for historic domains tied to email addresses of several people Mike Stef described as “senior customer support managers” of Terra Marketing, as these also include some interesting and related (albeit mostly dead) domains.

Reverse WHOIS on Peter Graver and Jesse Willms (rickholl2k9@gmail.com)

Reverse WHOIS on mike@tmgbox.com

Reverse WHOIS on Jason Oster (joster2008@gmail.com)

Public records search domains associated with Terra Marketing Group and Penguin Marketing:

memberreportaccess.com
publicrecords.us.org
dmvrecords.co
dmv.us.org
courtrecords.us.org
myfeeplan.com
police.us.org
warrantcheck.com
myinfobill.com
propertysearch.us.org
homevalue.us.org
carinfo2.com
backgroundchecks.us.org
arrestrecords.us.org
propertyrecord.com
criminalrecords.us.org
jailinmates.us.org
vehiclereportusa.com
dmvinfocheck.com
carrecordusa.com
carhistoryindex.com
autohistorychecks.com
mugshots.us.org
trafficticket.us.org
prison.us.org
reversephonelookup.us.org
deathrecords.us.org
deathrecord.com
deathcertificates.us.org
census.us.org
phonelookup.us.org
vehiclehistoryreports.us.org
vinsearchusa.org



from
https://krebsonsecurity.com/2019/03/hackers-sell-access-to-bait-and-switch-empire/