The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.
An advertisement for RevCode WebMonitor.
At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”
But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.
In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.
For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.
A screenshot of the WebMonitor builder panel.
RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.
In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States.
Yücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of Prisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.
Until recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed for RevCode by Ratsit AB.
Yücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”
The person responding from the RevCode support email address contended that the Alex Yücel listed as owner of the company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.
According to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the younger’s sentencing for the Blackshades conviction, according to court records.
A letter from Alex Yücel’s parents to the court in June 2016.
Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.
Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog
Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.
In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.
Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.
As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.
In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security.
“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.
Creating malware is a form of protect speech in the United States, but selling it and disseminating it is another matter. George Washington University Professor Orin Kerr‘s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.
According to a copy of Hutchins’ plea agreement, both charges each carry a maximum of up to five years in prison, and up to a $250,000 fine, and up to one year of supervised release. However, those charges are likely to be substantially tempered by federal sentencing guidelines, and may take into account time already served in detention. It remains unclear when he will be sentenced.
The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.
Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.
Yours Truly shaking hands with Marcus Hutchins in Las Vegas, August 2018.
The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.
On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.
In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs, telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.
If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers, a well-known bulletproof hosting company based in Russia.
According to records maintained by Farsight Security, that address is home to a number of other likely phishing domains:
The subdomains listed above suggest the attackers may also have targeted American retailer Sears; Green Dot, the world’s largest prepaid card vendor; payment processing firm Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information.
WHAT ARE THEY AFTER?
It appears the attackers in this case are targeting companies that in one form or another have access to either a ton of third-party company resources, and/or companies that can be abused to conduct gift card fraud.
Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.
Another source said the investigation into the Wipro breach by a third party company has determined so far the intruders compromised more than 100 Wipro systems and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.
This is remarkably similar to activity that was directed in 2016 and 2017 against Cognizant, one of Wipro’s competitors and likely the target of the same attackers. In May 2018, Maritz Holdings Inc., a Missouri-based firm that handles customer loyalty and gift card programs for third-parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers had broken into Cognizant’s systems and used them to pivot attacks into Maritz’s loyalty program and siphon more than $11 million in fraudulent eGift cards.
That investigation determined the attackers also used ScreenConnect to access computers belonging to Maritz employees. “This was the same tool that was used to effectuate the cyber-attack in Spring 2016. Intersec [the forensic investigator] also determined that the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 attack.”
According to the lawsuit by Maritz Holdings, investigators also determined that the “attackers were accessing the Maritz system using accounts registered to Cognizant. For example, in April 2017, someone using a Cognizant account utilized the “fiddler” hacking program to circumvent cyber protections that Maritz had installed several weeks earlier.”
Maritz said its forensic investigator found the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 eGift card cashout. Likewise, my retailer source in the Wipro attack told KrebsOnSecurity that the attackers who defrauded them also searched their systems for specific phrases related to gift cards, and for clues about security systems the retailer was using.
It’s unclear if the work of these criminal hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar companies for some time now, and with a fair degree of success in translating their access to cash given the statements by my sources in the Wipro breach and this lawsuit against Cognizant.
What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com.
I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.
And yet, here I am again writing the second story this week about a possibly serious security breach at an Indian company that provides IT support and outsourcing for a ridiculous number of major U.S. corporations (spoiler alert: the second half of this story actually contains quite a bit of news about the breach investigation).
On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, the third-largest IT services provider in India and a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.
Wipro asked for several days to investigate the request and formulate a public comment. Three days after I reached out, the quote I ultimately got from them didn’t acknowledge any of the concerns raised by my sources. Nor did the statement even acknowledge a security incident.
Six hours after my story ran saying Wipro was in the throes of responding to a breach, the company was quoted in an Indian daily newspaper acknowledging a phishing incident. The company’s statement claimed its sophisticated systems detected the breach internally and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.
Less than 24 hours after my story ran, Wipro executives were asked on a quarterly investor conference call to respond to my reporting. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many of the details in my story were in error, and implied that the breach was limited to a few employees who got phished. The matter was characterized as handled, and other journalists on the call moved on to different topics.
At this point, I added a question to the queue on the earnings conference call and was afforded the opportunity to ask Wipro’s executives what portion(s) of my story was inaccurate. A Wipro executive then proceeded to read bits of a written statement about their response to the incident, and the company’s chief operating officer agreed to have a one-on-one call with KrebsOnSecurity to address the stated grievances about my story. Security reporter Graham Cluley was kind enough to record that bit of the call and post it on Twitter.
In the follow-up call with Wipro, Ballapuramtook issue with my characterization that the breach had lasted “months,” saying it had only been a matter of weeks since employees at the company had been successfully phished by the attackers. I then asked when the company believed the phishing attacks began, and Ballapuram said he could not confirm the approximate start date of the attacks beyond “weeks.”
Ballapuram also claimed that his corporation was hit by a “zero-day” attack. Actual zero-day vulnerabilities involve somewhat infrequent and quite dangerous weaknesses in software and/or hardware that not even the maker of the product in question understands before the vulnerability is discovered and exploited by attackers for private gain.
Because zero-day flaws usually refer to software that is widely in use, it’s generally considered good form if one experiences such an attack to share any available details with the rest of the world about how the attack appears to work — in much the same way you might hope a sick patient suffering from some unknown, highly infectious disease might nonetheless choose to help doctors diagnose how the infection could have been caught and spread.
Wipro has so far ignored specific questions about the supposed zero-day, other than to say “based on our interim investigation, we have shared the relevant information of the zero-day with our AV [antivirus] provider and they have released the necessary signatures for us.”
My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.
Ballapuram added that Wipro has gathered and disseminated to affected clients a set of “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.
Hours after that call with Ballapuram, I heard from a major U.S. company that is partnering with Wipro (at least for now). The source said his employer opted to sever all online access to Wipro employees within days of discovering that these Wipro accounts were being used to target his company’s operations.
The source said the indicators of compromise that Wipro shared with its customers came from a Wipro customer who was targeted by the attackers, but that Wipro was sending those indicators to customers as if they were something Wipro’s security team had put together on its own.
So let’s recap Wipro’s public response so far:
-Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
-Question the stated timing of breach, but refuse to provide an alternative timeline.
-Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
-Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
-Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.
WHAT DID THE ATTACKERS DO?
The criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. A source I spoke with at a large retailer and Wipro customer said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.
I suppose that’s something of a silver lining for Wipro at least, if not also its customers: An intruder that was more focused on extracting intellectual property or other more strategic assets from Wipro’s customers probably could have gone undetected for a much longer period.
A source close to the investigation who asked not to be identified because he was not authorized to speak to the news media said the company hired by Wipro to investigate the breach dated the first phishing attacks back to March 11, when a single employee was phished.
The source said a subsequent phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.
Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.
The source also said the vendor is still discovering newly-hacked systems, suggesting that Wipro’s systems are still compromised, and that additional hacked endpoints may still be undiscovered within Wipro.
Wipro has not yet responded to follow-up requests for comment.
Overall, I’m willing to chalk this entire episode up to a complete lack of training in how to deal with the news media, but if I were a customer of Wipro I’d be more than a little concerned about the tone-deaf nature of the company’s response thus far.
As one follower on Twitter remarked, “openness and transparency speaks of integrity and a willingness to learn from mistakes. Doing the exact opposite smacks of something else entirely.”
In the interests of openness, here are some indicators of compromise that Wipro customers are distributing about this incident (I had to get these from one of Wipro’s partners as the company declined to share the IoCs directly with KrebsOnSecurity).
Indian information technology (IT) outsourcing and consulting giant Wipro Ltd. [NYSE:WIT] is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity. Wipro has refused to respond to questions about the alleged incident.
Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.
Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.
The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.
On April 9, KrebsOnSecurity reached out to Wipro for comment. That prompted an email on Apr. 10 from Vipin Nair, Wipro’s head of communications. Nair said he was traveling and needed a few days to gather more information before offering an official response.
On Friday, Apr. 12, Nair sent a statement that acknowledged none of the questions Wipro was asked about an alleged security incident involving attacks against its own customers.
“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”
Wipro has not responded to multiple additional requests for comment. Since then, two more sources with knowledge of the investigation have come forward to confirm the outlines of the incident described above.
One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.
The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wirpo’s corporate email system for some time. The source also said Wipro is now telling concerned clients about specific “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.
Wipro says it has more than 170,000 employees helping clients across six continents with Fortune 500 customers in healthcare, banking, communications and other industries. In March 2018, Wipro said it passed the $8 billion mark in annual IT services revenue.
The apparent breach comes amid shifting fortunes at Wipro. On March 5, the State of Nebraska abruptly canceled a contract with Wipro after spending $6 million with the company. In September 2018, the Nebraska Department of Health and Human Services issued a cease-and-desist letter to Wipro, ordering it to stop work on the upgrade to the state’s Medicaid enrollment system, and to vacate its state offices. Wipro is now suing Nebraska, saying its project was on schedule and on budget.
Another curious, if only coincidental, development: On April 4, 2019, the government of India sold “enemy” shares in Wipro worth approximately $166 million. According to this article in The Business Standard, enemy shares are so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer.
“A total of 44.4 million shares, which were held by the Custodian of Enemy Property for India, were sold at Rs 259 apiece on the Bombay Stock Exchange,” The Business Standard reported. “The buyers were state-owned Life Insurance Corporation of India (LIC), New India Assurance and General Insurance Corporation. LIC”
Wipro is expected to announce its fourth-quarter earnings report on Tuesday, April 16 (PDF).
Scammers who make a living swindling Airbnb.com customers have a powerful new tool at their disposal: A software-as-a-service offering called “Land Lordz,” which helps automate the creation and management of fake Airbnb Web sites and the sending of messages to advertise the fraudulent listings.
The ne’er-do-well who set up the account below has been paying $550 a month for a Land Lordz “basic plan” subscription at landlordz[.]site that helps him manage more than 500 scam properties and interactions with up to 100 (soon-to-be-scammed) “guests” looking to book the fake listings. Currently, this scammer has just four dozen listings, virtually all of which are for properties in London and the surrounding United Kingdom.
The Land Lordz administrative panel for a scammer who’s running dozens of Airbnb scams in the United Kingdom.
Your typical victim will respond to an advertisement for a listing provided at Airbnb.com, and be assured they can pay through Airbnb, which offers buyer protection and refunds for unhappy customers. But when the interested party inquires about the listing, they are sent a link to a site that looks like Airbnb.com but which is actually a phishing page.
In the case of these particular fraudsters, their fake page was “airbnb.longterm-airbnb[.]co[.]uk” (I’ve added brackets to prevent the link from being clickable). The site looks exactly like the real Airbnb, includes pictures of the requested property, and steers visitors toward signing in or to creating a new account. The fake site simply forwards all requests on this page to Airbnb.com, and records any usernames and passwords submitted through the site.
The fake Airbnb site used by the scammers logged all Airbnb credentials submitted by new and existing users.
Here’s a look at some of the properties listed for rent by these scammers. All of the names and images on these listings have been lifted from other legitimate listings.
Fake properties for rent, as listed by the Land Lordz Airbnb scam service.
The Land Lordz service includes several sets of default positive comments from fake past reviewers that can be used to populate the phony listings. The non-existent home and apartment rentals offered by these scammers are all sold on monthly rates, and the seller’s page says buyers must pay a deposit of the first month before the date is locked in.
A phony comments generator page.
The Land Lordz panel lets the scammer keep track of all messages with would-be victims, who are strung along and told the reservation on the residence will be lifted unless a cash deposit is made within 72 hours. Here’s one from would-be victim Shanon, on March 28, 2019, to the scammers.
Shanon: My partner wants to see the place before we send money over as we done this last time and someone scammed us I ain’t saying your not legit as you have send documents with details on name etc
Scammer: “Hello, The property is still available for your dates. The price is € 250 + €500 secure deposit. As security deposit needs to be added ,discount needs to be applied please follow the airbnb link” (which goes to the fake Airbnb page).
Alex Holden, CTO of Hold Security Inc. and the researcher who shared screen shots of this fraud panel, said the scammers appear to be advertising their fake listings primarily via Gumtree, a free classifieds service in the U.K.
People who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point.
Like they did to this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they’d hand over keys to the apartment at a specific date:
The subject of this victim’s message “pickup of keys” says it all.
This 2018 story from travel blog goatsontheroad.com tells the tale of a couple that was very nearly scammed by a Land Lordz-like trap, before the wife figures out they’re no longer on airbnb.com.
It’s important to note that these scams can just as likely target users of Airbnb as they can other services, such as craigslist.com and booking.com. Be wary of clicking on links in emails from property hosts, and make sure you are always on Airbnb or whatever site you think you’re on.
Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org, Airbnb currently does not support any type of multi-factor authentication that users can enable.
Airbnb.com says if the company detects something phishy about a login for your account it may ask you to enter a security code sent to your phone or email address, or verify some of your account details.
In case anyone would like to follow up on this research, other domains used by these scammers include airbnb.longterm-airbnb[.]co.uk, airbnb.pt-anuncio[.]com, airbnb.request-online[.]com, and airbnb-invoice[.]com. Some of the bank accounts and payment recipients from scams tied to theselistingsarepicturedhere.
Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft.
As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.
The most commonly used Security Keys are inexpensive USB-based devices that offer an alternative approach to 2FA, which requires the user to log in to a Web site using something they know (the password) and something they have (e.g. a one-time token, key fob or mobile device).
But Google said starting this week, any mobile phone running Android 7.0+ (Nougat) can serve the same function as a USB-based security key. Once a user has enrolled their Android phone as a Security Key, the user will need to approve logins via a prompt sent to their phone after submitting their username and password at a Google login page.
Many readers have expressed confusion or skepticism about how Security Keys can prevent users from getting hooked by phishing sites or clever man-in-the-middle attacks. This capability was described in far greater visual detail in this video last year by Christiaan Brand, product manager at Google Cloud.
But the short version is that even if a user who has enrolled a Security Key for authentication tries to log in at a site pretending to be Google, the company’s systems simply refuse to request the Security Key if the user isn’t on an official Google site, and the login attempt fails.
“It puts you in this mode….[in] which is there is no other way to log in apart from the Security Key,” Brand said. “No one can trick you into a downgrade attack, no one can trick you into anything different. You need to provide a security key or you don’t get into your account.”
Google says built-in security keys available on phones running Android 7.0+ (Nougat) with Google Play Services, enabling existing phones to act as users’ primary 2FA method for work (G Suite, Cloud Identity, and GCP) and personal Google accounts to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 device with a Chrome browser.
The basic idea behind two-factor authentication (Google calls it “two step verification” or 2SV) is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via an app (like Authy or Google Authenticator), text message, or an automated phone call. But all of these methods are susceptible to interception by various attacks.
A Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices.
A number of high-profile sites now allow users to enroll their accounts with USB- or Bluetooth-based Security Keys, including Dropbox, Facebook, Github and Twitter. If you decide to use Security Keys with your account, it’s a good idea to register a backup key and keep it in a safe place, so you can still get into your account if you loose your initial key (or phone, in Google’s case).
To be sure you’re using the most robust forms of authentication at sites you entrust with sensitive data, spend a few minutes reviewing the options at twofactorauth.org, which maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).
Please bear in mind that if the only 2FA options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
I should also note that Google says Android 7.0+ phones also can be used as the Security Key for people who have adopted the company’s super-paranoid Advanced Protection option. This is a far more stringent authentication process for Google properties designed specifically for users who are most likely to be targeted by sophisticated attacks, such as journalists, activists, business leaders and political campaigns.
I’ve had Advanced Protection turned on since shortly after Google made it available. It wasn’t terribly difficult to set up, but it’s probably not for your casual user. For one thing, it requires users to enroll two security keys, and in the event the user loses both of those keys, Google may take days to validate your request and grant you access to your account.
Microsoft today released fifteen software updates to fix more than 70 unique security vulnerabilities in various flavors of its Windows operating systems and supported software, including at least two zero-day bugs. These patches apply to Windows, Internet Explorer (IE) and Edge browsers, Office,Sharepoint and Exchange. Separately, Adobe has issued security updates for Acrobat/Reader and Flash Player.
According to security firm Rapid 7, two of the vulnerabilities — CVE-2019-0803 and CVE-2019-0859 — are already being exploited in the wild. They can result in unauthorized elevation of privilege, and affect all supported versions of Windows.
“An attacker must already have local access to an affected system to use these to gain kernel-level code execution capabilities,” Rapid7 researcher Greg Wiseman observed. “However, one of the 32 Remote Code Execution (RCE) vulnerabilities patched today could potentially be used with them in an exploit chain to obtain full control of a system.”
Aside from these zero-day privilege escalation flaws, Wiseman said, it’s a fairly standard Patch Tuesday.
“Which of course still means that there are bugs that should be patched as soon as possible, such as the eight vulnerabilities classified as critical in the scripting engine used by Microsoft browsers, and CVE-2019-0822 (an RCE in Microsoft Office that can be exploited by convincing a user to open a malicious file).”
Flash updates are installed along with other monthly Windows patch rollups for consumers, and auto-installed by Google Chrome, but users may need to reboot the operating system (in the case of IE/Edge) or the browser (in Chrome) for the new updates to take effect.
Adobe’s actions also sound the death knell for Adobe Shockwave Player, which has at long last reached end-of-life.
Chris Goettl, director of product management and security for security firm Ivanti, said Windows users need to get any existing Shockwave installations out of their environments now.
“There are 7 vulnerabilities that are going to be vulnerable for the majority of Shockwave installs still in existence,” Goettl said. “You can bet an exploit is imminent there.”
Standard advice: Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.
Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.
Researchers at Cisco Talosdiscovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.
Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.
“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”
But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago.
Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.
Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.
What did we find? I received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled.
How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?
KrebsOnSecurity broke the news that Facebook developers wrote apps which stored somewhere between 200 million and 600 million Facebook user passwords in plain text. These plaintext passwords were indexed by Facebook’s data centers and searchable for years by more than 20,000 Facebook employees.
It emerged that Facebook’s new account signup page urges users to supply the password to their email account so Facebook can harvest contact details and who knows what else. Yes, that’s right: Facebook has been asking new users to share their email password, despite decades of consumer advice warning that is exactly what phishers do.
Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others.
I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook.
For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention.
Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way.
Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook.
I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user.
But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below.
An alleged top boss of a Romanian crime syndicate that U.S. authorities say is responsible for deploying card-skimming devices at Automated Teller Machines (ATMs) throughout North America was arrested in Mexico last week on firearms charges. The arrest comes months after the accused allegedly ordered the execution of a former bodyguard who was trying to help U.S. authorities bring down the group’s lucrative skimming operations.
On Mar. 31, police in Cancun, Mexico arrested two Romanian men, identified only as 42-year-old “Florian N” and 37-year-old “Adrian Nicholae N,” 37, for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations.
An uncaptioned photo published by the Mexican police. According to multiple sources, the individual on the left is Intacash boss Florian Tudor, along with his deputy Nicholae Cosmin.
The two men’s faces were partially obscured in the mugshots released to Mexican media. But according to multiple sources familiar with the investigation, the older man arrested (pictured on the left) is Florian “The Shark” Tudor, reputed to be in charge of a relatively new ATM company based in Mexico called Intacash. The man on the right has been identified as Nicholae Cosmin, Tudor’s deputy.
Intacash was the central focus of a three–partinvestigation KrebsOnSecurity published in September 2015. That story tracked the activities of a crime gang that was bribing and otherwise coercing ATM technicians to install sophisticated Bluetooth-based skimmers inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.
Meanwhile, Intcash’s machines were about the only ATMs in top tourist spots in Mexico that weren’t getting compromised with these bluetooth skimming devices.
Law enforcement and ATM industry sources cited in that story said they believe Intacash is controlled by Romanian nationals and that its key principals were the ones paying ATM technicians to compromise machines at competing ATM providers.
As I discovered in reporting that series, it was possible to tell which ATMs were compromised in Mexico’s top tourist spots just by approaching each with a smart phone and looking for the presence of a Bluetooth signal beaconing out a wireless network with the name “Free2Move”.
This functionality allowed the crime syndicate to siphon credit and debit card details and PINs from hacked ATMs wirelessly, without ever again having to touch the compromised machines (see the video below for more on that investigation).
In April 2018, KrebsOnSecurity heard from a Romanian person who claimed to have been working for Intacash. This individual seemed extremely concerned for their safety, but at the same time eager to share details about the company’s operations and owners.
The source shared photographs of Intacash’s chief deputies, as well as screenshots of card data allegedly hoovered up by the company’s various skimming operations. The source repeatedly told me the Romanian gang was paying large sums of money to Mexican authorities to stay off their radar.
The last time I heard from that source was June 2018, just after a like-minded associate at Intacash was shot dead in his car. The associate, 44-year-old Sorinel Constantin Marcu, was already wanted on a warrant from Interpol, the international criminal police organization.
In 2014, a Romanian court issued a criminal warrant for Marcu on allegations of attempted murder back in his hometown of Craiova, Romanian’s 6th-largest city. But Marcu was able to flee to Mexico before he could be tried. The court later convicted Marcu in abstentia, leveling a sentence of eight years in prison.
On the evening of June 11, 2018, Marcu was shot in the head, reportedly while trying to kidnap a businessman in Mexico, according to multiple media accounts. A street surveillance video of the incident published by Romanian daily Gazeta de SUD shows a Dodge Nitro allegedly driven by Marcu hitting the businessman’s parked car.
The businessman manages to flee, and the passenger in Marcu’s vehicle briefly starts after him, before returning to the picture a few seconds later. Marcu’s passenger gets back in the vehicle, which then moves out of view of the security camera.
“Later, one of the businessman’s guards came out of the house and shot several gun shots in the car driven by Marcu, and he was killed on the spot,” Gazeta reported.
My source’s last communication was that they had tried to reach out to U.S. federal investigators but hadn’t had much luck. The source wanted the name and a number of someone to talk to at the FBI or Secret Service.
That source also said corrupt Mexican authorities were complicit in changing the news media narrative of what happened to Sorinel Marcu.
“Hi Brian do you have some news about your contact? Because the person who was going to testify now is dead,” my source wrote. “The boss of the gang do it, who I told you kill him, now he pay a lot of money to change the real story, and now that Cancun’s police work for him. Because the maybe guilty stayed 24 hours arrested (or less) for homicide. Please if this week you can do something for us, help us!”
Searching for others who might have knowledge of the shooting, I found a Facebook posting by Marcu’s brother — Aurelio Marcu — who commented on a Facebook video recorded shortly after Marcu’s execution in which bystanders can be heard telling those approaching the car not to move his brother’s body. The video was posted by a Mexican news channel, which reported the men questioned by police in connection with the incident were carrying Russian passports.
“They are from Romania, not Russia,” Aurelio Marcu wrote in a comment on the video, saying the boss of the gang is a guy named Tudor Florin, also known as “Rechinu” or “shark” in Romanian.
Police in Puerto Morelos seized weapons and a Cadillac Escalade from Romanians Florian Tudor and Nicholae Cosmin. Image: Riviera-maya-news.com.
In an interview with KrebsOnSecurity, Aurelio Marcu said his younger brother was killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to his car to make it look like he was slain there instead. He also said his brother and the passenger in the Dodge Nitro were following a man who worked in Tudor’s crew, not some random businessman.
“He was unarmed, and if you look at the pictures in the papers from his death, you can see he is wearing flip flops when he was shot,” Aurelio Marcu said, speaking through an interpreter. “How can you go kidnap someone wearing flip flops and with no weapon?”
BAD BODYGUARD
Marcu the elder said his dead brother long served as Tudor’s personal bodyguard, but at some point the two had a falling out over the money and women. Marcu said things got really tense between Tudor and his brother when the latter began sabotaging Intacash’s operations by applying superglue to the PIN pads and card acceptance slots of Intacash ATMs throughout Cancun.
A warrant for Constantine Sorinel Marcu, on attempted murder charges. Marcu was shot and killed in June 2018, allegedly by Mr. Tudor and/or his associates.
Marcu said Tudor’s crew had tried once before to kill his brother, but only managed to seriously wound him in a knife attack that ruptured his spleen.
Asked why he believes Florian Tudor was responsible for his brother’s death, Marcu said Sorinel “was an impediment for them, and Mr. Tudor was afraid that he would talk to the police.”
Marcu said Tudor and his associates are working with criminal syndicates in China, India and Indonesia to help cash out credit and debit card accounts stolen via Intacash’s extensive ATM skimming operations. He also said Mr. Tudor is reputed to keep up to USD $50,000 in cash on hand at all times, just in case he needs to buy himself out of a sticky situation with the police.
“This is so that if anything happens to him, he has a window to escape,” Marcu said. “He used to brag that he had days when he was making like $200,000 a day doing all this ATM and fake credit cards stuff.”
Additionally, Marcu said Mr. Tudor is working on building a theme park in the Puerto Morelos area of Quintana Roo, a Mexican state on the Yucatan Peninsula that encompasses Cancun and other tourist areas close by.
Aurelio Marcu says he and his brother are from the the same hometown as Tudor and his crew — Craiova, Romania, and that he’s been living under active protection from the Romanian police out of fear for his life.
Marcu is doubly worried now because he’s recently learned that both Tudor and Cosmin made bail on the weapons charges. He believes they are probably trying to figure out how to quietly wind down their operations in Mexico and flee the country.
KrebsOnSecurity has learned that Tudor and others alleged to be part of the Romanian ATM skimming ring in Mexico are the target of a more wide-ranging FBI investigation into the alleged Romanian crime family. The FBI did not respond to requests for comment.
According to people briefed on the investigation, Mexico is a central hub for hundreds of people from Romania who have moved into tourist areas of Mexico to help execute various ATM skimming and money laundering schemes there and across the border in the United States.
Those officials describe the Romanian crime network in Mexico as part of a far larger criminal syndicate that has foot soldiers who are ready and able to execute ATM skimming attacks throughout North America and in virtually every major U.S. city.
Sources say Romanian intelligence services also have been keeping tabs on this group’s operations south of the U.S. border — specifically on Mssrs. Tudor and Cosmin, as well as the now-deceased Sorinel Marcu.
Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.
In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).
“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”
Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”
The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”
“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”
Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.
Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.
“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”
As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.
Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.
According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”
“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. “I tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.”
The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.
However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.
Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.
Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.
In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.
Meanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.
As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.
“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to a screenshot of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. Stay safe, don’t do stupid shit.”