GPCode Ransom Trojan Decoder

July 20th, 2007

Recent reports of GPCode, a ransom Trojan that encrypts files and demands $300.00 to unlock them, have been hitting the headlines. Secure Science has released a freely available decoder that restores the files without any problems. The program was written as open source software to support other researchers. If you have become a victim of the GPCode ransom Trojan, please download a copy and run it on your systems; it will decrypt the files back to the state they were in before the Trojan infected the computer.

Decoder located here.

Emerging Threat: Please forward your phone number to our Skype number!

April 28th, 2007

Phishing scams for banks aren’t really new, but one received last night came with a new twist. The spam e-mail stated:

Bank of America Warning

Dear Bank of America Customer,

During our regular update and verification we could not verify your current
phone number.
Either your information has been changed or it is incomplete.
Please update your phone number by
CLICKING HERE [http://www.xxxxxxx.de/gallery/albums/userpics/boa/] or on the link: http://www.xxxxxxx.de/gallery/albums/userpics/boa/ [http://www.bankofamerica.com/updatephone]

If this is not completed by April 24 , 2007, we will be forced to suspend
your account indefinitely.

The root domain was a hacked, legitimate site running one of the commonly used photo gallery scripts.

The scam page started out with an eye-catching demand that the victim forward their phone number to the phisher’s number as part of the ‘verification’ process:

(Image: Phone Forwarding)

There were two versions of the scam page. The first had specific, numbered instructions:

To confirm you phone number please fallow the steps :

Step 1- Go to your phone and Dial *72
Step 2- Dial 707xxxxxxx (Bank of America Secure Line )
Step 3- Your phone is confirmed
You will receive a call from us in 1 h for final verification !

What followed for both was the ‘standard’ identity theft form:

(Image: Bofa)

In checking with one carrier, Qwest, the procedure for a forwarded number is that the phone rings at the source location first; if the call is unanswered after a certain number of rings, it is transferred through to the forwarded number.

It is unknown what the protocol is for all carriers. The obvious concern is that there is no ‘source’ location ring and the forwarding occurs immediately, which many tests have shown to be the standard behaviour.

Depending on how long it takes the victim to realize they’re not getting inbound calls and resolve the problem, the bank is effectively blocked from conducting fraud checks for suspicious account activity and/or attempting to advise their customer of the identity theft and the need to cancel their cards. Also, from a “cashing out” perspective, if there is any required phone verification to use the credit card on the account, the verification will succeed, as the forwarded number will be routed to the phishers.

The site has been disabled and the phone number appears to be a SkypeIN number that goes to voicemail.



Phishers Huff & Puff

February 23rd, 2007

Ripped directly from zonelabs blog site.

Earlier today, the External Threat Assessment Team at Secure Science Corp. emailed an image taken from a Phishing/Carding group website. The question is, what is this image for or what purpose does it serve?

Because these groups are comprised of people who engage in fraud, and break laws, often the biggest obstacle to them cooperating with each other is the fact no one trusts the other.

This image is apparently used to confirm and advertise this group’s abilities to people who might work with them and prove they are capable of conducting fraud — it’s a kind of “show me the money” amongst criminals.

Money Money Money!

More at the zonelabs blog

Don’t get hooked this holiday!

December 22nd, 2006

Herb Weisbaum (The consumer guy) is looking out this holiday season for the consumer at home. Great tips brought to you by the active members in the anti-phishing community are included in this article and podcast. A must read/listen!

Article

Podcast

No More Running Scared (VML Microsoft Patch)

September 27th, 2006

Microsoft has finally released the VML patch for the recent Internet Explorer 0-day that’s been plaguing the Internet.

http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx

Update your windows systems immediately.

Phishers Defeat 2-Factor Authentication

July 10th, 2006

Crypto experts and US Government regulations (FFIEC) have been pushing the need for financial Web sites to move beyond mere passwords and implement so-called “two-factor authentication” — the second factor being something the user has in their physical possession, like a token — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data. According to a Washington Post blog, “SecurityFix”, phishers have now started phishing for the two-factor token code from the user as well. The most interesting part is that these tokens give the user only one minute to log in to the bank before the code expires. The phishers employ a man-in-the-middle attack between the victim and Citibank, logging in via PHP and conducting money transfers immediately once logged in.

More

Top Financial Sites Aid in Phishing

June 23rd, 2006

A blog at the Washington Post discloses that many major financial institutions, stock market facilities, and e-commerce businesses have cross-site scripting vulnerabilities that aid phishers in gaining misplaced trust. Among the list were eBay, the American Stock Exchange, American Express, Visa and Microsoft. The research was performed by Secure Science Corporation.

Botnets are the Future

June 16th, 2006

An article on CNET covers the fact that even though law enforcement is making solid efforts, the cybercrime problem is not diminishing, but actually advancing.

Quoted from the article:

“Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets.”
–Wendi Whitmore, special agent, Air Force Office of Special Investigations

Top 10 Targeted Banks and Their Losses

May 26th, 2006

Secure Science Corporation released a graph based on its surveillance of a carding forum that stole a minimum of 21,000 credit/debit cards over the past 3 months. The graph highlights the top 10 financial institutions and the amount of loss. According to the statute in the 9th Circuit, each card is valued at $500.00 on average. This conservatively means that one carding forum can cause over $10,500,000.00 in loss in 3 months.

(Image: Top 10 Banks)

Meet The Hackers

May 19th, 2006

BusinessWeek has a story titled “Meet The Hackers” on some high-profile Russian “hackers” who are behind the creation of spyware, credit card fraud, and spam, which all seem to go hand in hand, as most of you may know. The article even gives out some websites used by these “hackers” which are still currently live, as they are being hosted overseas on bulletproof servers.

You can find the BusinessWeek article with full details here.

Phishers Snare Victims With VoIP

April 25th, 2006

The latest phishing tactic moves the threat of phishing from the internet to the phone, while using easily accessible Voice over IP technology. From TechWeb.com:

A security firm on Tuesday reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank’s automated voice system in order to steal customers’ passwords, account numbers and other personal information.

In the attack that occurred last week, con artists sent spam disguised as coming from a small bank in a large East Coast city, Cloudmark Inc., a messaging security firm, said. The message asked the recipient to dial a telephone number to talk with a bank representative.

The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller’s finances. The number was obtained through a regular provider of voice over Internet protocol services.

There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank.

The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank’s Web site through a link in the message. At the bogus site, the visitor is asked to input personal information.

The latest scheme, however, is the first Cloudmark has seen using Internet telephony. An investigation by the San Francisco security firm showed that the scammers had used open-source software called Asterisk to convert a computer into a PBX, or private branch exchange, running an automated telephone information system. The voice system sounds exactly like the bank’s phone tree, directing the caller to specific extensions, Adam J. O’Donnell, senior research scientist at Cloudmark, said.

Click here to continue reading the story.

Average of 13,000 Stolen Logins Per Day Per Phishing Group

April 3rd, 2006

Brian Krebs’ SecurityFix blog has an article describing the “real” numbers behind the data theft business. His sample covered the success of only one phishing group, and the numbers he reported were: over 13,000 logins stolen in one day, including 3,536 credit cards, 255 PayPal accounts, 1,038 eBay accounts, and 2,609 Hotmail accounts.

The Anti-Phishing Working Group Releases January Phishing Trends Report

March 28th, 2006

The Anti-Phishing Working Group has posted their phishing trends report for the month of January 2006. The group reports 9,715 unique phishing sites in the month of January, up almost 35% from December 2005.

The full report from the Anti-Phishing Working Group is available at: http://antiphishing.org/reports/apwg_report_jan_2006.pdf.

17 Million Mystery Database Entries in Hands of Phishers

March 12th, 2006

Wired wrote two solid articles on the 17 million entry database supposedly belonging to “Ibill”. The first discusses the discovery of over 17 million entries exposing internet consumers. The follow-up covers the fact that Ibill denies that this is their data, and rightfully so, since they do not accept Diner’s Club cards. So whose data is this? And who is specialham.com? According to Google’s cache, phishers and spammers are selling “18 million Ibill” for $1300.00.

Fedex Kinko’s Smart Cards Hacked

February 28th, 2006

Abstract:
---------
The ExpressPay stored-value card system used by FedEx Kinko’s is vulnerable to attack. An attacker who gains the ability to alter the data stored on the card can use FedEx Kinko’s services fraudulently and anonymously, and can even obtain cash from the store.

Description:
------------
The FedEx Kinko’s ExpressPay system, developed by enTrac Technologies of Toronto, Ontario, is based on a Siemens / Infineon SLE4442 memory chip card. The data stored on this card is freely rewritable once a three-byte security code has been presented to the card’s security logic. Neither this security code nor the data stored on the card is encrypted; anyone able to obtain the security code is free to rewrite the data stored on the card using an inexpensive commercially available smart card reader/writer.

The first thirty-two bytes of the memory chip card are writable and can subsequently be permanently write-protected (in this application, these bytes are write-protected); they contain a header which identifies the card as an ExpressPay stored-value card. Bytes 0x20 through 0x27 contain the value stored on the card, represented in IEEE 754 double-precision floating point format. Bytes 0x60 through 0x6A contain the card’s eleven-digit serial number stored as unsigned zoned-decimal ASCII; the four digits at bytes 0x60 through 0x63 are the number of the store the card was initially issued at, and the remaining seven digits are assigned sequentially at the moment of first issue. A timestamp indicating the date and time of issue is located at bytes 0x30 through 0x37, and is repeated at 0xC7 through 0xCE.

In order to write to the card, a three-byte security code must be presented in a specific sequence of commands as outlined by the SLE4442’s white paper. By soldering wires to the contact points of the card and then connecting those wires to an inexpensive logic analyzer, an attacker can sniff the three-byte code as the kiosk or a card terminal prepares to write data to the card. This security code appears to be the same across all FedEx Kinko’s ExpressPay cards currently in circulation.

Once the three-byte code is known to the attacker, the card’s stored value and serial number can be changed to any value. The ExpressPay system appears to implicitly trust the value stored on the card, regardless of what that value actually is. The system will also accept cards with obviously fake serial numbers (e.g. a non-existent store number followed by all nines). Using these altered cards, xeroxes can be made from any machine with a card reader, and computers can be rented anonymously and indefinitely. Most disturbing, however, is that since stored-value cards can be cashed out by an employee at the register at any time, an attacker could cash out altered cards obtained at little or no monetary cost. If a card is cashed out, its serial number does not appear to be invalidated in the system. If an attacker were to clone a known good card and cash it out, the clone would still be usable.

Tested Vendors:
---------------
- FedEx Kinko’s

Suspected Vendors:
------------------
- Any client of enTrac Technologies who uses the ExpressPay stored-value card system.
- Any company which uses a stored-value card system based on the SLE4442

Vendor and Patch Information:
-----------------------------
Proof-of-concept of the initial security vulnerability was achieved on 8 February 2006, with research into the ramifications continuing through 12 February. Copies of this report were sent to both FedEx Kinko’s and enTrac Technologies on 15 February; a read receipt was returned from enTrac on 19 February, while no receipt has yet been received from FedEx Kinko’s.

Solution:
---------
- Encrypt data before storing it on the SLE4442 card, or migrate to a system which uses cards which have built-in encryption functionality.
- Verify that the stored value on the card does not significantly differ from a reference value stored in a database.
- Do not allow the use of cards with invalid serial numbers.
- Invalidate serial numbers of cards that are cashed out.
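The following is an added example, not code from the advisory or from enTrac, showing how a back end could decode the card layout described above (value at 0x20, timestamp at 0x30 and 0xC7, serial at 0x60) and apply the checks listed in the Solution section: compare the stored value against a ledger, reject unknown store numbers and serials, and refuse cards already cashed out. The byte order of the double, the ledger structure and the sample card images are assumptions made for this example.

```python
import struct

# Field offsets in the SLE4442 memory image, as given in the advisory:
# stored value (IEEE 754 double) at 0x20..0x27, issue timestamp at 0x30..0x37
# with a copy at 0xC7..0xCE, 11-digit ASCII serial at 0x60..0x6A.
VALUE_OFF, TS_OFF, TS_COPY_OFF, SERIAL_OFF = 0x20, 0x30, 0xC7, 0x60
CARD_SIZE = 256  # SLE4442 main memory size

def parse_card(dump: bytes) -> dict:
    # Extract the value, serial and timestamp fields from a raw memory dump.
    if len(dump) != CARD_SIZE:
        raise ValueError("expected a 256-byte dump")
    # Assumption: little-endian double; the advisory does not state byte order.
    (value,) = struct.unpack_from("<d", dump, VALUE_OFF)
    serial = dump[SERIAL_OFF:SERIAL_OFF + 11].decode("ascii", errors="replace")
    ts_ok = dump[TS_OFF:TS_OFF + 8] == dump[TS_COPY_OFF:TS_COPY_OFF + 8]
    return {"value": value, "serial": serial, "store": serial[:4], "timestamp_consistent": ts_ok}

def validate_card(card: dict, ledger: dict, known_stores: set, tolerance: float = 0.01) -> list:
    # Return the reasons to reject the card; an empty list means accept.
    problems = []
    if not card["serial"].isdigit():
        problems.append("serial is not eleven decimal digits")
    if card["store"] not in known_stores:
        problems.append("unknown store number " + card["store"])
    if not card["timestamp_consistent"]:
        problems.append("issue timestamp copies disagree")
    ref = ledger.get(card["serial"])   # reference record kept by the back end
    if ref is None:
        problems.append("serial not in ledger")
    elif ref["cashed_out"]:
        problems.append("serial already cashed out")
    elif abs(ref["value"] - card["value"]) > tolerance:
        problems.append("stored value %.2f differs from ledger %.2f" % (card["value"], ref["value"]))
    return problems

def make_dump(value: float, serial: str, timestamp: bytes, corrupt_copy: bool = False) -> bytes:
    # Constructed test image; the write-protected header bytes are left as zeros.
    buf = bytearray(CARD_SIZE)
    struct.pack_into("<d", buf, VALUE_OFF, value)
    buf[SERIAL_OFF:SERIAL_OFF + 11] = serial.encode("ascii")
    buf[TS_OFF:TS_OFF + 8] = timestamp
    buf[TS_COPY_OFF:TS_COPY_OFF + 8] = bytes(8) if corrupt_copy else timestamp
    return bytes(buf)

# Constructed reference ledger and store list for the example.
LEDGER = {"01230000042": {"value": 20.00, "cashed_out": False},
          "01230000043": {"value": 5.00, "cashed_out": True}}
STORES = {"0123"}
```

A card whose on-chip value disagrees with the ledger, or whose serial is unknown or already cashed out, is rejected rather than trusted as the kiosk described above does.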

Credits:
--------
Strom Carlson, Secure Science Corporation: Hardware Security Division
stromc@securescience.net