Cybercrime stories

[Bent_Bladi]

Thanks ya monda ()

I'm at work now, so when I get home I'll pay rapt attention

[Al-khiyal]

Internet Love Scams

[Al-khiyal]

August 14, 2007 -- An Australian farmer held captive in west Africa after being tricked in an internet bride scam has returned home, warning other lovelorn bachelors to be more careful than he was.

Des Gregor said he was lucky to be alive after a 12-day ordeal in Mali in which he was kidnapped, beaten, had his cash and credit cards stolen and was told that his limbs would be hacked off with a machete if his family did not pay a ransom. The 56-year-old wheat farmer from South Australia was freed after a joint operation by the Australian and Malian police.

Mr Gregor travelled to the impoverished west African country last month to meet his supposed bride, known as Natacha, whom he had been communicating with for several months. He was met at the airport by a well-dressed man, who claimed to be a relative of his future wife, and who took him to a scruffy apartment in the capital city of Bamako.

Once inside the man and an accomplice beat him, made him strip and demanded he have money wired from Australia. During his captivity he was allowed to call home, seeking cash. His brother, who received the calls pleading for help and money, contacted the police. Mr Gregor was freed after being taken by his kidnappers to the Canadian embassy in Bamako on the pretext of obtaining cash. Once inside, he was met by police officers. His kidnappers got away.

The police do not believe Natacha, or a reputed 100,000 Australian dollar (£42,000) dowry, ever existed.They said Mr Gregor was lucky to have got out alive. Mr Gregor, who tried to find a Russian bride online three years ago, said he would not be pursuing love on the internet again.

Farmer 'lucky to be alive' after web bride scam

[amalgamate]

yalateef- allahi jeerna

[Al-khiyal]

August 14, 2007 -- IT security and control firm, Sophos, is warning social networking users of the dangers of allowing strangers to gain access to their online profiles, following new research into the risks of identity and information theft occurring through global phenomenon Facebook.

Compiled from a random snapshot of Facebook users, Sophos's research shows that 41 percent of users, more than two in five, will divulge personal information - such as email address, date of birth and phone number - to a complete stranger, greatly increasing their susceptibility to ID theft.

The Sophos Facebook ID Probe involved creating a fabricated Facebook profile before sending out friend requests to individuals chosen at random from across the globe.

To conduct the experiment, Sophos set up a profile page for 'Freddi Staur' (an anagram of 'ID Fraudster'), a small green plastic frog who divulged minimal personal information about himself. Sophos then sent out 200 friend requests to observe how many people would respond, and how much personal information could be gleaned from the respondents.

"Freddi encouraged 82 users to hand over their personal details on a plate," says Brett Myroff, CEO of master Sophos distributor, NetXactics.

"While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cyber criminals many of the building blocks they need to spoof identities, to gain access to online user accounts, or potentially, to infiltrate their employers' computer networks."

The full results of the Sophos Facebook ID Probe are as follows:

- 87 of the 200 Facebook users contacted responded to Freddi, with 82 leaking personal information (41 percent of those approached)

- 72 percent of respondents divulged one or more email addresses

- 84 percent of respondents listed their full date of birth

- 87 percent of respondents provided details about their education or workplace

- 78 percent of respondents listed their current address or location

- 23 percent of respondents listed their current phone number

- 26 percent of respondents provided their instant messaging screen name

In the majority of cases, Freddi was able to gain access to respondents' photos of family and friends, information about likes/dislikes, hobbies, employer details and other personal facts.

In addition, many users also disclosed the names of their spouses or partners, several included their complete résumés, while one user even divulged his mother's maiden name - information often requested by websites in order to retrieve account details.

What is concerning is how easy it was for Freddi to go about his business, obtaining enough information to create phishing emails or malware specifically targeted at individual users or businesses, to guess users' passwords, impersonate them or even stalk them, explains Myroff.

While most people wouldn't give out their details to a stranger in the street, or respond to a spam email, several of the users Freddi contacted went so far as to make him one of their “top friends”.

“People should understand that despite occurring within Facebook, this type of communication is still unsolicited and users should employ the same basic precautions - such as not responding in any way - to prevent exposure to wrongdoers,” Myroff says.

As well as the successful friend requests, a number of users unwittingly enabled Freddi to gain access to their profile information simply by sending response messages such as "Who are you?" and "Do I know you?" back to his Facebook inbox.

Sophos experts note that users' profiles can be protected from such exposure by adjusting the privacy controls within their Facebook account settings.

While Facebook's privacy features go far beyond those of many competing social networking sites, it is ultimately about the human factor - carelessness and being preoccupied with having more Facebook friends than their peers could have a serious impact on business security, if accessed in the workplace, Myroff adds.

Some businesses may already be considering blocking Facebook for productivity reasons but, equally, other companies will see business benefits in this type of interaction, hence it's important that the site is used sensibly and securely.

In addition to these findings, Sophos poked a further 100 random Facebook users to see if this form of communication would elicit the same response and encourage people to let Freddi access their details. However, just eight people responded, with only five revealing personal information.

"Curiously, while so many users were perfectly willing to make friends with Freddi - despite knowing nothing about him – it appears that few wanted to engage in casual poking, suggesting that, true to the site's ethos, Facebook users are primarily interested in commitment and friendship," Myroff says.

Facebook users happy to reveal all

[Al-khiyal]

Fake toolbar cripples jobseekers' PCs and steals personal data

August 23, 2007 -- Tom is a copywriter living in Los Angeles. He's desperately looking for a new job, so he signed up to Monster - the online careers and recruitment resource for employers and jobseekers. An email he believed was from Monster arrived, inviting him to download the new "Monster Job Seeker Tool". But Tom soon discovered that it was no such thing. Instead, he had fallen victim to the "worst ever" ransomware trojan that encrypted all his files and stole information.

"Hundreds of files, if not over 1,000, were encrypted," says Tom. He found messages in his folders from the Glamorous Team demanding $300 (£150) to decrypt his files and threatening to share his private information. A few days later, a friend pointed him towards Prevx, a UK-based internet security company which had written a free decryption tool.

File encryption

"Unfortunately, it seems my files were encrypted a few times over, so the tool didn't work for me. I never considered paying up. I would never run a program from these crooks on my machine - who knows what it would be. My big concern is their threat to share my personal info with the world," says Tom who, thanks to good backups, only lost recent family photographs.

Mike, a management consultant from Arizona, had been let go from his job, and was moving files from his company laptop so he could return it. "I noticed the "read_me.txt" files [with the ransom demand] on my 80GB external hard drive, and of course knew there was a problem. Thinking I was doing the right thing, I deleted all of the .txt files and copied my good files to DVDs. When I tried to read the DVD to make sure the files would open, my heart sank as I discovered that everything was trashed," says Mike.

"Of the 80GB of data, I would estimate that I permanently lost about half."

"This is the worst attack I've ever seen," says Jacques Erasmus, Prevx's director of malware research and a former hacker who has proved a worthy opponent for the Glamorous Team. He's spent days trying to help victims like Tom and Mike recover their files.

"We received a first sighting of this around eight hours after it was released via spearphished emails to a targeted audience of people looking for work using the monster.com website," says Erasmus. The attack may have used an email list stolen from Monster or a similar job-seeking service.

"[Normally] to get an uptake of 1,000 machines, you'd need to send the email to around 75,000 people. However, because this email was highly targeted, the conversion ratio would be much better. Therefore I believe it was sent to around 10,000 email addresses," says Erasmus. A secondary wave of infection involved pornography and a malicious website in Panama. Only people in the USA were affected, except for one person in Saudi Arabia.

The software was a password-stealer trojan with a new ransomware feature and three functions: encrypting files on the victim's hard disk; stealing browser data and silently sending out stolen information to a website on a shared Yahoo server. No documents were taken - just data from browser sessions - although panicked users who deleted the read_me.txt messages with the randomly generated encryption key lost their files forever.

A key component was an http sniffer, which captures user data from browser sessions by bypassing the SSL encryption - the lock icon - normally relied on for secure internet transactions. Every 60 seconds, stolen data was encrypted by the trojan and sent to a dump site created only days beforehand.

"It took us about six hours to reverse-engineer the [encryption] algorithm including testing," says Erasmus. "We made two tools, one to decrypt the stolen data and one to decrypt the files for users."

Helped by access to the dump site (possibly an oversight by the ransomware creators), Erasmus found that around 1,000 PCs had been infected. Apart from individuals at home, the victims included US government departments and multinationals including Hewlett-Packard. He found 257MB of stolen data and contacted the FBI and a dozen seriously affected companies.

The data proved startling in its detail. An employee of General Dynamics Corporation, working inside the US Department of Transportation, was monitored making his online passport application to the US Department of State. A woman working for Booz Allen Hamilton, a global consulting group, was seen applying for a job directly to the CIA. Although both were using secure browser connections, they now face identity theft from organised criminals.

"There was an entire biometric profile of a government contractor in the stolen data - details such as eye colour, hair colour, exact measurements and weight," says Erasmus. "What worried us more was the level of data that was compromised from large US corporations and government contractors. Logins to critical systems, databases and intranet logins were captured. This could be devastating."

Stolen data

The Guardian has seen 5.6m lines of stolen data including credit card and bank account numbers, home addresses, social security numbers, logins, passwords, job applications and even emails with sexual content. We quickly found logins for Mike in Arizona and Bill in Oregon. Using Bill's details, we logged into his email account and left a message. His view of the ransomware trojan now? "Very malicious, and dangerous, and very scary."

We sent Mike his login details for his Fuse.net email and Paypal accounts, discovering even more about the trojan's capabilities. "My first reaction, to put it bluntly, is holy ****!" says Mike.

It's even worse for other people. Stolen banking information, almost certainly sold on by the Glamorous Team, will delight cash-seeking criminals. "We believe that Glamorous Team are Russian and part of a bigger crime network," says Erasmus. Only Prevx (prevx.com) users were protected as its software works by stopping any suspicious behaviour rather than reacting to previously detected files.

Are we going to see such a well-targeted attack here in the UK? It's very likely, although the criminals are probably now lying low. "For what they have achieved, I'd need to give them high marks. They've got into the government, major defence contractors and major corporates in the USA," says Erasmus.

As a former hacker, Erasmus admires the criminals' technical skills and he urges people not to be fooled by odd-looking emails that could be phishing attacks.

The ransom note

Hello, your files are encrypted with RSA-4096 algorithm (en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: [email address] and provide us your personal code [personal code]. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.

Monster hit by 'worst ever' trojan

[Al-khiyal]

August 23, 2007 -- The malware authors behind the Prg Trojan appear to be soliciting their identity theft victims to become 'money mules,' moving stolen money from bank accounts to the hackers' own coffers.

Vikram Thakur, a researcher with Symantec's Security Response team, reported in a blog post that they have discovered templates of e-mails that the Trojan authors are sending out, using their newly acquired collection of stolen identities to target their money mule scam at people looking for jobs.

"The templates all point to the same position," wrote Thakur. "The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The e-mail looks very realistic and may convince many that it has been sent from Monster.com or Careerbuilder.com."

While the e-mail says the job doesn't require any experience and offers a $500 sign-on bonus and the ability to work from home, it also notes that it does require people to have an account with Bank of America for wire transactions.

Gunter Ollmann, director of security strategy at IBM's Internet Security Systems, explained that cybercriminals, like hackers and phishers, have been using mules for several years, setting them up to move money out of a compromised bank account and then to transfer it - possibly even wire it - to the hacker's overseas account.

"The average life of a mule appears to be fairly short," added Gunter. "People have no idea what a mule actually is so they don't realize they're participating in a money laundering scam. They're being promised that they can work for an hour or two a day and earn thousands a month. They only have to live in the U.S., use this bank, and work from home a few hours a day."

In this particular case, the authors of the Prg Trojan are using the plethora of identities that they've stolen in the last several months to find of potential mules.

In the last few weeks, researchers from SecureWorks found 12 caches with about 100,000 stolen identities - all stolen via fraudulent ads on Monster.com. And researchers at Symantec found another massive cache - this one contained about 1.6 million pieces of stolen data, such as names, addresses, mobile phone numbers, and name of employers. The number correlates to data pieces, not 1.6 million victims.

It's still unclear how many stolen identities - how many victims of identity theft - the information in that cache represents, according to Dave Cole, director of Symantec's Security Response team.

On Wednesday, Monster Worldwide, parent company of Monster.com, released an advisory saying that it is investigating the impact the Trojan has had on its database.

"Monster has identified and shut down a rogue server that was accessing seeker contact information through unauthorized use of compromised legitimate employer-client log-in credentials," said the advisory. "The information contained on this server was limited to names, addresses, phone numbers, and e-mail addresses. The company is currently analyzing the number of job seeker contacts impacted by this action and will be communicating with those affected as appropriate."

Trojan authors recruit 'money mules' from list of stolen identities