Tag Archive for: Cyber

Annual Protest to ‘Fight Krebs’ Raises €150K+

In 2018, KrebsOnSecurity unmasked the creators of Coinhive — a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals — as the administrators of a popular German language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means “cancer” in German). This week, the forum is celebrating its third annual observance of that protest to “fight Krebs,” albeit with a Coronavirus twist.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted a large number of ‘thank you’ receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German forum pr0gramm[dot]com (not safe for work).  I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”). They ended up raising more than a quarter-million dollars worth of donations from members.

Last year’s commemoration of the protest fundraiser — dubbed “Krebsaction” by Pr0gramm — raised almost $300,000 for anti-cancer research groups. Interestingly, Coinhive announced it was shutting down around the same time as that second annual fundraiser.

This year’s Krebsaction started roughly three days ago and so far has raised more than 150,000 euros (~$165,000), with many Pr0gramm members posting screenshots of their online donations. The primary beneficiary appears to be DKMS, a German nonprofit that works to combat various blood cancers, such as leukemia and lymphoma.

The pr0gramm post kicking off this year’s “Krebsaction” fundraiser.

This year, however, Pr0gramm’s administrators exhorted forum members to go beyond just merely donating money to a worthy cause, and encouraged them to do something to help those most affected by the COVID-19/Coronavirus pandemic.

“This year pr0gramm-members shall not only donate but do a good act in terms of corona (and prove it), for example bring food to old people, bring proof of volunteering and such stuff,” reads the Pr0gramm image kicking off this year’s Krebsaction.  The message further states, “Posts mit geringem Einsatz können wir nicht akzeptieren,” which translates roughly to “Posts with little effort we cannot accept.”

Russians Shut Down Huge Card Fraud Ring

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.

In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused.

The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”

According to cyber intelligence firm Intel 471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Silivanon (a.k.a. “Gabrik“) were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel 471 says Selivanon also was charged along with Stroganov in this past week’s law enforcement action.

“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel 471.

“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.

Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.

“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”

Intel 471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.

Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks.

A longtime moderator of perhaps the cybercrime underground’s most venerated Russian hacking forum posted a list of more than 40 carding sites thought to be tied to the group’s operations that are no longer online. Among them is MrWhite[.]biz, a carding site whose slick video ads were profiled in a KrebsOnSecurity post last year.

A snippet from a promotional video from the carding/dumps shop MrWhite.

KNOW YOUR FRAUDSTER

Nearly all of the carding sites allegedly tied to this law enforcement action — including those with such catchy names as BingoDumps, DumpsKindgom, GoldenDumps, HoneyMoney and HustleBank — were united by a common innovation designed to win loyalty among cybercriminals who buy stolen cards or “dumps” in bulk: Namely, a system that allowed buyers to get instant refunds on “bad” stolen cards without having to first prove that the cards were canceled by the issuing bank before they could be used for fraud.

Most carding sites will offer customers a form of buyer’s insurance known as a “checker,” which is an automated, à la carte service customers can use after purchasing cards to validate whether the cards they just bought are still active.

These checking services are tied to “moneyback” guarantees that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the buyer agrees to pay an added fee of a few cents per card to use the shop’s own checking service.

But many cybercrooks have long suspected some checkers at the more popular carding sites routinely give inaccurate results that favor the card shop (i.e., intentionally flagging some percentage of inactive cards as valid). So, the innovation that Flint’s gang came up with was a policy called “Trust Your Client” or “TYC,” which appears to be a sly dig on the banking industry’s “know your customer” or KYC rules to help fight fraud and money laundering.

With TYC, if a customer claimed a card they bought was declined for fraudulent transaction attempts made within six hours of purchase, the carding shop would refund the price of that card — no questions asked. However, it seems likely these shops that observed TYC ran their own checkers on the back-end to protect themselves against dishonest customers.

An ad for the “Trust Your Client” or TYC policy observed by virtually all of the carding shops taken down in this past week’s Russian law enforcement operation.

Want to learn more about how carding shops work and all the lingo that comes with them? Check out my behind-the-scenes profile of one major fraud store — Peek Inside a Professional Carding Shop.

US Government Sites Give Bad Security Advice

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

For example, the official U.S. Census Bureau website https://my2020census.gov carries a message that reads, “An official Web site of the United States government. Here’s how you know.” Clicking the last part of that statement brings up a panel with the following information:

A message displayed at the top of many U.S. .gov Web sites.

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

In other words, while readers should never transmit sensitive information to a site that does not use https://, the presence of this security feature tells you nothing about the trustworthiness of the site in question.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates. PhishLabs found this percentage increased from 68% in Q3 and 54% in Q2 of 2019.

“Attackers are using free certificates on phishing sites that they create, and are abusing the encryption already installed on hacked web sites,” PhishLabs founder and CTO John LaCour said.

Image: PhishLabs.com

The truth is anyone can get an SSL certificate for free, and that’s a big reason why most phishing sites now have them. The other reason is that they help phishers better disguise their sites as legitimate, since many Web browsers now throw up security warnings on non-https:// sites.

KrebsOnSecurity couldn’t find any reliable information on how difficult it may be to obtain an SSL certificate for a .gov site once one has a .gov domain, but it is apparently not difficult for just about anyone to get their very own .gov domain name.

The U.S. General Services Administration (GSA), which oversees the issuance of .gov domains, recently made it a tiny bit more difficult to do so — by requiring all applications be notarized — but this seems a small hurdle for scam artists to clear.

Regardless, it seems the federal government is doing consumers a disservice with this messaging, by perpetuating the myth that the presence of “https://” in a link denotes any kind of legitimacy.

“‘Https’ does not mean that you are at the correct website or that the site is secure,” LaCour said. “It only indicates that the connection is encrypted. The server could still be misconfigured or have software vulnerabilities. It is good that they mention to look for ‘.gov’. There’s no guarantee that a .gov website is secure, but it should help ensure that visitors are on the right website.”

I should note that this misleading message seems to be present only on some federal government Web sites. For instance, while the sites for the GSA, the Department of Labor, Department of Transportation, and Department of Veterans Affairs all include the same wording, those for the Commerce Department and Justice Department are devoid of the misleading text, stating:

“This site is also protected by an SSL (Secure Sockets Layer) certificate that’s been signed by the U.S. government. The https:// means all transmitted data is encrypted — in other words, any information or browsing history that you provide is transmitted securely.”

Other federal sites — like dhs.gov, irs.gov and epa.gov — simply have the “An official website of the United States government” declaration at the top, without offering any tips about how to feel better about that statement.

Who’s Behind the ‘Web Listings’ Mail Scam?

In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.

Since at least 2007, Web Listings Inc. has been sending snail mail letters to domain registrants around the world. The missives appear to be an $85 bill for an “annual search engine listing” service. The notice does disclose that it is in fact a solicitation and not a bill, but wording of the notice asserts the recipient has already received the services in question.

Image: Better Business Bureau.

The mailer references the domain name web-listings.net, one of several similarly-named domains registered sometime in 2007 or later to a “James Madison,” who lists his address variously as a university in New Britain, Connecticut or a UPS Store mailbox in Niagara Falls, New York.

Some others include: weblistingservices.com, webservicescorp.net, websiteservicescorp.com, web-listingsinc.com, weblistingsinc.net, and weblistingsreports.net. At some point, each of these domains changes the owner’s name from James Madison to “Mark Carter.” As we’ll see, Mark is a name that comes up quite a bit in this investigation.

Image: Better Business Bureau.

A Twitter account for Web Listings Inc. has posts dating back to 2010, and points to even more Web Listings domains, including weblistingsinc.orgCached versions of weblistingsinc.org at archive.org show logos similar to the one featured on the Web Listings mailer, and early versions of the site reference a number of “business partners” in India that also perform SEO services.

Searching the Internet for some of these Web listing domains mentioned in the company’s Twitter account brings up a series of press releases once issued on behalf of the company. One from May 2011 at onlineprnews.com sings the praises of Weblistingsinc.info, weblistingsinc.org and web-listings.net in the same release, and lists the point of contact simply as “Mark.”

Historic WHOIS registration records from Domaintools [an advertiser on this blog] say Weblistingsinc.org was registered in Nov. 2010 to a Mark Scott in Blairgowrie, Scotland, using the email address clientnews@reputationmanagementfor.com.

Reputationmanagementfor.com bills itself as an online service for “fighting negative and incorrect content on the internet,” which is especially interesting for reasons that should become clearer in a few paragraphs. The site says Mark Scott, 46, is an employee of Reputationmanagementfor.com, and that he is also involved with two other companies:

-GoBananas, a business that sets up group outings, with a focus on bachelor and bachelorette parties;

-HelpMeGo.to, an entity in Scotland that did online marketing and travel tourism both in Scotland (via sites like Scotland.org.uk and marketinghotelsonline.co.uk) and on India’s coastal Kerala state where HelpMeGo.to employed a number of people involved in the SEO business. Helpmego.to now simply redirects to GoBananas.

According to Farsight Security, a company that keeps historic records of which Web sites were hosted at which Internet addresses, Weblistingsinc.org was for a while hosted at the IP address 68.169.45.65 with just six other domains, including travelingalberta.com, which was a blog about traveling and living in Alberta, Canada registered to Mark Scott and the email address management@helpmego.to. Cached versions of this site from 2011 show it naming Web Listings Inc. as a business partner.

That same management@helpmego.to email address is tied to the WHOIS records for markscottblog.com, gobananas.co.uk, gobananas.com. Cached copies of markscottblog.com from 2010 at Archive.org show his profile page on blogger.com links to another blog with much the same content, images and links called internetmadness.blogspot.com.

Among the 2011 entries from the Internetmadness blog is a post promoting the wonders of benefits of Web Listings Inc.

A cached copy of Mark Scott’s blog Internet Madness from 2011 promotes Web Listings Inc.

THE COBRA/APPCO GROUP

Aha! But wait, there’s more. You see, for years Weblistingsinc.org was hosted on the same servers along with a handful of other domains that all switched Internet addresses at the same times, including gobananas.com, gobananasworld.com and the IP addresses 107.20.142.166 (17 hosts), 54.85.65.241 (6 hosts).

Most of the other domains at these IPs historically have been tied to other domains connected to Mark Scott and his various companies and business partners, including chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, staghensscotlands.com, cobra-group.blogspot.comthe-cobra-group.com, appcogroup.co.uk, and reputationmanagementfor.com.

I found a similar pattern with domains stemming from a Crunchbase company profile on Web Listings Inc., which says the firm is based in Toronto, Canada, with the Web site webtechnologiesinc.net, and email address webtechnologiesletter@gmail.com. Historic WHOIS data from Domaintools.com says Webtechnologiesinc.net was registered in 2013 to a Marcus Ruskov in Toronto.

Information about who registered Webtechnologiesletter.com is completely hidden behind privacy protection services. But Farsight says the domain was in 2015 hosted at the Internet address 54.77.128.87, along with just 70 other domains, including the same list of domains mentioned above, chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, et cetera.

What do all of these domains have in common? They are tied to companies for which Mark Scott was listed as a key contact. For example, this press release from 2o11 says Mark Scott is the contact person for a company called Appco Group UK which bills itself as a market leader in face-to-face marketing and sales.

“Worldwide, Appco Group has raised hundreds of millions of pounds for some of the world’s biggest charities, delivered pay-TV and broadband services, financial services, security and many other successful marketing solutions on a diverse range of products,” the press release enthuses.

The Appco Group is the re-branded name of a family of marketing and sales companies originally created under the name The Cobra Group, whose Wikipedia page states that it is a door-to-door selling and marketing company headquartered in Hong Kong. It says investigations by the media have found the company promises much larger compensation rates that employees actually receive.

“It is also criticized for being a cult, a scam and a pyramid scheme,” the entry reads.

The Cobra Group and its multifariously named direct sales and marketing companies are probably best described as “multi-level marketing” schemes; that is, entities which often sell products and/or services of dubious quality, use high-pressure sales tactics and misleading if not deceptive advertising practices, and offer little to no employee payment for anything other than direct sales.

Even the most cursory amount of time spent searching the Internet for information on some of the companies named above (Appco Group, Cobra Group, Redwoods Advance, GDS International) reveals a mountain of bad press and horrible stories from former employees.

For example, Appco salespeople became known as “charity muggers” because they were trained to solicit donations on behalf of charities from random people on the street, and because media outlets later discovered that the people running Appco kept the majority of the millions of dollars they raised for the charities.

This exhaustive breakdown on the door-to-door sales industry traces Cobra and Appco Group back to a long line of companies that simply renamed and rebranded each time a scandal inevitably befell them.

Now it makes sense why Web Listings Inc. had so many confusingly-named domain names. And this might also explain the primary role of Mr. Scott’s business — the online reputation management company reputationmanagementfor.com — in relation to the Cobra Group/Appco’s efforts to burnish its reputation online.

A partial screenshot of a mind map I used to keep track of the myriad connections between various Web Listings domains and their owners. This map was created with MindNode Pro for Mac.

Mark Scott did not respond to multiple requests for comment sent to various email addresses and phone numbers tied to his name. However, KrebsOnSecurity did receive a response from Cobra Group founder Chris Niarchos, a Toronto native who said this was the first he’d heard of the Web Listings scam.

“Mark used to provide some services to us but my understanding was that stopped a long time ago,” Niarchos said. “He used to own a marketing company that we supplied but that contract ended maybe 12 years ago. That’s how we met. After that he did start some internet based businesses where he sold services to us as a customer at arms length. That also stopped many years ago again as we did it all in house. As far as I know he did this for many companies and we were simply a customer of his. In my dealings with him we got what we paid for but never did we have any closer relationship than that.”

USA CONNECTIONS

Two more small — possibly insignificant — but interesting things. First, if we go back and look at archived posts from markscottblog.com in 2010, we can see a number of entries where he defends the honor of Cobra Group, Appco, and other multi-level marketing programs he supports, saying they’re not scams. If we go back further to 2008 and look at Mark Scott’s profile on Blogger.com, we can see at the bottom of the page a link called “Enquiries and Emails.”

Visiting that link brings up what looks like a public shaming page of emails apparently sent to Mr. Scott from scammers trying to set him up for some kind of fake check scheme in connection with renting one of the U.K. properties listed by his various travel accommodations Web sites. Click the “Contact” tab at the top right of that page and you’ll see Travel Scotland has a U.S. phone number that potential customers here in the states can use to make reservations toll-free.

That number happens to be in Connecticut. Recall that the address listed in the ownership records for many of the Web Listings domains tied to the “James Madison/Mark Carter” identities were for an address in Connecticut.

Finally, I wanted to mention something that has stumped me (until very recently) since I began this investigation a couple of years ago. There are two unexpected domains returned when one performs a reverse search on a couple of different persistent data points in the WHOIS registration records for the Web Listings domains. See if you can spot the odd duck in this list produced by running a reverse search at Domaintools on info@web-listings.net (the contact email address shown on the mailed letter above):

Domain Name Create Date Registrar
finzthegoose.com 2010-08-03 enom, inc.
web-listings.net 2007-04-24 ENOM, INC.,ENOM, LLC
web-listingsinc.com 2015-11-06 ENOM, INC.,ENOM, LLC
weblistingservices.com 2007-04-23 ENOM, INC.,ENOM, LLC
weblistingsinc.com 2014-06-21 GODADDY.COM, LLC
weblistingsinc.net 2016-02-09 ENOM, INC.,ENOM, LLC
weblistingsreports.net 2015-11-06 ENOM, INC.,ENOM, LLC
webservicescorp.net 2007-06-03 ENOM, INC.,ENOM, LLC
websiteservicescorp.com 2007-06-03 —

Ten points if you said “finzthegoose.com.” Now let’s run a search on the phone number for Mark Carter — the phony persona behind all the Web Listings domains registered to the Niagara Falls address — +1.716-285-3575. What stands out about this list?

Domain Name Create Date Registrar
aquariumofniagara.org 2001-01-11 GODADDY.COM, LLC
web-listings.net 2007-04-24 ENOM, INC.,ENOM, LLC
web-listingsinc.com 2015-11-06 ENOM, INC.,ENOM, LLC
weblistingservices.com 2007-04-23 ENOM, INC.,ENOM, LLC
weblistingsinc.com 2014-06-21 GODADDY.COM, LLC
weblistingsinc.net 2016-02-09 ENOM, INC.,ENOM, LLC
weblistingsreports.net 2015-11-06 ENOM, INC.,ENOM, LLC
webservicescorp.net 2007-06-03 ENOM, INC.,ENOM, LLC
websiteservicescorp.com 2007-06-03 —

If you’re picking up an aquatic and marine life theme here, you’re two for two. That is actually the real phone number for the Aquarium of Niagara; the Web-Listings people just for some reason decided to list it in their WHOIS records as theirs.

It appears that a Scotsman named Robert Paul Graham Scott — perhaps Mark’s older brother — was in the same line of work (SEO and advertising) and pimping the exact same companies as Mark. According to a listing at Companies House, the official ledger of corporations in the United Kingdom, Paul Scott was for four years until Sept. 2019 a director in HMGT Services Ltd. (HMGT stands for the aforementioned HelpMeGo.To business).

Paul Scott’s own Internet presence says he lives in Perth — a short distance from Mark’s hometown in Blairgowrie, Scotland. Like Mark, Paul Scott did not respond to requests for comment. But Paul Scott’s Twitter profile — @scubadog_uk — shows him tweeting out messages supporting many of the same companies and causes as Mark over the past decade.

More to the point, Paul’s Website — scubadog.co.uk — says he has an abiding interest in underwater photography, scuba diving, and all things marine-related.

Zyxel Flaw Powers New Mirai IoT Botnet Strain

In February, hardware maker Zyxel fixed a zero-day vulnerability in its routers and VPN firewall products after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited by a new variant of Mirai, a malware strain that targets vulnerable Internet of Things (IoT) devices for use in large-scale attacks and as proxies for other cybercrime activity.

Security experts at Palo Alto Networks said Thursday their sensors detected the new Mirai variant — dubbed Mukashi — on Mar. 12. The new Mirai strain targets CVE-2020-9054, a critical flaw that exists in many VPN firewalls and network attached storage (NAS) devices made by Taiwanese vendor Zyxel Communication Corp., which boasts some 100 million devices deployed worldwide.

Like other Mirai variants, Mukashi constantly scans the Internet for vulnerable IoT devices like security cameras and digital video recorders (DVRs), looking for a range of machines protected only by factory-default credentials or commonly-picked passwords.

Palo Alto said IoT systems infected by Mukashi then report back to a control server, which can be used to disseminate new instructions — such as downloading additional software or launching distributed denial of service (DDoS) attacks.

The commands Mukashi botmasters can send to infected devices include scanning for and exploiting other systems, and launching DDoS attacks. Image: Palo Alto Networks.

Zyxel issued a patch for the flaw on Feb. 24, but the update did not fix the problem on many older Zyxel devices which are no longer being supported by the company. For those devices, Zyxel’s advice was not to leave them connected to the Internet.

A joint advisory on CVE-2020-9054 from the U.S. Department of Homeland Security and the CERT Coordination Center rates this vulnerability at a “10” — the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.

My advice? If you can’t patch it, pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.

Security Breach Disrupts Fintech Firm Finastra

Finastra, a company that provides a range of technology solutions to banks worldwide, said today it was shutting down key systems in response to a security breach discovered this morning. The company’s public statement and notice to customers does not mention the cause of the outage, but their response so far is straight out of the playbook for dealing with ransomware attacks.

London-based Finastra has offices in 42 countries and reported more than $2 billion in revenues last year. The company employs more than 10,000 people and has over 9,000 customers across 130 countries — including nearly all of the top 50 banks globally.

Earlier today, sources at two different U.S. financial institutions forwarded a notice they received from Finastra saying the outage was expected to disrupt certain services, particularly for clients in North America.

“We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers,” reads the notice. “As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”

Update, 5:21 p.m. ET: Finastra has acknowledged that it is battling ransomware.

“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” the company said in a revised statement.

The statement continues:

“Our approach has been to temporarily disconnect from the internet the affected servers, both in the USA and elsewhere, while we work closely with our cybersecurity experts to inspect and ensure the integrity of each server in turn. Using this ‘isolation, investigation and containment’ approach will allow us to bring the servers back online as quickly as possible, with minimum disruption to service, however we are anticipating some disruption to certain services, particularly in North America, whilst we undertake this task. Our priority is ensuring the integrity of the servers before we bring them back online and protecting our customers and their data at this time.”

Finastra also acknowledged an incident via a notice on its Web site that offers somewhat less information and refers to the incident merely as the detection of anomalous activity.

“The Finastra risk and security services team has detected anomalous activity on our systems,” wrote Tom Kilroy, Finastra’s chief operating officer. “In order to safeguard our customers and employees, we have made the decision to take a number of our servers offline while we investigate. This, of course, has an impact on some of our customers and we are in touch directly with those who may be affected.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to strongarm victim companies into paying up.

One reader on Twitter told KrebsOnSecurity they’d heard Finastra had sent thousands of employees home today as a result of the security breach. Finastra told this author the company closed select offices in Canada and Paddington, London today where employees were unable to access the servers which they took offline.

“The majority of the Company’s employees are already working from home,” a statement shared by Finastra reads. “This is determined by Finastra’s response to COVID-19 and not related in any way to this incident.”

Interestingly, several ransomware gangs have apparently stated that they are observing a kind of moratorium on attacking hospitals and other healthcare centers while the COVID-19/Coronavirus epidemic rages on. Bleeping Computer’s Lawrence Abrams said he recently reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Abrams said several of those gangs told him they would indeed stop attacking healthcare providers for the time being. One gang even used its victim-shaming Web site to post a “press release” on Mar. 18 stated that “due to situation with incoming global economy crisis and virus pandemic” it would be offering discounts to victims of their ransomware.

“We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” reads the release from the Maze ransomware gang.

A press release published by the Maze ransomware group.

This story will be updated as more details become available.

Coronavirus Widens the Money Mule Pool

With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

On the surface, the Web site for the Vasty Health Care Foundation certainly looks legitimate. It includes various sections on funding relief efforts around the globe, explaining that it “connects nonprofits, donors, and companies in nearly every country around the world.” The site says it’s a nonprofit with offices based in Nebraska and Quebec, Canada.

Vasty is a phony charity that pretends to raise money for Coronavirus victims but instead hires people to help launder stolen funds. This and the rest of the content at Vasty’s site was lifted from GlobalGiving, a legitimate charity that is helping people affected by the pandemic.

The “Vasty Health Care Foundation” is one of several fraudulent Web sites that recruit money mules in the name of helping Coronavirus victims. The content on Vasty’s site was lifted almost entirely from globalgiving.org, a legitimate charity that actually is trying to help people affected by the pandemic.

“We have been contacted by job seekers asking if we are related to some of these job opportunities they’ve been finding on Indeed.com and Monster.com,” said Kevin Conroy, chief product officer at GlobalGiving. “And we always tell them no that’s not from us, and not to cash any checks someone may be giving them in relation to those offers.”

The Vasty domain — vastyhealthcarefoundation[.]com — was registered just weeks ago, although the site claims its organization has been around for years.

The crooks behind this scheme also seem to have submitted the Vasty name in custom links at vetting sites like The Better Business Bureau and Guidestar that ultimately take one to a summary of data on GlobalGiving. No doubt this is part of an effort to lend legitimacy to the Vasty name (hovering over the links above reveals the trickery).

What proof is there that Vasty isn’t a legitimate charity? None of the dozens of Canadian mules contacted by this author responded to requests for comment. But KrebsOnSecurity received copious amounts of information about this scam from Milwaukee, Wisc. based Hold Security, which managed to intercept key file exchanges between threat actors through public file sharing services.

Among those files were a set of form letters and boilerplate email messages that describe the ideal candidate for the job at Vasty and welcome new recruits to the Vasty payroll. Here’s a look at part of the job description, which includes (not pictured) a description of the healthcare plans and other benefits allegedly offered to Vasty employees.

After congratulating applicants (everyone who applies is “hired”) on their new positions, Vasty asks the recruits to do some busy work. In this case, new hires are sent to local pharmacies on some bogus errand, such as to inspect the pricing of face masks and hand sanitizer products for price-gouging.

“Now we have the first task for you. You will have to perform a trip within your city. So that we can compensate for transportation costs along with your hourly rate, I ask you to keep receipts confirming your expenses.

LOCATION: Sam’s Geneva Street Pharmacy

ADDRESS:  284 Geneva St, St. Catharines, ON L2N 2E8

I ask you to go to the pharmacy at the specified address. We are increasingly receiving reports of private sellers violating the pricing policy for products such as: aspirin, face masks are loose surgical masks with elastic loops that go around the ears, hand sanitizers.”

New recruits are then asked to assemble and submit a written report of their observations at the store in question.

These types of menial, meaningless tasks are a typical tactic of money mule recruitment schemes and they serve two main purposes: They separate out slackers from people who really need and want a job, and they help the employee feel like he’s doing something useful and legitimate (aside from just moving money around, which if brought up too soon might make him question whether the job is legit).

Eventually, after successfully completing one or more of these busy work tasks, the new hire is asked to process a “donation” from someone who wants to help fight the Coronavirus outbreak:

“Please read the instructions carefully. One donor wants to make donations to help fight the coronavirus. As you know, this is a big problem for most countries of the world. Every day we receive information from the World Health Organization that more and more people are sick. Quite a lot of people died from this virus. Some people simply don’t have enough funds to provide themselves with standard face masks and disinfectants to fight the virus.”

“The donor requests that Bitcoins be bought with his funds. For this task, you need to create your Bitcoin wallet, or use the QR code that we send you in this letter. You will receive from the donor up to 3000 CAD. Your commission up to 150 CAD will be included in this amount to cover your expenses. I remind you that you do not need to use your funds to buy bitcoins. The funds will be sent to you. You will need to receive cash atm or at your bank branch.”

What happens next is the employee then receives an electronic transfer of money into his bank account, is asked to withdraw the cash, and to keep 150 Canadian dollars for himself. He’s then instructed to take the remainder of the funds to a Bitcoin ATM and scan an emailed QR code with his mobile phone. This causes the cash he deposits into the Bitcoin ATM to be sent in an irreversible transaction to a Bitcoin wallet controlled by the scammers.

What’s going on behind the scenes is the funds that get deposited in the employee’s account are invariably stolen from other hacked bank accounts, and the employee is merely helping the crooks launder the stolen money into a form of payment that can’t be reversed.

Another boilerplate email intercepted by Hold Security shows Vasty’s new hires manager offering advice to employees who are asked by nosey bank employees about the nature of the funds withdrawal.

“Important: If you receive any questions from the bank regarding the purpose of the payment, you can open part of the instructions if necessary and inform that these funds are intended for payment of medicines. In any case, it is a personal payment and it will not be taxed. However, I strongly recommend that you not divulge the rest of the instructions for paying for medicines against coronavirus so as not to aggravate panic among the population.”

Americans shouldn’t feel left out of the scam: Hold Security founder Alex Holden says his analysts also intercepted a nearly identical set of scam templates targeting job seekers in the United States.

Money mule scammers specialize in hacking employer accounts at job recruitment Web sites like Monster.com, Hotjobs.com and other popular employment search services. Armed with the employer accounts, the crooks are free to search through millions of resumes and reach out to people who are currently between jobs or seeking part-time employment.

If you receive a job solicitation via email that sounds too-good-to-be-true, it probably is related in some way to one of these money-laundering schemes. Even if you can’t see the downside to you, someone is likely getting ripped off. Also, know that money mules — however unwitting — may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.

Overall, Holden said, established cybercriminals who specialize in recruiting and grooming money mules for financial crimes have been cooing of late over the potential glut of new mules. One mule vendor on a popular Russian-language crime forum posted Tuesday that his “drops” — the hacker slang term for money mules — weren’t scared of Coronavirus concerns.

“We got drops in masks!,” one vendor proclaimed.

“We continue to work despite the Coronavirus,” declared another drops vendor.

Any readers interested in helping others affected by the Coronavirus outbreak should consider giving through the organization Vasty is impersonating here; Global Giving. Alternatively, these two stories link to a number of other reputable organizations facilitating Coronavirus relief efforts.

The Web’s Bot Containment Unit Needs Your Help

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Image: Ghostbusters.

Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving ShadowServer have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.

Image: Shadowserver.org

Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.

The Shadowserver Foundation currently serves 107 National computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.

“These reports notify our constituents ​about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.

The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.

“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”

Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.

“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”

Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

Update 10:46 a.m., ET: Added comment from Cisco.

Live Coronavirus Map Used to Spread Malware

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.

As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.

Crafty Web Skimming Domain Spoofs “https”

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected  “view-source”:

The malicious domain added to the HTML code for grandwesternsteaks.com (highlighted in orange) fetched a script that intercepted data entered by customers, including credit card details and logins. The code has since been removed from the site.

Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:

The obfuscated card skimming code is full of references to “ants” and “cockroaches,” which is enough to give any site owner the heebie-jeebies.

A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.

The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.

Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.

“There is a subtle difference in the URI path loading both scripts,” Segura wrote. “The malicious one uses a clever way to turn the domain name http.ps (note the dot ‘.’ , extra ‘p’ and double slash ‘//’) into something that looks like ‘https://’. The threat actors are taking advantage of the fact that since Google Chrome version 76, the “https” scheme (and special-case subdomain “www”) is no longer shown to users.”

Segura says there are two ways e-commerce sites are being compromised here:

  • Skimming code that is injected into a self hosted JavaScript library (the jQuery library seems to be the most targeted)
  • A script that references an external JavaScript, hosted on a malicious site (in this case, http[.]ps)

Malwarebytes assesses that the tricks this domain uses to obfuscate the malicious code are tied to various site-hacking malware campaigns dating back to 2016. By the way, an installation of Malwarebytes on a test machine used for this investigation blocked the http[.]ps script from loading on each of the compromised sites I found.

Finally, the “.ps” bit of the malicious skimming domain refers to the country code top-level-domain (ccTLD) for the State of Palestine. The domain was registered on Feb. 7.

If you run an e-commerce Web site, it would be a great idea to read up on leveraging Content Security Policy (CSP) response headers and Subresource Integrity security features offered by modern Web browsers. These offer mitigation options to prevent your site from being used in these card skimming attacks. Ryan Barnett at Akamai penned a comprehensive blog post on these approaches not long ago that is well worth reading [full disclosure: Akamai is an advertiser on this site].

I’ve been playing recently with privacy.com, which among other things offers a free service that allows users to generate a unique, one-time credit card number for each online transaction (privacy.com makes money from the interchange fees paid by merchants). The beauty of this approach is if your credit card details do get swiped by one of these site skimmers, you won’t have to change your credit card information at dozens of other sites and services you frequent.