Tag Archive for: Cyber

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google’s AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.

The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.

The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.

Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”

“Pretty concerning, thought it seems this group is only saying they’re planning their attack,” the reader wrote.

Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.

“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”

Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.

“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”

A Light at the End of Liberty Reserve’s Demise?

In May 2013, the U.S. Justice Department seized Liberty Reserve, alleging the virtual currency service acted as a $6 billion financial hub for the cybercrime world. Prompted by assurances that the government would one day afford Liberty Reserve users a chance to reclaim any funds seized as part of the takedown, KrebsOnSecurity filed a claim shortly thereafter to see if and when this process might take place. This week, an investigator with the U.S. Internal Revenue service finally got in touch to discuss my claim.

Federal officials charged that Liberty Reserve facilitated a “broad range of criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.” The government says from 2006 until the service’s takedown, Liberty Reserve processed an estimated 55 million financial transactions worth more than $6 billion, with more than 600,000 accounts associated with users in the United States alone.

While it’s clear that the digital currency system for years was the go-to money-moving vehicle for many engaged in dodgy online activities, it also was favored by users primarily because it offered a relatively anonymous way to send irrevocable transfers globally with low fees.

Indeed, the two stories I wrote about the closure of Liberty Reserve in 2013 remain among the most-read on this site, and have generated an enormous volume of emails from readers who saw many thousands of dollars held in legal limbo — much of it related to investments in online gaming platforms, payments to and from adult entertainment services, and various investment schemes.

The IRS official who contacted me was not authorized to be quoted in the media (and indeed did not initially realize he was speaking to a member of the press when he called). But he told me the government had recently obtained legal access to some of the funds held in overseas bank accounts that were used by Liberty Reserve, and that IRS investigators were now starting to contact people and vet any claims made in the wake of the takedown.

“We’re just getting to the point where we have received funds,” the investigator said. “We’ve started to contact people who originally contacted us, to vet their claims, make sure they weren’t involved in any illegal activity, and that the claim amounts match the records that we have.”

The official said he didn’t know how much money in total the government was seeking to return to former Liberty Reserve users. Requests for this information from the Justice Department office that prosecuted the case — the U.S. Attorney for the Southern District of New York — went unanswered.

The founder of Liberty Reserve, 45-year-old Arthur Budovsky, pleaded guilty in 2016 to conspiring to commit money laundering. He was sentenced to 20 years in prison, ordered to pay a $500,000 fine and forfeit $122 million in company funds.

If you filed a monetary claim in response to the Liberty Reserve seizure years back, you may have already been contacted by federal investigators, or you may be soon. But please know that fraudsters will likely seize on public awareness about the possible repatriation of funds to fleece the unwary: KrebsOnSecurity has received more than a few emails from readers over the years who fell for various phishing scams that promised to return funds lost at Liberty Reserve in exchange for a bogus “processing fee.”

Microsoft Patch Tuesday, February 2020 Edition

Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned as CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

Another flaw fixed this month in Microsoft Exchange 2010 through 2019 may merit special attention. The bug could allow attackers to exploit the Exchange Server and execute arbitrary code just by sending a specially crafted email. This vulnerability (CVE-2020-0688) is rated “important” rather than “critical,” but Liska says it seems potentially dangerous, as Microsoft identifies this as a vulnerability that is likely to be exploited.

In addition, Redmond addressed a critical issue (CVE-2020-0618) in the way Microsoft SQL Server versions 2012-2016 handle page requests.

After a several-month respite from patches for its Flash Player browser plug-in, Adobe has once again blessed us with a security update for this program (fixes one critical flaw). Thankfully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year.

Other Adobe products for which the company shipped updates today include Experience Manager, Digital Editions, Framemaker and Acrobat/Reader (17 flaws). Security experts at Qualys note that on January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.

“While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed,” said Qualys’s Jimmy Graham.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and backup your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

The nine-count indictment names Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) as members of the PLA’s 54th Research Institute, a component of the Chinese military. They are each charged with three counts of conspiracy to commit computer fraud, economic espionage and wire fraud.

The government says the men disguised their hacking activity by routing attack traffic through 34 servers located in nearly 20 countries, using encrypted communications channels within Equifax’s network to blend in with normal network activity, and deleting log files daily to remove evidence of their meanderings through the company’s systems.

U.S. Attorney General Bill Barr said at a press conference today that the Justice Department doesn’t normally charge members of another country’s military with crimes (this is only the second time the agency has indicted Chinese military hackers). But in a carefully worded statement that seemed designed to deflect any criticism of past offensive cyber actions by the U.S. military against foreign targets, Barr said the DOJ did so in this case because the accused “indiscriminately” targeted American civilians on a massive scale.

“The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information,” Barr said. “But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens.”

FBI Deputy Director David Bowdich sought to address the criticism about the wisdom of indicting Chinese military officers for attacking U.S. commercial and government interests. Some security experts have charged that such indictments could both lessen the charges’ impact and leave American officials open to parallel criminal allegations from Chinese authorities.

“Some might wonder what good it does when these hackers are seemingly beyond our reach,” Bowdich said. “We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up, and when they do we’ll be there. We in law enforcement will not let hackers off the hook just because they’re halfway around the world.”

The attorney general said the attack on Equifax was just the latest in a long string of cyber espionage attacks that sought trade secrets and sensitive data from a broad range of industries, and including managed service providers and their clients worldwide, as well as U.S. companies in the nuclear power, metals and solar products industries.

“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret thefts cases in recent years involved some connection with China,” he said.

The indictments come on the heels of a conference held by US government officials this week that detailed the breadth of hacking attacks involving the theft of intellectual property by Chinese entities.

“The FBI has about a thousand investigations involving China’s attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector,” FBI Director Christopher Wray reportedly told attendees at the gathering in Washington, D.C., dubbed the “China Initiative Conference.”

At a time when increasingly combative trade relations with China combined with public fears over the ongoing Coronavirus flu outbreak are stirring Sinophobia in some pockets of the U.S. and other countries, Bowdich was quick to clarify that the DOJ’s beef was with the Chinese government, not its citizenry.

“Our concern is not with the Chinese people or with the Chinese American,” he said. “It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn’t mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage. What it does mean is when China violates our criminal laws and international norms, we will hold them accountable for it.”

A copy of the indictment is available here.

ANALYSIS

DOJ officials praised Equifax for their “close collaboration” in sharing data that helped investigators piece together this whodunnit. Attorney General Barr noted that the accused not only stole personal and in some cases financial data on Americans, they also stole Equifax’s trade secrets, which he said were “embodied by the compiled data and complex database designs used to store personal information.”

While the DOJ’s announcement today portrays Equifax in a somewhat sympathetic light, it’s important to remember that Equifax repeatedly has proven itself an extremely poor steward of the highly sensitive information that it holds on most Americans.

Equifax’s actions immediately before and after its breach disclosure on Sept 7, 2017 revealed a company so inept at managing its public response that one couldn’t help but wonder how it might have handled its internal affairs and security. Indeed, Equifax and its leadership careened from one feckless blunder to the next in a series of debacles that KrebsOnSecurity described at the time as a complete “dumpster fire” of a breach response.

For starters, the Web site that Equifax set up to let consumers check if they were affected by the breach consistently gave conflicting answers, and was initially flagged by some Web browsers as a potential phishing site.

Compounding the confusion, on Sept. 19, 2017, Equifax’s Twitter account told people looking for information about the breach to visit the wrong Web site, which also was blocked by multiple browsers as a phishing site.

And two weeks after its breach disclosure, Equifax began notifying consumers of their eligibility to enroll in free credit monitoring — but the messages did not come from Equifax’s domain and were in many other ways indistinguishable from a phishing attempt.

It soon emerged the intruders had gained access to Equifax’s systems by attacking a software vulnerability in an Internet-facing server that had been left unpatched for four months after security experts warned that the flaw was being broadly exploited. We also learned that the server in question was tied to an online dispute portal at Equifax, which the intruders quickly seeded with tools that allowed them to maintain access to the credit bureau’s systems.

This is especially notable because on Sept. 12, 2017 — just five days after Equifax went public with its breach — KrebsOnSecurity broke the news that the administrative account for a separate Equifax dispute resolution portal catering to consumers in Argentina was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

A partial list of active and inactive Equifax employees in Argentina. This page also let anyone add or remove users at will, or modify existing user accounts.

Perhaps we all should have seen this megabreach coming. In May 2017, KrebsOnSecurity detailed how countless employees at many major U.S. companies suffered tax refund fraud with the IRS thanks to a laughably insecure portal at Equifax’s TALX payroll division, which provides online payroll, HR and tax services to thousands of U.S. firms.

Equifax’s TALX — now called Equifax Workforce Solutions — aided tax thieves by relying on outdated and insufficient consumer authentication methods.

In October 2017, KrebsOnSecurity showed how easy it was to learn the complete salary history of a large portion of Americans simply by knowing someone’s Social Security number and date of birth, thanks to yet another Equifax portal.

Around that same time, we also learned that at least two Equifax executives sought to profit from the disaster through insider trading just days prior to the breach announcement. Jun Ying, Equifax’s former chief information officer, dumped all of his stock in the company in late August 2017, realizing a gain of $480,000 and avoiding a loss of more than $117,000 when news of the breach dinged Equifax’s stock price.

Sudhakar Reddy Bonthu, a former manager at Equifax who was contracted to help the company with its breach response, bought 86 “put” options in Equifax stock on Sept. 1, 2017 that allowed him to profit when the company’s share price dropped. Bonthu was later sentenced to eight months of home confinement; Ying got four months in prison and one year of supervised release. Both were fined and/or ordered to pay back their ill-gotten gains.

While Equifax’s stock price took a steep hit in the months following its breach disclosure, shares in the company [NYSE:EFX] gained a whopping 50.5% in 2019, according to data from S&P Global Market Intelligence.

KrebsOnSecurity has long maintained that the 2017 breach at Equifax was not the work of financially-motivated identity thieves, as there has been exactly zero evidence to date that anything close to the size of the data cache stolen from that incident has shown up for sale in the cybercrime underground.

However, readers should understand that there are countless other companies with access to SSN, DOB and other information crooks need to apply for credit in your name that get hacked all the time, and that this data on a great many Americans is already for sale across various cybercrime bazaars.

Readers also should know that while identity theft protection services of the kind offered by Equifax and other companies may alert you if crooks open a new line of credit in your name, these services generally do nothing to stop that identity theft from taking place. ID theft protection services are most useful in helping people recover from such crimes.

As such, KrebsOnSecurity continues to encourage readers to place a freeze on their credit files with Equifax and the other major credit bureaus. This process puts you in control over who gets to grant credit in your name. Placing a freeze is now free for all Americans and their dependents. For more information on how to do that and what to expect from a freeze, please see this primer.

Dangerous Domain Corp.com Goes Up for Sale

As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way that Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “drive1” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

INSTANT CORPORATE BOTNET, ANYONE?

That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.”

THE EARLY ADVENTURES OF CORP.COM

Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

Archive.org’s index of corp.com from 1997, when its owner Mike O’Connor briefly enabled a Web site mainly to shame Microsoft for the default settings of its software.

O’Connor said he also briefly enabled an email server on corp.com, mainly out of morbid curiosity to see what would happen next.

“Right away I started getting sensitive emails, including pre-releases of corporate financial filings with The U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things,” O’Connor recalled in an interview with KrebsOnSecurity. “For a while, I would try to correspond back to corporations that were making these mistakes, but most of them didn’t know what to do with that. So I finally just turned it off.”

TOXIC WASTE CLEANUP IS HARD

Microsoft declined to answer specific questions in response to Schmidt’s findings on the wayward corp.com traffic. But a spokesperson for the company shared a written statement acknowledging that “we sometimes reference ‘corp’ as a label in our naming documentation.”

“We recommend customers own second level domains to prevent being routed to the internet,” the statement reads, linking to this Microsoft Technet article on best practices for setting up domains in Active Directory.

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

But both O’Connor and Schmidt say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time. Second, according to Microsoft applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations.

Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low, O’Connor said.

“The problem is that when you read the instructions for doing the repair, you realize that what they’re saying is, ‘Okay Megacorp, in order to apply this patch and for everything to work right, you have to take down all of your Active Directory services network-wide, and when you bring them back up after you applied the patch, a lot of your servers may not work properly’,” O’Connor said.

Curiously, Schmidt shared slides from a report submitted to a working group on namespace collisions suggesting that at least some of the queries corp.com received while he was monitoring it may have come from Microsoft’s own internal networks.

Image: JAS Global Advisors

“The reason I believe this is Microsoft’s issue to solve is that someone that followed Microsoft’s recommendations when establishing an active directory several years back now has a problem,” Schmidt said.

“Even if all patches are applied and updated to Windows 10,” he continued. “And the problem will persist while there are active directories named ‘corp’ – which is forever. More practically, if corp.com falls into bad hands, the impact will be on Microsoft enterprise clients – and at large scale – paying, Microsoft clients they should protect.”

Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said the software giant ought to be accountable for its products and mistakes.

“It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made,” he said. “But they’ve shown no real interest in doing that, and so I’ve shown no interest in giving it to them. I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it. My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)

When Your Used Car is a Little Too ‘Mobile’

Many modern vehicles let owners use the Internet or a mobile device to control the car’s locks, track location and performance data, and start the engine. But who exactly owns that control is not always clear when these smart cars are sold or leased anew. Here’s the story of one former electric vehicle owner who discovered he could still gain remote, online access to his old automobile years after his lease ended.

Mathew Marulla began leasing a Ford Focus electric vehicle in 2013, but turned the car back in to Ford at the end of his lease in 2016. So Marulla was surprised when he recently received an email from Ford.com stating that the clock in his car was set incorrectly.

Out of curiosity, Marulla decided to check if his old MyFordMobile.com credentials from 2016 still worked. They did, and Marulla was presented with an online dashboard showing the current location of his old ride and its mileage statistics.

The dashboard also allowed him to remotely start the vehicle, as well as lock and unlock its doors.

Mathew Marulla turned in his leased Ford EV to Ford 4 years ago, so he is no longer the legal owner of the car. But he can still remotely track its location and usage, lock and unlock it, and start the engine.

“It was a three-year lease from Ford and I turned it in to Ford four years ago, so Ford definitely knows I am no longer the owner,” Marulla said, noting that the dashboard also included historic records showing where the Focus had been driven in days prior.

“I can track its movements, see where it plugs in,” he said. “Now I know where the current owner likely lives, and if I watch it tomorrow I can probably figure out where he works. I have not been the owner of this vehicle for four years, Ford knows this, yet they took no action whatsoever to remove me as the owner in this application.”

Asked to comment on Marulla’s experience, a spokesperson for Ford said all Ford dealerships are supposed to perform a “master reset” as part of their used car checklist prior to the resale of a vehicle. A master reset (carried out via the vehicle’s SYNC infotainment screen by a customer or dealer) disassociates the vehicle from all current accounts.

“A master reset cleans phone data and removes previous Ford Pass and My Ford Mobile connections,” the company said in a statement released to KrebsOnSecurity. “Once complete, a previous owner will no longer be able to connect to the vehicle when they log in to My Ford Mobile or Ford Pass.”

As Marulla’s experience shows, if you’re in the market for a used car you should probably check whether it’s possible to reset the previous owner’s control and/or information before purchasing it, or at least ask the dealership to help you ensure this gets done once the purchase is made.

And if you’re thinking of selling your car, it’s a good idea to clear your personal data from the vehicle first. As the U.S. Federal Trade Commission advises, some cars have a factory reset option that will return the settings and data to their original state.

“But even after a factory reset, you may still have work to do,” reads an FTC consumer privacy notice from 2018. “For example, your old car may still be connected to subscription services like satellite radio, mobile Wi-Fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle.”

By the way, this issue of de-provisioning is something of a sticky wicket, and it potentially extends well beyond vehicles to a number of other “smart” devices that end up being resold or refurbished. This is doubly so for Internet-connected/capable devices whose design may give the previous owner a modicum of access to or control over the device in question regardless of what steps the new owner takes to limit such access (particularly some types of security cameras).

Booter Boss Busted By Bacon Pizza Buy

A Pennsylvania man who operated one of the Internet’s longest-running online attack-for-hire or “booter” services was sentenced to five years probation today. While the young man’s punishment was heavily tempered by his current poor health, the defendant’s dietary choices may have contributed to both his capture and the lenient sentencing: Investigators say the onetime booter boss’s identity became clear after he ordered a bacon and chicken pizza delivered to his home using the same email address he originally used to register his criminal attack service.

David Bukoski, 24, of Hanover Township, Pa., pleaded guilty to running Quantum Stresser, an attack-for-hire business — also known as a “booter” or “stresser” service — that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.

The landing page for the Quantum Stresser attack-for-hire service.

Investigators say Bukoski’s booter service was among the longest running services targeted by the FBI, operating since at least 2012. The government says Quantum Stresser had more than 80,000 customer subscriptions, and that during 2018 the service was used to conduct approximately 50,000 actual or attempted attacks targeting people and networks worldwide.

The Quantum Stresser Web site — quantumstress[.]net — was among 15 booter services that were seized by U.S. and international authorities in December 2018 as part of a coordinated takedown targeting attack-for-hire services.

Federal prosecutors in Alaska said search warrants served on the email accounts Bukoski used in conjunction with Quantum Stresser revealed that he was banned from several companies he used to advertise and accept payments for the booter service.

The government’s sentencing memorandum says Bukoski’s replies demanding to know the reasons for the suspensions were instrumental in discovering his real name.  FBI agents were able to zero in on Bukoski’s real-life location after a review of his email account showed a receipt from May 2018 in which he’d gone online and ordered a handmade pan pizza to be delivered to his home address.

When an online pizza delivery order brings FBI agents to raid your home.

While getting busted on account of ordering a pizza online might sound like a bone-headed or rookie mistake for a cybercriminal, it is hardly unprecedented. In 2012 KrebsOnSecurity wrote about the plight of Yuriy “Jtk” Konovalenko, a then 30-year-old Ukrainian man who was rounded up as part of an international crackdown on an organized crime gang that used the ZeuS malware to steal tens of millions of dollars from companies and consumers. In that case, Konovalenko ultimately unmasked himself because he used his Internet connection to order the delivery of a “Veggie Roma” pizza to his apartment in the United Kingdom.

Interestingly, the feds say their examination of Bukoski’s Internet browsing records showed he knew full well that running a booter service was punishable under federal law (despite disclaimers published on Quantum Stresser stating that the site’s owners weren’t responsible for how clients used the service).

“The defendant’s web browsing history was significant to investigators for a number of reasons, including the fact that it shows that the defendant browsed an article written by a prominent security researcher referencing both the defendant’s enterprise along with a competing service, including a link provided by the researcher in the article to an advisory posted by the FBI warning that the operation of booter services was potentially punishable under federal law,” reads the sentencing memo from Assistant U.S. Attorney Adam Alexander.

That’s interesting because the article in question was actually a 2017 KrebsOnSecurity story about a mobile app tied to a competing booter service that happened to share some of the same content as Quantum Stresser.

That 2017 story referenced an FBI advisory that had just been issued warning the use of booter services is punishable under the Computer Fraud and Abuse Act, and may result in arrest and criminal prosecution.

Bukoski was sentenced to five years of probation and six months of “community confinement.” The government suggested a lenient sentence considering the defendant’s ongoing health complications, which include liver failure.

Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

The courthouse in Dallas County, Iowa. Image: Wikipedia.

Gary DeMercurio, 43 of Seattle, and Justin Wynn, 29 of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based in Westminster, Colo. Iowa’s State Court Administration had hired the company to test the security of its judicial buildings.

Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo’s early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county’s sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they’d obtained entry to the premises via an unlocked door.

“They said they found a courthouse door unlocked, so they closed it from the outside and let it lock,” Dan Goodin of Ars Technica wrote of the ordeal in November. “Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed.”

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they’d been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren’t thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

“The pentesters had already said they used a tool to open the front door,” Goodin recounted. “Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.”

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

What initially seemed to Coalfire as a momentary lapse of judgment by Iowa authorities quickly morphed into the surreal when state lawmakers held hearings questioning why and how someone in the state’s employ could have so recklessly endangered the safety and security of its citizens.

DeMercurio and Wynn, minus the orange jumpsuits.

Judicial Branch officials in Dallas County said in response to this grilling that they didn’t expect Coalfire’s physical penetration testing to be conducted outside of business hours. State Sen. Amy Sinclair was quoted as telling her colleagues that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement, and members of the public.’”

“Essentially a branch of government has contracted with a company to commit crimes, and that’s very troubling,” lamented Iowa state Sen. Zach Whiting. “I want to find out who needs to be held accountable for this and how we can do that.”

Those strong words clashed with a joint statement released Thursday by Coalfire and Dallas County Attorney Charles Sinnard:

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” the statement reads. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

Matthew Linholm, an attorney representing DeMercurio and Wynn in the case, said the justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas.

“Such a practice endangers the effective administration of justice and our confidence in the criminal justice system,” Linholm told The Des Moines Register, which broke the news of the dropped charges.

While the case against Coalfire’s employees has rallied many in the cybersecurity community around the accused, not everyone sees this dispute in black-and-white. Chris Nickerson, a digital intrusion specialist and founder of LARES Consulting, said in a Twitter post Thursday that “when a company puts us in harm’s way due to their poor planning, failed sales education, inadequate project management and deplorable contract management…We shouldn’t celebrate them. We should hold them accountable.”

Asked to elaborate, Nickerson referred to a recent podcast which touched on the arrests.

“The things that concern me about this situation are more of the pieces of safety that exist across how the industry instruments doing these types of engagements,” Nickerson said. “They seem very, very reasonable and obvious once they become obvious but until then they’re completely foreign to people.”

“It’s really on the owners of the organization to educate the customer of those potential pitfalls,” Nickerson continued. “Because there isn’t a good standard. We haven’t all gotten together and institutionalized the knowledge that we have in our heads and dump it down to paper so that someone who is new to the field being tasked with this can go through and say, ‘Hey, did you ask them if the city versus the state versus the building owner and the real estate people…are all of these people in lock step?’”

Coalfire CEO Tom McAndrew seemed to address this point in our interview Thursday, saying there were two unique aspects of this particular engagement. First, although the client in this case said they did not want Coalfire to make local law enforcement aware of the ongoing engagement prior to testing the physical security of the site, it was clear after the fact that state officials never did that on their own.

More importantly, McAndrew said, there was ambiguity around who actually owned the buildings that they were hired to test.

“If you’re doing a test for the state and you walk into the building and it’s the courthouse and you’re doing a test for the court system, you’d think that they would have jurisdiction or own it, and that turned out not to be the case in this scenario because there’s some things the state owns and some things the county owns, and that was something we weren’t aware of as we did some of this work,” he said. “We didn’t understand the nuances.”

Asked what Coalfire has learned from this ordeal, McAndrew said his company is likely to insist that local, state and even federal law enforcement be informed in advance of any penetration tests, at least as far as those engagements relate to public entities.

“When we look at the contracts and we look at who’s authorized to do what…typically, if a [chief security officer] says test these IP addresses, we would say okay that’s enough,” he said. “But we’re questioning from a legal perspective at what point does that need to have legal counsel review.”

McAndrew said it’s probably time for experts from various corners of the pen testing community to collaborate in documenting best practices that might help others avoid a repeat of the scenario in Dallas County.

“There’s no standard in the industry,” he said. “When it comes to these sorts of issues in red teaming — the legal challenges and the contracts — there’s really nothing out there. There are some things that can’t be undone. There’s the mugshots that are out there forever, but even as we get the charges dropped, these are permanently going to be in the federal database. This is a permanent thing that will reside with them and there’s no legal way we’re aware of to get these charges removed from the federal database.”

McAndrew said while he remains frustrated that it took so long to resolve this dispute, he doesn’t believe anyone involved acted with malicious intent.

“I don’t think there were any bad people,” he said. “Everyone was trying to do the right things — from law enforcement to the sheriff to the judges to the county — they all had the right intentions. But they didn’t necessarily all have the right information, and possibly people made decisions at levels they weren’t really authorized to do. Normally that’s not really our call, but I think people need to be thinking about that.”

Sprint Exposed Customer Support Site to Web

Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web.

KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months worth of postings about customer complaints and other issues were viewable without authentication to anyone with a Web browser.

A redacted screen shot of one Sprint customer support thread exposed to the Web.

A Sprint spokesperson responded that the forum was indeed intended to be a private section of its support community, but that an error caused the section to become public.

“These conversations include minimal customer information and are used for frontline reps to escalate issues to managers,” said Lisa Belot, Sprint’s communications manager.

A review of the exposed support forum by this author suggests that while none of the posts exposed customer information such as payment card data, a number of them did include customer account information, such customer names, device identifiers and in some cases location information.

Perhaps more importantly for Sprint and its customers, the forum also included numerous links and references to internal tools and procedures. This sort of information would no doubt be of interest to scammers seeking to conduct social engineering attacks against Sprint employees as way to perpetrate other types of fraud, including unauthorized SIM swaps or in gleaning more account information from targeted customers.

Earlier this week, vice.com reported that hackers are phishing workers at major U.S. telecommunications companies to gain access to internal company tools. That news followed a related Vice report earlier this month which found ne’er-do-wells are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers.

The misstep by Sprint comes just days after Microsoft acknowledged that a database containing “a subset of information related to customer support interactions was accessible to the internet between the dates of Dec. 5 and Dec. 31, 2019.” Microsoft said it was alerting individuals whose information was exposed, which included location information, email and IP addresses, telephone numbers and descriptions of technical issues.

A message Microsoft sent to customers affected by their recent leak of customer support data.

This week marked the annual observance of Data Privacy Day, an occasion in which we are reminded to be more judicious about the types of personal information we voluntarily share on social media and other Web sites. But both the Microsoft and Sprint stumbles are a reminder that billion-dollar companies very often expose this information on our behalf, even when we are doing everything within our power to safeguard it.

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.

The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019.

Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.

On Dec. 19, 2019, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations.

Pennsylvania-based Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4. The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).

A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

Gemini Advisory, a New York-based fraud intelligence company, said the biggest concentrations of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customer card use in Florida and Pennsylvania, the two most populous states where Wawa operates. Wawa also has locations in Delaware, Maryland, New Jersey, Virginia and the District of Columbia.

According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.

“Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records,” Gemini observed. “While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and utilizing Wawa gas stations during the period of exposure.”

Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.

Gemini monitors multiple carding sites like Joker’s Stash. The company found the median price of U.S.-issued records in the new Joker’s Stash batch is currently $17, with some of the international records priced as high as $210 per card.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure,” Gemini concluded.

Representatives from MasterCard did not respond to requests for comment. Visa declined to comment for this story, but pointed to a series of alerts it issued in November and December 2019 about cybercrime groups increasingly targeting fuel dispenser merchants.

A number of recent high-profile nationwide card breaches at main street merchants have been linked to large numbers of cards for sale at Joker’s Stash, including breaches at supermarket chain Hy-Vee, restaurant chains Sonic, Buca di Beppo, Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s, retailers like Bebe Stores, and hospitality brands such as Hilton Hotels.

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.

The United States is the last of the G20 nations to make the shift to more secure chip-based cards, which are far more expensive and difficult for criminals to counterfeit. Unfortunately, many merchants have not yet shifted to using chip-based card readers and still swipe their customers’ cards.

According to stats released in November by Visa, more than 3.7 million merchant locations are now accepting chip cards. Visa says for merchants who have completed the chip upgrade, counterfeit fraud dollars dropped 81 percent in June 2019 compared to September 2015. This may help explain why card thieves increasingly are shifting their attention to compromising e-commerce merchants, a trend seen in virtually every country that has already made the switch to chip-based cards.

Many filling stations are upgrading their pumps to include more cyber and physical security — such as end-to-end encryption of card data, custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use and in some cases mandated by other G20 nations.

But these upgrades are disruptive and expensive, and many fuel station owners are putting them off until it is absolutely necessary. Prior to late 2016, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip.

Yet in December 2016, Visa — by far the largest credit card network in the United States — delayed the requirements, saying fuel station owners would be given until October 1, 2020 to meet the liability shift deadline.

Either way, Wawa could be facing steep fines for failing to protect customer card data traversing its internal payment card networks. In addition, at least one class action lawsuit has already been filed against the company.

Finally, it’s important to note that even if all 30 million of the cards that Joker’s Stash is selling as part of this batch do in fact map back to Wawa locations, it’s highly unlikely that more than a small percentage of these cards will actually be purchased and used by fraudsters. In the 2013 megabreach at Target Corp., for example, fraudsters stole roughly 40 million cards but only ended up selling between one to three million of those cards.