National Cyber-Forensics & Training Alliance
Scams / Threats


Micro Deposits   (8/13/2008)

In April 2008, NCFTA was alerted to a script attacking an online payment processor and two brokerage firms, executed with the intention of opening numerous accounts in order to collect the “micro deposits”[1] placed into each newly opened account. The fraudster(s) used a script that ran a series of Social Security Numbers (SSNs) through the firms’ account setup process. The first five digits of the SSN remained the same, while the last four digits increased by one with each subsequent account setup attempt. Approximately 25,000 accounts and nearly 70,000 ACH profiles (the destinations to which the firms transferred the micro deposits) were created between the two brokerage firms. Since the initial notification, NCFTA has observed further incidents utilizing similar processes. Based on a sharp increase in reported occurrences of the scheme, it is believed this may be the onset of a growing trend. Through the assistance of industry partners, NCFTA is continuing to analyze this information.
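As an added illustration (not part of the NCFTA article), the following Python detector flags the enumeration pattern described above: signups whose SSNs share the first five digits while the last four increase by exactly one. The signup records are constructed and the run threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed signup log: (account_id, ssn) as an onboarding system might record it.
# The SSNs are synthetic; only their digit pattern matters here.
SIGNUPS = [
    ("A100", "123-45-6789"),
    ("A101", "123-45-6790"),
    ("A102", "123-45-6791"),
    ("A103", "123-45-6792"),
    ("A104", "123-45-6793"),
    ("A105", "987-65-4321"),  # unrelated, legitimate-looking signup
    ("A106", "555-12-0001"),
    ("A107", "555-12-0003"),  # gap of two: not a strict +1 increment
]


def split_ssn(ssn):
    """Return (first five digits, last four digits as int); reject malformed input."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError(f"malformed SSN: {ssn!r}")
    return digits[:5], int(digits[5:])


def _summarise(run):
    return (run[0][0], len(run), [acct for _, acct in run])


def find_sequential_runs(signups, min_run=3):
    """Group signups by SSN prefix and find runs where the last four digits
    increase by exactly one. Returns {prefix: [(start_last4, run_length,
    account_ids), ...]} for runs of at least min_run (assumed threshold)."""
    by_prefix = defaultdict(list)
    for acct, ssn in signups:
        prefix, last4 = split_ssn(ssn)
        by_prefix[prefix].append((last4, acct))
    findings = {}
    for prefix, entries in by_prefix.items():
        entries.sort()
        run = [entries[0]]
        for cur in entries[1:]:
            if cur[0] == run[-1][0] + 1:
                run.append(cur)
                continue
            if len(run) >= min_run:
                findings.setdefault(prefix, []).append(_summarise(run))
            run = [cur]
        if len(run) >= min_run:
            findings.setdefault(prefix, []).append(_summarise(run))
    return findings


if __name__ == "__main__":
    for prefix, runs in find_sequential_runs(SIGNUPS).items():
        for start, length, accts in runs:
            print(f"SSN prefix {prefix}: {length} sequential signups from last-four {start:04d}: {accts}")
```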


Limbo 2 Trojan   (8/13/2008)

Recent information concerning the Limbo 2 trojan suggests that the advertisement of this piece of malware may have been falsified, based on the reputation of the cyber criminal offering it for sale. Deemed a new variant of an older piece of malware, the Limbo 2 trojan was believed to be able to evade all malware filters and had been dubbed the “ultimate trojan.” The virus was purportedly a customizable piece of malware being sold for $1,300 on underground forums. Its authors claimed that if a variant of Limbo 2 was identified by anti-malware programs, the virus would morph into a new, undetectable state. Although this method of hiding is nothing new, the advertised speed of this customization, along with the author’s “guarantee” of invisibility, made this supposed trojan appear very powerful. The description of the malware’s capabilities also noted that it would not only save all data entered into forms using a classic keylogger, but would also inject code into live banking sites. When a victim logged into an account, the trojan was apparently capable of hijacking the connection and adding new fields to the login page in order to collect additional data. Limbo 2 was designed to watch for credit card numbers, e-mail addresses, and other sensitive personal data, as well as to search the victim’s hard drive for any additional personal information. According to the initial advertisement, this trojan was believed to infect a victim’s machine through botnet deployments, contaminated downloads, and web exploits.

Analysis of forum posts has raised uncertainty about the actual existence of this malware. The initial advertisement of the trojan was posted by the administrator of the Netcarding.ru forum, also known as “jerry.” Based on the previous actions and historical characteristics of “jerry,” it is believed this user may have intentionally boasted about the malware for self-promotion, or to preserve his high standing within the forum, thereby gaining industry attention. At this time, neither the malware itself nor the formal report from Prevx, the security company that initially reported the trojan, has been provided as proof of its existence.


BlackBerry Users at Risk   (8/13/2008)

Research In Motion (RIM), the maker of BlackBerry devices, recently published a warning cautioning its customers to disable the functions that read PDF files. A security flaw in BlackBerry Enterprise Server (BES) allows specially crafted PDF attachments to be used in attacks. This vulnerability is particularly important to businesses, which risk having their entire corporate network exposed to compromise. The company warns that, unless the BlackBerry attachment service is disabled, a malicious PDF opened on a device is processed by the BES. “Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a 'high' severity rating. If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer.” Because most businesses connect the BES to their email servers, hackers would have access to all computers and email accounts on the network.


Phantom Merchants   (8/13/2008)

NCFTA was notified by industry partners of the existence of multiple merchant names associated with the same merchant ID number, used for credit card test authorizations by online cyber criminals. These merchants have been referred to as “phantom merchants,” due to the randomization of merchant information (multiple names, cities, and states) for a single merchant ID number. Although the merchant names listed appear to be legitimate businesses, the cities listed often do not match the merchants’ current location, nor do the states listed coincide with the cities. Due to these inconsistencies, it is believed that criminals may have gained access to a merchant account, acquired compromised credit card data, and used a script to perform test authorizations (each charge completed within 7-8 seconds) while randomly changing the merchant information from merchant name, city, and state data tables.
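An added example, not from the NCFTA article: a Python check over a constructed authorization log that flags a merchant ID presenting many name/city/state combinations in rapid succession, with the small amounts typical of test authorizations. The city-to-state reference table and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed authorization log: (timestamp, merchant_id, merchant_name, city, state, amount_usd).
AUTHS = [
    ("2008-04-02 10:00:00", "MID-7781", "Corner Cafe", "Austin", "TX", 1.00),
    ("2008-04-02 10:00:07", "MID-7781", "Lakeside Books", "Miami", "OH", 1.00),
    ("2008-04-02 10:00:15", "MID-7781", "Corner Cafe", "Denver", "FL", 1.00),
    ("2008-04-02 10:00:22", "MID-7781", "Elm Street Hardware", "Boston", "MA", 1.00),
    ("2008-04-02 10:00:30", "MID-7781", "Lakeside Books", "Austin", "CA", 1.00),
    ("2008-04-02 10:05:00", "MID-2210", "Main Street Grocery", "Boston", "MA", 42.17),
    ("2008-04-02 11:30:00", "MID-2210", "Main Street Grocery", "Boston", "MA", 18.05),
]
# Assumed reference of where each city actually is; a real deployment would use a full gazetteer.
CITY_STATE = {"Austin": "TX", "Miami": "FL", "Denver": "CO", "Boston": "MA"}


def phantom_merchants(auths, min_descriptors=3, max_median_gap_s=15.0, max_amount=2.00):
    """Return {merchant_id: summary} for IDs that present several distinct
    name/city/state descriptors with a short median gap between charges.
    Thresholds are assumed tuning values; the 7-8 second cadence and the
    descriptor randomization come from the reported incidents."""
    by_mid = defaultdict(list)
    for ts, mid, name, city, state, amount in auths:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_mid[mid].append((when, name, city, state, amount))
    findings = {}
    for mid, rows in by_mid.items():
        rows.sort()
        descriptors = {(name, city, state) for _, name, city, state, _ in rows}
        # A city listed with a state it is not in is one of the reported inconsistencies.
        mismatches = sum(1 for _, _, city, state, _ in rows if CITY_STATE.get(city, state) != state)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        median_gap = median(gaps) if gaps else None
        if len(descriptors) < min_descriptors or median_gap is None or median_gap > max_median_gap_s:
            continue
        findings[mid] = {
            "descriptors": len(descriptors),
            "median_gap_s": median_gap,
            "city_state_mismatches": mismatches,
            "all_test_amounts": all(amount <= max_amount for *_, amount in rows),
        }
    return findings


if __name__ == "__main__":
    for mid, summary in phantom_merchants(AUTHS).items():
        print(f"{mid}: {summary}")
```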


UPS Spam Trojan   (8/13/2008)

During the month, NCFTA was alerted by industry partners to the increasing level of spammed e-mail messages containing fraudulent UPS shipping information. The email explains that UPS was unable to deliver a recently sent package, and then instructs the recipient to open an attached invoice named UPS_INVOICE_978172.ZIP. When this zip file is opened, it installs a malicious file known as TSPY_ZBOT.PF onto the victim’s machine. The executable then connects to a remote site where it downloads an encrypted configuration file. This configuration file lists several banking URLs, which an included spyware program is instructed to monitor. When a victim accesses one of the listed websites, the spyware program is instructed to capture all data which is entered, including login credentials. All gathered information is bundled into a file and sent back to the remote site.


The Coreflood Trojan   (8/13/2008)

During the month, NCFTA and its industry partners witnessed a transformation of the Coreflood trojan. Over the past six years, the virus has mainly been used as a means for denial-of-service attacks; however, the trojan has recently morphed into a password/account-stealing piece of malware. Authors have managed to compromise hundreds of thousands of PCs, including corporate networks in the hotel industry, academic world, financial sector, healthcare field, legal realm, and government agencies. These criminals have caused their damage by scamming individuals into downloading malicious software onto their computers and then waiting for system administrators to log on. Using a Microsoft administration tool, the malware is then distributed to all machines connected to the network. The Coreflood hackers have had success because of a program called PsExec, which allows network administrators to execute legitimate commands across their network. Security researchers have estimated that the Coreflood trojan has amassed approximately a 50GB database of banking and brokerage accounts.


Silentbanker Trojan Strikes Again   (8/13/2008)

NCFTA was alerted by cyber analysts to a new strain of the Silentbanker trojan. As the alias suggests, the trojan has a reputation for targeting online banking from systems running assorted versions of Windows. The malicious software collects screenshots of the victim’s login credentials and the keystrokes entered into the username and password fields. Upon successful infection, the virus accesses the compromised accounts and subsequently transfers funds out. The payload includes two files in %SYSTEM%, wuuasirvy.dll (the configuration file) and msacm32.drv (code that is injected into explorer.exe), along with a series of registry key modifications. At least one prominent internet research company believes that the malicious program emanated from the Russian Federation.


Malware Infected Multimedia Files   (8/13/2008)

A trojan that infects and modifies multimedia files was discovered during the month. The malicious program, known as TROJ_MEDPINCH.A, infects popular multimedia formats such as MP3 and WMA by injecting them with malware. When a user attempts to open a compromised file, a pop-up message appears prompting a codec download; however, the codec file is actually another piece of malware. If the infected multimedia file is played again, the pop-up message is not displayed, misleading the user into believing the correct codec was installed. This malware has the ability to infect all multimedia files on the victim’s computer, and can easily spread to other computers through peer-to-peer (P2P) file sharing services. If a user has 1,000 MP3 files shared on a P2P network, the attacker could infect all 1,000, which could then spread to other users through the P2P network. This trojan also has the ability to convert MP3 files to Windows Media Audio (WMA) files in order to force the file to open in Windows Media Player. The malware then injects a script which causes Windows Media Player to redirect to a malicious website.


Malware Plays on Olympic Games   (8/13/2008)

Security researchers have discovered a piece of malware targeting a Microsoft Word 2002 zero-day vulnerability. The weakness exists in Microsoft Word 2002 Service Pack 3 and, if exploited, may allow a remote attacker to gain complete control over a system. The malicious file being used to exploit this vulnerability is known as TROJ_MDROPPER.ZT, a file hidden within a .DOC file. Attackers are playing on the popularity of the 2008 Olympic Games in order to spread the malicious software. The .DOC file, which can arrive on a system as an email attachment or from an infected website, is disguised as one of the following file names:

• attachment.doc
• appeal_letter_of_fttj.doc
• attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijing.doc
• lingotto_con_fiat.doc
• tibetan_independence_vs_beijing_olympic.doc

Once the infected .DOC file is opened, TROJ_MDROPPER.ZT executes shellcode that drops several malicious files into the victim’s System folder, thus allowing the attacker to gain control of the victimized computer.


Turkish Botnet Infects Cartoon Fans   (8/13/2008)

Fans of the popular television show The Simpsons have been targeted by operators of the Turkish botnet known as Kimya. In a 2003 episode, Homer Simpson establishes the email address chunkylover53@aol.com, which was subsequently used by the show’s writers to answer fan emails. The AOL screen name chunkylover53, which is associated with the email address, has now resurfaced and has been disseminating malware which masquerades as a Simpsons movie file. Malware researchers have determined that this screen name auto-replies to messages left by fans who have added the profile as a buddy on their contact list. The instant messages allegedly contain links to an exclusive episode; however, the link actually leads to an executable file which launches a trojan. When the virus is downloaded, it presents victims with several error messages and then a blank screen. Upon restarting the infected machine, users will notice the PC runs extremely slowly and is highly susceptible to crashing. The malware package includes a rootkit and remote-control software which enrolls the computer in the Kimya botnet. Because the trojan is only being spread via the screen name, it is believed that botnet operators have registered the profile as an instant messenger account. Cyber analysts warn that this botnet is capable of launching a much larger malware attack in the future.


Manually Operated Exploit or Bigger, Badder Danmec?   (8/13/2008)

Recent pronouncements by leading security researchers indicate that a Danmec-like piece of malware has been observed in the wild. The SQL injection attack tool targets both ASP pages and pages running on ColdFusion application servers. Researchers observed that the malware contains a unique reconnaissance feature: the malicious program issues a WAITFOR DELAY command in SQL, designed to check whether a potential target script is vulnerable to SQL injection. If the probe triggers an immediate response, the script is not vulnerable and no SQL injection is attempted. If it discovers a vulnerability, the malware delays executing the SQL injection for an arbitrary amount of time. One benefit of this form of compromise is that the attacker can condense time spent on attacks by targeting only websites with confirmed SQL vulnerabilities. Another benefit is that attacking sites with known vulnerabilities leaves a lighter footprint across the Web; therefore, it is less likely to garner the attention of cyber analysts and anti-virus vendors. Many researchers believe that the malware may not be Danmec at all, but a manually operated exploit with Danmec-like qualities associated with a Chinese hacker group.
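An added defender-side example (not from the original article): a Python scan over constructed web server log lines that spots the WAITFOR DELAY reconnaissance probe in decoded query strings and, using the logged response time, notes which requests the database appears to have honoured. The log format and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed log lines in an assumed format: '<timestamp> <method> <url> <status> <duration_ms>'.
LOG_LINES = [
    "2008-07-14T03:12:01Z GET /catalog.asp?id=17 200 41",
    "2008-07-14T03:12:09Z GET /catalog.asp?id=17%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 200 5036",
    "2008-07-14T03:12:20Z GET /news.cfm?story=4%27%3Bwaitfor%20delay%20%270:0:5%27-- 500 12",
    "2008-07-14T03:13:02Z POST /login.asp 302 88",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# The probe the article describes: a T-SQL WAITFOR DELAY with an 'h:m:s' literal.
WAITFOR_RE = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (timestamp, method, url, status, duration_ms)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, method, url, status, duration = m.groups()
    return ts, method, url, int(status), int(duration)


def find_waitfor_probes(lines):
    """Return one record per request whose decoded query string carries a
    WAITFOR DELAY probe. 'honoured' is True when the observed response time
    covered the requested delay, i.e. the injected statement most likely ran
    and that endpoint deserves immediate attention."""
    findings = []
    for line in lines:
        ts, method, url, status, duration_ms = parse_line(line)
        parts = urlsplit(url)
        decoded = unquote_plus(parts.query)  # undo %XX and '+' encoding before matching
        m = WAITFOR_RE.search(decoded)
        if not m:
            continue
        hours, minutes, seconds = (int(g) for g in m.groups())
        requested_ms = (hours * 3600 + minutes * 60 + seconds) * 1000
        findings.append({
            "ts": ts, "method": method, "path": parts.path, "status": status,
            "requested_ms": requested_ms, "observed_ms": duration_ms,
            "honoured": duration_ms >= requested_ms,
        })
    return findings


if __name__ == "__main__":
    for f in find_waitfor_probes(LOG_LINES):
        print(f"{f['ts']} {f['path']} status={f['status']} delay={f['requested_ms']}ms "
              f"observed={f['observed_ms']}ms honoured={f['honoured']}")
```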


DDoS Attack Targets Georgian President   (8/13/2008)

During the month, NCFTA was alerted to a Distributed Denial of Service (DDoS) attack against the website belonging to Georgian President Mikhail Saakashvili. Georgia, a former Soviet republic, has experienced growing political tensions with Russia. The cyber attack was directed at several government websites but was particularly aimed at the president’s; all affected sites were rendered useless for several days. Cyber researchers have discovered that the attacks were launched from botnets appearing to come from Russia. According to one source, “Among the messages contained in the floods of spurious traffic (HTTP, SYN, ICMP) read ‘win+love+in+Rusia’ indicating a possible political motive for the attack.” Because Georgia is possibly on the brink of acceptance into NATO, and given recent flexing of military muscle, Russia appears as the most likely suspect. This attack is very similar to the DDoS attack which crippled Estonia’s infrastructure over a year ago. Although just one ethnic Russian was arrested for that attack, it was widely believed that Russian authorities could have assisted; similar political and diplomatic circumstances surround these attacks on Georgia.


Russian Dating Scam   (8/13/2008)

Although these scams are not necessarily new or unique to the world of cyber crime, NCFTA and its industry partners witnessed a significant rise in Russian dating scams during the month. The scam originates with spammed emails purportedly from young Russian women who are “without harmful habits” and are seeking male companionship in the U.S. When a potential victim replies to the message, additional photographs and personal information are exchanged with the apparent intent of forming a long-term relationship. The scammer continues the relationship by sending heartfelt and sincere-sounding messages designed to trick the victim into actually falling in love. Once the criminals believe they have adequately fooled the recipient and gained their trust, they begin asking the victim to send money. For example, the cyber thieves may say that they want to come to the U.S. for a visit or that a family member is in desperate need of medical attention. In either case, some individuals are duped into sending money, sometimes repeatedly, without return. Over time, the scammer may accumulate not just large sums of money, but ultimately enough personal information to compromise the victim’s identity. There are many differing versions of this scam; some versions are designed to use the victim as a “mule,” a means of laundering money and goods. In these scams, the victims are asked to cash checks or money orders and then wire the money back to Russia. Ultimately, the checks are fraudulent, and the victims are left as targets for law enforcement agencies and are held financially responsible by the banks.


New Storm Worm Campaign: U.S. Invades Iran   (8/13/2008)

During the month, the latest variant of the Storm Worm botnet began preying on public curiosity surrounding the fragile political relationship between Iran and the United States. The campaign’s emails claim that the U.S. has declared war and invaded the Persian Gulf nation. Other email subject lines describe newly imposed mass atrocities which have resulted in a full-scale military conflict. The social engineering method at work is designed to compel curious recipients of the email to open a provided hyperlink to a news-related domain offering videos of the invasion. Users who click on the link do not receive the promised video but instead are infected by a malicious PHP or executable file. It is believed that security researchers have identified the overseas fast-flux servers and fast-flux DNS which are allegedly hosting the campaign.


Exploit Potential of Stumbleupon   (8/13/2008)

Stumbleupon is a social networking tool for people to locate new websites that other users with similar interests have visited. When a person on the Stumbleupon network finds a site of interest, they “stumble” it, or tag it, based on its content. Once a domain has been tagged, it may start to be recommended at random to other users whose interests match the content of the website. With over 5.5 million users, Stumbleupon is capable of driving large amounts of traffic to any site that is “stumbled.” It is not uncommon for a stumbled site to see its visitor count increase by over 8,000 a day. If a stumbled webpage contains a malicious iframe, the number of successful infections could be massive. This creates a scenario where a user becomes the victim of a drive-by attack simply by using Stumbleupon to find new and interesting websites. If a person at work begins using Stumbleupon, it is possible for a keylogger or rootkit to be installed on their machine; the entire organization’s network may then become compromised and confidential information could be revealed. There are many groups capable of using this type of attack to gather confidential information which can be exploited.


   
 


© 2006 National Cyber-Forensics & Training Alliance
All Rights Reserved