Inside Illegal Underground Hacking Markets

Researchers at Dell SecureWorks released an update to 2013 research on black hat markets, noticing a number of noteworthy trends beyond the theft of personal credentials such as passports, driver’s licenses, working Social Security numbers and even utility bills as a second form of authentication.

Criminal gangs are also marketing their services, differentiating themselves based on respective service levels and guarantees on stolen data.

“It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” the report said.

That doesn’t mean criminals operating online have abandoned the long-profitable stolen credit card as a revenue stream. Premium cards, including fullz, have gone up in price on average of $5 from 2013, selling at about $30; fullz is hacker slang for a full collection of stolen credentials, including name, address, phone number, email addresses, dates of birth, Social Security numbers, bank account numbers, credit card numbers and banking credentials.

While the price of individual credit card numbers remained flat or dropped from last year, the price for fullz on U.S. victims is up to $30, while U.K., Australian, Canadian, EU and Asian fullz go for as much as $45 per record.

Premium Master Card and Visa cards that work worldwide and include Track 1 and 2 data are selling for $35 and $23 respectively, Dell SecureWorks said. Premium cards are classified Black, Platinum, Gold and others by credit card companies. Dell researchers said the number of data breaches has made cards plentiful on the underground, yet prices have not deflated, in particular for non-U.S. cards. One underground site, Dell SecureWorks said, claimed to possess 14 million U.S. cards, 294,000 from Brazil and 342,000 from around the world.

While online fraud remains a constant, the inclusion of identity kits, Dell SecureWorks said, is being used for in-person scams, including loan applications, check fraud and more. A new identity, which includes a scan of a working Social Security card, name and address, nets $250 underground; the valid utility bill will cost you an extra $100, Dell SecureWorks said. A counterfeit non-US passport, meanwhile, can fetch as much as $500.

Training tutorials, on the other hand, run the gamut from basic instruction on selling stolen credit cards to others on running exploit kits, spam, phishing and DDoS campaigns.

“These tutorials not only explain what a Crypter, Remote Access Trojan (RAT) and exploit kit is but also how they are used, which are the most popular, and what hackers should pay for these hacker tools,” the report said.

Many of these services also come with “satisfaction guarantees,” Shear and Stewart said. Carders are in some cases offering 100 percent guarantees that stolen cards are still valid and have not been canceled. “All dead ones will be replaced,” the report quotes one site as saying.

Malware continues to sell well in the underground, Dell SecureWorks said. Remote access Trojans are selling for less than last year, however, ranging from $20 to $50 for notorious RATs such as DarkComet, down considerably from as high as $250 a year ago. A number of free RATs have flooded the market, Dell SecureWorks said, deflating prices.

“Hackers are looking for a RAT that is easily available for purchase or to use for free and which they can run through a Crypter (a program which encrypts malware, making it FUD or fully undetectable to Anti-Virus and Anti-Malware programs),” the report said.

As for exploit kits, Nuclear and Sweet Orange seem to fetch the best prices with Sweet Orange going for $450 for a weekly lease to as high as $1,800 for a month.

See more at: Threatpost


Phishing scam that penetrated Wall Street

Advanced tactics raise the bar on spearphishing attacks, making them harder to spot.

A malicious dialog that tricks high-profile targets into giving their Outlook credentials to attackers. (Image: FireEye)

Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.

FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will inject a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success.

E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns. Witness the following:

Subject: employee making negative comments about you and the company

From: [name]@[compromised company’s domain]

I noticed that a user named FinanceBull82 (claiming to be an employee) in an investment discussion forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions. I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropriate channels before making his post. The link to the post is located here (it is the second one in the thread):

http://forum./redirect.php?url=http://%2fforum%2fequities%2f375823902%2farticle.php

Could you please talk to him?

Thank you for the assistance,
[name]

FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known.

“Our visibility into FIN4’s activities is limited to their network operations,” FireEye researchers Barry Vengerik, Kristen Dennesen, Jordan Berry, and Jonathan Wrolstad wrote. “We can only surmise how they may be using and potentially benefiting from the valuable information they are able to obtain. However one fact remains clear: access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage.”

Embedded in the previously stolen documents are Visual Basic for Applications (VBA) macros that prompt readers to enter their Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients. The attackers used a compromised account belonging to the advisory firm to compromise the company, which FireEye identified only as Public Company A.

“After news of the possible acquisition was made public, Public Company A’s stock price varied significantly,” Monday’s report stated. “It is likely the FIN4 used the inside information they had to capitalize on these stock fluctuations.”


Many phishing campaigns are relatively easy to spot because the e-mail lures contain grammatical errors or embed malicious files that are readily detected by most antivirus software. The FIN4 operations, by contrast, are notable for their organization, persistence, and familiarity with the organizations being targeted. In many respects, the operation resembles those of so-called advanced persistent threats (APTs), in which government-allied hackers case the networks of corporations, government agencies, and non-governmental organizations. Cyber criminals’ embrace of APT tactics and techniques in financially motivated online criminal activity is one of the trends researchers from fellow security firm Kaspersky Lab expect to see increase in the coming year.

The FIN4 campaigns were ongoing at the time Monday’s report was being written. FireEye recommends firms protect themselves by disabling the execution of VBA scripts unless there is a strong need for them. FireEye also recommends administrators monitor their networks for computers that connect to TOR servers, since that’s another way attackers attempt to cover their tracks. Additionally, admins can check to see if employees have connected to any one of nine Internet domains known to be used to funnel insider information. Of course, the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics.


Phishing mails and websites could blank out your bank account

Fake wire transfer request e-mails are now seen as a growing trend

Symantec has recently seen a spam campaign involving fake wire transfer request e-mails which is now seen as a growing trend. The purpose of this type of email is very simple—to get the recipient to process a payment for non-existent goods or services by way of a wire or credit transfer. The scammers send an email to a target recipient usually pretending to be from the CEO or a senior executive of an organization. The scammers will usually send the fake wire transfer emails to employees working in the finance department of a company, as those employees will have the ability to action payment requests.

Another tactic the scammers use is registering domains very similar to the target domain. For example, if a scammer was targeting a user at exampledomain.com they might register the domain exampledoma1n.com or exaampledomain.com. So for example, you might receive an email sent to you at yourname@exampledomain.com from CEO@exaampledomain.com. The reason for this is that when a recipient replies to the email the scammer is hoping they might not notice the slight difference in the domain and think it’s from a trusted sender.

During our analysis, we noticed that the scammers are sending the emails out on the same day that they are registering the domains. This is likely in the hope that they can extract payment before the domain is reported and suspended.

Figure 1. Fake payment request supposedly from a senior executive

Many of the fake wire transfer emails contain a PDF document (see Figure 1) which contains the credit transfer instructions.

Figure 2. PDF document containing credit transfer instructions

However, we have also seen examples of these scam emails being sent with no attachments and just one line of text (see Figure 3). This version of the scam requires the email recipient to reply to the message; the scammers will then forward on the payment details.

Figure 3. Fake payment request

We have also seen variants where the scammers spoof the “From” address to make it look as though the email is coming from a company executive, even though the true sender’s address is different. The “Reply-To” address, usually a webmail address, can be seen when the user clicks reply.

Figure 4. Email header with spoofed ‘From’ address and webmail ‘Reply-To’ address
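The two tells described above, a spoofed “From” paired with a webmail “Reply-To” and a near-miss sender domain such as exampledoma1n.com or exaampledomain.com, can be checked mechanically on the headers. The following Python script is an added example, not part of the Symantec write-up; the trusted domain, the three sample messages and the edit-distance threshold are constructed assumptions.

```python
"""Defender-side header checks for the two BEC tells described above.

Added example, not from the original write-up.  The sample messages, the
trusted domain and the edit-distance threshold are all constructed here.
"""
import email
from email import policy
from email.utils import parseaddr

# Digits that scammers commonly swap for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold common visual substitutions so 'exampledoma1n' ~ 'exampledomain'."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain, trusted, max_distance=2):
    """True when domain is close to, but not the same as, the trusted domain."""
    if not domain or domain == trusted:
        return False
    if normalize(domain) == normalize(trusted):
        return True
    return levenshtein(domain, trusted) <= max_distance


def analyse(raw_message, trusted_domain):
    """Return a list of findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    # Spoofed From with a webmail Reply-To: replies go somewhere else entirely.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # A registered near-miss of the real domain used as the actual sender.
    if is_lookalike(from_dom, trusted_domain):
        findings.append("lookalike-sender")
    if reply_dom and is_lookalike(reply_dom, trusted_domain):
        findings.append("lookalike-reply-to")
    return findings


# Constructed sample messages (not real headers).
SPOOFED_FROM = """\
From: "CEO" <ceo@exampledomain.com>
Reply-To: ceo.exampledomain@webmail.example
To: payments@exampledomain.com
Subject: Urgent wire transfer

Please process the payment today and confirm by reply.
"""

LOOKALIKE_SENDER = """\
From: CEO <ceo@exaampledomain.com>
To: payments@exampledomain.com
Subject: Re: invoice

Are you in the office? I need a transfer done quietly.
"""

LEGITIMATE = """\
From: CEO <ceo@exampledomain.com>
To: payments@exampledomain.com
Subject: Q3 budget

Attached is the approved budget.
"""

if __name__ == "__main__":
    samples = [("spoofed", SPOOFED_FROM), ("lookalike", LOOKALIKE_SENDER), ("legit", LEGITIMATE)]
    for name, raw in samples:
        print(name, analyse(raw, "exampledomain.com"))
```

A hit on either finding is a reason to apply the checks in the text (confirm with the sender via the corporate address book) before any payment is processed.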

If you receive a wire transfer request that seems out of the ordinary, always check that the sender is who they say they are. Ask yourself: is it normal procedure for your CEO to decide that you’re the best (or only) person to help in that situation?

Check the email headers to see where the email has originated from.

If you receive an email with a thread that you’ve supposedly been sent before, check with the person who has supposedly sent the email. Reply to the sender but obtain their email address using your company’s address book in your email client.

If you have any suspicions about an email requesting a wire transfer, investigate it further before proceeding with the request.

Source: Deccan Chronicle.


Business Email Users Fail to Identify Phishing Scams

Via SpamFighter:

Security firm McAfee has warned that four-fifths of business email users are not able to identify phishing scams making the enterprise vulnerable to cyber crime.

According to the McAfee Labs Threats Report: August 2014, 79% of business users who took the McAfee Phishing Quiz failed to detect at least one scam containing malicious links or malware out of the seven emails shown to them.

More alarmingly, the test seems to reveal that people in the Finance and HR departments of organizations, who hold some of the most sensitive corporate data, are the worst at identifying such scams.

It can be disastrous for a business when an employee clicks a link in a phishing email, as it enables attackers to install malware or redirect users to compromised websites, exposing the corporate network to attackers.

McAfee researchers observed that spoofed email addresses fooled respondents most effectively, and explained in the report that a UPS (United Parcel Service) phishing email using this tactic coupled with branding elements was highly successful.

Infosecurity-magazine.com published a statement during the first week of September 2014 quoting Raj Samani, EMEA CTO of McAfee, as saying: “Our latest report highlights that phishing continues to pose significant security risks for consumers and businesses. Moreover, it is a matter of worry that due to lack of knowledge in identifying the phishing emails, we receive many such emails daily and it’s no longer enough to react to threats as and when they happen.”

Channelweb.co.uk published a report on 4th September 2014 quoting a comment on the findings of the quiz by Amichai Shulman, Chief Technology Officer of security firm Imperva: “End users should not be blamed for falling for phishing scams because of the old-fashioned approach by McAfee to deal with security threats. It’s one thing to expect an employee to refrain from opening an apparent executable file enclosed in a slurred out-of-context email. It’s absolutely unreasonable to expect a normal person to inspect carefully each and every attached or downloaded file which looks like a PDF, especially if the enclosed message is in context (e.g. an unpaid invoice or an unsolicited CV).”


The New Face of Social Engineering and Fraud

Via PC World:


You’ve probably heard by now that eBay is the latest victim of a massive data breach. The popular online auction site has asked users to reset their passwords as a precautionary measure, but the data that matters most is already compromised, and there is nothing you can do to “reset” it.

Details are still sketchy–sort of standard operating procedure for data breach incidents. What we know is that the breach occurred between February and early March, but was just recently discovered. eBay claims that email addresses, encrypted passwords, names, addresses, telephone numbers, and user’s birth dates were compromised.

Because the passwords were encrypted, there is no immediate risk, but it’s only a matter of time before attackers are able to decrypt them. It definitely makes sense for eBay users to change their passwords. It’s also worth reiterating standard password security practices like making sure you use a strong password, don’t use the same one for multiple sites or services, and change them periodically.

But your eBay password may be the least valuable piece of information from the data that was compromised.

“The fact that user email addresses and physical addresses were taken in the breach is more concerning,” says Dwayne Melancon, CTO of Tripwire. “Criminals could use that information to masquerade as eBay customers on other sites, or perhaps ‘social engineer’ their way to users’ other accounts. Unlike the passwords, the other user-specific information was not encrypted and therefore it can be easily reused by attackers.”

“Many sites can be easily tricked into resetting passwords–requiring a minimum of personal information to do so,” says Paul Lipman, CEO of iSheriff. “The non-encrypted personal data that was stolen from eBay could potentially enable users’ credentials to become compromised on a wide array of other sites through this kind of social engineering technique.”

The attackers can also use information like your phone number, email address, and mailing address for targeted phishing campaigns.

You can’t trust any emails or phone calls you receive. You can’t even trust snail mail. Any communication you receive should be treated with skepticism, and you should contact the company in question yourself to make sure it’s legitimate.

Lipman summed up on a somber note: “Unfortunately, we likely haven’t yet heard the end of this story.”


An Iranian Threat Inside Social Media

Via IsightPartners:


iSIGHT Partners believes Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign.  At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas.

This campaign, working undetected since 2011, targets senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, defense contractors in the U.S. and Israel, as well as others who are vocal supporters of Israel to covertly obtain log-in credentials to the email systems of their victims. Additional victims in the U.K. as well as Saudi Arabia and Iraq were targeted.

The targeting, operational schedule, and infrastructure used in this campaign is consistent with Iranian origins.

HOW DOES IT WORK?

The fake personas claim to work in journalism, government, and defense contracting.  These accounts are elaborate and have created credibility using, among other tactics, a fictitious journalism website, newsonair.org, that plagiarizes news content from other legitimate media outlets.

These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content.

Accounts were then targeted with “spear-phishing” messages.  Links which appeared to be legitimate asked recipients to log-in to false pages, thus capturing credential information. It is not clear at this time how many credentials the attack has captured to date.

Additionally, this campaign is linked to malware. While the malware is not particularly sophisticated it includes capability that can be used for data exfiltration.

WHAT DOES THIS MEAN?

The discovery and investigation of the attack reveals three critical insights:

  1. Social media offers a powerful and covert pathway for targeting key government and industry leadership through a third-party platform potentially outside of existing security measures.
  2. Given targeting associated with this campaign, Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S.  Furthermore, it is possible that any access or knowledge could be used as reconnaissance-for-attack in advance of disruptive or destructive activity.
  3. Adversaries such as these are increasingly adept at finding and exploiting opportunities to carry out cyber espionage, even when lacking sophisticated capability.  NEWSCASTER’s success is largely due to its patience, brazen nature, and innovative use of multiple social media platforms.

WHAT KIND OF DATA WAS TAKEN?

We are unable to say with complete visibility.  However, it is reasonable to assume that a vast amount of social content was compromised in addition to some number of log-in credentials that can be used to access additional systems and information.

As users often maintain the same credentials for multiple sites, it is impossible to determine the scope, scale, and duration of data loss.

WHO SHOULD BE WORRIED ABOUT THIS THREAT?

Given the covert nature of cyber espionage, its impacts are often difficult to forecast or measure; however, in this instance, we expect any access obtained by the NEWSCASTER network will be ultimately exploited for intelligence value.

We infer, from our limited knowledge of NEWSCASTER targeting, that such intelligence could ultimately support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S., especially with regards to sanctions and proliferation issues.

It is also possible that the compromise of such high-ranking and influential people could be used to access the senior levels of as-of-yet unidentified organizations in the U.S., Israel, and elsewhere.  Furthermore, we surmise that access could be leveraged as reconnaissance-for-attack, supporting eventual disruptive or destructive attacks against targeted entities.  Though there is no evidence indicating the NEWSCASTER network was created to support such activity, previous incidents publicly attributed to Iran, such as Operation Ababil and the attacks on Saudi Aramco underscore this possibility.

The NEWSCASTER network appears to be primarily focused on targeting senior military and policymakers, firms associated with defense technology, and the U.S.-Israel lobby; however, we found victims in the financial and energy sectors, as well as elsewhere, and we recognize that we could only see a portion of the accounts connected to this network.  Organizations involved in critical infrastructure, or who have information that may be of strategic or tactical interest to a nation-state adversary, should be concerned about a threat such as this.

WHY DOES ISIGHT PARTNERS THINK THIS ORIGINATES IN IRAN?

Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent.  The operators maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day.  These hours conform to work hours in Tehran.  Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend.  Other clues, such as the targets on which the operators have chosen to focus and additional technical indicators, lead us to believe NEWSCASTER originates in Iran.

WHAT IS THE NEWSCASTER NETWORK AFTER?

Without seeing how the information stolen by the NEWSCASTER network is used, it is difficult to make a definitive assessment of their ultimate motivation.  However, the actors have intimated their interest in specific defense technology as well as military and diplomatic information by their targeting.  This type of targeting is inconsistent with cyber-criminal behavior.

It remains possible that the actors could selectively reveal information gained through this campaign to embarrass those who were targeted, or already have, but we have seen no evidence of this at this time.  Ultimately, we believe the sponsors of the activity are seeking information advantage over rival military forces, defense industries, diplomats, and others.

IS THIS TYPE OF ACTIVITY COMMON ON SOCIAL NETWORKS?

We have previously identified cyber espionage campaigns which originate from China using social network accounts to propagate, but never a campaign of such complexity working across so many platforms.  NEWSCASTER is unprecedented in complexity, scale, and longevity.

HOW DID ISIGHT PARTNERS UNCOVER THIS ACTIVITY?

We are protective of sources and methods, but we can confirm that these actors did not go unnoticed by some targeted entities and they left significant evidence of their activity throughout the Internet.  As with many other threats, iSIGHT Partners combined malware analysis, open source research, and research from our global collection network to create our assessment of the NEWSCASTER network.

IS NEWSONAIR.COM ALSO PART OF THE FAKE NEWS RUSE?

Newsonair.COM, a legitimate Indian news operation, is not the same as newsonair.ORG. We have no indication that newsonair.COM was in any way linked to the faux newsonair.ORG site that was part of this campaign.

IS THIS THE GOVERNMENT OF IRAN?

We can’t be certain.  We have no information implicating the ultimate sponsor.  In the past we’ve seen cyber espionage operations carried out by government organizations, corporate intermediaries, and other third parties.

WHAT STEPS CAN AN ENTERPRISE TAKE TO PROTECT ITSELF?

In addition to blocking known NEWSCASTER infrastructure, an enterprise can protect itself by taking steps to mitigate the human elements of the NEWSCASTER threat.  Though the actors took pains to create a complex social engineering capability, they made many mistakes and were detected by potential victims.  Personnel can learn from these mistakes to better recognize similar incidents.

NEWSCASTER was a brazen, complex, multi-year cyber-espionage campaign that used a low-tech approach to avoid traditional security defenses, exploiting social media and people, who are often the “weakest link” in the security chain.  This underscores the importance of cyber threat intelligence that enables enterprises to proactively tune defenses to combat a determined and persistent adversary utilizing constantly evolving tactics.

WHAT DOES THIS MEAN FOR THE GENERAL PUBLIC?

Don’t be worried, but do be vigilant.  As always, do not create trusted connections with unknown organizations and/or individuals.  Never provide login credentials to any site or person who contacts you (rather than you contacting them), use strong passwords, and change them regularly.

HAVE YOU COORDINATED WITH THE FBI ON THIS REPORT?

The intelligence development and analysis was completed independently by iSIGHT Partners.

iSIGHT Partners did coordinate with the FBI to:

  • Brief government agencies and our commercial clients
  • Coordinate on the release of the report
  • Identify the relevance/possible impact of the threat to critical infrastructure entities and agencies
