Fraud Intelligence Newsletter

November/December 2008

Table of Contents
CheckFree loses control of its domain names; millions affected
Shutdown of McColo hosting creates havoc for botnets
CastleCops shuts down
APWG Global Phishing Survey released
“Sex scandal” themed spam delivers malware that targets banks
ICANN Conference attendees show strong interest in battling e-crime
IC3 offers advice for preventing SQL injection attacks
Mozilla lets anti-phishing feature die in Firefox 2.0


Upcoming Event Schedule

January 29 – 30, Internet Security and Operations Intelligence 6, Dallas, TX.  Internet Identity CTO Rod Rasmussen will be speaking.

February 3, GTISC/ICANN Global DNS Security, Stability, and Resiliency Symposium, Atlanta, GA.

February 8 – 10, Credit Union Information Security Professionals Association CUISPA|2009, San Antonio, TX.  Internet Identity CEO Lars Harvey will be speaking.

February 17 – 19, Messaging Anti-Abuse Working Group (MAAWG) 15th General Meeting, San Francisco, CA.

March 1 – 6, ICANN General Meeting No. 34, Mexico City, Mexico.  Rod Rasmussen will be representing the APWG, and will be leading a half-day session about e-crime issues.

March 24 – 25, E-Crime Congress, London, United Kingdom.

April 20 – 24, RSA Conference, San Francisco, CA.

May 4 – 6, FS-ISAC Member Meeting and Conference, St. Pete Beach, FL.

May 12 – 14, Anti-Phishing Working Group (APWG) Counter e-Crime Operations Summit 2009, Barcelona, Spain.


CheckFree loses control of its domain names; millions affected
On December 2, 2008, several key domain names owned by CheckFree, including checkfree.com and mycheckfree.com, were taken over by an attacker.  The attacker changed the authoritative DNS for those domains so that all web visitors to those domains were directed to a server in the Ukraine that attempted to download a malware program onto those visitors’ computers.  Although CheckFree was able to regain control of its domains within about eight hours, the nature of DNS meant that the malicious server was still having traffic directed to it for up to forty-eight hours after CheckFree regained control of its domains.

While the domains were compromised, and for up to 48 hours after CheckFree regained control of the domains, users of the CheckFree system who wanted to pay their bills were instead directed to the malware delivery server where some of them became infected with the password stealing Trojan software.

The attacker had gained possession of the username and password to CheckFree’s domain management account at Network Solutions.  The perpetrator logged into the account at Network Solutions and changed the configuration so that the domains in that account used the default nameservers provided by Network Solutions (like ns75.worldnic.com).  Using Network Solutions’ toolset, the attacker then configured all the DNS records for those domains so that any and all web requests for any hostnames on those domains would resolve to the attacker’s web server located in the Ukraine.  This DNS change affected e-mail for CheckFree as well, but it appears the attacker did not set up their server to receive e-mail – a bit of good luck for CheckFree.

The impact of this compromise was far reaching due to the network of financial institutions that use the CheckFree system for online bill pay and other functions.  The online bill pay functions for numerous banks and credit unions, as well as utilities and e-commerce sites, were affected by this compromise.  Fortunately, the damage to consumers’ computers was limited because the malware delivery server stopped responding about six hours into the attack.  The large volume of traffic generated by the CheckFree domains may initially have overwhelmed the server and knocked it offline.  Ten hours after the takeover, the web hosting company that administered the server confirmed that they had taken the malicious server offline permanently.

The CheckFree takeover appears related to a series of phishing attacks that occurred six weeks prior.  Those phishing attacks targeted both Network Solutions and eNom, two of the largest domain name registrars.  In those attacks, millions of spam messages were sent out that requested users to log in and update their domain registration information at well-executed copies of the registrar websites.  Dozens of domains registered at those two registrars in unrelated accounts were also taken over at the same time as the CheckFree domains and pointed at the same malware server in the Ukraine.  Based on this evidence, it appears the attacker was attempting to divert general website traffic to the malware download site, and had not planned to create a major compromise within the website infrastructure of a large portion of the U.S. financial services industry!

The takeover of the CheckFree domains took advantage of weak security for control of mission critical domain names.  In that way, the incident is similar to the takeover of the Comcast.net domain in May 2008. (See our earlier article http://www.internetidentity.com/2008/June-2008.html). All financial institutions and online enterprises need to take risk-appropriate measures to protect the access credentials for their domain names or they could easily face the same situation.
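An added example, not part of the newsletter and not CheckFree’s or Network Solutions’ tooling: a small Python monitor that compares a domain’s observed nameserver set against a change-controlled baseline (the record set an attacker holding registrar credentials alters) and bounds how long resolvers can keep serving a rogue delegation after it is corrected. The baseline, nameserver hostnames, TTL values and the `NsObservation` type are constructed for this example; the 172800-second delegation TTL is an assumption chosen to show how a two-day TTL produces the kind of 48-hour tail the article describes.

```python
"""Detect a registrar-level nameserver change and bound the stale-cache window.

Added example (not from the newsletter, CheckFree or Network Solutions).
Assumes a baseline of expected NS hosts kept per domain and an observation
(for instance from a scheduled lookup) of the current NS records plus the
TTL served with them. All hostnames and TTLs below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NsObservation:
    domain: str
    nameservers: frozenset   # NS hostnames as returned by the lookup
    ttl_seconds: int         # TTL served with the NS RRset


def normalize(name: str) -> str:
    """Strip the trailing dot and case so lookups compare to the baseline."""
    return name.rstrip(".").lower()


def check_nameservers(baseline: dict, observed: NsObservation) -> dict:
    """Compare the observed NS set against the expected set for this domain.

    Any NS host outside the baseline is treated as a hijack indicator: a
    registrar-account takeover changes exactly this record set. Losing a
    host without gaining one is only reduced redundancy.
    """
    expected = frozenset(normalize(n) for n in baseline[observed.domain])
    seen = frozenset(normalize(n) for n in observed.nameservers)
    added = sorted(seen - expected)
    removed = sorted(expected - seen)
    if not added and not removed:
        severity = "ok"
    elif added:
        severity = "critical"   # delegation now names hosts we never authorised
    else:
        severity = "warning"
    return {"domain": observed.domain, "added": added,
            "removed": removed, "severity": severity}


def stale_window_hours(delegation_ttl: int, record_ttl: int) -> float:
    """Worst-case hours a resolver may keep returning rogue answers after the
    registrar record is restored: a resolver that cached the bad delegation
    just before the fix keeps asking the rogue nameservers for one NS TTL, and
    an A record fetched from them at the end of that period lives on for its
    own TTL.
    """
    return (delegation_ttl + record_ttl) / 3600


# Constructed sample data: baseline from change control, observation from a poll.
BASELINE = {"example-bank.test": ["ns1.example-bank.test", "ns2.example-bank.test"]}
HIJACKED = NsObservation("example-bank.test",
                         frozenset({"ns75.worldnic.test", "ns76.worldnic.test"}),
                         172800)   # assumed two-day delegation TTL

if __name__ == "__main__":
    print(check_nameservers(BASELINE, HIJACKED))
    print(f"stale window up to {stale_window_hours(HIJACKED.ttl_seconds, 3600):.0f} h")
```

In practice the observation would come from a scheduled lookup against the parent zone (the .com servers for a .com domain), since that is where a registrar change lands first; the comparison itself does not care which resolver library produced the list.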


Shutdown of McColo hosting creates havoc for botnets
McColo, a U.S.-based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally, was effectively shut down on November 11 when its upstream providers ceased to provide service.  McColo apparently hosted the command and control servers for several of the major botnets that send billions of spam messages, including phishing e-mails, daily.  In the two weeks after McColo was shut down, major spam tracking services IronPort and SpamCop reported that spam volume remained at less than 50% of its previous volume.  Credit card fraud volume also dropped significantly at several Internet retailers immediately following the shutdown of McColo.  The criminals apparently used the botnets controlled via McColo to mask the origin of their fraudulent transactions.

Many botnets are architected so that the worker bots must communicate with a command and control server at a specific set of IP addresses in order to get their work orders.  With McColo’s IP address space offline, the worker bots could not get new work orders and therefore became dormant.  Unfortunately, it took only a few weeks before most of the botnets were able to reconfigure to operate their command and control servers at new ISPs – mainly outside of the US.
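An added example, not from the newsletter: because the worker bots described above keep retrying the hard-coded command-and-control addresses after the hosting provider goes dark, the repeated failed outbound connections are themselves a detection signal. The Python below runs that check over a few constructed firewall log lines. The address range and the log format are placeholders (TEST-NET ranges), not McColo’s real address space or any particular firewall’s syntax.

```python
"""Flag internal hosts repeatedly trying to reach a dormant C2 address range.

Added example, not from the newsletter. The netblock and the log lines are
constructed placeholders; substitute the ranges published for a real takedown
and your own firewall export.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder for the address space a takedown left unreachable.
DEAD_C2_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3

# Constructed firewall lines: timestamp src dst dport action
SAMPLE_LOG = """\
2008-11-12T10:00:01 10.1.4.22 203.0.113.45 80 DROP
2008-11-12T10:05:02 10.1.4.22 203.0.113.45 80 DROP
2008-11-12T10:10:03 10.1.4.22 203.0.113.45 80 DROP
2008-11-12T10:00:07 10.1.7.9 198.51.100.7 443 ALLOW
2008-11-12T10:01:10 10.1.9.3 203.0.113.200 8080 DROP
2008-11-12T10:02:11 10.1.9.3 203.0.113.200 8080 DROP
"""


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def in_dead_range(addr) -> bool:
    return any(addr in net for net in DEAD_C2_RANGES)


def find_beaconing_hosts(log_text: str, min_attempts: int = 2) -> dict:
    """Return {src: attempts} for hosts that tried the dead ranges at least
    min_attempts times. Repetition is what separates a retrying bot from a
    single stray connection, so the threshold is the main tuning knob.
    """
    attempts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, _, _ = parse_line(line)
        if in_dead_range(dst):
            attempts[str(src)] += 1
    return {src: n for src, n in attempts.items() if n >= min_attempts}


if __name__ == "__main__":
    for host, n in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} attempts to dead C2 space; isolate and image")
```

The same loop works on a full day of logs; raise `min_attempts` and add a time window if ordinary scanners or misconfigured hosts produce false positives on the chosen ranges.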

CastleCops shuts down
The all-volunteer security organization CastleCops shut down its operations in late December 2008.  CastleCops was best known for its Phishing Incident Response Team (PIRT) that took on the task of notifying ISPs about phishing sites hosted on their networks.

CastleCops’ founder Paul Laudanski told DarkReading, "I believe CastleCops' impact was a great and effective one against online fraud, malware, and spam.  CastleCops far surpassed anything I imagined for it, and to that end I, and in fact the community as a whole, are blessed." 

Laudanski joined Microsoft full-time in June 2008 and had been searching for someone to take over CastleCops.  The demise of CastleCops is a stark reminder that security is not free, and the “good guys” have to eat too.

APWG Global Phishing Survey released
The APWG released its Global Phishing Survey that analyzed the use of domains in the phishing activity that occurred in the first half of 2008.  The major findings of the study include the following points (as excerpted from the study):

“1. Phishers continue to target specific Top-Level Domains (TLDs) and specific domain name registrars, and shift their preferences over time. Metrics that measure the pervasiveness of phishing in TLDs provide a valuable way to identify exploitation by phishers who register domain names.

2. Anti-phishing programs implemented by domain name registries can have a noticeable effect on the up-times (durations) of phishing attacks. We see some direct correlation between the efforts of several large gTLD and ccTLD operators and the amount of time that phishing sites remained live within their TLDs.

3. Phishers are engaged in the large-scale use of subdomain services to host and manage their phishing sites. Such attacks even account for the majority of attacks in certain large TLDs.”

The study, which is available for download at http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf, was co-authored by Internet Identity CTO Rod Rasmussen and Greg Aaron of Afilias.

"Sex scandal" themed spam delivers malware that targets banks
Researchers at the University of Alabama-Birmingham discovered that the purpose of several spam attacks perpetrated in October and early November was to infect personal computers with malware designed to steal banking credentials.  The spam used subject lines unrelated to banking, such as “New anjelina jolie sex scandal” and “You have received an eCard”.  The sophisticated malware delivered by the spam not only logged the user’s keystrokes when certain banking sites were visited, but also would inject additional information request fields into the legitimate pages downloaded from those banking sites.  The team identified 32 different bank login pages that were targeted by the malware.  For more details about the research, please refer to http://garwarner.blogspot.com/2008/11/enlisting-your-bank-to-steal-your.html.

ICANN Conference attendees show strong interest in battling e-crime
An impromptu panel discussion on e-crime drew approximately 10% of the attendees at the ICANN General Meeting held in Cairo, Egypt during the week of November 3.  The panel provided an overview of the current state of e-crime and focused on how domain names are being abused by the e-criminals.  Panelists included representatives from the APWG, FBI, ICANN’s Safety and Stability committee, Afilias, and HSBC.  Due to the strong, positive response to this panel discussion, ICANN is expected to include a major session focusing on e-crime at its next General Meeting in Mexico City in March 2009.  ICANN meetings are open to the public and there is no fee to attend.

IC3 offers advice for preventing SQL injection attacks
The Internet Crime Complaint Center (IC3) has published a dozen specific defensive tactics that financial institutions and others can implement to harden their Microsoft SQL servers against the prevalent forms of SQL injection attacks.  According to the IC3, criminals use SQL injection attacks to identify and gain access to card data and systems involved in processing card transactions.  The top three tactics recommended by the IC3 are as follows:
1. Disable potentially harmful SQL stored procedure calls.
2. Deny extended URLs.
3. Implement specific approaches to secure dynamic web site content by applying best practices for secure coding.
The IC3 document containing the full set of recommendations with explanations and examples may be found at http://www.ic3.gov/media/2008/081215.aspx.
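An added example illustrating the third recommendation (secure coding for dynamic content); it is not taken from the IC3 document or the newsletter. The IC3 advice concerns Microsoft SQL Server, but the defect and its fix are the same on any driver, so the code below uses Python’s built-in `sqlite3` to run offline: one lookup splices user input into the statement text, the other passes it as a bound parameter, and a third adds input validation in front of the parameterized query. The table, rows and probe string are constructed sample data.

```python
"""Dynamic SQL built from user input beside its parameterized fix.

Added example, not from the IC3 document or the newsletter. Uses sqlite3 so it
runs without a server; the same pattern applies to any database driver.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for card-holder data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO cards (customer, last4) VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "5678"), ("carol", "9012")])
    return conn


def lookup_vulnerable(conn, customer: str):
    # Untrusted text becomes part of the statement, so it can change the
    # query's structure rather than just supply a value.
    sql = f"SELECT customer, last4 FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer: str):
    # The driver sends the value separately from the statement text; whatever
    # the input contains, it is only ever compared as data.
    sql = "SELECT customer, last4 FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def lookup_validated(conn, customer: str):
    # Defence in depth: reject input that does not match the identifier's
    # expected shape before it reaches the database at all.
    if not customer.isalnum() or len(customer) > 32:
        raise ValueError("customer id must be 1-32 alphanumeric characters")
    return lookup_parameterized(conn, customer)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input a web form might submit
    print(lookup_vulnerable(db, probe))      # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, probe))   # []: no customer has that literal name
    print(lookup_parameterized(db, "bob"))   # [('bob', '5678')]
```

The validated variant is what the IC3’s “best practices for secure coding” point amounts to in practice: parameterize every statement, and still constrain each input to the form the application actually expects, so that a later change to the query cannot silently reintroduce the defect.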

The IC3 was established as a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center to serve as a means to receive Internet related criminal complaints and to further research, develop, and refer the criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies for any investigation they deem to be appropriate.

Mozilla lets anti-phishing feature die in Firefox 2.0
Firefox 2.0, which was replaced by Firefox 3.0 in June and is now at the end of its support lifespan, ceased to provide anti-phishing protection with the release of its updated version 2.0.0.19 on December 16, 2008.  All Firefox users are strongly encouraged to upgrade to Firefox 3.0, which continues to offer both anti-phishing and anti-malware protection.  The anti-phishing feature warns users when they attempt to reach a site suspected of hosting identity theft scams.  The list of blocked sites is generated by Google.  Google has recently updated the protocol used to communicate the list of blocked sites and is no longer supporting the earlier version.  Mozilla has updated Firefox 3.0 to use the new protocol, but chose not to update Firefox 2.0 since it is at the end of its support lifespan.


2010 Event Schedule

Jan 31 – Feb 3, BlackHat DC 2010 Briefings and Training, Arlington, VA

Feb 8 – 10, Credit Union Information Security Professionals Association (CUISPA) Annual Summit, Austin, TX.

Feb 15 – 18, Messaging Anti-Abuse Working Group (MAAWG) 18th General Meeting, San Francisco, CA.

March 1 – 5, RSA Conference, San Francisco, CA.

March 7 – 12, ICANN General Meeting No. 37, Nairobi, Kenya.  Rod Rasmussen will be attending as liaison for the APWG.

March 16 – 17, e-Crime Congress, London, UK.

April 12 – 14, Educause Security Professional Conference, Atlanta, GA

May 3 – 5, FS-ISAC, FSTC, BITS Annual Summit, St. Pete Beach, FL.

May 11 – 13, Anti-Phishing Working Group (APWG) Counter e-Crime Operations Summit 2010, São Paulo, Brazil.
