Fraud Intelligence Newsletter

January-March 2009

Table of Contents

APWG Releases Advisory on Abuse of Subdomains
SRI undresses Conficker
"The Analyzer" hacks banks for $10 million
Malware-based spying network discovered
U.S. convicts first foreigner of phishing
60 Minutes: The Internet is infected
 


Upcoming Event Schedule

April 20 – 24, RSA Conference, San Francisco, CA.

May 4 – 6, FS-ISAC Member Meeting and Conference, St. Pete Beach, FL.  Lars Harvey will be speaking about the implications of the CheckFree domain takeover attack.

May 12 – 14, Anti-Phishing Working Group (APWG) Counter e-Crime Operations Summit 2009, Barcelona, Spain.

June 9 - 11, Messaging Anti-Abuse Working Group (MAAWG) 16th General Meeting, Amsterdam, The Netherlands.

June 21 – 26, ICANN General Meeting No. 35, Sydney, Australia.  Rod Rasmussen will be attending as liaison for the APWG.

June 28 – July 3, Forum of Incident Response and Security Teams (FIRST) Annual Conference, Kyoto, Japan.

July 25 – 30, BlackHat USA 2009 Briefings and Training, Las Vegas, NV.

October 19 – 21, Anti-Phishing Working Group (APWG) General Members Meeting and eCrime Researchers Summit, Tacoma, WA.  This meeting is in our home city.  Internet Identity will be coordinating many activities.

October 25 - 30, ICANN General Meeting No. 36, Seoul, South Korea.  Rod Rasmussen will be attending as liaison for the APWG.

October 27 - 29, Messaging Anti-Abuse Working Group (MAAWG) 17th General Meeting, Philadelphia, PA.


APWG Releases Advisory on Troubling Abuse of Subdomains for Phishing Attacks
The APWG released a new industry advisory that examines the abuse of subdomain registries by criminals engaged in phishing attacks. Over 10% of all phishing sites, representing tens of thousands of scams worldwide, originate on subdomains available for registration at subdomain registry services, the advisory reports.

Subdomain registries are easy to exploit: accounts are free or nearly free, effectively anonymous, set up in minutes, and the services generally have no internal organization, dispute rules, or policing. Criminals combine these throwaway hostnames with dynamic IP addressing, proxies, and bots, and dress the resulting scam sites in bank or credit card logos, while the services and platforms that unknowingly "host" the accounts are left to deal with the fallout. "Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries," investigated and authored by Dave Piscitello (ICANN) and Rod Rasmussen (Internet Identity), is available now at no cost from the APWG at: http://www.antiphishing.org/reports/APWG_Advisory_on_Subdomain_Registries.pdf
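The practical consequence of the advisory for blocklist operators and takedown teams is that the registrable domain of a phishing host on a subdomain registry belongs to the service, not to the phisher: blocking at that level knocks every legitimate customer offline, and the abuse report has to go to the zone operator rather than to a registrar. The following Python is added here as an illustration and is not part of the APWG advisory. It classifies constructed phishing URLs against a tiny stand-in for the Public Suffix List and a hypothetical set of subdomain-registry zones; all hostnames and zone names are invented.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org); a real
# deployment loads the full list. The longest matching suffix wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Hypothetical subdomain-registry zones: services that hand out
# <anything>.<zone> to anyone who asks. Names invented for this example.
SUBDOMAIN_REGISTRIES = {"freezone.example.com", "myhost.example.net"}


def registered_domain(host):
    """Return the registrable domain (one label above the public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def classify(url):
    """Work out what to block and whom to contact for a phishing URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registered_domain(host)
    for zone in SUBDOMAIN_REGISTRIES:
        if host == zone or host.endswith("." + zone):
            # The registrant of `reg` is the service, not the phisher.
            # Blocking `reg` would take every customer offline, so block the
            # exact host and report to the zone operator, not the registrar.
            account = host[: -len(zone) - 1] if host != zone else ""
            return {"host": host, "registered_domain": reg, "block": host,
                    "report_to": "operator of " + zone,
                    "kind": "subdomain registry account " + repr(account)}
    # Ordinary case: the phisher registered the domain, so the whole
    # registrable domain is the unit of blocking and of takedown.
    return {"host": host, "registered_domain": reg, "block": reg,
            "report_to": "registrar/host of " + str(reg),
            "kind": "dedicated phishing domain"}


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts exist.
    for u in ("http://secure-login.freezone.example.com/verify.html",
              "http://www.bank-verify-account.com/login"):
        print(classify(u))
```

The same logic applies in reverse when scoring a feed: a domain-level reputation keyed on `registered_domain` will punish an entire subdomain service for one bad account, so feeds should carry the full hostname for any host that falls under a known registry zone.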

SRI undresses Conficker
Researchers at SRI International have published a complete breakdown of the inner workings of the Conficker malware. Their analysis shows Conficker to be a best-of-breed piece of malware: it uses cutting-edge cryptography, pushes the envelope in abusing the DNS system for "meeting point" style communications (the bots and their controllers each compute the same daily list of rendezvous domains rather than relying on a fixed address), implements a sophisticated peer-to-peer command and control structure, and works very hard to escape detection and prevent its removal. You can find the SRI analysis at http://mtc.sri.com/Conficker/addendumC/
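To make the "meeting point" idea concrete, here is a simplified date-seeded domain generator in Python, written for this newsletter as an illustration. It is not Conficker's actual algorithm, seed, hash or domain count (those are documented in the SRI report). It shows both sides of the technique: a bot derives the candidate hostnames for a date, and a defender who has extracted the same seed from the binary can pre-compute and sinkhole them, or flag resolver queries that match. The seed, the TLD pool and the log line format are all constructed for the example.

```python
import datetime
import hashlib

# Constructed for this example: in a real bot the seed would be recovered by
# reverse-engineering the binary. Not Conficker's seed, algorithm or counts.
SEED = b"example-rendezvous-seed"
TLDS = ("com", "net", "org")   # hypothetical TLD pool


def _as_date(day):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return datetime.date.fromisoformat(day) if isinstance(day, str) else day


def rendezvous_domains(day, count=8, seed=SEED):
    """Derive `count` candidate C&C hostnames for a given date.

    Bot and analyst feed the same seed and date into the same hash, so
    whoever knows the seed can compute tomorrow's list today."""
    day = _as_date(day)
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                     # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def is_rendezvous_query(qname, day, window=1, seed=SEED):
    """True if `qname` is a candidate for `day` or the `window` days around
    it; clock skew between bot and resolver makes an exact-day match too strict."""
    day = _as_date(day)
    name = qname.lower().rstrip(".")
    for delta in range(-window, window + 1):
        candidate_day = day + datetime.timedelta(days=delta)
        if name in rendezvous_domains(candidate_day, seed=seed):
            return True
    return False


def flag_queries(log_lines, day):
    """Return query names from constructed resolver log lines that hit the
    rendezvous list. Constructed line format: '<time> <client-ip> <qname>'."""
    return [line.split()[-1] for line in log_lines
            if is_rendezvous_query(line.split()[-1], day)]


if __name__ == "__main__":
    today = datetime.date(2009, 4, 1)
    todays = rendezvous_domains(today)
    # Constructed sample log: one benign lookup, one rendezvous lookup.
    log = [
        "12:00:01 192.0.2.10 www.example.org",
        f"12:00:02 192.0.2.11 {todays[3]}",
    ]
    print("sinkhole list for", today, todays)
    print("flagged:", flag_queries(log, today))
```

The defensive lesson is in `rendezvous_domains`: once the seed and the derivation are known, the generator is as useful to the registry and the sinkhole operators as it is to the botmaster, which is exactly why the real analysis of the binary mattered.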

"The Analyzer" hacks banks for $10 million
A recently released affidavit by a Canadian police officer details how Ehud Tenenbaum, an Israeli hacker arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks, also allegedly hacked two U.S. banks, a credit and debit card distribution company, and a payment processor, causing at least $10 million in losses. Tenenbaum became famous as "The Analyzer" 10 years ago, when he was arrested for breaching more than 400 Pentagon computers.  He was caught this time because he carelessly failed to hide his IP address while holding chat sessions with his fellow criminals.  Police were monitoring those sessions and located Tenenbaum from the registration information for the IP address he was using.

Law enforcement is referring to the current scam as the "PIN Cashout Conspiracy".  Tenenbaum first used SQL injection to break into a financial institution's network.  Once inside, he located the database containing debit card information and collected the records for the cards he planned to have cashed out, altering their PINs where necessary.  He outsourced the actual cashing out by selling the card data to associates in Russia, Bulgaria, Sweden, Germany, Turkey, Canada, and the U.S., and was paid about 10 to 20 percent of the total take.
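The entry point described in the affidavit is a textbook SQL injection. As an added illustration, and not code from the case or from the articles linked below, the Python below builds a constructed in-memory card table with sqlite3 and contrasts a lookup routine and a PIN-change routine that splice user input into SQL with their parameterized equivalents. The same `' OR '1'='1` input that dumps or rewrites every row in the vulnerable versions matches nothing in the hardened ones. The card numbers and names are constructed test values.

```python
import sqlite3


def setup():
    """In-memory table with constructed sample records (not real card data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (pan TEXT PRIMARY KEY, pin TEXT, holder TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("4000000000000001", "1234", "A. Example"),
        ("4000000000000002", "5678", "B. Example"),
        ("4000000000000003", "9012", "C. Example"),
    ])
    return conn


# --- vulnerable: attacker-controlled text becomes part of the SQL grammar ---

def lookup_vulnerable(conn, holder):
    """Input spliced into the statement; a quote in `holder` rewrites the WHERE."""
    sql = f"SELECT pan, pin FROM cards WHERE holder = '{holder}'"
    return conn.execute(sql).fetchall()


def set_pin_vulnerable(conn, pan, new_pin):
    """Returns rows changed; a crafted `pan` turns this into a mass PIN reset."""
    sql = f"UPDATE cards SET pin = '{new_pin}' WHERE pan = '{pan}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# --- hardened: bound parameters; input is data and cannot alter the query ---

def lookup_safe(conn, holder):
    return conn.execute(
        "SELECT pan, pin FROM cards WHERE holder = ?", (holder,)).fetchall()


def set_pin_safe(conn, pan, new_pin):
    cur = conn.execute(
        "UPDATE cards SET pin = ? WHERE pan = ?", (new_pin, pan))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    payload = "' OR '1'='1"          # classic tautology injection
    conn = setup()
    print("vulnerable lookup dumps:", lookup_vulnerable(conn, payload))
    print("safe lookup returns:", lookup_safe(conn, payload))
    print("vulnerable PIN change touched",
          set_pin_vulnerable(conn, payload, "0000"), "rows")
    print("safe PIN change touched",
          set_pin_safe(conn, payload, "0000"), "rows")
```

Parameterization removes the grammar problem, but note what it does not fix: a query that legitimately returns full PANs and PINs to the application tier is still a single point of compromise, which is why card data and PIN offsets belong behind a hardware security module or at least in a separately controlled store.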

For a more in-depth look at this story, including the names of the institutions involved, see this Wired.com article (http://blog.wired.com/27bstroke6/2009/03/the-analyzer-ha.html) and Gary Warner's analysis (http://garwarner.blogspot.com/2009/03/bank-hacking-exposed-analyzer-affadavit.html).

Malware-based spying network discovered
Canadian researchers have uncovered a widespread spying operation that has stolen sensitive information from hundreds of mostly governmental offices in 103 countries.  The University of Toronto researchers had been asked by the office of the Dalai Lama, the exiled Tibetan leader, to examine its computers for signs of malware.  What they found was a network of infected computers, which they dubbed GhostNet, that was apparently focused on spying on the governments of South Asian and Southeast Asian countries.

The researchers gained access to GhostNet's command and control structure through a web interface that, surprisingly, its operators had not password protected.  With that access, the researchers could watch the names of the files the spies were stealing. Working with the Tibetans, the researchers also determined that GhostNet's operators had gained control of the mail servers of the Dalai Lama's office.

The researchers also determined that three of the four control servers for GhostNet were hosted in China, while the fourth was in Southern California. GhostNet's command and control software had a Chinese-language user interface, but no direct evidence concerning the identities of GhostNet's operators has been released.

For more information, please see this N.Y. Times news story (http://www.nytimes.com/2009/03/29/technology/29spy.html) and Gary Warner's in-depth analysis (http://garwarner.blogspot.com/2009/03/ghostnet-or-gh0st-rat-cyber-persecution.html).

U.S. convicts first foreigner of phishing
Ovidiu-Ionut Nicola-Roman, of Craiova, Romania, was sentenced on March 30 to four years and two months in prison for his role in an international phishing operation.  The 23-year-old Nicola-Roman was charged as part of a larger phishing indictment that also named six other Romanians, none of whom have been arrested.

Prosecutors said they found 2,600 credit and debit card numbers in e-mail accounts linked to Nicola-Roman, and that he had probably harvested more information. He set up a phishing site to snare customers of People's Bank in October 2005, and also had tools that would have allowed him to phish customers of Wells Fargo, Suntrust, Amazon.com, PayPal and eBay, according to court documents. According to data supplied to prosecutors by People's Bank, 78 of the 88 People's Bank card numbers that investigators found in Nicola-Roman's possession had been used for fraud. Nicola-Roman was able to take an average of $960 per card number collected, prosecutors said.

60 Minutes: The Internet is infected
The CBS program 60 Minutes aired a segment on March 29, called "The Internet is Infected", about the rise of malware on the Internet.  The piece focused mainly on the current Conficker outbreak as its centerpiece. It also presented the anti-virus industry, and Symantec most especially, in a strongly positive light.  Anyone in the security arena will find nothing new, and plenty missing, from the piece; however, ordinary computer users may have learned from it.  You may view the piece on the CBS News site. (http://www.cbsnews.com/video/watch/?id=4901282n)