Krebs on Security

Subscribe to Krebs on Security feed
In-depth security news and investigation
Updated: 5 days 6 hours ago

Android 7.0+ Phones Can Now Double as Google Security Keys

Thu, 04/11/2019 - 10:14

Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft.

As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.

The most commonly used Security Keys are inexpensive USB-based devices that offer an alternative approach to 2FA, which requires the user to log in to a Web site using something they know (the password) and something they have (e.g. a one-time token, key fob or mobile device).

But Google said starting this week, any mobile phone running Android 7.0+ (Nougat) can serve the same function as a USB-based security key. Once a user has enrolled their Android phone as a Security Key, the user will need to approve logins via a prompt sent to their phone after submitting their username and password at a Google login page.

Many readers have expressed confusion or skepticism about how Security Keys can prevent users from getting hooked by phishing sites or clever man-in-the-middle attacks. This capability was described in far greater visual detail in this video last year by Christiaan Brand, product manager at Google Cloud.

But the short version is that even if a user who has enrolled a Security Key for authentication tries to log in at a site pretending to be Google, the company’s systems simply refuse to request the Security Key if the user isn’t on an official Google site, and the login attempt fails.

“It puts you in this mode….[in] which is there is no other way to log in apart from the Security Key,” Brand said. “No one can trick you into a downgrade attack, no one can trick you into anything different. You need to provide a security key or you don’t get into your account.”

Google says built-in security keys are available on phones running Android 7.0+ (Nougat) with Google Play Services, enabling existing phones to act as users’ primary 2FA method for work (G Suite, Cloud Identity, and GCP) and personal Google accounts to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 device with a Chrome browser.

The basic idea behind two-factor authentication (Google calls it “two step verification” or 2SV) is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via an app (like Authy or Google Authenticator), text message, or an automated phone call. But all of these methods are susceptible to interception by various attacks.

For example, thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device.

A Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices.

A number of high-profile sites now allow users to enroll their accounts with USB- or Bluetooth-based Security Keys, including Dropbox, Facebook, Github and Twitter. If you decide to use Security Keys with your account, it’s a good idea to register a backup key and keep it in a safe place, so you can still get into your account if you loose your initial key (or phone, in Google’s case).

To be sure you’re using the most robust forms of authentication at sites you entrust with sensitive data, spend a few minutes reviewing the options at twofactorauth.org, which maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).

Please bear in mind that if the only 2FA options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

I should also note that Google says Android 7.0+ phones also can be used as the Security Key for people who have adopted the company’s super-paranoid Advanced Protection option. This is a far more stringent authentication process for Google properties designed specifically for users who are most likely to be targeted by sophisticated attacks, such as journalists, activists, business leaders and political campaigns.

I’ve had Advanced Protection turned on since shortly after Google made it available. It wasn’t terribly difficult to set up, but it’s probably not for your casual user. For one thing, it requires users to enroll two security keys, and in the event the user loses both of those keys, Google may take days to validate your request and grant you access to your account.

Categories: Technology, Virus Info

Patch Tuesday Lowdown, April 2019 Edition

Tue, 04/09/2019 - 18:07

Microsoft today released fifteen software updates to fix more than 70 unique security vulnerabilities in various flavors of its Windows operating systems and supported software, including at least two zero-day bugs. These patches apply to Windows, Internet Explorer (IE) and Edge browsers, Office, Sharepoint and Exchange. Separately, Adobe has issued security updates for Acrobat/Reader and Flash Player.

According to security firm Rapid 7, two of the vulnerabilities — CVE-2019-0803 and CVE-2019-0859 — are already being exploited in the wild. They can result in unauthorized elevation of privilege, and affect all supported versions of Windows.

“An attacker must already have local access to an affected system to use these to gain kernel-level code execution capabilities,” Rapid7 researcher Greg Wiseman observed. “However, one of the 32 Remote Code Execution (RCE) vulnerabilities patched today could potentially be used with them in an exploit chain to obtain full control of a system.”

Aside from these zero-day privilege escalation flaws, Wiseman said, it’s a fairly standard Patch Tuesday.

“Which of course still means that there are bugs that should be patched as soon as possible, such as the eight vulnerabilities classified as critical in the scripting engine used by Microsoft browsers, and CVE-2019-0822 (an RCE in Microsoft Office that can be exploited by convincing a user to open a malicious file).”

Adobe’s Patch Tuesday includes security updates for its Flash Player and AIR software,  as well as Adobe Reader and Acrobat.

Flash updates are installed along with other monthly Windows patch rollups for consumers, and auto-installed by Google Chrome, but users may need to reboot the operating system (in the case of IE/Edge) or the browser (in Chrome) for the new updates to take effect.

Adobe’s actions also sound the death knell for Adobe Shockwave Player, which has at long last reached end-of-life.

That means no more security updates for Shockwave, which has always been something of an ugly stepchild to Flash. That is to say, Shockwave never really got the security attention Flash has received but nevertheless has been just as vulnerable and often lagging months or years behind Flash in terms of updates.

Chris Goettl, director of product management and security for security firm Ivanti, said Windows users need to get any existing Shockwave installations out of their environments now.

“There are 7 vulnerabilities that are going to be vulnerable for the majority of Shockwave installs still in existence,” Goettl said. “You can bet an exploit is imminent there.”

Standard advice: Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Qualys on Patch Tuesday

SANS Internet Storm Center’s Patch Tuesday Priorities.

Martin Brinkmann of Ghacks.net

Categories: Technology, Virus Info

A Year Later, Cybercrime Groups Still Rampant on Facebook

Mon, 04/08/2019 - 13:39

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”

But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings.  This is precisely what I experienced a year ago.

Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.

Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.

What did we find? KrebsOnSecurity received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled.

How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?

  • KrebsOnSecurity broke the news that Facebook developers wrote apps which stored somewhere between 200 million and 600 million Facebook user passwords in plain text. These plaintext passwords were indexed by Facebook’s data centers and searchable for years by more than 20,000 Facebook employees.
  • It emerged that Facebook’s new account signup page urges users to supply the password to their email account so Facebook can harvest contact details and who knows what else. Yes, that’s right: Facebook has been asking new users to share their email password, despite decades of consumer advice warning that is exactly what phishers do.
  • Cybersecurity firm UpGuard discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.

  • Facebook is making users searchable by marketers and others via phone number, even when that phone number was only provided solely for the purposes of multi-factor authentication.

Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others.

I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook.

For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention.

Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way.

Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook.

I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user.

But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below.

Categories: Technology, Virus Info

Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico

Thu, 04/04/2019 - 16:44

An alleged top boss of a Romanian crime syndicate that U.S. authorities say is responsible for deploying card-skimming devices at Automated Teller Machines (ATMs) throughout North America was arrested in Mexico last week on firearms charges. The arrest comes months after the accused allegedly ordered the execution of a former bodyguard who was trying to help U.S. authorities bring down the group’s lucrative skimming operations.

On Mar. 31, police in Cancun, Mexico arrested two Romanian men, identified only as 42-year-old “Florian N” and 37-year-old “Adrian Nicholae N,” 37, for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations.

An uncaptioned photo published by the Mexican police. According to multiple sources, the individual on the left is Intacash boss Florian Tudor, along with his deputy Nicholae Cosmin.

The two men’s faces were partially obscured in the mugshots released to Mexican media. But according to multiple sources familiar with the investigation, the older man arrested (pictured on the left) is Florian “The Shark” Tudor, reputed to be in charge of a relatively new ATM company based in Mexico called Intacash. The man on the right has been identified as Nicholae Cosmin, Tudor’s deputy.

Intacash was the central focus of a threepart investigation KrebsOnSecurity published in September 2015. That story tracked the activities of a crime gang that was bribing and otherwise coercing ATM technicians to install sophisticated Bluetooth-based skimmers inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

Meanwhile, Intcash’s machines were about the only ATMs in top tourist spots in Mexico that weren’t getting compromised with these bluetooth skimming devices.

Law enforcement and ATM industry sources cited in that story said they believe Intacash is controlled by Romanian nationals and that its key principals were the ones paying ATM technicians to compromise machines at competing ATM providers.

As I discovered in reporting that series, it was possible to tell which ATMs were compromised in Mexico’s top tourist spots just by approaching each with a smart phone and looking for the presence of a Bluetooth signal beaconing out a wireless network with the name “Free2Move”.

This functionality allowed the crime syndicate to siphon credit and debit card details and PINs from hacked ATMs wirelessly, without ever again having to touch the compromised machines (see the video below for more on that investigation).

In April 2018, KrebsOnSecurity heard from a Romanian person who claimed to have been working for Intacash. This individual seemed extremely concerned for their safety, but at the same time eager to share details about the company’s operations and owners.

The source shared photographs of Intacash’s chief deputies, as well as screenshots of card data allegedly hoovered up by the company’s various skimming operations. The source repeatedly told me the Romanian gang was paying large sums of money to Mexican authorities to stay off their radar.

The last time I heard from that source was June 2018, just after a like-minded associate at Intacash was shot dead in his car. The associate, 44-year-old Sorinel Constantin Marcu, was already wanted on a warrant from Interpol, the international criminal police organization.

In 2014, a Romanian court issued a criminal warrant for Marcu on allegations of attempted murder back in his hometown of Craiova, Romanian’s 6th-largest city. But Marcu was able to flee to Mexico before he could be tried. The court later convicted Marcu in abstentia, leveling a sentence of eight years in prison.

On  the evening of June 11, 2018, Marcu was shot in the head, reportedly while trying to kidnap a businessman in Mexico, according to multiple media accounts. A street surveillance video of the incident published by Romanian daily Gazeta de SUD shows a Dodge Nitro allegedly driven by Marcu hitting the businessman’s parked car.

The businessman manages to flee, and the passenger in Marcu’s vehicle briefly starts after him, before returning to the picture a few seconds later. Marcu’s passenger gets back in the vehicle, which then moves out of view of the security camera.

“Later, one of the businessman’s guards came out of the house and shot several gun shots in the car driven by Marcu, and he was killed on the spot,” Gazeta reported.

My source’s last communication was that they had tried to reach out to U.S. federal investigators but hadn’t had much luck. The source wanted the name and a number of someone to talk to at the FBI or Secret Service.

That source also said corrupt Mexican authorities were complicit in changing the news media narrative of what happened to Sorinel Marcu.

“Hi Brian do you have some news about your contact? Because the person who was going to testify now is dead,” my source wrote. “The boss of the gang do it, who I told you kill him, now he pay a lot of money to change the real story, and now that Cancun’s police work for him. Because the maybe guilty stayed 24 hours arrested (or less) for homicide. Please if this week you can do something for us, help us!”

Searching for others who might have knowledge of the shooting, I found a Facebook posting by Marcu’s brother — Aurelio Marcu — who commented on a Facebook video recorded shortly after Marcu’s execution in which bystanders can be heard telling those approaching the car not to move his brother’s body. The video was posted by a Mexican news channel, which reported the men questioned by police in connection with the incident were carrying Russian passports.

“They are from Romania, not Russia,” Aurelio Marcu wrote in a comment on the video, saying the boss of the gang is a guy named Tudor Florin, also known as “Rechinu” or “shark” in Romanian.

Police in Puerto Morelos seized weapons and a Cadillac Escalade from Romanians Florian Tudor and Nicholae Cosmin. Image: Riviera-maya-news.com.

In an interview with KrebsOnSecurity, Aurelio Marcu said his younger brother was killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to his car to make it look like he was slain there instead. He also said his brother and the passenger in the Dodge Nitro were following a man who worked in Tudor’s crew, not some random businessman.

“He was unarmed, and if you look at the pictures in the papers from his death, you can see he is wearing flip flops when he was shot,” Aurelio Marcu said, speaking through an interpreter. “How can you go kidnap someone wearing flip flops and with no weapon?”

BAD BODYGUARD

Marcu the elder said his dead brother long served as Tudor’s personal bodyguard, but at some point the two had a falling out over the money and women. Marcu said things got really tense between Tudor and his brother when the latter began sabotaging Intacash’s operations by applying superglue to the PIN pads and card acceptance slots of Intacash ATMs throughout Cancun.

A warrant for Constantine Sorinel Marcu, on attempted murder charges. Marcu was shot and killed in June 2018, allegedly by Mr. Tudor and/or his associates.

Marcu said Tudor’s crew had tried once before to kill his brother, but only managed to seriously wound him in a knife attack that ruptured his spleen.

Asked why he believes Florian Tudor was responsible for his brother’s death, Marcu said Sorinel “was an impediment for them, and Mr. Tudor was afraid that he would talk to the police.”

Marcu said Tudor and his associates are working with criminal syndicates in China, India and Indonesia to help cash out credit and debit card accounts stolen via Intacash’s extensive ATM skimming operations. He also said Mr. Tudor is reputed to keep up to USD $50,000 in cash on hand at all times, just in case he needs to buy himself out of a sticky situation with the police.

“This is so that if anything happens to him, he has a window to escape,” Marcu said. “He used to brag that he had days when he was making like $200,000 a day doing all this ATM and fake credit cards stuff.”

Additionally, Marcu said Mr. Tudor is working on building a theme park in the Puerto Morelos area of Quintana Roo, a Mexican state on the Yucatan Peninsula that encompasses Cancun and other tourist areas close by.

Aurelio Marcu says he and his brother are from the the same hometown as Tudor and his crew — Craiova, Romania, and that he’s been living under active protection from the Romanian police out of fear for his life.

Marcu is doubly worried now because he’s recently learned that both Tudor and Cosmin made bail on the weapons charges. He believes they are probably trying to figure out how to quietly wind down their operations in Mexico and flee the country.

KrebsOnSecurity has learned that Tudor and others alleged to be part of the Romanian ATM skimming ring in Mexico are the target of a more wide-ranging FBI investigation into the alleged Romanian crime family. The FBI did not respond to requests for comment.

According to people briefed on the investigation, Mexico is a central hub for hundreds of people from Romania who have moved into tourist areas of Mexico to help execute various ATM skimming and money laundering schemes there and across the border in the United States.

Those officials describe the Romanian crime network in Mexico as part of a far larger criminal syndicate that has foot soldiers who are ready and able to execute ATM skimming attacks throughout North America and in virtually every major U.S. city.

Sources say Romanian intelligence services also have been keeping tabs on this group’s operations south of the U.S. border — specifically on Mssrs. Tudor and Cosmin, as well as the now-deceased Sorinel Marcu.

Categories: Technology, Virus Info

Canadian Police Raid ‘Orcus RAT’ Author

Tue, 04/02/2019 - 08:50

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.

Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.

According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”

“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. “I tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.”

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

Earlier this year, Rezvesz posted on Twitter that he was making the source code for Orcus RAT publicly available, and focusing his attention on developing a new and improved RAT product.

Meanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.

As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.

“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to a screenshot of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. Stay safe, don’t do stupid shit.”

Categories: Technology, Virus Info

Annual Protest Raises $250K to Cure Krebs

Sun, 03/31/2019 - 02:51

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work).  I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.

Categories: Technology, Virus Info

Man Behind Fatal ‘Swatting’ Gets 20 Years

Fri, 03/29/2019 - 16:19

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.

Barriss pleaded guilty to making hoax bomb threats in phone calls to the headquarters of the FBI and the Federal Communications Commission in Washington, D.C. He also made bomb threat and swatting calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts, Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida and Canada.

“I hope that this prosecution and lengthy sentence sends a strong message that will put an end to the juvenile and reckless practice of ‘swatting’ within the gaming community, as well as in any other context,” said Kansas U.S. Attorney Stephen McAllister said in a written statement. “Swatting is just a terrible idea. I also hope that today’s result helps bring some peace to the Finch family and some closure to the Wichita community.”

Many readers have commented here that the officer who fired the shot which killed Andrew Finch should also face prosecution. However, the district attorney for the county that encompasses Wichita decided in April 2018 that the officer will not face charges, and will not be named because he isn’t being charged with a crime.

As the victim of a swatting attack in 2013 and two other attempted swattings, I’m glad to finally see a swatting prosecution that may actually serve as a deterrent to this idiotic and extremely dangerous crime going forward.

But as I’ve observed in previous stories about swatting attacks, it would also be nice if more police forces around the country received additional training on exercising restraint in the use of deadly force, particularly in responding to hostage or bomb threat scenarios that have hallmarks of a swatting hoax.

For example, perpetrators of swatting often call non-emergency numbers at state and local police departments to carry out their crimes precisely because they are not local to the region and cannot reach the target’s police department by calling 911. This is exactly what Tyler Barriss did in the Wichita case and others. Swatters also often use text-to-speech (TTY) services for the hearing impaired to relay hoax swat calls, as was the case with my 2013 swatting.

Categories: Technology, Virus Info

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

Fri, 03/29/2019 - 13:22

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnsecurity contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.

Joker’s Stash typically organizes different batches of stolen cards around a codename tied to a specific merchant breach. This naming convention allows criminals who purchased cards from a specific batch and found success using those cards fraudulently to buy from the same batch again when future cards stolen from the same breached merchant are posted for sale.

While a given batch’s nickname usually has little relation to the breached merchant, Joker’s Stash does offer a number of search options for customers that can sometimes be used to trace a large batch of stolen cards back to a specific merchant.

This is especially true if the victim merchant has a number of store locations in multiple smaller U.S. towns. That’s because while Joker’s Stash makes its stolen cards searchable via a variety of qualities — the card-issuing bank or expiration date, for example — perhaps the most useful in this case is the city or ZIP code tied to each card.

As with a number of other carding sites, Joker’s Stash indexes cards by the city and/or ZIP code of the store from which the card was stolen (not the ZIP code of the affected cardholders).

On Feb. 20, Joker’s Stash moved a new batch of some 2.15 million stolen cards that it dubbed the “Davinci Breach.” An analysis of the cities and towns listed among the Davinci cards for sale included a number of hacked store locations that were not in major cities, such as Burnsville, Minn., Levonia, Mich., Midvale, Utah, Norwood, Ohio, and Wheeling, Ill.

Earl Enterprises said in its statement the malicious software installed at affected stores captured payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder names. The company says online orders were not affected.

Malicious hackers typically steal card data from organizations by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.

Cardholders are not responsible for fraudulent charges, but your bank isn’t always going to detect card fraud. That’s why it’s important to regularly review your monthly statements and quickly report any unauthorized charges.

Categories: Technology, Virus Info

Alleged Child Porn Lord Faces US Extradition

Fri, 03/22/2019 - 13:32

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.

“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” FBI Special Agent Brooke Donahue reportedly told an Irish court in 2013.

Even before the FBI testified in court about its actions, clues began to emerge that the Firefox exploit used to record the true Internet address of Freedom Hosting visitors was developed specifically for U.S. federal investigators. In an analysis posted on Aug. 4, reverse engineer Vlad Tsrklevich concluded that because the payload of the Firefox exploit didn’t download or execute any secondary backdoor or commands “it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”

According to The Irish Times, in a few days Marques is likely to be escorted from Cloverhill Prison to Dublin Airport where he will be put on a US-bound flight and handcuffed to a waiting US marshal. If convicted of all four charges, he faces life in prison (3o years for each count).

Categories: Technology, Virus Info

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Thu, 03/21/2019 - 09:17

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords in them dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert Facebook users today, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook light users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both Github and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”

Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

Categories: Technology, Virus Info

Why Phone Numbers Stink As Identity Proof

Sun, 03/17/2019 - 17:25

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.

BK: We weren’t always so tied to our phone numbers, right? What happened?

AN: The whole concept of a phone number goes back over a hundred years. The operator would punch in a number you know was associated with your friend and you could call that person and talk to them. Back then, a phone wasn’t tied any one person’s identity, and possession of that phone number never proved that person’s identity.

But these days, phone number are tied to peoples’ identities, even though we’re recycling them and this recycling is a fundamental part of how the phone system works. Despite the fact that phone number recycling has always existed, we still have all these Internet companies who’ve decided they’re going to accept the phone number as an identity document and that’s terrible.

BK: How does the phone number compare to more traditional, physical identity documents?

AN: Take the traditional concept of identity documents — where you have to physically show up and present ID at some type of business or office, and then from there they would look up your account and you can conduct a transaction. Online, it’s totally different and you can’t physically show your ID and can’t show your face.

In the Internet ecosystem, there are different companies and services that sell things online who have settled on various factors that are considered a good enough proxy for an identity document. You supply a username, password, and sometimes you provide your email address or phone number. Often times when you set up your account you have some kind of agreed-upon way of proofing that over time. Based on that pre-established protocol, the user can log in and do transactions.

It’s not a good system and the way the whole thing works just enables fraud. When you’re bottlenecked into physically showing up in a place, there’s only so much fraud you can do. A lot of attacks against phone companies are not attacking the inherent value of a phone number, but its use as an identity document.

BK: You said phone number recycling is a fundamental part of how the phone system works. Talk more about that, how common that is.

AN: You could be divorced, or thrown into sudden poverty after losing a job. But that number can be given away, and if it goes to someone else you don’t get it back. There all kinds of life situations where a phone number is not a good identifier.

Maybe part of the reason the whole phone number recycling issue doesn’t get much attention is people who can’t pay their bills probably don’t have a lot of money to steal anyways, but it’s pretty terrible that this situation can be abused to kick people when they’re down. I don’t think a lot of money can be stolen in this way, but I do think the fact that this happens really can undermine the entire system.

BK: It seems to me that it would be a good thing if more online merchants made it easier to log in to their sites without using passwords, but instead with an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in. Seems like this kind of “push” login can leverage the user’s smart phone while not relying on the number — or passwords, for that matter.

If phone numbers are bad, what should we look to as more reliable and resilient identifiers?

AN: That’s something I’ve been thinking a lot about lately. It seems like all of the other options are either bad or really controversial. On the one hand, I want my bank to know who I am, and I want to expose my email and phone number to them so they can verify it’s me and know how to get in touch with me if needed. But if I’m setting up an email account, I don’t want to have to give them all of my information. I’m not attached to any one alternative idea, I just don’t like what we’re doing now.

For more on what you can do to reduce your dependence on mobile phone numbers, check out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security.

Categories: Technology, Virus Info