Wednesday, October 28, 2009

 

FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries like Moldova, Russia and Ukraine.

Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, said criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and medium-sized businesses, and have successfully made off with about $40 million of that money.

Normally, the FBI isn't eager to discuss losses, or even acknowledge the existence of specific cases. What's more, the agency is keen to avoid making any statements that might spook consumers or businesses away from online banking. But Chabinsky said the FBI is taking the unusual step of floating financial loss figures in order to grab the attention of those most at risk so they can adopt safeguards.

"We don't believe there's cause for a crisis of confidence in online banking, but we want to make sure we message this early before this becomes a much larger problem," Chabinsky told Security Fix in an interview Wednesday. "Our concern is that these numbers will grow if we don't educate people now to take precautions, and if we could nip some of this in the bud, not only will it lessen the problem, but it will serve as a deterrent to the extent the bad guys see this as an easy way to make money."

The FBI said the $40 million loss figure stems from some 205 cases that date back to 2004, though it declined to offer a year-by-year breakdown of those cases. Several bank fraud experts interviewed for this story said they were aware of very few reports of this type of cyber crime before the latter half of 2008.

"There may have been a handful of cases of this specific type of crime before 2009, but attacks like this and in this volume really only picked up toward the end of last year," said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.

Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses.

Chabinsky said businesses can insulate themselves from this type of fraud by doing their online banking from a dedicated, locked-down computer that is not used for everyday Web browsing or e-mail. That's because the malicious software that thieves use to steal online banking user names and passwords typically is installed when the recipient of a spam e-mail opens a poisoned attachment or clicks a link that leads to a booby-trapped Web site.

"What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer," Chabinsky said.

While the biggest source of the vulnerability may reside on the customer's end, some fraud experts believe the perpetrators of this type of cyber crime are merely gravitating toward less obvious weaknesses in the commercial online banking system.

Avivah Litan, a financial fraud analyst with Gartner Inc., said many of the largest banks have taken a page from the credit card companies, investing heavily in anti-fraud solutions that look for transaction anomalies and other activity that may indicate a customer's account has been compromised.

But Litan said many companies being victimized by this type of crime bank at small and regional financial institutions that do not have fraud pattern detection technologies in place. Rather, she said, these institutions are relying on additional layers of customer protections, such as security tokens - approaches that can easily be subverted when the customer's computer is under control of the thieves.

"Many [commercial] institutions aren't even looking at new anti-fraud technologies because they don't take the direct loss when their business customers get hit," Litan said. "Banks may be worried about the reputation loss from these kinds of incidents, but so far these attacks aren't widespread knowledge."

Last week, I wrote about Genlabs Corp. a Chino, Calif. chemical manufacturing firm that lost $437,000 last month after thieves broke into the company's bank account and sent transfers to roughly 50 different money mules. The attackers succeeded despite the fact that the company's bank -- California Bank & Trust -- requires the user to enter their password in addition to the output from a key fob that generates a new six-digit number every 60 seconds.

Genlabs was just one of 48 victims I have heard from or reached out to over the past five months. While not everyone was willing to tell me the name of their bank, those that did almost universally named local and regional institutions.

If you review the chart below -- which details how much the thieves tried to steal from each victim and how much they made off with -- you'll notice that several of the figures in the "amount unrecovered" column total $0. In nearly all of those cases, the victim banked at a very small institution, the kind where employees apparently still know their customers by name and by sight.

Take the case of Holdiman Motor, a car dealership in Cedar Falls, Iowa. Earlier this year, hackers tried to initiate a series of bogus payroll transfers totaling $60,000 to several individuals the company had never done business with before. Owner Tom Holdiman said the perpetrators failed because the company's bank -- Lincoln Savings Bank -- noticed that the timing of the transactions was unusual and alerted Holdiman's controller.
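The pattern the FBI describes (a burst of sub-$10,000 transfers to payees the company has never paid, submitted at an odd hour) is what Lincoln Savings Bank caught by eye, and what Litan says many small institutions have no tooling for. The script below is an added example written for this page, not any bank's fraud engine; the $10,000 threshold, the "just under" margin, the business-hours window and the sample transactions are all assumptions constructed for the demo.

```python
"""Added example: score a day's outbound transfers for mule-payout signals.

Illustration written for this page, not a bank's actual fraud engine.  It
encodes three signals from the articles above:
  * many transfers just under a reporting threshold ($10,000, an assumption),
  * payees the account has never paid before, and
  * submissions outside the customer's usual hours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000              # assumed reporting threshold
UNDER_MARGIN = 1_000            # "just under" == within this much of the threshold
WINDOW = timedelta(hours=24)    # sliding window for counting near-threshold payments
MIN_BURST = 3                   # this many near-threshold payments in a window is suspicious
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local, assumed normal for the customer


def near_threshold(amount):
    return THRESHOLD - UNDER_MARGIN <= amount < THRESHOLD


def analyze(transactions, known_payees):
    """transactions: dicts with keys account, payee, amount, submitted (datetime).
    known_payees: account -> set of payee ids seen in prior history.
    Returns account -> list of alert strings (empty list means nothing flagged)."""
    by_account = defaultdict(list)
    for t in sorted(transactions, key=lambda t: t["submitted"]):
        by_account[t["account"]].append(t)

    alerts = {}
    for acct, txs in by_account.items():
        found = []
        # Signal 1: burst of near-threshold payments inside a sliding window
        near = [t for t in txs if near_threshold(t["amount"])]
        for i, start in enumerate(near):
            burst = [t for t in near[i:] if t["submitted"] - start["submitted"] <= WINDOW]
            if len(burst) >= MIN_BURST:
                found.append(f"structuring: {len(burst)} payments between "
                             f"${THRESHOLD - UNDER_MARGIN:,} and ${THRESHOLD:,} within {WINDOW}")
                break
        # Signal 2: payees that never appear in the account's history
        new = sorted({t["payee"] for t in txs} - known_payees.get(acct, set()))
        if new:
            found.append(f"new payees: {', '.join(new)}")
        # Signal 3: submissions outside the customer's business hours
        odd = [t for t in txs if t["submitted"].hour not in BUSINESS_HOURS]
        if odd:
            found.append(f"off-hours submissions: {len(odd)}")
        alerts[acct] = found
    return alerts


# Constructed sample: one ordinary payroll run and one mule-style batch.
KNOWN = {"acct-normal": {"payroll-001", "payroll-002"}, "acct-victim": {"vendor-17"}}
SAMPLE = [
    {"account": "acct-normal", "payee": "payroll-001", "amount": 4200.00, "submitted": datetime(2009, 10, 14, 9, 5)},
    {"account": "acct-normal", "payee": "payroll-002", "amount": 3875.50, "submitted": datetime(2009, 10, 14, 9, 6)},
    {"account": "acct-victim", "payee": "mule-a", "amount": 9800.00, "submitted": datetime(2009, 10, 14, 2, 11)},
    {"account": "acct-victim", "payee": "mule-b", "amount": 9650.00, "submitted": datetime(2009, 10, 14, 2, 12)},
    {"account": "acct-victim", "payee": "mule-c", "amount": 9920.00, "submitted": datetime(2009, 10, 14, 2, 14)},
    {"account": "acct-victim", "payee": "mule-d", "amount": 9500.00, "submitted": datetime(2009, 10, 14, 2, 15)},
]

if __name__ == "__main__":
    for acct, found in analyze(SAMPLE, KNOWN).items():
        print(acct, "->", found or "clean")
```

Each signal on its own is noisy (a real payroll run also goes to many payees at once), which is why the output keeps the signals separate rather than summing them into one score: an analyst, or the phone call to the controller that Lincoln Savings Bank made, decides what to do with a batch that trips all three.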

"With the other banks you're just a number," Holdiman said. "That's why we're with them."

In the 48 attacks I've confirmed since May, thieves attempted to steal more than $7.3 million from these organizations. In many cases, I was unable to learn how much victims had actually lost. A number of companies told me they did not want to be identified by name, and have not responded to requests for follow-up interviews. Some victim companies that spotted the fraud early enough were able to work with their bank to retrieve some or all of the stolen funds. Other victims recovered nothing, and are in various stages of suing their banks to recover some of the losses.

Nevertheless, it is clear that the stories published here have encouraged more and more victims to come forward. In the month of September alone, I learned of at least 20 previously unpublicized cases in which hackers tried to take a total of more than $3.3 million from small- to mid-sized organizations across the country.

Below is a chart showing the victim entities that I have confirmed over the past five months. That same chart -- including monthly and cumulative dollar loss totals -- is available in Excel and HTML format. Some victims are identified only by their industry or specialty to preserve their anonymity. If a victim's name is hyperlinked, readers can click the link to read a prior Security Fix blog post that includes mention of their specific incident.



By Brian Krebs | October 26, 2009; 1:00 PM ET

 

Ex-Ford engineer charged with trade secret theft

Suspect allegedly stole trade secrets after accepting job with a competing Chinese company
Jaikumar Vijayan
October 16, 2009 (Computerworld) A former product engineer at Ford Motor Co. has been charged with stealing sensitive design documents from the auto maker worth millions of dollars.

Xiang Dong Yu, of Beijing -- also known as Mike Yu -- was arrested Wednesday at Chicago's O'Hare International Airport upon his entry into the U.S. from China, where he is working with a Ford rival.

Yu, 47, was charged with theft of trade secrets, attempted theft of trade secrets and unauthorized access to protected computers. Each of the theft-related charges carries a maximum of 10 years in prison and a fine of up to $250,000. Yu faces a maximum of five years and $250,000 in fines on the charge of accessing a protected computer. The arrest was announced by Terrence Berg, U.S. attorney for the Eastern District of Michigan.

According to the indictment papers, Yu was employed at Ford between 1997 and 2007. In his role as a product engineer, Yu had access to trade secrets contained in Ford system design specification documents. The documents contained detailed information on performance requirements and associated testing processes for numerous major components in Ford vehicles.

The documents, created and maintained by subject matter experts at Ford, are used by design engineers when building new vehicles and by suppliers providing parts to the company. According to the indictment papers, Ford has spent "millions of dollars and decades on research, developing and testing" to create the requirements in the system design documents.

In June 2005, Yu allegedly traveled to China in an attempt to find a job in the automotive industry. Before leaving on the trip, Yu allegedly downloaded several system design specification documents, including those unrelated to his work, onto an external hard drive which he took with him on his trip.

Yu resumed his job search in August 2006. In November of that year, he was offered a job with electronic and automobile component manufacturer Foxconn, PCE Industry Inc. A few days after Yu accepted the job, in December 2006, he allegedly downloaded more than 4,000 Ford documents to a hard drive. The documents included information on Ford's engine and transmission mounting subsystem, electrical distribution system, front and rear side door structure, steering wheel assembly and instrument panel and console subsystem.

Later that same month, Yu left to work at Foxconn, PCE's facility in Shenzhen, China, with the stolen Ford documents in his possession. Yu did not inform Ford about his new job until January 2007. Slightly more than a year later, Yu apparently attempted to use the stolen trade secrets when applying for a new job with an automotive company in China. When those efforts proved unsuccessful, he accepted another job offer at Beijing Automotive Co., which was described in court documents as a Ford rival.

It is not clear from the indictment papers how authorities learned about Yu's attempts to use the stolen information in his job search, or whether the companies that Yu applied to for jobs informed Ford. The court papers also mention that Ford's security controls included "marking" sensitive documents. It's also not clear whether any of the companies where Yu worked used any of the information that Yu allegedly had stolen.

A call requesting comment from the U.S. Attorney's office for the Eastern District of Michigan was not immediately returned.

The incident is similar to other trade-secret thefts involving users with privileged access to corporate systems and data. Earlier this month, Hong Meng, a former research scientist at DuPont USA was indicted on charges related to the theft of trade secrets. Meng is alleged to have downloaded sensitive trade secrets pertaining to DuPont's new, thin-computer display technology called "organic light emitting diode" or OLED. The company charged Meng with attempting to profit from the information by using it to commercialize OLED products in China in conjunction with Peking University in Beijing.

In 2007, Gary Min, another former scientist at DuPont, admitted to stealing an estimated $400 million worth of proprietary company information. He is serving an 18-month sentence in federal prison.

Brian Cleary, vice president of marketing at security vendor Aveksa, said the incident is another reminder of why companies need to implement a "governance framework" for managing, monitoring and logging all access and activity involving sensitive data. Companies should be implementing risk-based access controls to sensitive data where the focus should be on understanding what an individual's role is and then making sure that individual only has access to the specific information needed for the job.

 

ChoicePoint Fined $275K for 2008 Breach

FTC: Data Broker Turned Off Tool That Would Have Detected Hack Sooner
Linda McGlasson, Managing Editor
October 21, 2009


Data broker ChoicePoint has agreed to a stronger data security program and will pay a $275,000 fine for a breach in 2008, according to the Federal Trade Commission.
The FTC says the company failed to implement a comprehensive information security program to protect consumers' personal information, as required by the agency after ChoicePoint's 2004 breach, which affected more than 160,000 U.S. consumers.

The April 2008 breach compromised the personal data of 13,750 people, says an FTC press release. The company is accused of turning off a "key" electronic security tool used to monitor access to one of its databases, and then failing to notice for four months that the tool was off. If the tool had not been turned off, the FTC says, the breach would have been detected much sooner.

For a month, an unidentified hacker conducted thousands of unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers, says the FTC. After the breach was found, ChoicePoint alerted the FTC.

According to the modified court order, ChoicePoint will be required to report to the FTC detailed information about how it is protecting the breached database and certain other databases and records containing personal information. The ChoicePoint reports are required every two months for two years.

The 2004 ChoicePoint data breach resulted in 800 cases of identity theft, says the FTC. A settlement and 2006 court order required the company to pay $15 million in civil penalties and consumer compensation. As part of the settlement, the company is required to obtain independent assessments of its data security program every other year until 2026.

Saturday, October 24, 2009

 

PayChoice Suffers Another Data Breach

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed onlineemployer.com -- the portal for PayChoice's online payroll service -- this time after some clients began noticing bogus employees being added to their payroll.

"After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday.

This week's attack appears to be the second stage of a sophisticated cyber assault launched last month against PayChoice customers. In that attack, hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The supposed plug-in offered in that e-mail was instead malicious software designed to steal the victim's user names and passwords.

The statement sent to customers Thursday said that in this week's attack the thieves appear to have stolen login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their onlineemployer.com password. PayChoice also said it has disabled the change password capability on the site until it can eliminate the vulnerability, and that it had modified all login IDs to prevent access to the site using potentially compromised credentials.
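PayChoice has not said what the weakness in its change-password component was, so the code below does not describe onlineemployer.com. It is an added example, written for this page, of one common class of change-password bug that yields exactly the outcome described (valid credentials in the attacker's hands, then fictitious employees added under the real user's login): a handler that resets whichever account the request names without a session or the current password. The hardened handler beside it binds the operation to the caller's session, re-checks the current password and revokes every open session for the account. The in-memory user store, the request dictionaries and the account names are all constructed for the demo.

```python
"""Added example: a hypothetical account-takeover bug in a password-change
handler, beside a hardened version.  Written for this page; not PayChoice's
code and not a description of its actual flaw.  Store, requests and names
are constructed for the demo."""
import hashlib
import hmac
import os
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    def __init__(self):
        self.users = {}      # login -> (salt, pbkdf2 hash)
        self.sessions = {}   # session token -> login

    def set_password(self, login, password):
        salt = os.urandom(16)
        self.users[login] = (salt, _hash(password, salt))

    def verify(self, login, password):
        rec = self.users.get(login)
        return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

    def login(self, login, password):
        if not self.verify(login, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = login
        return token

    def revoke_sessions(self, login):
        for tok in [t for t, u in self.sessions.items() if u == login]:
            del self.sessions[tok]


def change_password_vulnerable(store, request):
    """VULNERABLE (hypothetical): the target account is whatever the request
    names, and neither a session nor the current password is required, so any
    visitor can reset any user's password and then log in as that user."""
    login = request.get("login")
    if login not in store.users:
        return 404
    store.set_password(login, request["new_password"])
    return 200


def change_password_hardened(store, request):
    """HARDENED: the account is the one bound to the caller's session, the
    current password must be re-presented, and on success every session for
    the account (the caller's included) is revoked so a stolen cookie dies."""
    login = store.sessions.get(request.get("session"))
    if login is None:
        return 401
    if not store.verify(login, request.get("current_password", "")):
        return 403
    store.set_password(login, request["new_password"])
    store.revoke_sessions(login)
    return 200


def takeover_demo():
    """Send the same attacker request to both handlers.
    Returns (takeover_worked_vulnerable, takeover_worked_hardened, hardened_status)."""
    victim = "controller@example-client"
    attacker_request = {"login": victim, "new_password": "pwned"}

    store = UserStore()
    store.set_password(victim, "correct horse battery")
    change_password_vulnerable(store, attacker_request)
    vuln = store.login(victim, "pwned") is not None

    store = UserStore()
    store.set_password(victim, "correct horse battery")
    status = change_password_hardened(store, attacker_request)
    hard = store.login(victim, "pwned") is not None
    return vuln, hard, status


if __name__ == "__main__":
    print(takeover_demo())   # (True, False, 401)
```

The session revocation is the part most sites skip: PayChoice's own response ("modified all login IDs to prevent access to the site using potentially compromised credentials") is the manual, fleet-wide version of the same step, invalidating whatever the attacker already holds rather than only closing the door they came in through.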

In response to questions, the company sent an e-mailed statement, attributed to PayChoice chief executive Robert Digby.

"On Thursday, PayChoice deployed additional security measures to protect client data after the company identified a key mechanism used by online attackers. PayChoice's Online Employer site was briefly taken off line after the company discovered a security breach that occurred on October 14. PayChoice reopened the site with limited functions as it continues to tighten the security based on forensic findings from Wednesday's attack," Digby wrote. "PayChoice has communicated directly with its clients with precautionary recommendations and will update them as more information is available."

Steve Friedl, a security expert who writes the Unixwiz blog and also consults for Evolution Payroll -- a PayChoice competitor -- said the timing of this latest attack was notable: most of the payroll industry's leaders, PayChoice included, were busy exhibiting and attending talks at a major industry conference in Park City, Utah this week.

"The timing is impeccable," Friedl said. "Paychoice and many of their licensees are at a major payroll conference in Utah, so it's a ripe time to slip something by a short-staffed operation."

By Brian Krebs | October 15, 2009; 8:40 PM ET

 

Fugitive hacker headed back to U.S. for arraignment

Edwin Pena faces 20 federal charges related to hacking and wire fraud in VoIP theft scam
Sharon Gaudin
October 15, 2009 (Computerworld) A Miami man who for three years had evaded prosecution in connection with the theft and reselling of VoIP services is being extradited to Newark from Mexico today and is set to be arraigned in a New Jersey federal courthouse on Friday.

Edwin Pena, 26, had been arrested in June, 2006, on multiple computer and wire fraud charges, and then allegedly fled the country about two months later. He had been free on $100,000 bail. Pena was apprehended in Mexico in February and federal prosecutors have been working to get him extradited back to the U.S. since then, according to Assistant U.S. Attorney Erez Liebermann.

"He's been a fugitive for over three years," said Liebermann, who is prosecuting the case. "We're looking forward to proceeding with the prosecution."

Pena faces 20 charges, including conspiracy to commit computer intrusion and conspiracy to commit wire fraud. The U.S. alleges that from November 2004 to May 2006 Pena and a cohort hacked into the computer networks of VoIP service providers and routed calls made by customers of Pena's VoIP service through them.

According to a criminal complaint filed in U.S. District Court in New Jersey, Pena and co-conspirator Robert Moore of Spokane, Wash., sold more than 10 million minutes of VoIP service that had been stolen from 15 telecommunications providers. Prosecutors have contended that the lost minutes were valued at $1.4 million to the providers victimized in the alleged scam. Federal investigators contend that Pena was the mastermind behind the scheme and Moore hacked the systems.

In the fall of 2007, Moore pleaded guilty to conspiracy to commit computer fraud and began a two-year prison sentence.

Voice-over-IP systems route telephone calls over the Internet or other IP-based networks.

Moore scanned telecommunications company networks around the world, searching for unsecured ports -- the criminal complaint said that between June 2005 and October 2005, Moore ran more than 6 million scans of network ports within the AT&T network alone.

The complaint alleges that once Moore found unsecured networks, he would then e-mail Pena the key information needed to access vulnerable networks.

Once the networks were accessed, prosecutors allege that Pena ran brute force attacks to find the proprietary codes needed to identify and accept authorized calls coming into the networks. He allegedly used the codes to surreptitiously route his clients' calls through the systems.

According to court documents, Pena gained more than $1 million from the scheme. Some was spent to buy real estate in Miami, a 40-foot boat and luxury cars, including a BMW M3 and a Cadillac Escalade.

 

Avoid Windows Malware: Bank on a Live CD

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.

I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.

But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer.

Why is the operating system important? Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers. Also, the Windows-based malware employed in each of these recent online attacks against businesses was so sophisticated that it made it extremely difficult for banks to tell the difference between a transaction initiated by their customers and a transfer set in motion by hackers who had hijacked that customer's PC.

The now-infamous hack against Bullitt County, Ky. illustrated how thieves use malware to defeat two of the major lines of defense commonly used by banks to thwart unauthorized activity. Many banks offer customers the option for so-called "dual controls" - requiring at least two authorized employees to sign off on any money transfers. In that attack, thieves used malware planted on the treasurer's system to effectively add themselves as an authorized approver of transactions.

Banks also often keep track of the Internet addresses used by their customers, and erect additional security measures when those customers access their online accounts via unfamiliar addresses or computers. In the case of Bullitt County and at least three other victims I've interviewed in the past three months, the attackers used their malicious software to route their connection to the bank's Web site by tunneling through the victim's own Internet address and computer.

Malicious software also is helping thieves defeat so-called two-factor authentication, which generally involves requiring online banking customers to enter something they have in addition to their user name and password, such as the code generated by a key fob that creates a new, six-digit number that changes every 30 seconds.

Over the past two months, I wrote about the plight of two companies that were victims of online bank fraud despite the fact that their banks required the use of these security tokens.

David Johnston, owner of Modesto, Calif. based Sign Designs, lost nearly $100,000 on July 23 due to Windows-based malware. Johnston's bank requires customers to enter the code from a Vasco security token. But the thieves - armed with malware on the company controller's PC - were able to intercept one of those codes when the controller tried to log in, and then delay the controller from logging in. Indeed, Johnston said the company's computer logs show that the controller logged into the system while the series of thefts was already in progress.

Thieves used the same approach to steal $447,000 from Ferma Corp., a demolition firm in Santa Maria, Calif. whose bank also required customers to enter a code from a security token.
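The Sign Designs and Ferma thefts, and Litan's remark above that token-based layers "can easily be subverted when the customer's computer is under control of the thieves," come down to one property: a key-fob code proves only that whoever typed it first held the fob, and it says nothing about what the session then does. The code below is an added example written for this page (not any bank's or token vendor's code) that replays the intercept-and-delay attack against a login-time token, then shows why a code that is computed over the transfer itself (payee, amount, a bank-issued nonce) is useless to a thief who captures it. The fob is modelled as RFC 4226 HOTP; the shared seed, bank classes, payee names and amounts are constructed for the demo.

```python
"""Added example: why a login-time token code does not stop a thief who
controls the customer's PC, and how a code bound to the transaction itself
does.  Written for this page; not any bank's or token vendor's code.  The
'fob' is RFC 4226 HOTP over a shared secret; everything else is constructed."""
import hashlib
import hmac


def hotp(secret, counter, digits=6):
    """RFC 4226 event-based one-time code (what a key fob produces)."""
    h = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = ((h[off] & 0x7F) << 24 | h[off + 1] << 16 | h[off + 2] << 8 | h[off + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


class LoginTokenBank:
    """Token checked once at login; whatever the session then asks for is trusted."""
    def __init__(self, secret):
        self.secret, self.counter, self.sessions = secret, 0, set()

    def login(self, code):
        if hmac.compare_digest(code, hotp(self.secret, self.counter)):
            self.counter += 1                 # each code is accepted once
            session = len(self.sessions) + 1
            self.sessions.add(session)
            return session
        return None

    def transfer(self, session, payee, amount_cents):
        return session in self.sessions       # no further check on payee or amount


def transaction_code(secret, payee, amount_cents, nonce, digits=6):
    """Code that commits to the transfer's own details plus a bank-issued nonce."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    h = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(h[:4], 'big') % 10 ** digits:0{digits}d}"


class TransactionSigningBank:
    """Every transfer needs a code computed over that transfer's own details."""
    def __init__(self, secret):
        self.secret, self.nonce, self.used = secret, 1000, set()

    def challenge(self):
        self.nonce += 1
        return self.nonce

    def transfer(self, payee, amount_cents, nonce, code):
        expected = transaction_code(self.secret, payee, amount_cents, nonce)
        if nonce in self.used or not hmac.compare_digest(code, expected):
            return False
        self.used.add(nonce)                  # a signed transfer executes once
        return True


SECRET = b"constructed-demo-seed-not-a-real-token"


def replay_against_login_token():
    """Malware keylogs the code the controller types, uses it first, delays the real login.
    Returns (thief_transfer_executed, controller_login_rejected)."""
    bank = LoginTokenBank(SECRET)
    captured = hotp(SECRET, bank.counter)     # read off the controller's keystrokes
    thief = bank.login(captured)              # thief logs in first, from the victim's own PC
    stole = thief is not None and bank.transfer(thief, "mule-a", 980_000)
    controller = bank.login(captured)         # the real login, held back by the malware
    return stole, controller is None


def replay_against_transaction_code():
    """The same capture is worthless when the code is bound to the transfer.
    Returns (thief_transfer_executed, controller_transfer_executed, replay_executed)."""
    bank = TransactionSigningBank(SECRET)
    nonce = bank.challenge()
    captured = transaction_code(SECRET, "vendor-17", 420_000, nonce)  # controller signs a real invoice
    stole = bank.transfer("mule-a", 980_000, nonce, captured)          # thief swaps payee and amount
    legit = bank.transfer("vendor-17", 420_000, nonce, captured)       # controller's own payment
    replay = bank.transfer("vendor-17", 420_000, nonce, captured)      # same code submitted again
    return stole, legit, replay


if __name__ == "__main__":
    print(replay_against_login_token())        # (True, True)
    print(replay_against_transaction_code())   # (False, True, False)
```

The caveat a practitioner will raise is that transaction signing only helps if the controller computes the code from the payee and amount shown on a display the malware cannot alter (the token's own screen, a printed statement, a phone call), not from what the infected browser renders; a man-in-the-browser that rewrites the page can otherwise get the user to sign the thief's transfer. That is the same reason the column's own advice, taking the browser off the infected Windows install altogether, is the simpler fix.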

I'm not the only one recommending commercial online banking customers consider accessing their accounts solely from non-Windows systems. The Financial Services Information Sharing and Analysis Center (FS-ISAC) -- an industry group supported by some of the world's largest banks -- recently issued guidelines urging businesses to carry out all online banking activities from "a stand-alone, hardened and completely locked down computer system from where regular e-mail and Web browsing is not possible."

In direct response to this series reported and published by Security Fix, the SANS Technology Institute, a security research and education organization, challenged its students to produce a white paper determining the most effective methods for small and mid-sized businesses to mitigate the threat from these types of attacks. Their conclusion? While there are multiple layers of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix or Ubuntu. See the SANS report here (PDF).

Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-ROM. The beauty of Live CD distributions is that they can be used to turn a Windows-based PC temporarily into a Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a Live CD are loaded into system memory, and any changes -- such as browsing history or other activity -- are completely wiped away after the machine is shut down. To return to Windows, simply remove the Live CD from the drive and reboot.

More importantly, malware that is built to steal data from Windows-based systems won't load or work when the user is booting from LiveCD. Put simply: even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, that malware can't capture the victim's banking credentials if that user only transmits his or her credentials after booting up into one of these Live CDs.

The Arc of Steuben, a Bath N.Y.-based not-for-profit that provides care for developmentally disabled adults, has taken this advice to heart. In September, I wrote about how thieves had used malware to steal nearly $200,000 from the organization. Since then, the organization has restricted access to its online bank account to a Linux system on its network, according to an Oct. 1 report in the local Star Gazette.

"I would strongly recommend looking at whatever systems you're using if you're doing electronic banking," the Gazette quotes Bernie Burns, the Arc's executive director. "And if it is a Microsoft system, perhaps looking at something different."

Of course, a Mac computer would probably work just as well, but the focus here is on Windows users who may be looking for a cheap way to harden their existing setup to avoid malicious software.

If you've never used a Live CD and are interested in learning how, or if you just want to take a Linux operating system for a test drive, check out my tutorial on this topic here.

By Brian Krebs | October 12, 2009; 2:00 PM ET

 

IT analyst at NY Fed Reserve Bank pleads guilty to ID theft scheme

October 6, 2009 by admin


A former employee of the Federal Reserve Bank in New York, Curtis L. Wiltshire, pleaded guilty today to one count of bank fraud and one count of aggravated identity theft for having obtained student loans using stolen identities.

Kenneth Wiltshire, Curtis Wiltshire’s brother, pleaded guilty to related charges on September 15, 2009.

According to the indictment to which Wiltshire pleaded guilty, other documents filed in this case, and statements made in court during today's plea proceeding:

Wiltshire, 34, of Staten Island, New York, previously worked as an information and technical analyst at the Federal Reserve Bank of New York ("FRB-NY") in lower Manhattan. In that capacity he had access to information about FRB-NY employees, including names, dates of birth, Social Security numbers, and photographs. From 2006 to 2008, Wiltshire stole identities from the FRB-NY and used them to fraudulently obtain student loans from various federally insured banks. Over the course of the scheme, he sought multiple student loans, resulting in a total loss of approximately $200,000.

The bank fraud charge carries a maximum term of 30 years in prison and a maximum fine of the greatest of $1 million, or twice the gross gain or loss from the offense. The aggravated identity theft charge carries a mandatory two-year term of imprisonment, which must be consecutive to the sentence on the bank fraud charge, and a maximum fine of the greatest of $250,000, or twice the gross gain or loss from the offense.

Wiltshire is scheduled to be sentenced by United States District Judge P. Kevin Castel on January 8, 2010, at 3:30 p.m. Kenneth Wiltshire's sentencing before Judge Castel is scheduled for January 8, 2010, at 3:00 p.m.

 

Microsoft Security Fix Breaks Record Set In June


Next week's "Patch Tuesday" will keep IT administrators busy. Fixes include two zero-day vulnerabilities, at least one of which is actively being exploited.


By Thomas Claburn, InformationWeek
Oct. 9, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=220600140



In June, Microsoft issued 10 security bulletins addressing 31 vulnerabilities, the largest number of vulnerabilities fixed in a single day since the company began issuing regular patches on the second Tuesday of every month in October 2003.

This coming Tuesday, the company's four-month-old record will fall: Microsoft's October patch cycle includes 13 bulletins that address 34 vulnerabilities.

Eight of the bulletins are rated "critical" and five are rated important. The bulletins affect Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server.

According to a blog post by Microsoft senior security program manager Jerry Bryant, the patch will resolve two issues described in recent security advisories: a Server Message Block (SMB) vulnerability and an FTP vulnerability in Microsoft Internet Information Services (IIS).

"Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible," said Bryant.

Microsoft has acknowledged that there have been limited attempts to exploit the FTP/IIS vulnerability.

The SMB advisory says Microsoft isn't aware of attempts to exploit the SMB hole.

Last month, Microsoft posted a temporary fix for the SMB vulnerability, a clickable link that disables SMB v2.

Windows 7, which won't officially be released until October 22, is scheduled to receive its first patch on Tuesday. Five of the 13 bulletins -- one "critical" and four "important" -- apply to Windows 7. The critical bulletin affects Internet Explorer 8 under Windows 7.


Password Scam Widens To Google, Yahoo
Wednesday, October 07, 2009



The scale of the phishing attack on Hotmail could stretch further than first thought, with accounts on Google and Yahoo now threatened.

Microsoft confirmed on Monday that the popular email site had been the target of a scam which tricked users into revealing their passwords. This led to around 10,000 passwords being posted online.

The computer company said their servers were not responsible for the security breach and that individuals had been conned into handing over their details. But it has been reported that more lists have also been circulated with genuine account information relating to email on Google, Yahoo, Comcast and Earthlink, as well as other third-party web mail services.

Neil O'Neil, an ethical hacker and digital forensics investigator at secure payments specialist The Logic Group, said up to a million passwords could have been accessed.

"Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft," he explained.

"People tend to have the same password across many accounts — so there is a good chance that individuals have also compromised the integrity of their eBay or PayPal accounts too.

"The list went through A and B, so you would think whoever released these has more. And if you do the maths, they could have more than a million passwords."

Hackers and cybercriminals attempt to trick people into handing over personal details, including email addresses and passwords. Internet users may be directed to false websites, set up to mirror legitimate websites, that feed information back to the criminals.

News of the scam broke when technology blog neowin.net reported an anonymous user had published confidential details on pastebin.com. Internet users are urged to change their passwords regularly and ensure anti-virus software is up to date to protect themselves from fraudsters.

A Microsoft spokesman said: "We are aware that some Windows Live Hotmail customers' credentials were acquired illegally by a phishing scheme and exposed on a website."

They added that they requested the details be removed from the internet and they launched an immediate investigation. The company are also taking measures to block the accounts which were hit.

A spokesman for Google said they were aware that some Gmail accounts had been part of the phishing scam and said — while their servers were not responsible — they had taken steps to ensure security.

And a spokesman for Yahoo said they take great effort to protect their users' security and that they urge consumers to take measures to secure their accounts whenever possible, including changing their passwords.


FBI Arrests Dozens for Phishing ID Theft Scheme
Wednesday, October 07, 2009



LOS ANGELES — The FBI is arresting dozens of people in the United States and overseas to crack an identity theft ring that victimized thousands of people.

Laura Eimiller, an FBI spokeswoman in Los Angeles, says agents are making arrests Wednesday morning in Southern California, Nevada, North Carolina and overseas.

She says about 100 arrests are expected, many in the Los Angeles area.

Eimiller says an indictment accuses the suspects of running a "phishing" scheme. They allegedly used computer intrusion and fraud to obtain personal information that allowed them to withdraw money from bank accounts.

In "phishing," people answering an e-mail are directed to a bogus Web site where they are asked to update personal information, such as passwords and account numbers.

Monday, October 05, 2009


Beware Hijacked Social Networking Accounts, FBI Warns

Social networking sites are becoming a more popular attack vector for cybercriminals because people trust those they believe to be friends.


By Thomas Claburn, InformationWeek
Oct. 2, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=220300878



Think twice before wiring money to help a Facebook friend who claims to be in trouble in a foreign country.

Marking the commencement of National Cybersecurity Awareness Month, the Federal Bureau of Investigation (FBI) on Thursday warned that there's been an increase in hijacked social networking accounts and that cybercriminals are using these accounts to defraud victims' friends.

Since 2006, there have been 3,200 reports of account hijackings, according to the Internet Crime Complaint Center (IC3).

Such scams often begin with spam messages.

"When opened, the spam allows the cyber intruders to steal passwords for any account on the computer, including social networking sites," the FBI said. "The thieves then change the user's passwords and eventually send out distress messages claiming they are in some sort of legal or medical peril and requesting money from their social networking contacts."

Facebook's security blog includes a transcript posted in August of a chat conversation in which this very scam is played out.

"Pretending to be Derek's friend Jill, the scammer tells Derek that she was mugged at gunpoint in London, and that she needs him to wire her $890 immediately," Facebook explains. "Derek becomes more and more suspicious as the conversation progresses and ultimately realizes that the person he's talking to isn't his friend, and that the story he's being told is a lie."

Another common scam, the FBI said, involves phishing spam that presents a fake notice about some issue requiring attention, such as a terms of service violation, account expiration, or unexplained account activity. Messages of this sort often seek to prompt recipients to click on a link that leads to a malicious site and to provide personal information or account details.

The reason that cybercriminals seek to abuse social networking accounts is that messages from friends have an appearance of legitimacy.

As if to underscore the FBI's concern, Roger Thompson, chief of research at AVG Technologies, reported in a blog post on Thursday that his company had detected a series of identical Facebook profiles, differentiated only by profile names, set up to distribute fake anti-virus software through a link purporting to be a home video.

The FBI advises users to check their privacy settings on social sites to make sure they're not exposing too much information; be selective about friends on social sites; disable unused sharing options; be careful about links posted to social sites; and review the security settings and procedures at social sites.


Express Scripts: 700,000 notified after extortion
Robert McMillan
September 30, 2009 (IDG News Service) Nearly a year after being hacked by computer extortionists, pharmacy benefits management company Express Scripts now says hundreds of thousands of members may have had their information breached because of the incident.

Last November, the company reported that someone had threatened to expose millions of customer prescription records, but it has come under criticism for being vague about how many of its customers' records were accessed. Now the company says that about 700,000 have been notified.

The trouble started for the St. Louis-based company in October 2008, when it received a letter containing the names, birth dates, Social Security numbers and prescription data of 75 patients. The extortionists threatened to turn the information public if they weren't paid. Express Scripts refused and instead notified the U.S. Federal Bureau of Investigation. The company is now offering a US$1 million reward for information leading to the arrest of the perpetrators.

Express Scripts has not said how the criminals managed to get hold of the data, but in an e-mailed statement the company said that "there have been no reported cases of misuse of member information resulting from the incident."

In a June court filing, the company said that three of its customers have also been approached by the extortionists.

Toyota is one of those companies. In November 2008 it received a letter that was similar to the October Express Scripts threat, from extortionists who threatened to release information on Toyota employees and their dependents.

Express Scripts manages pharmacy benefits for corporations and government agencies. It reported $22 billion in revenue last year.

Customers are not the only people who have been approached by the criminals. A few weeks ago, an unidentified law firm was also provided with more records, according to Express Scripts spokeswoman Maria Palumbo. That firm turned over the records to the U.S. FBI, which in turn informed Express Scripts.

"In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt," the company said on its Web site. "Express Scripts is in the process of notifying these members."

In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.

It's troubling that Express Scripts has apparently been unable to figure out exactly whose data was accessed, said Dissent, a health care professional who runs the Databreaches.net Web site and uses a pseudonym to keep her privacy advocacy separate from her professional practice. "Given that they may not really yet know the full scope of this incident and that we really cannot be sure that the extortionist didn't acquire the entire database, it would seem prudent to notify everyone whose records were in the database," she wrote in an e-mail interview.

"This breach is certainly not the largest breach involving personal health information that we've seen," she said. "But it is nevertheless a very troubling breach because it signals that cybercriminals are recognizing the value of databases containing patient information even where no financial or credit card information is included."


Large online payroll service hacked
Login data on unknown number of PayChoice customers stolen
Jaikumar Vijayan
October 1, 2009 (Computerworld) In a somewhat unusual data breach, hackers recently stole the login credentials of an unknown number of customers of payroll processing company PayChoice Inc., and then attempted to use the data to steal additional information directly from the customers themselves.

The breach, first reported by the Washington Post this week, took place on Sept. 23 and involved PayChoice's onlineemployer.com portal site. Hackers broke into the site and managed to access the real legal name, username and the partially masked passwords used by customers to log into the site.

They then used the information to send very realistic looking phishing e-mails to PayChoice's customers directing them to download a Web browser plug-in to be able to continue using the onlineemployer.com service. Each of the messages addressed people by their real names and contained their real username and passwords (partially masked), which had been harvested earlier from PayChoice.

Users who clicked on the link to download the plug-in instead got infected with a username and password stealing Trojan.

It is not immediately clear how many customers might have actually clicked on the malicious link.

PayChoice, based in Moorestown, N.J., provides payroll processing services and technology. The company bills itself as the "national leader" in the payroll services and software industry and claims over 125,000 business customers.

In an e-mail statement to Computerworld, PayChoice said it discovered the security breach in its online system last Wednesday.

"We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve," CEO Robert Digby said in the statement. Once the company discovered the breach, it immediately shut down the online system and instituted "fresh measures" to protect client information, the statement said.

The company has also engaged two outside forensic experts to help figure out the full scope of the intrusion. "PayChoice is determined to find the cause and extent of the breach and to take further measures to prevent a future occurrence," Digby said.

Steve Friedl, an independent security consultant, said he first heard of the breach last Thursday when a PayChoice customer informed him. He said that at this point, it is not clear what other information the hackers might have gotten access to.

But it appears very likely that the only data the hackers accessed was the information they included in the fake e-mails that PayChoice's customers received, said Friedl, who wrote about the incident in his blog.

If hackers had in fact accessed more data, it is highly unlikely that they would have resorted to sending out those additional e-mails to PayChoice's customers, thereby running the risk of being exposed, he said.

Friedl said the links in the phishing e-mails were to Web sites hosted at Yahoo. The malware itself was a password-stealing Trojan that was designed to send the stolen information to a Web server in Sweden.

The relatively poor English in the e-mails appears to indicate that those behind the attack were from outside the country, he said.

Chris Wysopal, chief technology officer at application security vendor Veracode Inc., said the breach is interesting because it shows that hackers are looking for targets other than credit card numbers and social security numbers to steal.

"The market is saturated with [stolen] credit card data," Wysopal said. A credit card record that was worth $10 in the underground in 2007 today can be had for about 50 cents, he said.

As a result cybercrooks looking to monetize what they are doing are moving up to higher value attacks where possible, he said.

In this case, the hackers appear to have been trying to install keystroke loggers to get information that would have allowed them to access the online banking accounts of PayChoice's customers, he said. "That is where they would have got tens of thousands of dollars," had they been able to pull it off.

An online payroll service company such as PayChoice presents a "huge attack surface" to those looking for ways to compromise it, Wysopal said. "An application like that, which is exposed to the Internet, is susceptible to SQL injection, cross-site scripting," and numerous other Web application attacks, he said.
