[SecurityRatty] tag: funds

Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft

Mon, 25 Aug 2008 09:57:47 +0000

Criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds. Thursday night, an unknown hacker, possibly indian, successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it [...]

Corporate Identity Theft

Sat, 16 Aug 2008 05:58:30 +0000

I remember a talk by the value investor Mason Hawkins (Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at some point, where there is a rule of law. Here is one example of what he is worried about and why investing in places where your assets have no legal protection does not give the investor a margin of safety.

Hermitage Fund was until recently the largest fund in Russia. From the Business Week story "Hijacking the Hermitage Fund"

Corruption, intimidation, robbery, violent assault, forgery, large-scale fraud. No, not the subject of the latest John Grisham novel, but sensational allegations, made public Apr. 4 by Hermitage Capital Management -- until recently the largest foreign portfolio investor in Russia. In a detailed and damning report, titled Criminal Justice -- Russian-Style, Hermitage alleges the fund's Russian subsidiaries have fallen victim to an elaborate con designed to defraud the fund of hundreds of millions of dollars.

The most sensational part of Hermitage's allegations is that the attempted larceny was carried out with the direct connivance of officials in the Russian police. Hermitage alleges the police seized documents and equipment that were instrumental to the attempted fraud, which involved bogus court cases based on forged documents, the aim of which was to sue Hermitage subsidiaries for hundreds of millions of dollars. "The most shocking thing is not that there are corporate raiders in Russia who attempt to steal your shares," says Jamison Firestone, managing partner of Firestone Duncan, Hermitage's law firm. "The shocking thing is that the police worked hand-in-hand with them, and actually performed the theft of the documents so that the corporate raiders could then do their work."

From the most recent Hermitage Fund letter, here is the current state:

So the two-pronged scam worked in one area and failed in another. The perpetrators weren’t able to steal the assets from us based on the fake court claims, but they were able to steal $230 million from the Russian government by filing amended tax returns on behalf of our stolen companies. What makes this story even more shocking is that we filed six 255-page criminal complaints with the Russian authorities in December last year, one month before the tax fraud took place, and they did nothing to stop it. Two complaints were sent to the Russian General Prosecutor, two to the Russian State Investigative Committee and two to the Internal Affairs Department of the Interior Ministry. There was enough information to prevent the fraud and indict a number of people behind it if the government had acted.
Instead of doing anything to save the Russian state from this highly sophisticated and organized looting, two of our complaints were thrown out immediately; two were returned to the same Interior Ministry official we were complaining about (essentially, he was being asked to “investigate himself”); and one was thrown out for “lack of any crime committed.” Only one complaint was taken seriously. It was taken up by the Russian State Investigative Committee in early February, but before it could get any traction, the case was lowered to the South region of the Moscow district of the State Investigative Committee (the lowest level of the Committee) and by June, another senior Interior Ministry official whom we had named in our complaint had joined the “investigation” team (again, to “investigate himself”). To this day there has been no serious response by the Russian authorities to this massive fraud against the Russian state.
As we described in our April letter, the problem of corporate “raiding” is now so endemic in Russia that President Medvedev speaks about it as one of the biggest problems faced by Russian businesses. In this case, raiders have taken this problem to a new and absurd extreme by “raiding” the Russian state itself and so far getting away with it. Together with HSBC, we will shortly be filing new criminal complaints with the Russian General Prosecutor and Russian State Investigative Committee as well as with many law enforcement authorities outside of Russia. It is hard to predict what will happen next in this unfolding and unbelievable saga, but as always we will keep you updated on any further developments as they arise.

Of course we see individual identity theft on a regular basis (actually as Ross Anderson points out its not really identity theft but poor controls on the bank's parts using SSNs as secrets and so on), but you dont see a major corporation stolen every day.

419 Mail Targets Musicians

Wed, 06 Aug 2008 03:13:03 +0000

One of my musician colleagues received the following email:

------Original Message------
From: smith douglas
Subject: lovely song
Sent: Aug 5, 2008 5:50 PM

Hello Lovely vocalist

I am Olatunji Hassan a music lover and I must say I listened to
your song via the internet and was moved.I lived in the United
States all my life and now I am back in my father land(AFRICA)
I must also lay my emphasis on the fact that I still travel to
us when the country is pretty hot.
I am the C.E.O of Douglas compensations
The compensation company is a company which has gotten the
approval of the Government to dispatch lost funds and recovered
theft funds to individuals who seems to need the funds.
I am using the power bestowed on me by my Government to approve
the sum of 100,000 United states Dollars for you.
your urgent reply is needed in regards to this development.
Olantunji Hassan.

Of course, it's a scam. There are plenty of musicians promoting their music on their websites, blogs, fan sites and forums - which presents scammers with a huge selection of targets to choose from. Be on your guard...

VCsChoosing How to Invest

Mon, 04 Aug 2008 06:23:13 +0000

Don Dodge has a series going on about VCs and why startups fail, and he says VC’s say no to startups 99% of the time, yet still choose failing companies 33% of the time or so. Interestingly he compares the selection process to the way investors choose their stocks –

I would guess that every one of you reading this blog have a stock portfolio with 5 to 10 individual stocks or mutual funds. There are more than 5,000 publicly listed companies to choose from, and another 5,000 mutual funds. But, out of 10,000 possible companies you chose 10 to invest in. Why? Why did you reject the other 9,990 companies? Obviously there are more than 10 good companies to invest in. Other investors chose to invest their money in the other 9,990 companies…why not you?

I suppose the difference must be that many investors aren’t actively involved in their investments (maybe entrepreneurs are more so, since they have to know a certain investment space quite well)…

It sounds to me a lot like the editorial selection process for book manuscripts, articles, and so forth — editors receive a ton of submissions and they have to be choosy. Sometimes they don’t pick winners; sometimes they pick losers. More importantly, each has a personal style, opinions, preferences, and they are trying to appeal to a certain audience. It’s interesting to think that VCs are similar but makes sense–the end question of “What will be successful” really depends on the consumer base and industry, and VCs are just people who probably know and prefer to interact with a certain type of consumer base or audience.

The Magical ATM Card and SMS Message in Thailand

Sun, 03 Aug 2008 09:30:52 +0000

It was not too long ago that I penned Keyloggers: Why Banks Need Two-Factor Authentication. In that post, I briefly mentioned how a number of banks in Thailand use inexpensive SMS-based two-factor authentication (2FA) with one-time password (OTP) to authenticate transactions.

One of my favorite banks in Thailand is K-Bank. With K-Bank I can simply walk up to an ATM machine and pay a mobile phone bill, purchase mutual funds, buy insurance, or transact an ever-growing list of services payable at the modern and sleek K-Bank ATM.

For example, tomorrow I fly to Chiang Mai in Northern Thailand and found K-Bank’s service amazingly better than in the US. For example, I booked my flight as usual (over the phone, but could have used the Internet) and told the reservation agent I was going to pay by ATM. He simply gave me a PayCode and told me I had three hours to go to the ATM and enter the PayCode to perfect my reservation. I also got the PayCode via SMS. This gave me the time I needed to make sure I had booked the perfect boutique hotel in Chiang Mai, the Fern Paradise.

Then, I went out into the beautiful Thai weather and completely my airplane reservation at the ATM machine; which also printed out a receipt with my flight details and reservation number.

It sometimes amazes me how much further advanced some services are in Thailand compared to the US. To me, it feels more secure not to use an on-line payment center or give out my credit card details over the phone. I can simply book a ticket, take a PayCode, and complete the transaction at a nice modern, shiny, K-Bank ATM machine.

Who knows, maybe soon I can select the perfect window seat at the ATM and the receipt will act as my boarding pass!

Smash and Grab

Tue, 22 Jul 2008 09:27:42 +0000

Ever wondered how much damage can be caused with what is likely a few handily placed keyloggers and trojans?

Well, this is probably a good (bad?) place to start.

"Also while that was happening the person who stole my GoDaddy account also stole our paypal accounts and charged several thousand dollars to us. PayPal is working to get that money back, so far about 600.00 was retrieved but we are still waiting for news on the other funds."

Ouch....

Money Mule Recruiters use ASProx's Fast Fluxing Services

Fri, 18 Jul 2008 02:23:49 +0000

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc. ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information."

The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :

ns10.cashtransfers.tk
ns11.cashtransfers.tk
ns1.cashtransfers.tk
ns12.cashtransfers.tk
ns2.cashtransfers.tk
ns13.cashtransfers.tk
ns3.cashtransfers.tk
ns14.cashtransfers.tk
ns4.cashtransfers.tk
ns15.cashtransfers.tk
ns5.cashtransfers.tk
ns16.cashtransfers.tk
ns6.cashtransfers.tk
ns17.cashtransfers.tk
ns7.cashtransfers.tk
ns8.cashtransfers.tk

With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

The most insecure banking/sales terminal

Mon, 14 Jul 2008 09:27:20 +0000

Can you imagine an ATM running Windows XP Home Edition and being connected to the Internet or a Point of Sale terminal running Tetris? – Unlikely! Why then is allowing a customer to use any computer on the Internet to connect to the banking system, and transfer much more money than you can take out of a cash machine, a good idea? Why did arguably the most conservative organisations in the world – the banks – agree to lower their defenses so low that they practically invited the criminals in?

The answer is simple – the same reasons why even risk-averse investors were chasing after every Internet company in the late 90s – the attractiveness of the global scale and reduced costs of e-channels.

Over the years, payments and savings have always been a subject of the most advanced protection:

Banknotes have watermarks and other security features to resist counterfeiting
Cheques require the account holder's signature
ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and their security. This is being very effectively exploited by criminals and the banks are looking for a solution. Personal computers are not tamper proof sales terminals, therefore it is unfeasible to rely on the customer to keep them 100% secure. No one can take away online banking but banks can deploy new security measures, and solving this problem requires a new innovative approach that can equally address security, ease of use, and cost.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.

Malware and Office Documents Joining Forces

Mon, 14 Jul 2008 07:20:34 +0000

Common office files as documents, presentations, spreadsheets and PDF files, are the most widely abused ones in targeted attacks, which when backed up with enough personal information and take into consideration the time of their attack if the social engineering campaign is either going to be based on a current/upcoming event, or on an event anticipated due to information gathered through open source intelligence, often make it through common signature based scanning solutions.

Despite the relatively easy to obtain, point'n'click DIY tools for backdooring common office files are available for the script kiddies to take advantage of, some are naturally remaining proprietary tools, making them harder to analyze unless a copy is obtained. Like this one, generating "undetected" by signatures based scanning, office documents and spreadsheets that would drop the actual malware on the PC.

Automatic translation of its description and core features :

"The program represents a generator OfficeJoiner macros in the language Visual Basic for Application (VBA), for introduction in the document Microsoft Office Word / Microsoft Office Excel executable file (win32 exe), followed by fully automatic recovery and launch, without any additional action by the user. The only requirement that formed in such a way xls / doc files is to support VBA macros on the computer end-user formed file and permission to launch macros.

The program uses NOT a vulnerability (exploit) or macro-virus tools for the introduction, extraction or running embedded files. This means that it has generated macros compatible with ALL versions of Microsoft Office products starting with Microsoft Office 97 package, with any established "patches" and the service pack. Macros generated by this program not detected antivirus, for the simple reason that they are not viruses or macro viruses. The program uses only "established" means products built into Microsoft Excel VBA language to achieve their goals.

- Fully automatic generation of macro for the introduction of documents word / excel any given exe-file with his persistence in the body and subsequent documents automatic recovery and launch, when opening a document word / excel.

- Generated macros are compatible with all versions of ms word / excel since version 97, employments and regardless of the presence / absence of any patches / servicepacs.

- Generated macros are not macro-viruses, exploits do not use and do not contain any malicious code, so do not be detected by any antivirus tools as viruses.

- Conversion body ex-file macro happening in such a way that while in doc / xls file it not detected any antivirus, and can be freely sent by mail safely passed all checks, even if in itself contains viral code defined antivirus.

- Sgenerirovanny and attached to the body of the document macro can be protected with a password or signed certificate, using funds established Microsoft Office, which does not affect him productivity or efficiency (macro, in any case remain fully workable).

- Box macro can be made both in the new document, and in any document containing data and-or other macros. Generated program code is fully compatible with any other embedded in the document macros or entering data, and will not interfere with their work, as well as maintain its efficiency.

- Added auto-finding ways to extract exe-file;

- Added possibility of a macro arbitrary text in the body of the instrument;

- Optimized algorithm macro-generation code;

Enabling this option will lead to the creation macro code, who himself will find a way to unpack and run embedded exe-file. Auto-search finds the current user folder and produces there extraction and launch embedded file. The peculiarity of this method is that this method will work on the computers of users with a limited account, because in its user folder in any case has the right to record / performance. Using this option is justified to improve the "punching" macro on computers with limited account or unknown file structure (let Windows installed on the disk is different from C).

You can specify a name for final file independently, or leave blank, then the name will be generated automatically.

On this possibility has asked for a user program, its essence is that after running a macro, retrieval and downloading exe-file the document with the introduction of exe-file will be withdrawn posed text. Perhaps in this way can improve the application of social engineering, designed to force the user to allow support for macros. For example, in the text of the document indicate:

"This document contains hidden text (password, a system of calculation formulas, interactive components, etc.), Which can be viewed only after the inclusion of support macros. Please enable support for macros and re-opening this document ".

After resolving support macros, and the implementation of embedded exe-file, the document will be withdrawn given a string containing probable "password" or any other textual information. "

Despite that the tool is proprietary, the underground economy's leaks are largely driven by bargain hunters who would exchange proprietary tool, whose often biased exclusiveness may increase the profit margins, for a service or a good that may be worthless for them in general, but impossible to obtain and take advantage of in the present. It will not just leak in one way or another, someone will inevitably backdoor the backdooring tool and trick the novice bargain hunters into running it, by having both their host infected and money taken.

Related posts:
The Underground Economy's Supply of Goods and Services
Yet Another DIY Proprietary Malware Builder
The Small Pack Web Malware Exploitation Kit - Proprietary
DIY Exploit Embedding Tool - A Proprietary Release
Skype Spamming Tool in the Wild - Proprietary Release

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.