[SecurityRatty] tag: profile

Localizing Cybercrime - Cultural Diversity on Demand Part Two

Tue, 25 Nov 2008 05:55:21 +0000

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

Another link spammer

Sun, 23 Nov 2008 16:45:45 +0000

Yet another link spammer is cluttering up my in-box. You’d think that after exposing this one, and this one, and this one, they’d know better.

The latest set of miscreants operates under the brand “goodeyeforlinks.com” and claim to “use white hat SEO techniques in order to get high quality, do-follow links to your website”. They also claim to be “professional” which in this case must mean you pay for their services, since sending out bulk unsolicited email is anything but professional.

Nevertheless, although their long term aim may indeed be to make money from legitimate, albeit foolish, businesses seeking a higher profile, the sites they have been promoting so far are anything but legitimate. In fact they’ve been fake sites covered with Google adverts (so-called “Made for AdSense” (MFA) sites).

They started by asking me to link to “entovation.net” which they claim is “page rank 3″. In fact it is page rank 3 (!) and a blatant copy of http://www.acentesolutions.com which appears entirely genuine (albeit only page rank 1). They have also been promoting “poland-translation-services.com“, which claims to be a site offering “A large team of 2,500 translators specializing in each sector, located in over 30 countries” …

However, this site is clearly fake as well. I haven’t tracked down where it all comes from, but much of this page comes from this Argentinian page, the text of which has been pushed through Google’s Spanish to English translation tools… which sadly (for example) renders

Comentarios: Se considera foja al equivalente a 500 palabras. Si el documento a traducir es menor a una foja, se lo considerará como una foja.

into

Comments: foja is considered the equivalent of 500 words. If the document is translated to a lesser foja, we will consider as a foja.

which makes the 2500 translators look more than a little bit foolish!

The fake websites are hosted by EuroAccess Enterprises Ltd. in The Netherlands (which is also where the email spam has been sent from). I’m not alone in receiving this type of email, further examples can be found here, and here, and here, and here, and here, and here, and even here (in Spanish).

EuroAccess have a fine ticketing system for abuse complaints… so I’m able to keep track of what they’re doing about my emails drawing their attention to the fraudsters they are hosting. I am therefore fully aware that they’ve so far marked my missives as “Priority: Low”, and nothing else is recorded to have been done… However, the tickets are still “Status: Open”, so perhaps a little publicity will encourage them to reassess their prioritisation.

The DDoS Attack Against Bobbear.co.uk

Wed, 19 Nov 2008 05:35:01 +0000

When you get the "privilage" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated countersurveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

OAuth for Secure Mashups

Tue, 18 Nov 2008 14:41:00 +0000

Posted by Eric Sachs, Senior Product Manager, Google Security

A year ago, a number of large and small websites announced a new open standard called OAuth. This standard is designed to provide a secure and privacy-preserving technique for enabling specific private data on one site to be accessed by another site. One popular reason for that type of cross-site access is data portability in areas such as personal health records (such as Google Health or Microsoft Healthvault), as well as social networks (such as OpenSocial enabled sites). I originally became involved in this space in the summer of 2005, when Google started developing a feature called AuthSub, which was one of the pre-cursors of OAuth. That was a proprietary protocol, but one that has been used by hundreds of websites to provide add-on services to Google Account users by getting permission from users to access data in their Google Accounts. In fact, that was the key feature that a few of us used to start the Google Health portability effort back when it was only a prototype project with a few dedicated Googlers.

However, with the development of a common Internet standard in OAuth, we see much greater potential for data portability and secure mash-ups. Today we announced that the gadget platform now supports OAuth, and the interoperability of this standard was demonstrated by new iGoogle gadgets that AOL and MySpace both built to enable users to see their respective AOL or MySpace mailboxes (and other information) while on iGoogle. However, to ensure the user's privacy, this only works after the user has authorized AOL or MySpace to make their data available to the gadget running on iGoogle. We also previously announced that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs. In fact, since both the gadget platform and OAuth technology are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards. Once that is in place, these new OAuth-powered gadgets that are available on iGoogle will also work on those other sites, including many of the gadgets that Google offers for its own applications. This provides a platform for some interesting mash-ups. For example, a third-party developer could create a single gadget that uses OAuth to access both Google OAuth-enabled APIs (such as a Gmail user's address book) and MySpace OAuth-enabled APIs (such as a user's friend list) and display a mashup of the combination.

While the combination of OAuth with gadgets is an exciting new use of the technology, most of the use of OAuth is between websites, such as to enable a user of Google Health to allow a clinical trial matching site to access his or her health profile. I previously mentioned that one privacy control provided by OAuth is that it defines a standard way for users to authorize one website to make their data accessible to another website. In addition, OAuth provides a way to do this without the first site needing to reveal the identity of the user -- it simply provides a different opaque security token to each additional website the user wants to share his or her data with. It would allow a mutual fund, for example, to provide an iGoogle gadget to their customers that would run on iGoogle and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a social security number or account number. In the future, maybe we will even see industries like banks use standards such as OAuth to allow their customers to authorize utility companies to perform direct debit from the user's bank account without that person having to actually share his or her bank account number with the utility vendor.

The OAuth community is continuing to enhance this standard and is very interested in having more companies engaged with its development. The OAuth.net website has more details about the current standard, and I maintain a website with advanced information about Google's use of OAuth, including work on integrating OAuth with desktop apps, and integrating with federation standards such as OpenID and SAML. If you're interested in engaging with the OAuth community, please get in touch with us.

OAuth for Secure Mashups

Tue, 18 Nov 2008 14:41:00 +0000

Three ways Internet crime has changed

Mon, 03 Nov 2008 02:00:00 +0000

Rather than taking down high-profile networks, today's cybercriminals are quietly taking over vulnerable Web sites as part of an elaborate process in the underground economy.

Money Mules Syndicate Actively Recruiting Since 2002

Tue, 28 Oct 2008 05:44:21 +0000

Money mules have already been an inseparable part of the underground ecosystem. And while others try to hide their activities by outsourcing their hosting needs to botnet masters partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational security) by establishing a trust based model based on recommendations in order to even consider letting you register for their services. Their geographical location not only reflects the average time it would take to take action against their activities and expose yet another extensive network of fraudulent operations, but also, has the potential to increase or decrease the commissions that the mules take based on the risk factor of getting caught.

There are several different types of money mules, those serving themselves, and those offering their services to others, in this particular case, we have a money mules syndicate that's been operating since 2002, and is only serving the high profile customers. What happens when such a money mule syndicate (naturally) starts vertically integrating by offering value-added services like credit card balance checking and date of birth lookups? Profits apparently increase, since the syndicate is actively recruiting and is currently looking for 20 to 30 mules -- their current staff is said to be approximately 100 people -- to cash out anything from bank account logins, Paypal accounts, to stolen credit card data. Here's a translated description of the service :

"Who we are?

- First place at (cyber crime community) top list of trusted service providers for 2008
- We serve the big guys only since 2002
- We never scam, in business since 2002 without a single scam complaint
- We look for you, you don't look for us
- We offer outstanding working conditions and high commissions

Who you should be?
- Dedicated person with experience in the field
- Have been in the business for at least 6 months
- Have been recommended by at least 1 person from (cybercrime community) and from (cybercrime community)
- You take 45% commission of the processed check, minimal amount is $3000
- You pay a membership fee

In the next two months we draw the command of 20-30 people who will most satisfy our requirements. For the selected team will be Paradise conditions:

- Instant payment (a few hours after delivered)
- Large numbers to drop service in the USA and the UK (30)
- Individual drop in the number of large islands
- 3-5 fresh weekly drop
- Round-the-clock support"

In case some of their customers get scammed -- appreciate the irony here as scammers compensate the scammers getting scammed by the scammer's outsourced personnel -- by some of their money mules, the service is offering compensation for the stolen goods/amount of money, clearly speaking for the revenues it is to prone to be generating. OPSEC (Operational Security) has been taking place across high-profile cybercrime communities during the last quarter, mostly in response to their increasing awareness that in the very same way they keep track of the major anti-fraud features implemented across their services of (ab)use, those implementing them could be monitoring them as well.

Compromised Portfolios of Legitimate Domains for Sale

Fri, 24 Oct 2008 06:24:33 +0000

Is the demand for access to compromised legitimate portfolios of domains -- where the price is based on the pagerank and is shaped by the number of domains in question -- the main growth factor for the increasing supply of such stolen accounting data, or is it the result of cybercriminals data mining their botnets for accounting data that would provide them with access to such portfolios of high trafficked domains with clean reputation? Moreover, would such a data mining approach made easily possible due to the availability of botnet parsing services and stolen accounting data dumps streaming directly from a botnet, would in fact be the more efficient approach in injecting their malicious presence on as many hosts as possible, next to the plain simple massive SQL injection approach?

As always, it's a matter of who you're dealing with, and their understanding of the exclusiveness of a particular underground item at a given period of time. This exclusiveness is inevitably going to increase due to the fact that they're several "vendors" that are already purchasing access to such portfolios, as well as compromised Cpanel accounts as a core business, the access to which they would later on either resell at a higher price enjoying the underground market's lack of transparency, or directly monetize and break-even immediatelly. As for this particular proposition for an account with 404 domains in it, it's interesting to monitor how the seller is soliciting bids from multiple sources by leaving the price an open topic, clearly indicating his low profile into the underground ecosystem. How come? An experienced seller or buyer would be offering or requesting page rank verification respectively.

With nearly each and every aspect of cybercrime already available as a service, or literally outsourced as a process to those supposidely excelling into a particular practice, building capabilities for data mining botnets is no longer a requirement, with the people behind the botnets monetizing all the data coming from it by soliciting deals of accounting data dumps based on a particular country only.

OWASP European Summit - Portugal

Wed, 15 Oct 2008 14:27:22 +0000

Portugal/Algarve - 4th - 7th November 2008

Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see herehttps://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

Application Security Verification Standard,
Code review guide, V1.1,
Ruby on Rails Security Guide v2,
Securing WebGoat using ModSecurity,
Testing Guide v3,
GTK+ GUI for w3af project,
Access Control Rules Tester,
AntiSamy .NET,
Live CD & DVD Project,
OpenPGP Extensions for HTTP,
Orizon Project,
Python Static Analysis,
WebScarab-NG,
And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

OWASP Top 10 2009,
Browser Security,
Web Application Framework Security,
Enterprise Security API Project,
Best Practices for OWASP Chapter Leaders,
OWASP Documentation Projects,
OWASP Tools Projects,
OWASP Education Project,
OWASP Strategic Planning for 2009,
OWASP Certification,
OWASP Winter of Code 2009
Two-way Internationalization of OWASP Content
And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

OWASP Top 10 - What Developers Should Know on Web Application Security
Uncovering WebScarab’s Secret Treasures
Securing WebGoat with ModSecurity
Secure Programming with Java
Advanced Web Application Security Testing
Building Secure Web 2.0 Applications
Building Secure Web Services
Building Secure Web Applications with OWASP’s Enterprise Security API (ESAPI)
Classic ASP Security using OWASP tools
Web Application Assessments
Hacking Owasp Orizon Project v1.0
Ajax Security
Practical Penetration Testing: Think Like an Attacker to Stop Attacks
Linux Software Exploitation
Web server/services hardening using SELinux

Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org

Did Anti-Spam Group Create a Backstory For DarkMarket's Undercover Fed?

Tue, 14 Oct 2008 16:36:00 +0000

Until Monday, the U.K.-based spam fighters at Spamhaus had an extensive profile of "Master Splynter," the assumed identity of the FBI agent who took over the cybercrime trading post DarkMarket. Was it all part of a cunning plan to establish a back story for a crime lord who never existed?