Wednesday 25 September 2013

Newly launched E-shop offers access to hundreds of thousands of compromised accounts

In a series of blog poststhe ongoing commoditization of hacked/compromised/stolen account data (user names and passwords) have been highlighted , the direct result of today’s efficiency-oriented cybercrime ecosystem, the increasing availability of sophisticated commercial/leaked DIY undetectable malware generating tools, malware-infected hosts as a service, log files on demand services, as well as basic data mining concepts applied on behalf of the operator of a particular botnet. What are cybercriminals up to these days in terms of obtaining such type of data? Monetization through penetration pricing on their way to achieve stolen asset liquidity, so hosts can be sold before its owner becomes aware of the compromise, thereby diminishing its value to zero.
A newly launched E-shop is currently offering access to hundreds of thousands of compromised legitimate Mail.ru, Yahoo, Instagram, PayPal, Twitter, Livejournal, Origin, Skype, Steam, Facebook, and WordPress accounts, as well as 98,000 accounts at corporate SMTP servers, potentially setting up the foundation for successful spear-phishing campaigns.

Sample screenshot of the inventory of the service:
EShop_Hacked_Compromised_Accounts_Sale_Sell_Buy_Purchase_Cybercrime The prices are as follows:
  • 50, 000 hacked/compromised accounts go for $10
  • 100,000 hacked/compromised accounts go for $15
  • 500,000 hacked/compromised accounts go for $45
  • 1,000,000 hacked/compromised accounts go for $80
The service is also offering a discount for orders beyond 3,000,000 hacked/compromised accounts, which in this case are offered for $70 for “every other million”. This underground market proposition is a great example of several rather prolific ‘common sense’ monetization tactics applied by a decent percentage of cybercriminals who are attempting to monetize their fraudulently obtained assets:
  • Penetration pricing – penetration pricing is a common pricing technique aimed at quickly gaining market share, and in this particular case, efficiently supplying the stolen assets to potential customers. What’s also worth emphasizing on is that on the majority of occasions, the cybercriminal will automatically ‘break-even’ even if he’s actually invested hard cash into the process of obtaining the hacked/compromised accounting data at a later stage
  • Timeliness of a stolen asset in terms of achieving asset liquidity – whether it’s due to the (perceived) oversupply of a particular commoditized underground market item — like for instance compromised accounting data — or the plain simple logic that the fact that it’s been stolen will sooner or later come to the attention of its owner, cybercriminals are no strangers to the concept of achieving financial asset liquidity, and would do their best to reach out to potential customers as quickly as possible
We expect to continue witnessing the commoditization of hacked/stolen accounting data, with more similar propositions eventually popping up on our radars.

Future cyber attacks could attack medical implants – or wage “psychological war” in virtual reality, Europol warns

New hi-tech cyber attacks could threaten energy supplies, “wearable” computers – and even medical implants, according to a study conducted by Europol’s European Cybercrime Centre (EC3) and the International Cyber Security Protection Alliance (ICSPA).
Attacks in “virtual reality” or “augmented reality” could even be tailored to cause “psychological harm to individuals”.
The white paper, which examines emerging threat scenarios for the year 2020, also envisages bio-hacks which could allow criminals to defeat biometric authentication systems such as fingerprint authentication.
Many of the paper’s predictions are based on trends emerging now. This year, the FDA issued an alert about security flaws in 300 common medical devices made by 40 vendors.
In a detailed blog post outlining the challenges facing health care IT security, ESET Senior Researcher Stephen Cobb says, “Healthcare is a sector that has seen rapid growth in the deployment of digital systems aimed at delivering better medical care at lower cost. Unfortunately, despite an explicit regimen of rules aimed at safeguarding the privacy and security of patient data in the U.S. the sector is currently rife with security breaches.”
Attempts to defeat biometric security have also been in the news courtesy of Apple’s fingerprint sensor in the new iPhone 5S - although, at present, those “hacking” such systems are using basic and laborious methods. “Bear in mind the effort required to defeat the biometric, and also to crack your iPhone password, then ask yourself how many people want your iPhone data that badly,” says ESET Senior Researcher Stephen Cobb.
The study’s authors warn that cybercriminals will attack not only corporations and governments – but individuals – and envisage a world where, “society and second-generation digital natives depend on the secure running of deeply embedded technologies,” and the distinction between physical and cyber crimes becomes blurred.
“We don’t just have to ask ourselves ‘how can we fight these threats’, but also ‘who will fight them?’,” said John Lyons, the Chief Executive of ICSPA. “To meet the challenges of cybercrime, we need to become more creative and flexible. We must make sure law enforcement, criminal justice, governments and business pull in the same direction, but they have to do so without trampling on their citizen’s expectations of privacy and anonymity.”
“The Internet delivers tremendous societal and economic advantages to nations that have learned how to harness the significant benefits that derive from ubiquitous online computing and communications systems.  With Project 2020 we don’t predict the future, but we ask the questions that need to be answered to keep us all safe,” Lyons said.
Other experts have predicted such attacks for decades. ESET Senior Research Fellow David Harley, in a paper presented at EICAR in 2002 with Andrew Lee, predicted that viruses would evolve to attack the body – or technologies implanted within it, ““There is no doubt at all that commercial interests will continue to drive technology forward. If, as at present, the security and integrity of those systems is not paramount, then we will inevitably see no reduction of the
amount of malware developed to exploit such systems,” Harley wrote. The full paper can be read here.
“It is also likely that the amount of damage, whether commercial or otherwise, will increase in parallel with this trend. There are already moves towards wearable computers ,and experimentation is underway with computers that function as an extension of thehuman body. It is conceivably possible that such systems will be the norm, even replacing today’s desktop PC’s. It seems a logical step to move from palmtop and laptop devices todevices integrated into the human body or mind, simply because it is not unreasonable to state that the slowest part of a computer is its human user.”
“ Bearing this in mind, it is interesting to speculate about the nature of malware that could exploit this technology. Perhaps the analogue with biological viruses proposed by Cohen will become an actuality,with no distinction between biological viruses and human viruses.
“For instance, Lucent Technologies have been able to create molecular scale transistors, atechnological breakthrough that will certainly have application in wearable or symbiotic computers.”
“Further speculation might lead one to wonder about the effects that such malware couldhave. Today we talk about business systems and corporate networks being ‘taken out’ bycomputer viruses. However, were the business systems to be flesh and blood humans, the effects could be far more devastating.”
“There is a perennial debate in the virus world that deals with the reality or otherwise of malware that can physically damage hardware. This debate is fairly interminable, and the evidence mainly anecdotal or received by methods comparable to the old party game of Chinese whispers.  In some future reality though, where computers are an integral part of the human body,whether as enhancements to human function, or a means by which business is transacted,the spectre of malware being able to do physical damage to its host becomes ever more corporeal.”

GCHQ and NSA outsourcing cyber security tasks to third-party vendors


mikko-hypponen
Government agencies such as GCHQ and NSA are outsourcing their requirements to private security firms to boost their cyber capabilities, according to F-Secure.
F-Secure chief research officer Mikko Hypponen (pictured left) reported uncovering evidence that the NSA's Tailored Access Operations (TAO) unit and GCHQ are outsourcing missions to third-party security companies.
"One thing I've been doing for the past two years is finding where they get their expertise from. Do they recruit in house and train? Do they go to universities?" he said.
"I found these job posts listing experience with ‘the Forte Meade customer' as a necessary skill. The Forte Meade customer is the NSA."
Hypponen confirmed to V3 that he has seen similar job posts for roles with the UK GCHQ and several other government intelligence agencies. He added that the trend is unsurprising and is simply a sign that agencies are suffering the same effects of the ongoing cyber skills gap as private industry.
"It's no wonder they're outsourcing, because they can't build or find the skills inside. If you want to have a good cyber offensive capability you need a new arsenal of exploits. You need a fresh supply of weaponised exploits, which builds a demand in the market," he said.
A lack of skilled cyber security professionals is an ongoing concern within Europe. Within the UK the government has listed plugging the gap as a key goal of its ongoing Cyber Strategy. As part of the strategy, the government has launched several education-focused initiatives designed to increase the number of young people training to enter the information security industry.
Initiatives have included the creation of new higher education centres, apprenticeship schemes and open challenges. Most recently the UK GCHQ has launched a Can You Find It challenge to help find and recruit the next generation of cyber security code experts.
Hypponen said the outsourcing is troubling as it sheds further doubt on intelligence agencies' ethics, which have come into question since the PRISM scandal. The PRISM scandal broke when whistleblower Edward Snowden leaked confidential documents proving the NSA was gathering vast amounts of web user data from tech companies such as Google, Facebook, Microsoft and Apple.
Since word of the scandal broke the NSA has attempted to downplay its significance and justify its PRISM operations, claiming its agents looked at just 0.00004 percent of global web traffic. Hypponen dismissed the NSA's arguments, claiming there is no justification for PRISM.
"As the leaks came out they tried to explain ‘they're just monitoring the foreigners', which concerned me. I'm a foreigner. But then they said it's nothing to worry about as if it's not foreigners its part of the War on Terror. But then it emerged they'd targeted the EU. It's very difficult to list spying on an ally government department as being part of the War on Terror," he said.
"The next justification was ‘everyone's doing it' and this is no different. But it is different, as no country has the visibility the US does. How many businesses use US-based companies' systems? There used to be some people using Nokia, but that's been sold to the US. Skype used to be trusted but its been sold to the States. All the world is using a US-based cloud system that the US government has a legal right to. It's not the same."
The F-Secure chief added that the NSA's behaviour is doubly troubling as it has tarnished two of the most positive technology innovations of the age. "The two greatest tools of our time have been turned into government surveillance tools. I'm talking about the mobile phone and the internet. George Orwell was an optimist. This is what's happened."
Hypponen is one of many security experts to slam the NSA over PRISM. Renowned cryptographer Bruce Schneier attacked the NSA in August over its treatment of former anonymous email service provider Lavabit, claiming the agency has "commandeered the internet".
Lavabit was an anonymising mail tool used by Snowden. Lavabit owner Ladar Levison shut the service down earlier this year claiming unspecified requests from the NSA meant continuing the service would inevitably force him to commit crimes against the American people.

Cyber attacks will cause real world harm in next seven years

Digital security padlock red image
New technologies such as Google Glass and IPv6 will lead to new, deadly forms of cyber attack if current manufacturing security practices continue, according to experts from Europol, Trend Micro and The International Cyber Security Protection Alliance (ICSPA).
The experts made the warning in a recently published Scenarios for the Future of Cyber Crime white paper. The paper explored what threats the experts expect to emerge in the next six and a half years and is the result of collaborative research between law enforcement, academia, governments and industry.
Trend Micro's vice president of security research Rik Ferguson highlighted innovations moving us towards an "always-on society" as a key development leaving web users and businesses open to new forms of attack, during a press event attended by V3.
"The inevitable miniaturisation of technology, where Google Glass becomes Google Contact Lens and wearable tech means technology will eventually be embedded in everything we do and have – from your running shoes to your car, to any mobile devices that you carry around. For the more technically advanced younger generation we're even beginning to talk about implants, so it won't even be stuff you wear it'll be stuff that's with you all the time," he said.
"Everything will be connected, everything will be running an operating system and everything will be directly addressable. Think about IPv6. Consider the fact you can fit the entirety of the IPv4 internet into one allocation block of IPv6 and it should give you an idea of the scale of things – everything is going to be rootable."
ICSPA chief executive officer John Lyons said the interconnectedness of society could also leave users open to more dangerous attacks, with the potential to cause real world harm.
"At the moment cybercrime's damage is fairly ephemeral: you lose money from your bank account, the bank gives it back to you and nobody cares. We're going to see a development where some of these elements could actually cause real harm to citizens," he said.
Lyons' comments mirror widespread warnings within the security community about the danger of rushing new or unsuitable technologies online. Many security researchers have highlighted the government's misguided decision to get critical infrastructure areas, such as power plants, outdated Scada systems online as proof of the claim. These warnings were given weight in 2011 with the emergence of Stuxnet, a malware designed to physically sabotage Iranian nuclear plants.
"I put a call out to ICT manufacturers for less reckless behaviour, throwing out products without properly testing them, without checking for vulnerabilities that could be secured and as a result starting to put people in danger. I know they are pressed by marketing requirements and what have you, but they could be doing an awful lot better," he said.
Ferguson mirrored Lyons' sentiment, arguing that lacklustre security testing will also offer traditional cyber criminals a new avenue for financial gain. "If you look at a lot of business the goal seems to be 'release early, release often'. This means you address the vulnerabilities after release, as for them it's about being first to market," he said.
"They need to start addressing vulnerabilities during the manufacturing process, particularly when things like 4D printing become more widespread – things like 3D printed components that will then self assemble in some remote locations – here there's a real opportunity for criminals to hijack systems and have them appear at another location."
Europol assistant director and head of the European Cybercrime Centre (EC3) Troels Oerting added that law enforcement will need to rethink its current strategies to act at an international level if it hopes to protect businesses and citizens from the threats.
"The internet is probably one of the greatest things ever invented. It helps us in so many areas, but unfortunately it also makes crime much, much easier. My background as a Danish police officer from a small country that's very peaceful with a population of 5.5 million and 12,000 police officers designed to provide a service to these people," he said.
"But in cybercrime they're not tasked to look at these 5.5 million people, but at 2.7 billion on the internet. For the first time the police cannot block people out using border control."
Lyons supported Oerting's claim, citing the new threats as proof of the need for more international collaboration.
"We wanted to look at what the challenges might be and how we can collaborate. Even in the EU, with its 28 states, we're not co-ordinated, we're all moving at different speeds. Law enforcement is more advanced in some countries when it comes to combating cybercrime. There's an awful lot of good practice out there that we could share," he said.
The ICSPA chief highlighted improving the world's education as another key step, necessary to counter the increased threat. "If we don't take citizens on this journey with us and help them understand what the threats are and what they can do about them with some very simple measures, they won't change their behaviour," he said.
"We need a campaign to make them more aware of what's going on and a personal sense of responsibility for securing their own systems."
The security experts also announced plans to launch the Project 2020 film series to help educate web users about the new dangers facing them. The nine-episode web series showcases the potential dangers listed in the white paper using a fictional narrative.
The white paper and web series are two of many initiatives designed to alert web users and businesses to the dangers facing them. Within Europe both the UK government and European Commission have listed improving the region's cyber defences as key goals.
Most recently vice president of the European Commission and EU commissioner for justice Viviane Reding called for the creation of new cross-national privacy laws designed to help businesses and web users secure and manage what data they share online.

Hackers could turn toasters into Bitcoin mines as value rockets

toaster
HELSINKI: The humble toaster could become a security threat in the future due to the virtual currency Bitcoin.
For the uninitiated, Bitcoins are a cryptography-based digital currency, which allows users to send and receive money with a degree of anonymity without using traditional commerce networks, in effect cutting out middlemen such as banks. Many governments are also wary of their use as Bitcoin value is determined separately from them. Their uptake has rocketed over the past few years.
While hanging out in Helsinki with F-Secure, the firm's chief research officer Mikko Hypponen, never one to mince his words, said that the increasing value of Bitcoins is enticing criminal gangs to rework traditional malware targeting businesses to turn infected machines into Bitcoin mines.
Bitcoin mining refers to the way Bitcoins are actually earned. In a normal situation, a user runs an algorithm  on their computer to authenticate transactions on the Bitcoin platform. This is legal and the person running the process is rewarded with Bitcoins for their trouble. However, turning hoards of machines into your own army to generate huge numbers of Bitcoins is not. As such the crooks love it, as Hypponen explained.
"Bitcoins have been skyrocketing in value. At the moment the value per Bitcoin is currently $134. As this started happening and people started realising there's actual money in Bitcoin, people started mining them pretty seriously," he said.
"A big deal about crypto currency [such as Bitcoin] is the mining part. You can actually use other computers to mine and because of this, botnet-based mining is becoming a real problem. About a year ago we spotted a botnet not spreading malware or phishing, it was just mining bitcoins."
Hypponen went on to explain that Bitcoins' financial allure has already made established cyber criminals rethink their strategies and adapt some of the biggest, most dangerous botnets in the world to mine Bitcoins.
"ZeroAccess used to monetise itself with click fraud. They got on the machine and made it click on adverts to earn money. They changed their tactic in spring and went fully into Bitcoin mining. Some of our estimates suggest it is earning $58,000 a day. That's real money and something they will want to move to the real world," he said.
This is where the toaster idea comes in. Hypponen added that many of the gangs are so enthralled by Bitcoin's potential they've started experimenting with the idea of turning non-traditional devices into mines.
"[When mining Bitcoins] the user is irrelevant, it's the GPU, the computer and the network connection they need. This is especially interesting when you look at automation. I have a pebble watch, it has a GPU, it could mine Bitcoins, so does my fridge and my toaster – these are going to be used to mine Bitcoins," he said.
"We accepted toasters would eventually have computers, but didn't think it would be a problem – who would want to write malware for a toaster right? Well now they have a reason."
This may be a far-fetched example of how far the threat could go, but as recent hacks of IP-based lightbulbs have shown, the home of the future could be open to all kinds of attacks, even burnt toast.