Make money as a payment processor! (Not)

A security researcher speaking at the recent Black Hat conference in Las Vegas described a new, sophisticated and automated approach to check fraud which allowed one or more people in Russia to dupe (not very bright) online job seekers into wiring money to them.

Here’s how they did it:

First, they got access to images of checks which had been processed by lockbox services, which receive and process checks for vendors.  In some cases, they got malware on to machines used to process the checks and siphoned out the images over an encrypted VPN connection.  Other check images were gathered via hacking vulnerable web sites which sat in front of check image databases.

Using off the shelf software, they used the purloined images to print counterfeit checks with real company names and account numbers.  Each counterfeit check was made out for $3000 or less, to avoid procedures applied to larger denomination checks.

Next, the group posted “job offers” and scraped web sites to develop an email list of potential “money mules” who were then spammed with emails offering them with “jobs” as “payment processors” for legitimate sounding (if you are an idiot) firms.  Those who took the bait were sent checks and instructed to deposit them into their bank accounts and wire a portion of the funds to Russia.  Of course, once the bank caught on to the fact that the check was a fake, the “payment processor” was on the hook for the full amount of the check and the Russian gang had made a tidy profit from the wired cash.

These guys were thorough – they even mailed the checks to the victims via phony accounts with an overnight shipping firm, bilking the delivery compay out of $65,000 in services.

It is amazing to me that anyone still falls for these kinds of scams.  Yes, we all wish that we could make money from home by simply depositing checks and wiring funds, but you really have to be a bit dim to think that this is a legitimate business proposition.  I guess there will always be an abundant supply of stupidity for fraudsters to tap with ever increasing cleverness and sophistication.

Sigh…

You can find out more about check fraud as well as how to protect your accounts from this informative booklet offered by the US Comptroller of the Currency.

I just got a new radiola phone installed in my flivver!

Although I did not make it to Las Vegas for Defcon, I have been keeping an eye out for interesting information coming out of the conference.  This the first in a series of posts which will summarize the good stuff…

Intercepting GSM cellular phone calls (such as those on ATT and T-Mobile in the US and most cellular carriers worldwide) used to be a difficult and expensive proposition.  Solutions were available, but they required expensive customized hardware which was for sale only to law enforcement entities.  Not any more… Researcher Chris Paget demonstrated a system which uses widely available hardware and custom written software to impersonate a GSM cellphone tower, entices handsets to connect to this fake “tower” and relays calls to their destinations, allowing the the attacker to listen in on or record conversations.  The price tag for the system? US$1500 – at this price point, intercepting cell phone calls becomes feasible for criminals, corporate spies, and other nosey folks.

So, what does this mean for you, oh paranoid reader?     Well, Paget has not released the code he used to mount this attack (good news) but I would be very surprised if a number of enterprising hackers are not working to replicate his work.

One way to avoid this attack entirely is to disable your phone’s ability to switch from the normal 3G mode to the 2G mode which the attack requires to be successful.  Unfortunately, this does not seem to be easy to do.  Paget’s blog entry said that he had heard of an option to disable 2G on the BlackBerry, but looking at a BB, I saw options only for “3G and 2G” and “2G only.”  On the other hand, the encryption used for BlackBerry data should protect against email eavesdropping.  Vendors need to provide an option to allow users to disable 2G mode – call your carrier!  There is a downside to this; if you disable 2G mode, you may end up with no signal in places where 3G service is not available or the signal is weak.

What carriers need to do to really close this hole is to stop using GSM and upgrade their networks to newer, more secure standards.  Hopefully, this work will provide an impetus the carriers.

For now, the truly paranoid here in the US should probably stick with Verizon or another carrier that does not use the GSM standard.

More reading on this attack:

• Wired – Threat Level – Hacker Spoofs Cell Phone Tower to Intercept Calls
• More details and the presentation slides at Paget’s blog  (slides are in OpenOffice format, which will open in Powerpoint)
• PC World has a good FAQ on the attack

Paget also demonstrated the ability to read second generation RFID tags (such as those embedded in newer passports and drivers licenses) from a pretty significant distance.   The potential for abuse here is pretty significant… think government tracking of people by their driver’s license or passports, terrorists identifying people of a specific nationality for targeting, or corporations snooping on what products passers by have purchased.

In other wireless news, Spider Labs released a “rootkit” for cellphones running the popular Google Android operating system.  Once installed on the phone, this software allows an attacker to read emails and text messages.  Since Android apps are subject to less scrutiny than those for the iPhone, and since Android has an option to allow “non market apps” to be installed, getting this code onto a Android phone is going to be a lot easier than making a similar attack on Apple’s iPhone.  The code for the rootkit was apparently included on the DVD provided to conference attendees.  Android users should definitely think before installing any really cool new apps that come out in the coming weeks!

I’ll be here all week, folks, posting more interesting stuff from Defcon and BlackHat.

Not even a band-aid yet...

Some new developments in the Siemens SCADA trojan story…

It turns out that the trojan uses a well known default password to log in to the backend MySQL database used by Siemens’ software but Siemens has told users of the software (factories, power plants and the like) NOT to change the database password, as doing so would cause the software to stop working.  A fix is forthcoming, but plant operators are likely to have an anxious few days (?) until a solution is available.

A second version of the trojan program has been detected on the Interwebs.  The new variant seems to also be targeting SCADA systems and is also signed with a code certificate (this time from Taiwan based JMicron Technology Corp, which has offices in the same location as the firm whose cert was appropriated for the first version of the worm).

The whole default password thing is just plain embarrassing… this is a problem from another era, which should be an unpleasant memory by now.  It seems like it would be easy to eliminate this problem programmatically by creating a unique database password (derived from the license key and a secret, maybe?) by default when the software is installed.  Or at least require the installing user to enter a password during installation.  SCADA systems control the technological backbone of our civilization (power, water, sewage, manufacturing) and deserve better security than this.

As far as the underlying vulnerability used to spread the Stuxnet code, we are still at risk – a patch has not been released by Microsoft yet, and while the major anti virus vendors have released signatures which detect the SCADA worm, it is only a matter of time before we start seeing other, new malware using this vector to spread.   It seems like using a Group Policy Object to prevent executables launching from drives other than C might be the best way to protect your networks for the time being.

Stay tuned…

Over the past few days, reports of a new attack against Windows based SCADA systems (the computer software which control power plants, water treatment facilities and other parts of the critical infrastructure) have been making the rounds of the security blogosphere.  While the payload carried in the new attacks is aimed specifically at these vital control systems (specifically a system called Siemens SCADA WinCC + S7) , the vulnerability used to deliver it looks like it could be quite dangerous to all Windows XP, Server 200x, Vista and 7 users.  The previously unknown flaw allows arbitrary code to be executed simply by browsing to a folder containing a specially crafted .lnk file.  In the attacks seen to date, the malware attempts to access information from the control system, suggesting that it is meant to aid in corporate espionage or reconnaissance of electrical power distribution systems for purposes unknown, but probably nefarious.

In addition to raising the spectre of an attack against critical infrastructure, this series of attacks also provides makers of all sorts of malware targeting corporate and personal systems with a new 0-day vector for infection.  The flaw can be exploited by getting users to browse a USB drive, a Windows file share or a WebDAV file share.   The flaw seems to be able to bypass the No Autorun protections in Windows as well as Windows 7′s UAC protections.  If I were a malware author, I would be all over this as a way to get my creation installed on as many machines as possible before Microsoft issues a fix.

Microsoft is aware of the problem and has issued a tech bulletin with a workarounds that is are pretty unworkable for most corporate environments.  According to a blog post by Chester Wisniewski of Sophos, one way to effectively combat this attack in a corporate environment is to set up a GPO (group policy object) which prevents executables from running from drives other than the C: drive.  This may be the best way to respond to this threat until Microsoft issues a patch, hopefully before the next Patch Tuesday.

The malware arms race goes on…