Written by Sue Walsh on August 16, 2010
Six people, five men and one woman, have been arrested for their parts in a huge phishing ring. UK authorities say that the group has so far stolen over $550,000 and compromised over 20,000 credit card and bank accounts, but say the tab could potentially reach over $6 million once they are able to establish the full extent of the operation. The five were arrested in London and County Meath, Ireland, by the Metropolitan Police as part of an investigation called Operation Dynamophone.
“We have taken this action to shut down an organised criminal network running an online phishing and account take-over operation,” said the Met’s Detective Inspector Colin Wetherill. “A great deal of personal information was compromised and cleverly exploited for substantial profit. By disrupting the operation we have hopefully prevented further loss to individuals and institutions across the UK.”
The group sent out fake emails made to look like they came from legit banking institutions in an attempt to trick recipients into going to the lookalike sites the group had created and turning over their login info. Once the info was in their hands, they went to town cleaning out bank accounts and maxing out credit cards. Detective Superintendent Charlie McMurdie of the Police Central eCrime Unit (PCeU) said they are also trying to determine if the gang distributed malware as part of their operation.
“In high-volume phishing, malware infection goes on,” said McMurdie. “One million emails through various channels and in various forms will get a certain percentage of response.”
The accused remain in custody in London on suspicion of conspiracy to commit online banking fraud and violations of the Computer Misuse Act.
Written by Sue Walsh on June 3, 2010
A Russian ISP known to be friendly to cybercriminals has been knocked offline. PROXIEZ-NET was known to be hosting over a dozen command and control servers for the massive Zeus botnet. Zeus is an information thief that targets banking info and logon credentials for popular e-commerce sites like Amazon.com and eBay. The bot’s C&C servers also gave the attackers complete control over the computers it infected. They were able to do everything from shutting the computers down to wiping their hard drives completely. Those servers are now cut off from the net because PROXIEZ-NET’s upstream provider DIGERNET has refused to provide further service to them.
In a BBC News interview, ZDNet UK editor Rupert Goodwins said this takedown is yet “another skirmish in the fight to decapitate the malware networks, in this case by disconnecting the control networks used to co-ordinate trojans and rootkits”.
Any legitimate services that may have been using PROXIEZ-NET should probably be thankful for the action as it’s likely that they were or would eventually have been blacklisted. Should PROXIEZ-NET be able to find a new provider, they will almost certainly be ostracized by the online community due to their reputation.
The shutdown brings to mind the 2008 shutdown of notorious ISP McColo, which hosted numerous spammers and several of the top botnets at the time, including Rustock. Those botnets were crippled by the shutdown and global spam levels plummeted by 75%. Sadly, that didn’t last for long as several months later new hosts had been found and the botnets returned with a vengeance.
Written by Sue Walsh on June 2, 2010

John Leydon over at The Register posted an interesting article recently. It seems that botnet herders have learned how to avoid honeypots. Honeypots are traps set by security firms: groups of unprotected computers designed to lure botnets so that researchers can study their command structure and malware deliveries. This helps the firms come up with ways to detect and fight back against them. Now that the herders know how to spot and avoid honeypots, the firms may lose this valuable tool. While many firms say they are aware of this and working on the problem, some are skeptical and say the seriousness of the issue is being exaggerated.
I personally disagree. I mean seriously, does this surprise anyone? Botnet herders and other cybercriminals are getting better and better at avoiding detection and protecting themselves. When McColo was abruptly shut down in 2008 it knocked several botnets offline for MONTHS. Thanks to improved technology, recent similar shutdowns have resulted in botnet downtime shrinking to just hours or days. No matter how good we think we are at detecting malware, blocking spam and fighting botnets, the cybercriminals will always be a step ahead. They are constantly changing and evolving. These folks will never wind up on an episode of America’s Dumbest Criminals. These people are smart, creative, and determined and because of that we need to take every warning seriously. We are woefully unprepared for a major cyberattack or act of cyberwarfare, and until that changes we’ve got to stay on the ball.
Written by Sue Walsh on May 28, 2010
The second man involved in a series of computer attacks on local ISPs back in 2006 is set to plead guilty. Thomas James Frederick Smith will plead guilty in a Dallas courtroom next month. He and partner David Edwards are looking at 5 years in prison after admitting they created a botnet and used ISPs T35 and The Planet to test it on. The pair used the botnet, which boasted 22,000 zombies, to launch a DDoS attack on The Planet and to hack into T35, steal its user database and deface its website. Smith then posted a message to a forum for webmasters where he tried to play innocent:
“I found out today at around 11:40 PM that the t35 Website was Completly [sic] defaced,” he wrote in the post. “I posted it to a few news sites and noticed after posting them that the Mysql dumps were actually up for grabs… How are all the users going to be compensated? Im [sic] sure EVERYONES [sic] password was in that file…”
The pair was trying to rent out their botnet to other cybercriminals. The going rate was 15 cents per zombie. Botnet rental has become increasingly popular among cybercriminals and has become yet another way to cash in. In a similar vein, do-it-yourself botnet kits have also become very popular, so much so that the criminals that sell them have begun operating like legitimate software companies, offering warranties, upgrades, and even tech support.
Smith and Edwards are due to be sentenced later this summer.
Written by Sue Walsh on April 1, 2010
The hacker responsible for the largest data breach in U.S. history was sentenced to 20 years in prison for his crimes. Albert Gonzalez hacked into Heartland Payment Systems’ computer network and stole tens of millions of credit card and debit card numbers. Heartland is one of the largest payment processors in the country, with customers like Visa, Hannaford, American Express and 7-11.
“I am guilty of these crimes … I accept full responsibility for these actions,” Gonzalez said at the sentencing, “I plead for leniency,” he said. “I understand that the road to redemption is going to be long for me,” adding that it was his hope, however, that he would be able to be on that road someday.
Gonzalez, who had buried $1 million of his illegally gained profits in his backyard, had been working as an informant with the U.S. Secret Service but double-crossed them. He will also serve two 20-year sentences for his roles in data breaches that affected TJ Maxx, Dave & Busters, Barnes & Noble, DSW, OfficeMax, and other major retailers. He and the gang of criminals he worked with stole millions more credit and debit card numbers and sold them on the black market.
Heartland lost over $130 million due to the breach and was forced to agree to multi-million dollar settlements with Visa and American Express. It is not yet known what restitution, if any, Gonzalez will have to make. A hearing on the matter is scheduled for late June.
Written by Paul Cunningham on December 31, 2009
Site: http://www.exchangeserverpro.com
About: Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
It has been a big year for the internet with social networks continuing to grow at an amazing pace, search engines scrambling to keep pace with user demand for fresh news, and as always spam and malware causing havoc around the world.
A look at the year’s major spam events shows some consistent trends.
- Seasonal spam such as Valentine’s Day and Christmas remains predictable
- Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
- Spam networks are becoming more distributed and resistant to shutdown attempts
- Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
- Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering
Here is a look at some of these major events throughout the year.
January
Scams promising free money from US government grants attempt to exploit the news of corporate bailouts and the increase in unemployment.
Fake CNN news alerts take advantage of a clash between Israel and Hamas.
Global spam volumes begin returning to normal levels after the McColo shutdown of November 2008.
The inauguration of US President Barack Obama leads to a wave of spam that spreads rumours that his inauguration is invalid or that he resigned, and attempts to trick users into downloading malware.
Spammers also get a head start on Valentine’s Day with malware-carrying love letters.
February
Human error at Google marked the entire internet unsafe (is it really that far from the truth?).
The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.
Microsoft offers a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.
March
Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.
Written by Sue Walsh on December 24, 2009
A security researcher recently discovered a new malware attack that has poisoned nearly 300,000 websites. The SQL attacks began last month and use a hidden iframe to redirect visitors to a malicious site that is programmed to look for and exploit known vulnerabilities in several different apps, including Adobe Flash, ActiveX, IE, and several other Microsoft applications. If a vulnerability is found, a rootkit called Backdoor.Win3.Buzus.croo is installed. This malware steals banking information and likely downloads even more malware to the infected system. It’s believed to be related to the Rustock botnet.
Rustock, along with Cutwail, Zeus and Mega-D, control over 5 million computers and send out billions of spam messages. The shutdowns of cybercrime-friendly ISPs McColo and Real Host have done little to stop them; in fact, current spam levels have exceeded pre-McColo ones. Experts say botnet herders no longer rely on a single ISP or domain, so that if a shutdown happens they will be back up in hours instead of weeks or months.
Experts say those with properly updated and patched systems are in no danger, so make sure all your users are protected.
Written by Sue Walsh on December 1, 2009

The FBI has issued a warning about a new phishing attack targeting PR firms and lawyers. The messages contain business-specific subject lines designed to trick the recipient into thinking it is a legit message. The body of the message contains either a malicious link or attachment that, when clicked, will download a file called “srhost.exe” from a site called d.ueopen.xom (URL purposely mistyped to avoid accidental clicks). The FBI is warning IT departments to block any traffic they discover from ueopen, a domain registered in China, as such traffic is a definite sign their network has been compromised.
Security experts say attacks against legal agencies are increasing due to the large amount of personal and financial information they possess. Such personal data is highly sought after on the underground cybercrime market and can be used or sold for a handsome profit.
This latest warning came as the Government Accountability Office released a report saying that cyberattacks against the U.S. are rising sharply and that as a result of the increasing connections between the Internet and information systems, hackers are being presented with more and more opportunities to do things like disrupt telephone service or the power grid. The GAO says it is critical that the U.S. do more to protect its infrastructure and critical services and increase its level of cyber security.
Written by Paul Cunningham on November 20, 2009
I came across an article today written last week that proclaimed “We won the war on spam”. The general thrust of the article is that “despite continued hysteria, unwanted e-mail is largely a thing of the past”.
This is an interesting point of view which I happen to disagree with, but in thinking further I realize that this is mostly a matter of perspective – business vs personal, or big vs small.
The writer, Mark Gimein, approaches the matter from his own personal experience. Mark has a slightly more complex email setup than the average person – a series of email addresses for various purposes all forwarding into a Gmail account. In Mark’s experience spam has all but vanished from his inbox, although a few false negatives remain.
I’m not disputing Mark’s account, I don’t see very much spam slip through the filters into my inbox either, but the war on spam is most definitely not won. Mark hints at what I’m about to say with this paragraph in his article:
“Stopping spam does take effort—without a doubt Yahoo and Google devote resources to it. But that’s just part of their business, no different from all the other things they need to do to keep their e-mail systems running. What matters is that from the point of view of users like me, what’s going on under the hood to keep junk out and legitimate messages in needn’t concern us.”
For an email user in a business what goes on under the hood shouldn’t concern them, but it most certainly concerns the business. Businesses spend thousands of dollars each year on protecting their email systems from spam and malware. This is not a trivial expense and in itself stands as solid proof that the war on spam is far from over.
Written by Dan Blacharski on November 6, 2009
Site: http://www.blacharski.net
About: The corporate world unceremoniously booted Dan Blacharski out of his cubicle over 15 years ago, and he’s never looked back. Since that time, he has been a full-time professional freelance writer, public relations consultant and analyst, and has published six books and thousands of articles. He divides his time between South Bend, Indiana and Bangkok, and married the renowned Thai writer Charoenkwan Prakthong in 2005. He and his wife enjoy traveling the world, and spending time with their Boston Terrier, Pladook.
Last week, a Wall Street Journal article entitled “The fallacy of identity theft” may have given some people the mistaken impression that there’s nothing to worry about, and that everyone’s identities are safe. Unfortunately, however, that’s not quite the case, and yes, you do need to be paranoid about it. It’s the real deal, and identity thieves can, and do on a regular basis, steal people’s identities and wreak havoc on their lives.
The article starts out by deconstructing the term “identity theft”, which makes it seem less dangerous than it really is, and states that “identity theft” doesn’t steal anybody’s true identity, or personhood, or what makes them what they are. When you are a victim of this crime, you remain you, but that’s only a small consolation when a stranger is charging up luxury cruises and fur coats on your credit card. It’s a semantic bit of theory that was actually played out on the “Family Guy” cartoon when actor James Woods stole the identity of cartoon character Peter Griffin, to the point of moving into Peter’s home, sitting at his dinner table and sleeping in his bed. It was a funny episode, but of course, that’s not what identity theft really is.
The article comments about how experts “hounded” people into shredding bank statements and being vigilant about monitoring credit reports, but the fact is, doing so really is a good idea. It’s not a conspiracy by manufacturers of shredding machines, or of companies offering various fee-based monitoring and protection services. And here’s the real kicker, at the end of the article: “It turns out that ‘identity theft’ is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money—but your soul. Maybe it’s time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don’t need.”
Advice like this is what lulls people into a false sense of security and prevents them from taking the precautions that they need to take. Is it a fear campaign? To a degree, yes, it is. But it’s based on fear of something very real. So there is reason to be afraid and one must take the necessary steps to protect oneself – because you could be a victim.