pcAnywhere Source Posted

According to the Register, hacktivists affiliated with Anonymous have uploaded what they claim is the source code of Symantec’s pcAnywhere software today, after negotiations broke down with a federal agent posing as a Symantec employee.  Symantec confirmed that it had turned the case over to the Feds as soon as the hackers made contact.

According to the article, the release of the 1.27GB file coincides with the breakdown of the “negotiations” – which the group has now published on Pastebin – that took place between “Symantec” and the spokesperson of hacker group Lords of Dharmaraja, an Indian hacking crew affiliated with Anonymous.

Catch the details in the original article.  Beware downloading anything purporting to be a source code cache.  These things are tracked by the vendor, law enforcement agencies, and others, and are most often laced with some type of malicious software.  Stories like this are newsworthy, generating a lot of interest, and anything that generates conversation and controversy is fair game for miscreants.  And what better way to get their hooks into your computer than to offer you something enticing, like a peek at some commercial source code?

-=[BUSTED]=- Two Scareware Rings Taken Down

InformationWeek reports that the FBI has disrupted two scareware (fake anti-virus) crime rings, as part of “Operation Trident Tribunal.”  The FBI obtained warrants to seize 22 PCs and servers located across the United States that were used to support the scammers’ operations.  They also worked with law enforcement agencies in France, Germany, Latvia, Lithuania, Netherlands, Sweden, and the United Kingdom to seize an additional 25 PCs and servers.  It would appear the seizure of several servers hosted by DigitalOne in data center space it leased in Reston, Va. may have impacted some unrelated sites.

The first group bagged at least $72 million over a three-year period by tricking one million people into buying the scareware for up to $129 per copy.  The second criminal operation resulted in the arrest of 2 people in Latvia, each charged with two counts of wire fraud, one count of conspiracy to commit wire fraud, and computer fraud.  The pair were apparently running a “malvertising” scam by creating a phony advertising agency and purchasing advertising space on the Minneapolis Star Tribune website.  Newspaper staff vetted the digital advertisement before posting it to the site.

The defendants altered the advertisement code to infect website visitors with malware that launched scareware applications on their PCs.  The scareware froze PCs until the user paid to purchase fake AV software.  Those that didn’t pay found that all information, data, and files stored on the computer became inaccessible.  As part of this scam, the two Latvians allegedly netted $2 million.

These scams may sound lucrative, but it is good to hear that arrests are being made.  Watch for an increase in arrests as the FBI and other Law Enforcement Organizations get a handle on the scope and scale of this type of activity and trace it back to the nest.

LulzSec Hacks Arizona Law Enforcement Agency

LulzSec has announced the publication of a trove of over 700 leaked documents from an Arizona law enforcement agency on the notorious Pirate Bay file sharing site.  Arizona’s Department of Public Safety confirmed that it had been hacked.  The LulzSec press release included with the dump sounds more “hacktivistic” than usual, exposing a political agenda, opposing Arizona’s SB1070, the state’s broad and controversial anti-illegal immigration measure.

Amongst countless mundane documents covering hours worked, officers’ personal information and other stuff of minimal interest are a few fascinating stories of law enforcement activities, such as an encounter with off-duty Marines patrolling the U.S.-Mexico border with assault weapons, and tirades about illegal Mexicans and drug dealers.

LulzSec, Anonymous, & The End of The Internet

So it seems that LulzSec, the notorious hacking group, is not so altruistic and politically bent as they first appeared.

They apparently like to play computer games, and can’t resist showing off to the world just how kewl their newfound skillz are.

They are looking more and more to me like an opportunistic bunch of parasites that have gotten drunk on their own intoxicating brew of exploits and media hype.  What used to sound like the kind of claims and warnings issued by supposed “whitehat hackers” and self-proclaimed whistleblowers is now sounding more and more like “look at me, I am the coolest kid on the block!  I wear my hat backwards, and I can spit real far!”


First, check out the Sony incidents timeline at attrition.org.  Then peruse the recent headlines gathered regarding LulzSec.


Taking Back The Net

According to The Guardian, the hackers’ underground world has been so thoroughly infiltrated by law enforcement that it is now riddled with paranoia and mistrust.  It is estimated that one in four hackers are secretly informing on their peers, a Guardian investigation has established.  Online policing units have had such success in gaining online criminal cooperation through the threat of long prison sentences that they have managed to create an army of informants deep inside the hacking community.

Popular and illegal identity and credit card number exchange forums used by criminals as marketplaces have been run by FBI moles.  Undercover FBI agents pose as “carders”, hackers specialising in ID theft, and take over management of the forums using gathered intelligence, putting dozens of people behind bars.  Eric Corley, publisher of the hacker quarterly, 2600, estimates that 25% of hackers in the US may have been recruited by the federal authorities to be their eyes and ears.  “Owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation,” Corley told the Guardian.

Barrett Brown, who has acted as a spokesman for the otherwise secretive Anonymous, says it is fully aware of the FBI’s interest. “The FBI are always there. They are always watching, always in the chatrooms. You don’t know who is an informant and who isn’t, and to that extent you are vulnerable.”

Hackers, beware as the net grows tighter…

FBI – NATO – Affiliates Target of LulzSec

LulzSec has announced a new target for its particular brand of online harassment.  It has published details on users and associates of the non-profit organization known as Infragard.  Infragard is a non-profit organization providing an interface between the private sector and the FBI.  LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.  One interesting point to note is that not all of the users’ passwords were cracked, because some users likely used passwords of reasonable complexity and length, making brute-force attacks on the password hashes far more difficult.  That should tell us all something about the basics of security.
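To make the point about complexity and length concrete, here is an added example (not from the original post, and not Infragard’s or LulzSec’s code) that estimates the search space of a password from its length and character classes, and stores it with a salted, deliberately slow hash (PBKDF2 from the Python standard library). The sample passwords, the iteration count and the guess rate are constructed values chosen for illustration.

```python
"""Why some leaked password hashes resist cracking: a longer password drawn
from more character classes enlarges the search space, and a salted, slow
hash makes each guess expensive. Sample values below are constructed."""
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Constructed sample passwords: a short, low-variety one and a long, mixed one.
WEAK_PASSWORD = "secret1"
STRONG_PASSWORD = "Correct-Horse-Battery-Staple-42"

# Constructed work factor; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 200_000


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates of the same length over the same alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming uniform choice."""
    return math.log2(keyspace(password))


def guess_cost_years(password: str, guesses_per_second: float) -> float:
    """Worst-case years to exhaust the keyspace at a given guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt defeats rainbow tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    rate = 1e10  # constructed: guesses per second for a fast cracking rig
    for pw in (WEAK_PASSWORD, STRONG_PASSWORD):
        print(f"{pw!r}: alphabet={charset_size(pw)} length={len(pw)} "
              f"entropy~{entropy_bits(pw):.1f} bits "
              f"worst-case={guess_cost_years(pw, rate):.3g} years")
    salt, digest = hash_password(STRONG_PASSWORD)
    print("verify ok:", verify_password(STRONG_PASSWORD, salt, digest))
```

The entropy figure is an upper bound: a dictionary word with a digit appended sits in a far smaller effective space than its alphabet suggests, which is why a slow hash with a per-user salt matters as much as the policy on length.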

In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text “LET IT FLOW YOU STUPID FBI BATTLESHIPS” in a window titled “NATO – National Agency of Tiny Origamis LOL”.  Let’s hope that this particular endeavour provides the traces and footprints that allow law enforcement to track and identify these online rascals.  I see no value or return in what they are doing.

Beware Email Frauds

The FBI is warning against common “News of The Moment” scams, where hot topics are abused to spread malware.  This sort of attack will often use cross site scripting (XSS), which allows an attacker to execute code on the target website within a user’s browser using crafted values in the target site’s URL, web forms, or in cases where sites allow users to place material directly in posted content.  These scams are not likely to go away anytime soon, and are increasing in their sophistication and cleverness.

Recently, social networking site users have fallen victim to “self” infecting XSS attacks where they actually perform the attack themselves by following directions to view the latest Osama bin Laden video.  Before users can view the video, they must complete a “5 second security check.”  Instructions to follow a few keyboard shortcuts allow users to cut and paste malicious code directly into their browser’s URL without any indications it is a viral scam.
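The XSS mechanism the alert describes, as an added example that is not part of the FBI warning or the original post: a page that reflects a request parameter straight into its HTML lets a crafted URL plant markup in the visitor’s browser, while HTML-escaping the value first renders it as inert text. A small detection routine over constructed access-log lines then shows how a site operator can spot such requests. The URL, template, log lines and function names are all constructed for this illustration.

```python
"""Reflected XSS: unescaped reflection versus HTML-escaped reflection, plus a
log check for requests carrying script payloads. All inputs are constructed."""
import html
import re
from typing import List
from urllib.parse import parse_qs, unquote, urlparse

# Constructed request: a search page that echoes its 'q' parameter.
SAMPLE_URL = "https://news.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"

# Constructed access-log lines (Common Log Format); line 2 and 3 carry payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2011:10:01:02 +0000] "GET /search?q=budget HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Jun/2011:10:01:07 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [13/Jun/2011:10:01:09 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 655',
]

# A real <script> tag, or a tag with an on*= event handler attribute.
SCRIPT_MARKUP = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+)')


def query_value(url: str, key: str = "q") -> str:
    """Percent-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlparse(url).query).get(key, [""])[0]


def render_vulnerable(url: str) -> str:
    """Defect: the raw value lands inside the markup and the browser parses it."""
    return TEMPLATE.format(q=query_value(url))


def render_escaped(url: str) -> str:
    """Mitigation: encode <, >, &, and quotes so the value is displayed as text."""
    return TEMPLATE.format(q=html.escape(query_value(url), quote=True))


def contains_live_script(page: str) -> bool:
    """True if a tag that can execute script survived into the rendered page."""
    return SCRIPT_MARKUP.search(page) is not None


def flag_suspicious_requests(log_lines: List[str]) -> List[int]:
    """Indices of log lines whose decoded request path carries script markup."""
    flagged = []
    for i, line in enumerate(log_lines):
        m = REQUEST_PATH.search(line)
        if m and SCRIPT_MARKUP.search(unquote(m.group(1))):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(SAMPLE_URL))
    print("escaped    :", render_escaped(SAMPLE_URL))
    print("flagged log lines:", flag_suspicious_requests(SAMPLE_LOG))
```

Escaping on output is the fix that generalizes; the log check only catches payloads that arrive percent-encoded in the request line, so it is a detection aid, not a substitute for encoding every reflected value.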

The FBI is also warning of scams misrepresenting the Financial Crimes Enforcement Network of the United States Department of the Treasury.  Perpetrators commonly use the names of various government agencies or officials to legitimize their scams.  Most recently, there have been several complaints in which victims reported receiving an e-mail or phone call claiming to be from the U.S. Department of the Treasury, stating that their lost funds, which were stolen and diverted to a foreign account registered in their name, have been recovered.  The e-mail advised them to cease all money transactions, especially overseas, and to respond to the e-mail so the lost funds could be returned.

The e-mail further stated the US government is making adequate arrangements to ensure outstanding beneficiaries receive their funds.  The e-mail is signed by James H. Freis, Deputy Director of the Financial Crimes Enforcement Network, and requires victims to provide personally identifiable information that could potentially result in identity theft.

The U.S. Department of the Treasury posted a scam alert on their website on April 13, 2011, stating they do not send unsolicited requests, do not seek personal or financial information from members of the public by e-mail, and recommend that recipients do not respond to these messages. The alert further provides links for victims to report solicitations claiming to be from the U.S. Treasury.

Microsoft Finds >427k Compromised Email Addresses

Microsoft spelled out the results of its ongoing investigation into the Rustock botnet server hardware obtained by law enforcement in a status report submitted Monday to a federal judge.  Operation b107 was the codename for the takedown of the huge Rustock botnet, responsible for sending as many as 30 billion spam messages a day.  The takedown was backed by international warrants to seize command-and-control (C&C) servers.

Custom-written software for assembly of spam emails and text files containing thousands of email addresses and username/password combinations for spam-dissemination were found. One text file alone contained over 427,000 email addresses.

Along with the email addresses, forensics experts also uncovered evidence that the criminals used stolen credit cards to purchase hosting and email services.  Payments for the hosting of some of Rustock’s C&C servers were traced to a specific Webmoney account, and after asking the Russian online payment service for help, the owner of that account was identified in a city 14 miles northwest of Moscow.  The status report cautioned that this person might not be the actual purchaser of the C&C hosting services, and that the investigation is continuing.

18 of the 20 drives obtained had been used as “Tor nodes” to provide the attackers with anonymous access to the Internet, and to the hijacked Windows PCs that made up the Rustock botnet.  Tor relies on routing and encrypting traffic through a network of machines maintained by volunteers in numerous countries to hide the actual connections.  Tor is used by activists in nations where governments monitor or restrict web communication, and by hackers to thwart identification efforts.

If you believe your computer may be infected by Rustock or other type of malware, Microsoft encourages you to visit support.microsoft.com/botnets for free information and resources to clean your computer.

QakBot Infects Mass. Websites

Personal information about an unknown number of Massachusetts residents may have been stolen from the Massachusetts Executive Office of Labor and Workforce Development, after hundreds of the agency’s computers were infected with malware.  Anyone who conducted business from April 19 – May 13 requiring that a staff person access their file on-line with DCS, DUA or at a One Stop Career Center should take the precautions found at http://1.usa.gov/jcLaDY.

About 1,500 computers at the state’s One Stop Career Centers and other departments were infected with W32.QAKBOT, designed to allow remote control and to steal information.  There is a possibility that as a result of the infection, the virus collected confidential claimant or employer information. This information may include names, Social Security Numbers, Employer Identification Numbers, email addresses and residential or business addresses.  It is possible that bank information of employers was also transmitted.  About 1,200 of 180,000 employers that manually file with the agency may be impacted by the data breach; however, the agency has no way to verify this number.

The agency first detected the malware on April 20th, and took immediate steps to contain and remove the infection.  Yesterday, the agency said that the virus was not remediated as originally believed, and that persistence of the malware resulted in a data breach.  “We were targeted by criminal hackers who penetrated our system with a new strain of a virus,” reports the secretary of labor and workforce development in a statement released this afternoon.  “All steps possible are being taken to avoid any future recurrence.”

Government Press Release

-=[Busted]=- 6 ID Theft Scammers

Six people have been taken into federal custody for their roles in an identity theft scheme that defrauded banks out of more than $3 million, after an investigation by the FBI, the United States Postal Inspection Service, and the Internal Revenue Service, Criminal Investigative Division.

On May 4, a federal grand jury in Los Angeles returned a 29-count indictment charging them in connection with involvement in the scheme to defraud financial institutions by using stolen identities of people with good credit scores to establish lines of credit, and then using the money for personal expenses. Each of the six is charged with bank fraud. One is also charged with making false statements to banks, and two are charged with aiding and abetting the false statements.

They carried out the fraud by obtaining stolen personal identifying information, including dates of birth, Social Security numbers, credit profiles, FICO scores, and driver’s license numbers, to complete fraudulent applications for business lines of credit at Bank of America and Wells Fargo Bank.  The stolen identities were also used to provide bogus corporate officers for shell corporations that did not actually exist.  They then concocted profits for the bogus businesses and transmitted false tax documents to make it appear as though the businesses were fully operational.  The defendants rented virtual office space and installed rental equipment on the premises.  They also went as far as to recruit folks to pose as employees in order to convince bank employees that the corporations were legitimate during on-site inspections.

Once the applications were approved by the banks, funds were deposited into corporate bank accounts linked to the credit lines, usually in the amount of $100,000 each.  Within a few days, the defendants liquidated the credit lines by issuing checks payable to themselves.  The money was shared among the defendants, who drained more than 70 credit lines through this scheme.

If convicted on all counts, the defendants face maximum statutory sentences ranging from 750 years to 870 years.