By Ellen Messmer, Network World
New capabilities are strengthening the ZeuS botnet, which criminals use to steal financial credentials and execute unauthorized transactions in online banking, automated clearing house (ACH) networks and payroll systems. The latest version of this cybercrime toolkit, which starts at about $3,000, offers a $10,000 module that can let attackers completely take control of a compromised PC.
Zeus v.1.3.4.x (code changes are always underway by the author and owner, who is believed to be one individual in Eastern Europe) has integrated a powerful remote-control function into the botnet so that the attacker can now "take complete control of the person's PC," says Don Jackson, director of threat intelligence at SecureWorks, which released an in-depth report on ZeuS this week.
This new ZeuS feature was lifted from an older open-source project, Virtual Network Computing (VNC), originally developed at the Olivetti Research Laboratory in Cambridge (later AT&T Laboratories Cambridge). It gives ZeuS the kind of remote-control capability found in a legitimate product like GoToMyPC, Jackson says. SecureWorks calls this a "total presence proxy," and it is so useful to criminals that this one VNC module alone costs $10,000.
The Windows-based ZeuS Trojan, which takes up about 50,000 bytes on a compromised computer, is designed to plunder accounts in North American and United Kingdom banking systems through the victim's own computer. The criminal may be a continent away, directing unauthorized transfers of funds through an elaborate command-and-control system.
ZeuS, around since at least 2007, "was originally a spyware Trojan and it had good marketing" and became popular as botnets of all sorts proliferated, Jackson says.
A group called UpLevel was originally in a partnership working on the ZeuS source code. But today researchers suspect there is only one author of ZeuS, and this individual is now exerting tight control over the current ZeuS 1.3 (and later) versions by building a hardware-locked licensing mechanism into the kit.
SecureWorks researcher Kevin Stevens says the ZeuS licensing mechanism is a hardware-locked license, similar to the commercial WinLicense protector, that takes a large number of hardware details about the buyer's computer into account before the ZeuS Builder toolkit will unlock on that machine.
Older versions of ZeuS are available for free, but the price for the current ZeuS and its modules, out since the end of last year, is not cheap. In the online criminal underground, fraudsters often pay for crimeware through Western Union or Web Money, according to SecureWorks.
According to the SecureWorks report published this week, the basic ZeuS Builder kit runs $3,000 to $4,000, with another $1,500 for the "Backconnect" module, which lets the criminal connect back into an infected machine and make financial transactions from it. Because the transactions originate from the victim's own computer, a bank that tries to trace a transfer will trace it back to the account holder's machine. Infecting Windows 7 or Vista computers costs an extra $2,000; without that option the kit is limited to Windows XP systems.
A "Firefox form grabber," costing another $2,000, captures data from fields submitted through the Firefox browser, such as bank usernames and passwords. A "Jabber (IM) chat notifier," for another $500, delivers stolen data to the attacker immediately, so the attacker can log in to the victim's account before the one-time code from a bank-issued number-generating token expires. And the VNC module, at $10,000, lets the attacker drive the victim's own PC and so sidestep any smartcard required for large-dollar transactions.
The latest version is also designed to blow through the most current defenses in place regarding two-factor and other authentication in banking systems, and is especially oriented toward facilitating high-dollar transactions of $100,000 or more, Jackson notes.
"Zeus automatically detects top-tier, gold-level targets" associated with online banking services, Jackson says. A signal is given to the botnet controller, and a highly automated transfer can be made into accounts the attacker desires.
Reports are mounting of companies complaining about unauthorized ACH transfers, or fake employees fraudulently added to automated payroll systems, with high-dollar sums transferred into accounts from which banks either can't or won't recover the money.
Jackson says the latest version of ZeuS gets around most of the advanced online authentication mechanisms used by banks today, with perhaps the exception of a transaction approval process based on at least two people, often randomly selected from a pool of people trained for this purpose, who manually authorize a transfer. "It's an arms race," he says.
The upcoming version of ZeuS, v.1.4, is still in beta but promises still more dangerous features. Its "Web Injects for Firefox" capability, for instance, would let the attacker insert a screen into the Firefox browser on the fly during the banking session, eliciting additional sensitive information by pretending the bank requires it. The ZeuS Trojan is also gaining polymorphic encryption, re-encrypting itself so that every copy appears unique and making it harder still for anti-virus software to detect.
Sunday, March 21, 2010
ZeuS botnet code keeps getting better....for Criminals
I read this from Network World's website. This article contains some good information about the continued threat of the ZeuS botnet. Please pass along the information to end-users & any customers you may have that would have access to financials. These are the users that are most at risk for being compromised.
Friday, December 11, 2009
Bank Login-Stealing Botnet Found Hiding in Amazon Cloud
Here is a great article that proves most technical people's fears about cloud computing. The popular botnet Zeus was found in Amazon's cloud. This is exactly why more thought needs to go into the cloud & into how your data is stored & protected. Sure, it would be nice to be able to access your information whenever & wherever, but is the risk of having all your information stored in an undisclosed & insecure location worth it?
We've all heard security nerds complain about the vulnerabilities of cloud computing; here's the news they've been waiting for.
Black-hat hackers got into an unnamed website hosted on Amazon's servers and then installed command-and-control infrastructure there. Named America's number one most wanted botnet, Zeus was discovered on Amazon's Elastic Compute Cloud (EC2) by security researchers yesterday.
The Zeus Trojan is an information stealer that logs keystrokes and grabs form data such as login credentials, account numbers and credit card information. It injects fake fields and forms into banking login pages so that victims hand their details to the attackers. This particular botnet has been linked to around $100 million in bank fraud in 2009.
Although we don't yet have details on exactly how the website in question was hacked, we have learned that the software has been removed from the Amazon cloud. This incident is the first publicly reported example of malware being found on AWS infrastructure.
As we were warned by black hats in April this year, cloud computing carries certain risks and opportunities for exploitation. Our own Sarah Perez wrote:
In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on EC2... While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were built by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.
As John Pescatore told the Financial Times, "The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."
Will hackers continue to employ web services to carry out their schemes in 2010? Twitter, Facebook, Google Apps, and now Amazon Web Services have all been used for evil this year. How can websites, corporations, and end users be smarter about online security to avoid personal and financial loss next year? Let us know what you think in the comments.
Labels: amazon cloud, banking, botnet, community banks, zeus
Friday, November 20, 2009
How do spammers send from my email address?
I read a great article posted by Amir Lev on Computer World's website. Amir Lev is the CTO and President of Commtouch Software Ltd. (NASDAQ:CTCH), an e-mail and Web defense technology provider. For more background on Amir, visit this link.
In Amir's article, he touches on a very common problem everyone faces. If your experience is anything like mine with the average user, this is a concern that everyone has dealt with & it usually causes a bit of panic for the end users. They receive an email that is spam, but says that it was sent from their own address, or more commonly, was made to look like it came from a company email address or another trusted, recognizable domain.
Here is what Amir gives as a basic explanation of how this occurs & what can be done to help prevent it, though still not stop it completely.
This is absolutely a frequently-asked question. To answer it requires an understanding of SMTP -- the standard used for sending email between servers -- which stands for Simple Mail Transfer Protocol.
Like many "mature" Internet standards, SMTP was invented back in the days when the Internet was a kinder, gentler place. A time when there was no spam, and the only users of the network were experimental souls, with good karma, who were trusted by all the other users. Yes, there really was such a time!
Although SMTP has been enhanced quite a bit since then, many mail servers still operate with an assumption of trust. An evil spammer can pretend to be another mail server, connect to your mail server, and offer up a message that's not only addressed to you, but claims to have come from you as well! It's forgery, plain and simple; and forgery that's made simple by the implicit, blind trust that many mail servers have for each other.
In fact, the spammers can send messages that pretend to come from anybody -- that's one of the tricks in the phishers' toolbag, allowing them to forge messages "from" your bank. Not only that, but spammers can send email to your friends and business associates, while pretending to be you. Not good at all.
How to prevent the problem
The simple answer is that recipients need a spam filter that will detect and filter out those forged messages. (Well, I would say that, wouldn't I?)
There are also Internet standards that help other people's spam filters to detect forgeries of your email address. The main ones are SPF/SenderID and DomainKeys/DKIM. In simple terms, they allow you to publish information that tells a receiving email system whether a message "from" you is likely to be forged or not.
It's a good idea for email senders to support all these standards, to help prevent spammers forging your email addresses. First, your email administrator should publish an accurate SPF record for each domain you own. Second, your email system should sign all your outgoing email with DKIM. Talk to the people running your email system and ask them if they're doing both these things. (If they're not, ask them why and post their excuses below!)
For various reasons, the standards aren't 100% foolproof, but they're useful as part of the spam filtering process.
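The forgery described above (a stranger connecting to your mail server and offering a message that claims to be from you) and the SPF check the article recommends, worked through as an added example in Python. This is editor-written code for this page, not code from Amir Lev's article or from Commtouch. Everything in it is constructed: the DNS records and domains, the IP addresses, and the SMTP transcript. `check_spf` implements only the ip4, ip6, include and all mechanisms, so it illustrates the policy logic rather than replacing a full RFC 7208 implementation:

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups: these domains, addresses and
# records are assumptions made up for this example, not real infrastructure.
FAKE_DNS_TXT = {
    "examplebank.test": "v=spf1 ip4:203.0.113.0/24 include:mailer.test -all",
    "mailer.test":      "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nomail.test":      "v=spf1 -all",   # publishes "we send no mail at all"
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record or None (real code queries DNS TXT)."""
    record = dns.get(domain.lower())
    return record if record and record.lower().startswith("v=spf1") else None


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Simplified SPF evaluation (ip4, ip6, include, all) of the connecting
    client_ip against the MAIL FROM domain's policy; result names as in RFC 7208."""
    if depth > 10:                      # RFC 7208 caps DNS-based terms at 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                   # no policy published: nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:                        # a v6 client never matches an ip4 term
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed record
        elif mechanism == "include":
            inner = check_spf(client_ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"   # include matches only on an inner pass
        else:
            continue                    # a / mx / ptr / exists need live DNS
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def parse_session(transcript):
    """Extract MAIL FROM and the visible From: header from a captured SMTP
    session; lines starting with 'C:' are what the client sent."""
    s = {"mail_from": None, "header_from": None}
    in_data = False
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue
        cmd = line[2:].strip()
        if in_data:
            m = re.match(r"From:\s*.*?<?([^<>\s]+@[^<>\s]+)>?\s*$", cmd, re.I)
            if m and s["header_from"] is None:
                s["header_from"] = m.group(1)
        elif cmd.upper().startswith("MAIL FROM:"):
            s["mail_from"] = cmd.split(":", 1)[1].strip().strip("<>")
        elif cmd.upper() == "DATA":
            in_data = True
    return s


def assess(client_ip, transcript, dns=FAKE_DNS_TXT):
    """Return (spf_result, header_aligned). SPF judges the envelope sender;
    the flag records whether the address the user will actually see in the
    From: header belongs to that same domain, which SPF alone never checks."""
    s = parse_session(transcript)
    env_domain = s["mail_from"].rsplit("@", 1)[1].lower()
    hdr_domain = s["header_from"].rsplit("@", 1)[1].lower()
    return check_spf(client_ip, env_domain, dns), env_domain == hdr_domain


# Constructed transcript: the forger claims to be the bank in both the
# envelope and the From: header, the forgery the article describes.
FORGED_AS_BANK = """\
S: 220 mx.examplebank.test ESMTP
C: HELO mx.examplebank.test
C: MAIL FROM:<alice@examplebank.test>
C: RCPT TO:<alice@examplebank.test>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: Alice <alice@examplebank.test>
C: To: alice@examplebank.test
C: Subject: Urgent: verify your account
C:
C: (spam body)
C: .
"""
# Same message, but the envelope uses the spammer's own domain (no SPF record).
FORGED_HEADER_ONLY = FORGED_AS_BANK.replace(
    "MAIL FROM:<alice@examplebank.test>", "MAIL FROM:<bulk@spammer.test>")
```

Against the constructed transcript, `assess("192.0.2.5", FORGED_AS_BANK)` returns `("fail", True)`: the bank publishes `-all`, so a forger connecting from an address the bank never listed is rejected outright, and a connection from `203.0.113.7` or from the included relay `198.51.100.10` passes. `assess("192.0.2.5", FORGED_HEADER_ONLY)` returns `("none", False)`: SPF is evaluated on the envelope MAIL FROM, so a forger who uses a throwaway domain of their own in the envelope and puts the victim's address only in the From: header the user sees gets no SPF verdict at all. That gap is one of the "various reasons" the standards are not foolproof on their own, and it is why the article also recommends DKIM, which signs the headers (signing is not simulated here).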
I hope that with this explanation, we can alleviate a bit of the sense of panic when the average end user runs into these types of forgeries. Better education for the end users means a little less work for the IT staff, & trust me, they appreciate all the help they can get.
Labels: amir lev, banking, community banks, computer world, forgery, smtp, spam
Tuesday, November 17, 2009
ATM Fraud: Skimming Scheme Hits Banks
I read this informative article from http://www.bankinfosecurity.com. This is a very good article that everyone should read & become educated on. ATM schemes are becoming very popular & we need to learn how to mitigate the issues by changing the way data is stored on the cards. They make very good suggestions at the end of the article & some larger companies are already starting to implement some of these methods.
A member of my church was recently a victim of ATM fraud & had his account wiped out. This happened in a small town, where you wouldn't normally think you would have the issues you would at a higher-trafficked ATM location, such as one in a busy city. This threat needs to be on all our minds so we can watch our ATMs &, as users of ATMs, protect our own transactions as well as those of our customers.
A series of skimming crimes that hit the Nashville, TN area recently is but one of many ATM fraud schemes preying upon financial institutions and their customers.
Nashville police reported last week that they were investigating an ATM card skimming scheme in which at least 600 individuals were potential victims. Investigators say five Bank of America ATMs were hit, as well as an unknown number of US Bank machines. A total of 60 people had fraudulent withdrawals from their accounts of anywhere from $100 to $5,000. Investigators suspect that the skimmers have now moved on to other cities.
The problem is not isolated to Nashville, says Terrie Ipson, fraud expert at Diebold, an ATM manufacturer. "No one vendor or ATM type is more susceptible over another," Ipson says, "so everyone needs to be aware of this threat."
Ipson notes that a report from the ATM Industry Association (ATMIA) earlier this summer shows the growing nature of the international threat of card skimming. Among recent incidents:
* In Las Vegas, 75 skimming attacks were reported over a three-month period, as compared to previous rates of 2-3 incidents per year.
* In Sydney Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman saying the devices used are "becoming smaller, more sophisticated and capable of storing more data."
* In California, investigators reported that skimmers and card duplicators could be bought from overseas sellers on the Internet for a few thousand dollars.
Card skimming is not new. Early forms of skimming devices, and even dummy ATMs installed in empty shop fronts, were used to capture card information in the 1990s. What has changed is the scale and geographical spread of such attacks, Ipson says.
The ATMIA recommends these steps to help prevent ATM fraud:
* Build awareness among customers, branch employees and ATM service teams to help detect devices added to ATM exteriors. Visual clues include tape residue near or on a card reader that would show a skimming device had been placed on the ATM.
* Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
* Contactless cards, out-of-band authentication using cell phones and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
* Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.
"There is no single silver bullet that will solve ATM skimming," Ipson says. "Skimming continues to be an emerging threat. The criminals are investing lots of money to develop these devices, [and] consumers can be fooled into thinking they are legitimate."
Wednesday, October 28, 2009
10 Tips for Spotting E-mail Scams
Anyone who has an email account has unfortunately come across an email that falls into one of the categories below. We all get these types of emails & this will not be ending anytime soon. Spammers will continue their onslaught of spoof messages because, generally, they trick about 7% of the users who receive the message. Those 7% of users have accounts compromised, identities stolen, accounts cleaned out, etc. To avoid falling into that 7%, read the 10 ways below to help spot an e-mail scam.
1. Requests for personal information
No legitimate organization will ask for your Social Security number, bank account number or PIN via e-mail – and none will include a link sending you to a form to enter it. No matter how authentic these emails may look, ignore 'em.
2. Watch for typos or spelling mistakes
Scam artists are street smart, but many flunked basic grammar (or barely speak English). Look for mistakes like inappropriate hyphens or confusing "your" and "you're." If the note has multiple typos or grammatical errors, odds are it's not legitimate.
3. Clickable Web links in e-mails
Don't trust links to Web sites in e-mails. What might look like a legitimate address is often linked to a third-party site that looks official, but is actually run by thieves and scammers. These are the fast track to identity and financial theft.
4. 'Market research' or surveys that ask you for personal information.
Disguising scam e-mails as marketing is a classic ploy. You'll be asked to fill out a survey or enter a contest – requiring you to give personal information or "log on" to your account. Once you've done so, the scammers can use it themselves.
5. Stock tips from random people or companies
Got a "hot stock tip" via e-mail? It's probably a "pump and dump" scheme. The sender already owns shares – and when you and others act on the "tip," the stock price soars and he sells fast – leaving you with virtually worthless shares.
6. Attachments in e-mails from anyone you don't know
It should be common sense, but just in case, we'll remind you again: Don't open an attachment from someone you don't know – even if it appears to be your bank or credit card company. It's almost always a virus or spyware meant to steal your personal information.
7. Wordless e-mails
Some legitimate looking "e-mails" are actually just images. The danger with these is that clicking anywhere in the body takes you to a suspect Web site – where you may be fooled into entering personal information, or the scammer may slip spyware onto your machine.
8. Outdated information
Some scammers like to pose as technical or customer support from a company you associate with – but fail to keep up with current events. In one such e-mail, for example, the senders forgot that Earthlink bought Mindspring in 2000.
9. Red-flag phrases
If you see the phrases "verify your account," "you have won the lottery" or "if you don't respond within XX hours, your account will be closed," it's a scam – every time. Hit the delete button and don't look back.
10. Generic greetings
While you can't trust every e-mail that knows your name, you can definitely ignore the ones that start "Dear member" or "Hello friend." If your bank or credit card company is writing you, it knows who you are. So do your friends.
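Several of the tips above can be turned into mechanical checks that a mail gateway or a help-desk script can run over a message body: a link whose visible text names one host while the href points at another (tip 3), an image-only body (tip 7), red-flag phrases (tip 9) and generic greetings (tip 10). The Python below is an added example written for this page, not code from any product or source mentioned on it. The three HTML messages, the sender domain `examplebank.test` and the short red-flag phrase list are constructed for the example:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short phrase list for the example; a real filter maintains
# a much larger one.
RED_FLAGS = ("verify your account", "you have won", "account will be closed",
             "within 24 hours", "confirm your identity")
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _MailHTML(HTMLParser):
    """Collect (href, visible label) per anchor, count images, gather text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._label = attrs.get("href", ""), []
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)


def host_of(url):
    """Hostname of a URL or of a bare 'www.host/path' label, lowercased."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True when host is domain itself or a subdomain of it (no suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def scan_email(html, sender_domain):
    """Return a list of warnings for one HTML message body that claims to
    come from sender_domain; an empty list means none of the checks fired."""
    p = _MailHTML()
    p.feed(html)
    warnings, domain = [], sender_domain.lower()
    for href, label in p.links:
        target = host_of(href)
        # Tip 3: the visible text looks like an address but the link goes elsewhere.
        shown = host_of(label) if LOOKS_LIKE_URL.fullmatch(label) else ""
        if shown and shown != target:
            warnings.append(f"link text says {shown!r} but points at {target!r}")
        elif target and not in_domain(target, domain):
            warnings.append(f"link leaves the sender's domain: {target!r}")
    visible = " ".join(p.text).lower()
    if p.images and not visible.strip():                            # tip 7
        warnings.append("image-only message (no visible text)")
    for phrase in RED_FLAGS:                                        # tip 9
        if phrase in visible:
            warnings.append(f"red-flag phrase: {phrase!r}")
    if re.search(r"\bdear (member|customer|friend|user)\b", visible):  # tip 10
        warnings.append("generic greeting")
    return warnings


# Constructed sample messages for the example.
PHISH = """<html><body><p>Dear member,</p>
<p>We could not verify your account. If you do not respond within 24 hours,
your account will be closed.</p>
<p><a href="http://examplebank.test.evil.example/login">www.examplebank.test/login</a></p>
</body></html>"""
IMAGE_ONLY = '<html><body><a href="http://evil.example/x"><img src="cid:ad"></a></body></html>'
LEGIT = """<html><body><p>Hello Alice,</p><p>Your statement is ready.</p>
<p><a href="https://online.examplebank.test/statements">View statement</a></p></body></html>"""
```

`scan_email(PHISH, "examplebank.test")` fires on the mismatched link, three red-flag phrases and the generic greeting; `scan_email(IMAGE_ONLY, ...)` flags the image-only body and a link that leaves the sender's domain; `scan_email(LEGIT, ...)` returns an empty list. The domain comparison uses a dot-boundary check rather than a plain suffix test so that `evilexamplebank.test` is not mistaken for `examplebank.test`.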
Labels: banking, banks, community bank, compromise, email, email scams, finance, identity theft, IT Security, spam, spoof
Spammers Continue To Abuse The Names Of Top Government Executives By Misusing The Name Of The United States Attorney General
As always, keep your guard up. The spammers continue to use government agencies, as well as the names of individuals from those agencies, in an attempt to lure in unsuspecting end-users. Make sure that you notify everyone to keep their eyes open for these types of emails & to report them accordingly.
As with previous spam attacks, which have included the names of high-ranking FBI executives and names of various government agencies, a new version misuses the name of the United States Attorney General, Eric Holder.
The current spam alleges that the Department of Homeland Security and the Federal Bureau of Investigation were informed the e-mail recipient is allegedly involved in money laundering and terrorist-related activities. To avoid legal prosecution, the recipient must obtain a certificate from the Economic Financial Crimes Commission (EFCC) Chairman at a cost of $370. The spam provides the name of the EFCC Chairman and an e-mail address from which the recipient can obtain the required certificate.
Do not respond. These e-mails are a hoax.
Government agencies do not send unsolicited e-mails of this nature. The FBI, Department of Justice, and other United States government executives are briefed on numerous investigations, but do not personally contact consumers regarding such matters. In addition, United States government agencies use the legal process to contact individuals. These agencies do not send threatening letters/e-mails to consumers demanding payments for Internet crimes.
Consumers should not respond to any unsolicited e-mails or click on any embedded links associated with such e-mails, as they may contain viruses or malware.
It is imperative consumers guard their Personally Identifiable Information (PII). Providing your PII will compromise your identity!
If you have been a victim of Internet crime, please file a complaint at www.IC3.gov.
Monday, October 26, 2009
FDIC fraudulent emails
I just received this in an email, right after receiving a phone call from an end user who actually received the fraudulent email. Everyone please beware of this & make sure to notify your end users & even your customers if possible.
FDIC Consumer Alert - Oct.26, 2009
The Indiana Bankers Association has received notice that the Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.
The subject line of the e-mail states: "check your Bank Deposit Insurance Coverage." The e-mail tells recipients that, "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets."
The e-mail then asks recipients to "visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage" (a fraudulent link is provided). It then instructs recipients to "download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage."
This e-mail and associated website are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to online banking services or to conduct identity theft.
The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and consumers should NOT follow the link in the fraudulent e-mail.