Category Archives: Internet crime

Targeted iCloud accounts compromised

By now you’ve likely heard that dozens of celebrity accounts on Apple’s iCloud service were recently accessed by unscrupulous persons, and embarrassing photos from those accounts posted on various web sites.

This should serve as a reminder to everyone who uses web-based storage like iCloud that such services are extremely tempting targets for attackers: one account holds years of photos, backups and documents.

In this case, the invader discovered that the login endpoint behind Apple’s ‘Find My iPhone’ service did not rate-limit or lock out repeated failed login attempts. That allowed brute force (rapid, automated) guessing against it, using a list of common passwords, to learn the passwords of some targeted iCloud accounts, at which point everything stored in those accounts (photos included) could be downloaded. Note that the guessing was targeted at known account names, so it only needed to succeed against the weakest passwords on the list.

If you use cloud storage, use a strong, unique password for it, and turn on two-factor authentication where the service offers it; otherwise, you might as well assume everything you store there is publicly accessible.

The SANS InfoSec Handler’s Diary has more.
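The attack described above works only because the login endpoint answered every guess. As an added example (this code is not from the original post, Apple, or the tool the attacker used), the following simulates a dictionary attack against two toy login services: one that accepts unlimited attempts and one that locks an account after five failures inside a five-minute window. The account names, password hashes, common-password list and lockout thresholds are all constructed for the demonstration.

```python
"""Added example, not part of the original post: a dictionary attack against an
unthrottled login endpoint versus one with per-account lockout.
Accounts, passwords, the word list and the thresholds are constructed here."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 10_000  # low, to keep the demo quick; use far more in production


def _make_user(password: str):
    """Constructed 'user database' entry: per-user salt plus PBKDF2 hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {
    "alice@example.com": _make_user("correct-horse-battery-staple-42"),  # not in word list
    "bob@example.com": _make_user("password1"),                           # weak, in word list
}
_DUMMY = _make_user("dummy")  # hashed for unknown users so timing does not reveal accounts

# Constructed "common passwords" list of the kind used in the attack.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou",
                    "baseball", "password1", "welcome"]


def _password_matches(user: str, guess: str) -> bool:
    salt, stored = USERS.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored) and user in USERS


class UnthrottledLogin:
    """Answers every attempt; the attacker simply keeps guessing."""

    def attempt(self, user: str, guess: str) -> str:
        return "ok" if _password_matches(user, guess) else "bad"


class ThrottledLogin:
    """Locks an account after MAX_FAILURES failed attempts within WINDOW seconds.
    The lock is checked before the guess is evaluated, so a locked-out attacker
    learns nothing about whether the guess was right."""
    MAX_FAILURES = 5
    WINDOW = 300.0  # seconds

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for testing
        self._failures = defaultdict(list)    # user -> timestamps of recent failures

    def attempt(self, user: str, guess: str) -> str:
        now = self._clock()
        recent = [t for t in self._failures[user] if now - t < self.WINDOW]
        self._failures[user] = recent
        if len(recent) >= self.MAX_FAILURES:
            return "locked"
        if _password_matches(user, guess):
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "bad"


def dictionary_attack(service, user: str, wordlist):
    """Try each word in order. Returns (password_found_or_None, attempts, last_result)."""
    for n, guess in enumerate(wordlist, 1):
        result = service.attempt(user, guess)
        if result == "ok":
            return guess, n, result
        if result == "locked":
            return None, n, result
    return None, len(wordlist), "exhausted"


if __name__ == "__main__":
    for name, svc in (("unthrottled", UnthrottledLogin()), ("throttled", ThrottledLogin())):
        print(name, dictionary_attack(svc, "bob@example.com", COMMON_PASSWORDS))
```

Against the unthrottled service the weak account falls on the seventh guess; against the throttled one the attacker is locked out on the sixth attempt without ever reaching the real password. Per-account lockout is not free, though: an attacker who knows a victim’s account name can use it to lock that victim out, so real deployments combine it with per-source-address throttling, progressive delays or a CAPTCHA rather than relying on lockout alone.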

Update 2014Sep07: Ars Technica has a followup, in which Apple CEO Tim Cook admits Apple could have done more to prevent the incident, and talks about upcoming iCloud security changes. Bruce Schneier, on his blog, reminds everyone that strong passwords would have protected the victims’ accounts, and recommends using an offline password manager.

What we know about the recent theft of 1.2 billion passwords

On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.

The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn’t provide much in the way of details, which has given rise to a lot of speculation about the facts and about Holden’s motives.

Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user id was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.

Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.

In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.

In the meantime, our advice remains the same: use complex, unique passwords, especially for critical accounts like online banking.

CryptoLocker defanged at last

Security researchers have obtained the private keys needed to undo the encryption used by the horrible CryptoLocker ransomware. (The encryption itself was not broken; the keys were recovered, which is the only practical way to get such files back.)

Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.

The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You upload one encrypted file, and the matching key is sent to you. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.

Brian Krebs has more.

Microsoft gets careless in its anti-malware efforts

Up to now we’ve been happy to report on the successes of Microsoft’s work on hindering or shutting down botnets and other malware networks and sites. But their most recent actions in this area were heavy-handed, resulting in millions of legitimate domains going offline.

From Microsoft’s official blog post:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

That all sounds fine, except for one thing: No-IP was also being used for millions of domains with perfectly legitimate purposes. Microsoft says they knew this, and took measures to protect non-malicious domains.

Backlash against Microsoft’s actions is ramping up. Microsoft’s PR people are now saying that this is all due to a technical error, but given their characterization of No-IP (see above), it seems more likely that this is just spin, and they really did mean to kill all domains using No-IP’s services.

Brian Krebs has additional details, as does Ars Technica.

Update 2014Jul03: Microsoft has returned control of the No-IP domains to No-IP. There’s still some doubt as to whether Microsoft acted in good faith: No-IP claims they were never contacted by Microsoft prior to the domain seizure; Microsoft claims otherwise. Regardless, I imagine No-IP will quickly move to remove clients using No-IP for nefarious purposes.

Update 2014Jul13: The EFF has a useful followup of the debacle.

Denial of Service attack against Feedly

I’ve been using Feedly as my main RSS feed reader for several months now, having tried several other alternatives to the now-defunct Google Reader.

Unfortunately, as I write this, Feedly is down. A distributed denial of service (DDoS) attack began after the site’s operators refused to pay extortionists to call it off.

Feedly staff are working with their Internet Service Provider to mitigate the attack and hope to have service restored soon.

Graham Cluley has more.

Update 2014Jun12: Feedly seems to be back up and running normally. Feedly: 1; Internet extortionists: 0.

Gameover botnet targeted in takedown effort

An international law enforcement project to disrupt the Gameover botnet is underway.

Gameover, aka Gameover Zeus or GOZ, is currently installed on up to a million computers worldwide. The botnet is rented out for malicious purposes, including harvesting private information, sending spam email, denial of service (DoS) attacks, extortion, and distribution of various kinds of malware, including the awful CryptoLocker [1,2] ransomware.

This effort to disrupt GOZ has already been very successful: the botnet’s owners are no longer able to control clients. As for CryptoLocker, newly-infected machines can no longer reach the command-and-control servers from which the malware fetches the public key it needs before it starts encrypting, so those machines are safe, at least for now. Machines whose files were already encrypted are not helped by the takedown: their owners must still pay the decryption ransom or lose all encrypted information.

Brian Krebs provides additional details on his Krebs on Security blog.

Update 2014Jun09: Brian Krebs has a behind-the-scenes look at what went into this takeover. To this point, the takeover seems to have been 100% effective, but the botnet developers may have more moves left.

Blackshades users being investigated

Krebs on Security reports that anyone who purchased the hacking toolkit known as ‘Blackshades’ should be prepared for the authorities to kick in their door and confiscate their computers.

Blackshades is “a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes.”

eBay systems hacked, users should change passwords

eBay just revealed that their systems were hacked earlier this year. Encrypted passwords and other non-financial data were stolen.

Anyone with an eBay account is strongly encouraged to change their password as soon as possible.

Oddly, when I logged into my eBay account to change my password a few hours ago, there was no mention of this breach or any warning about changing passwords. The only announcement of the breach from eBay seems to be this blog post on ebayinc.com. Ars Technica has more information about this unfortunate lapse on the part of eBay.

Update 2014May23: All the recent attention to their passwords is leading to some criticism of eBay’s password-handling procedures. Hopefully eBay will be quick to improve in this area.

Update 2014May25: Lost in all the concern about password changes is the fact that even if none of the stolen encrypted passwords are cracked, the other – unencrypted – information stolen (including eBay customer names, email addresses, physical addresses, phone numbers and dates of birth) will be very useful for anyone involved in credit card fraud and phishing efforts. And there’s not much you can do about that.

Canada Revenue Agency hit by Heartbleed, recommends changing passwords

Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.

According to the RCMP, about 900 Social Insurance numbers were obtained from CRA systems by unknown persons over a six hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.

The CRA systems’ vulnerability has now been patched, and the CRA is advising all account holders to change their passwords. (The order matters: changing a password on a site that is still vulnerable to Heartbleed just exposes the new password the same way, so only do it once the site confirms it has been patched.)