April 2017 – SurfWatch Labs, Inc.

Behind the Scenes of a $170 Million Payment Card Fraud Operation

On Friday, 32-year-old Russian hacker Roman Seleznev was sentenced to 27 years in prison for running a cybercriminal operation that stole millions of payment cards, resulting in at least $169 million in damages to small business and financial institutions. It’s the longest sentence ever issued in the U.S. for cybercrime, and the court documents and testimony that led to the sentence revealed the inner workings of a decade-long operation that helped to grow and evolve payment card fraud into what it is today.

Earlier this month, in documents urging the judge to issue a lengthy sentence, the prosecution said Seleznev may have harmed more victims and caused more financial losses than any other defendant that ever appeared before the court:

“Seleznev is the highest profile long-term cybercriminal ever convicted by an American jury. His criminal conduct spanned over a decade and he became one of the most revered point-of-sale hackers in the criminal underworld. … Unlike smaller players in the carding community, Seleznev was a pioneer in the industry. He was not simply a market participant – he was a market maker whose automated vending sites and tutorials helped grow the market for stolen card data.”

In total, the government was able to identify 2,950,468 unique credit card numbers that Seleznev stole, possessed, or sold related to more than 500 U.S. business, subsequently affecting 3,700 financial institutions around the world. And — as the government pointed out — that is just the known losses.

Driving Small Businesses to Bankruptcy

Photo of money taken from Seleznev’s iPhone, which was confiscated upon his arrest in July 2014. In addition, the laptop in his possession at that time contained more than 1.7 million stolen credit card numbers.

As we wrote when Seleznev was convicted on 38 of the 40 counts he faced last year, many of the organizations he targeted were small businesses, and the testimony of seven of those businesses were heard in the court case.

Seattle’s Broadway Grill has perhaps been the most publicized of the point-of-sale breaches. Owner CJ Saretto testified that bad publicity from the breach instantly reduced the restaurant’s revenue by 40 percent and eventually forced him to “walk away from the business, shutter the doors, [and file] personal bankruptcy.” Other owners testified that the effect on business was “horrendous,” that the breach forced them into heavy debt, and that business “has never been the same” since the incident.

It’s no coincidence those that testified in the case against Seleznev were small business owners. Seleznev tended to target small businesses in the restaurant and hospitality industry, particularly if they had poor password security around their point-of-sale devices.

Seleznev “developed and used automated techniques, such as port scanning, to identify retail point of sale computer systems … that were connected to the Internet, that were dedicated to or involved with credit card processing, and that would be vulnerable to criminal hacks,” the indictment stated.

“He quickly learned that many of these businesses’ point of sale systems were remotely maintained by vendors with poor password security,” the government said in its sentencing memorandum. “Because most of his victims were small businesses, they were unlikely to have in-house IT or security personnel. As a result, these companies made extremely attractive targets for someone with Seleznev’s skills as a hacker.”

Track2, Bulba, 2Pac, and POS Dumps

However, Seleznev went far beyond merely stealing payment card information, he also helped to develop and operate websites to market the stolen data and promote more individuals to get into payment card fraud. Seleznev was 18 years old when he began participating in the Russian underground “carding” community under the alias “nCuX,” and seven years later, in 2009 when the U.S. Secret Service tried and failed to coordinate his arrest, he had become a major provider of stolen credit card data, according to court documents.

Just three months after being tipped off to the potential arrest by contacts inside the FSB and retiring his “nCuX” alias, Seleznev was back in the game under the name “Track2.” He soon unveiled two new automated vending websites, “Track2” and “Bulba,” which allowed buyers to to automatically search and purchase his stolen credit card data by using filters such as a particular financial institution or card brand.

2017-04-26_SeleznevBulba — Screenshot of Bulba, an automated vending website used by Seleznev to buy and sell stolen payment card information.

Those features have become commonplace now, but as the prosecution noted, it was “a major innovation” at the time and the “Track2 and Bulba websites achieved instant success.”

“[The sites] made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon,” the prosecution wrote. “Automated vending sites increased the efficiency [of] credit card data trafficking, and remain the gold standard for credit card trafficking to this day.”

2017-04-26_AlphaBayCarding — The popular dark web marketplace AlphaBay adopted a similar automated shop for stolen payment card information in May 2015, but it includes more search options and a more user-friendly interface than Seleznev’s 2009 Bulba site.

In April 2011, Seleznev was injured in a terrorist bombing in Marrakesh, Morocco, and hospitalized for several months. His co-conspirators ran the Track2 and Bulba websites in his absence until they closed up shop in January 2012 citing no new dumps to sell.

Once again, Seleznev choose to return to cybercrime by innovating his operations. Switching monikers to “2Pac,” he launched a new automated vending site that would not only sell his stolen data but would offer stolen cards from “the best sellers in one place.” Seleznev would take a portion of the proceeds for each sale, and he used this model to resell credit data stolen in popular breaches such as Target, Michaels, and Nieman Marcus on the 2Pac site.

2017-04-26_SeleznevATMDump — Someone chatting with Seleznev trying to get payment card data stolen via ATM skimmers listed on the 2Pac site.

In addition, Seleznev needed a continuous stream of dumps and customers to fuel his 2Pac site, so he began teaching others the basics of payment card fraud via a sister site, called “POS Dumps.”

2017-04-26_Seleznev2PacTutorial — The POS Dumps site linked to the 2Pac site and walked wannabe fraudsters through the steps necessary to become a criminal.

The POS Dumps website contained four categories to teach amateurs how to successfully commit payment card fraud:

Choosing and buying equipment
Choosing and buying dumps
How to generate Track1 and why it is needed
Writing the dumps onto cards

The website even had links to eBay to purchase the necessary equipment (an MSR206 manual swipe magnetic card reader/writer) and custom malware to help write the stolen payment card data onto other cards.

2017-04-26_SeleznevTheJERM — POS Dumps provided a “comprehensive” program to interface with the MSR206 magnetic reader/writer to help wannabe cybercriminals commit fraud.

The prosecution wrote that the POS Dumps website “trained thousands of new criminals in the basics of how to use the data to commit fraud.” Similar types of tutorials related to fraud and cybercrime remain among the most commonly listed items on dark web markets today, according to SurfWatch Labs’ data.

A Record 27-Year Prison Sentence

2017-04-26_SeleznevGuidelines — The prosecution argued that the U.S. sentencing guidelines stated that “unauthorized charges … shall not be less than $500 per access device.” Therefore, Seleznev’s 2.9 million stolen credit cards equated to more than $1.4 billion in losses.

Court documents from the defense called the long prison sentence “draconian.” However, Seleznev clearly knew his actions could have serious consequences. He monitored the U.S. court’s PACER system for any criminal indictments against him, and when agents arrested him in the Maldives as he attempted to board a plane in 2014, he immediately asked if the U.S. had an extradition treaty. The U.S. did not have a formal treaty with the Maldives, but an agreement was obtained in the days prior to take custody of Seleznev.

The prosecution described Seleznev’s sentencing guideline calculation as “literally off the charts.” A score of 43 recommends a life sentence, and Seleznev scored 16 points above that — a 59.

The judge agreed with the prosecution and sentenced Seleznev to 27 years in prison last Friday.

“The notion that the Internet is a Wild West where anything goes is a thing of the past,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind. Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”

Weekly Cyber Risk Roundup: Payment Card Data at Risk Due to POS Breaches and Ecommerce Vulnerabilities

Point-of-sale breaches were once again among the week’s top trending cybercrime targets, as InterContinental Hotels Group (IHG) announced that its previously disclosed POS breach had expanded from the dozen properties reported in February to at least 1,175 properties. Affected hotels include popular brands such as Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, Crowne Plaza, and more.

According to the company’s press release, the investigation discovered “malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.” The release doesn’t directly state the number of properties affected, instead it directs viewers to a cumbersome breach lookup tool that divides the nearly 1,200-strong list of affected properties into countries, states, and even hundreds of individual cities.

The release also states that hotels that upgraded their technology were not affected by the breach: “Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.”

That’s a sliver of good news; however, nearly 1,200 hotels were impacted and that list may grow in the future as “a small percentage of IHG-branded franchise properties did not participate in the investigation.” The lookup tool will be updated as new properties are added. Unfortunately, for heavy travelers that means returning to the clumsy tool periodically and checking every city they stayed in over the affected period for new breach updates.

Other trending cybercrime events from the week include:

More breaches due to poor practices and faulty updates: The accidental posting of a file containing the embedded personal information of 5,600 individuals to Rhode Island’s Transparency Portal and General Assembly website is the third recent data breach tied to UHIP, a new system for state benefits. The cybersecurity company Tanium is apologizing for exposing information related to El Camino Hospital in California in hundreds of presentations for potential customers from early 2012 through mid-2015 as well as several now-deleted YouTube videos. As many as 2,000 individuals in the UK may have had their personal information visible to other customers on the RingGo parking app due to a faulty software update.
Former employees continue to cause damage: A former employee of engineering firm Allen & Hoshall admitted to accessing the company’s servers repeatedly over a two-year period as well as accessing the email account of a former colleague hundreds of times in order to download and view data from his former employer. A man was arrested for attempting to steal proprietary computer code for a trading platform developed by his employer, an unnamed financial services firm with an office in New York. The online retailer Black Swallow has agreed to pay $60,000 to Showpo to settle a dispute alleging that a former Showpo graphic designer downloaded the company’s entire customer database and gave it to her new employer.
Old data breaches come to light: Allrecipes is warning its users that their email addresses and passwords may have been compromised when logging into their accounts prior to June 2013, nearly four years ago. There is not a lot information on what happened, as the notification email said that the company “cannot determine with certainty who did this or how this occurred.” While announcing a series of automated attacks against its InCircle, Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites, Neiman Marcus also noted that a similar automated attack in December 2015 provided access to full payment card details — not just the last four digits as initially reported.
Physical theft of sensitive data at hotel: Police seized bags of documents containing the personal information of guests staying at the Seasons Hotel at Sydney’s Darling Harbour, and one woman has been charged in relation to the theft, according to police. The information was likely stolen around March 21 and included dozens of guest registration forms, which feature photocopies of passports, driver’s licences, and other forms of personal identification.
Other notable cybercrime events: Over 2.4 million email addresses and MD5-hashed passwords were stolen from Fashion Fantasy Game, an online game and social network for fashion lovers, in 2016, and the game’s website appears to contain several existing vulnerabilities that could leak data. Cleveland Metropolitan School District is warning some employees, students, guardians, and affiliates that their information may have been compromised when multiple employees fell for a phishing email that compromised their email account credentials. Security and privacy concerns have been raised after London’s Metropolitan Police apparently gave the addresses of 30,000 gun owners to a marketing agency to help promote the sale of a “firearms protection pack.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

In addition to the wide-reaching POS breach that IHG announced this week, online retailers may also be at risk of potential payment card breaches due to an unpatched zero-day vulnerability in the Magento ecommerce platform.

Security researchers at DefenseCode said they discovered the high-risk vulnerability during a security audit of Magento Community edition. The researchers said the vulnerability “could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information.”

DefenseCode did not examine the Magento Enterprise version, but a researcher told Threatpost that both versions share the same underlying vulnerable code. The researcher also said that they have made repeated attempts to notify Magento of the issue since November 2016, but it has yet to be patched. In an email to customers, Magento said it plans on addressing the vulnerability soon:

This vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:

1. Logon to Merchant Site Admin URL (e.g., your domain.com/admin)

2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs

3. Select YES from the dropdown options

4. Click on Save Config

Magento is used by approximately 200,000 online retailers, so the vulnerability is a cause for concern, particularly since it is now public and likely will not be patched for at least several weeks. In addition, an attack could be carried out by targeting any Magento admin panel user.

“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality [at the root of the vulnerability],” the advisory noted. “Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database.”

Do You Know Your Adversary?

Threat intelligence means a lot of different things to different people. Oftentimes organizations think of tactical information that helps defenders in their on-the-network battles with the bad guys. But, as Forrester Research recently noted in their report Achieve Early Success In Threat Intelligence With The Right Collection Strategy:

“Don’t fall into the trap of subscribing to tactical indicator feeds that you can just pump into your security information management and forget about.”

Tactical intel has it’s role and importance, but starting there can lead you down a rathole. To start off, you need to understand the big picture and then from there you need to understand your adversary, specifically:

Who is the actor, what is their motivation and intent, capability, and opportunity?
What is the threat campaign they are deploying? What is it targeting? How is it being carried out?
What are the associated events and supporting evidence that can be used to provide a level of confidence around the seriousness and impact of this threat to your business?
How can you reduce the adversary’s opportunity? What are the processes and/or tools to minimize this exposure?

On Wednesday, April 26 at 1pm ET, please join us for a threat intelligence discussion and see a live demonstration of SurfWatch Threat Analyst, which recently received 5 out of 5 stars from SC Magazine. Adam Meyer, our Chief Security Strategist and head of the SurfWatch analyst team (and formerly a CISO with the 2nd largest transportation system in the US) will lead this discussion and demonstration.

Slew of Source Code and Malware Leaks Increases Risk for Organizations

Earlier this month, an undergraduate student in Korea apologized for creating and making public the joke ransomware “Resenware.” The malware didn’t ask for money to decrypt files; instead, it required victims to score more than 200 million points on the “lunatic” level of the shooting game Touhou Seirensen ~ Undefined Fantastic Object.

The student told Kotaku that he released the joke malware on Github before falling asleep and by the time he woke up it had spread and “become a huge accident.” The source code was quickly removed from Github and a tool was released allowing infected users to decrypt their files without having to play the game. The creator then apologized for making a “kind of highly-fatal malware.”

That’s all well and good, but as Will Rogers once said, “Letting the cat out of the bag is a whole lot easier than putting it back in.”

A warning from Resenware shared by Malware Hunter Team.

The story highlights how quickly publicly available source code can be spread, copied, and potentially repackaged by malicious actors. That isn’t as likely to happen with Resenware due to the lack of a financial component, though it could be utilized by actors looking to cause harm rather than turn a profit. Nevertheless, profit-driven actors have numerous other recent source code leaks they can pull from.

For example, in December 2016, the source code for a commercial Android banking Trojan, along with instructions on how to use it, was released on a cybercriminal forum. Malicious actors quickly used that code to create the BankBot Trojan, which Dr. Web researchers noted can steal login credentials and payment card details by loading phishing forms and dialogs on top of legitimate applications, as well as intercept and delete text messages sent to the infected device. Since then, BankBot has made several appearances in the Google Play store, confirming Dr. Web’s January conclusion that the leak “may lead to a significant increase in the number of attacks involving Android banking Trojans.” In fact, just last week two malicious applications utilizing BankBot, HappyTimes Videos and Funny Videos 2017, were removed from the Google Play store after receiving thousands of installs.

The BankBot Trojan is just one example of the continuing evolution of malware as the stockpile of effective cybercriminal tools continues to accumulate. The leak of these tools, whether made as a joke by amateurs or for malicious purposes by professional cybercriminals, means that more polished malware is now at the fingertips of malicious actors than ever before.

Even if an inexperienced actor is unable to take and modify public malware source code, they can simply turn to professionally run as-a-service malware options that are likely doing so.

Last week MalwareBytes released a report with an interesting chart on ransomware trends. It shows that the Cerber ransomware-as-a-service (RaaS) has come to dominate the ransomware market with a nearly 90% share as its main competitor, Locky, has declined.

2017-04-19_Cerber — Cerber is dominating the ransomware market as Locky fell off sharply, according to MalwareBytes’ honeypots.

“Cerber [has spread] largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features, but by also making it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report authors noted.

Those types of criminal operations can greatly benefit from the large amount of exploits and malware source code that has made its way into the public domain this year.

For example, since March 2017 we’ve seen:

The release of the source code for the NukeBot banking Trojan, a modular Trojan that comes with a web-based admin panel to control infected endpoints.
New allegedly NSA-developed exploits leaked by TheShadowBrokers, including last week’s release of a series of now-patched Windows exploits and a critical vulnerability that can hijack Solaris systems that was released a week prior (and patched today by Oracle).
More leaks of alleged CIA exploits and tools, some of which claim the CIA benefited by repackaging components of the Carberb malware source code, which was leaked in 2013, into CIA hacking tools.
A report last week claimed that the Callisto APT Group used tools leaked from the surveillance company HackingTeam, which was breached in 2015, in a series of targeted attacks last year.

Whether it’s nation-state actors, cybercriminal groups, or amateur hackers, they can all benefit by the leak of these tools over the past month. If past leaks are any indication, malicious actors will incorporate any effective tools and techniques from the recent leaks into their already-existing cyber arsenals.

As the collective knowledge grows on the cybercriminal side, it’s crucial that organizations harness their own threat intelligence in order to have their finger on the pulse of malicious actors. With that information they can more effectively counter the slew of new vulnerabilities, exploits, and as-a-service tools being used to infiltrate their networks and damage their organization.

Weekly Cyber Risk Roundup: Payment Card Breaches, Malicious Insiders, and Regulatory Action

Gamestop was the week’s top trending cybercrime target as the company is investigating reports that customer payment card information may have been stolen from gamestop.com. In addition to Gamestop, payment card information was also stolen from the restaurant chain Shoney’s and a series of car washes have issued breach notification letters tied to a compromise at an unnamed third-party point-of-sale (POS) provider.

Two sources told Brian Krebs last week that an alert from a credit card processor indicated gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017. The sources said that card numbers, expiration dates, names, addresses, and verification codes were stolen due to the breach. Gamestop also operates thousands of retail locations, but there is no indication that those have been affected.

However, dozens of Shoney’s locations were impacted by a recent POS breach. A week after Krebs reported the Gamestop breach, confidential alerts from credit card associations stated that similar payment card data was stolen from the restaurant chain. Best American Hospitality Corp., which manages some of Shoney’s corporate affiliated restaurants, later issued a press release saying that remotely installed POS malware led to breaches at 37 Shoney’s locations between December 27, 2016, and March 6, 2017.

In addition, Acme Car Wash, Auto Pride Car Wash, Clearwater Express Car Wash, Waterworks Car Wash, and Wildwater Express Carwash were all notified of a point-of-sale (PoS) malware infection by their unnamed third-party POS provider. The notification occurred on March 27, and customers who used a payment card at those business during various periods in February may have had their data compromised.

Other trending cybercrime events from the week include:

New data breaches announced: A backup database containing information on 918,000 people and belonging to telemarketing company HealthNow Networks was exposed on the Internet, compromising a variety of individuals’ personal and health information. The payday loan company Wonga is investigating a data breach that may have affected up to 245,000 customers in the UK and 25,000 customers in Poland. As many as 115 families had their private information compromised when the Victorian Education Department mistakenly published documents to its website for 24 hours. At least 83 University of Louisville employees had their W-2 forms accessed when an intruder gained access to W-2 Express, a product of Equifax used by the school to provide employees with access to tax documents.

More SWIFT attacks made public: The Union Bank of India faced an attack leveraging the SWIFT system that attempted to perform $170 million in fraudulent transactions last July, but the bank was able to block the transfer of funds, the Wall Street Journal reported. The bank’s SWIFT access codes were stolen by malware after an employee opened a malicious email attachment, and the codes were used to send fraudulent instructions in an attack similar to the one that successfully stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve in February 2016.

Ransomware continues to impact patient care: A ransomware infection at Erie County Medical Center blocked access to electronic patient records and forced the center to reschedule some elective surgeries, sources told news outlets; however, the hospital has yet to confirm the shutdown of its computer was due to ransomware. IT workers have been re-imaging about 6,000 desktop computers that had to be wiped clean as a result of the infection. Ashland Women’s Health reported a data breach affecting 19,727 patients after ransomware encrypted data on the practice’s electronic health record system, including its patient scheduling application. The practice was able to restore the encrypted data using a backup, and patient care was impacted for a couple of days due to the incident.

Amazon seller accounts being hacked: Hackers are using previously compromised credentials to hijack the accounts of third-party sellers on Amazon Marketplace, change the bank account information, and then post nonexistent merchandise at cheap prices to defraud customers. The buyers are eligible for refunds from the sellers, which may come as a surprise to the account owners as the hackers are targeting dormant accounts. A company spokesperson told NBC News that it is working to make sure sellers do not have to handle the financial burden of the hacks.

Other notable cybercrime events: Five inmates at the Marion Correctional Institution used computers built from spare parts and hidden in a ceiling in a closet to perform a variety of malicious activities while incarcerated. A team of Indonesian hackers gained access to the online ticketing site Tiket.com and stole approximately Rp 4.1 billion ($308,000 USD) worth of airline tickets from carrier Citilink. Dallas officials are blaming a hacker for setting off all 156 of the city’s warning sirens more than a dozen times.

Cyber Risk Trends From the Past Week

A variety of stories from the past week once again highlighted threats that originate not from external hackers, but from organizations’ employees and poor risk management practices.

To start, Allegro Microsystems has accused a former employee of causing $100,000 worth of damages by logging into the company’s network multiple times after resigning in order to implant malware. According to court documents, the man allegedly returned a computer meant for personal use rather than his work computer when resigning, and he used that work computer along with system administrator credentials to insert malicious code into Allegro’s finance module. The employee “designed the malicious code to copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless,” the documents stated.

Another case involved a DuPont employee who admitted to stealing data from DuPont in the months before he retired in order to bolster a consulting business he planned to run. The man allegedly copied 20,000 files to his personal computer, including formulas, data, and customer information related to developments in flexographic printing plate technology. He also took pictures of restricted areas of DuPont’s plant.

On the regulatory side, the FDA sent a letter to St. Jude Medical demanding the company take action to correct a series of violations related to risks posed by the company’s implantable medical devices — an issue that received quite a bit of attention last summer after a report published by Muddy Waters and MedSec shed light on the alleged vulnerabilities. St. Jude must respond to the FDA within 15 days with “specific steps [it has] taken to correct the noted violations, as well as an explanation of how [it] plans to prevent these violations, or similar violations, from occurring again” — or else St. Jude may face further regulatory action, including potential fines.

That is what happened to Metro Community Provider Network (MCPN), which agreed last week to pay $400,000 following a January 2012 phishing incident that exposed the electronic protected health information (ePHI) of 3,2000 individuals. An investigation conducted by the Office for Civil Rights revealed that “prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” As a result, MCPN will pay the penalty and implement a corrective action plan to better safeguard ePHI in the future.

New Cryptocurrencies Gain Traction, Spark Concern For Law Enforcement

Last month a new ransomware emerged known as “Kirk Ransomware.” The malware was interesting not just because of the Star Trek-themed imagery of James Kirk and Spock that it used, but also because it may be the first ransomware to demand payment via the cryptocurrency Monero.

Victims of the Kirk Ransomware are walked through how to make their ransom payments using Monero.

There are literally hundreds of different types of existing cryptocurrencies like Monero that cybercriminals can choose from, but bitcoin is the most well known and has been the most widely used, by far, when it comes to ransomware. Bitcoin’s status as the reigning cryptocurrency king has been driven, in part, by the growth of cybercriminal markets and ransomware actors that greatly benefit by having a semi-anonymous payment option available. However, bitcoin is facing both growing pains and an expanding group of credible challengers that claim to have better answers to some of the current issues facing cryptocurrencies.

Cryptocurrencies are, for better or worse, intertwined with cybercrime, and dark web markets and malicious actors adopting new forms of payment such as Monero and Ethereum are helping push those currencies to new heights. With that growth comes new opportunities for cybercriminals as well as new concerns for law enforcement.

As we noted in a recent blog on AlphaBay’s plans to adopt Ethereum next month, the cryptocurrency has seen a dramatic increase in price on the heels of AlphaBay’s announcement and partnerships with legitimate financial institutions. Likewise, Monero was worth around $2.50 the day before AlphaBay announced plans to adopt the currency, and less than eight months later it has jumped to more than $26.

In December 2016 an AlphaBay support representative told Bitcoin Magazine that Monero accounted for about two percent of its sales, so bitcoin remains king. However, one can assume that the actors behind AlphaBay have plenty to gain financially by riding the wave created by the largest dark web marketplace adopting new cryptocurrencies — besides simply appeasing their customers.

Monero — which advertises itself as a “secure, private, untraceable currency” — is perhaps the most praised among cybercriminals. Bitcoin was not designed to be anonymous, and every transaction is publicly visible on the distributed ledger known as the blockchain. That’s why malicious actors use third-party tools such as bitcoin tumblers to help hide the origins of bitcoins. It’s also why law enforcement officials and security researchers have been able to “follow” bitcoins to bust those buying and selling illicit goods and services.

Monero, on the other hand, allows users to send and receive funds without transactions being publicly visible on the blockchain, which is one of the reasons some malicious actors prefer it.

“Bitcoin is much more vulnerable to chain analysis,” advised one AlphaBay member in September 2016, when the dark web market adopted Monero. “I can’t stress strongly enough how much more secure it is for darknet transactions.”

2017-04-06_ABMonero — Monero is safer for both the buyer and seller, wrote one AlphaBay user.

Although cryptocurrencies such as Monero have not been as heavily scrutinized by law enforcement as the more popular bitcoin, their adoption among malicious actors is a concern — even if Monero is not perfect.

“There are obviously going to be issues if some of the more difficult to work with cryptocurrencies become popular,” Joseph Battaglia, a special agent working at the FBI’s Cyber Division in New York City, said at an event in January. “Monero is one that comes to mind, where it’s not very obvious what the transaction path is or what the actual value of the transaction is except to the end users.”

As a case in point, the dark web marketplace known as Oasis, which beat AlphaBay by two weeks to become the first market to accept Monero, suddenly went offline in late September 2016 in what may have been an exit scam. Various users quickly reported that at least 150 bitcoin was lost in the potential scam, but guessing how much Monero currency was stolen proved to be much more difficult.

“If we can’t find out, that’s a good thing,” wrote one redditor.

However, the FBI likely has a different view.

Weekly Cyber Risk Roundup: Scottrade Exposes Data and ATMs Get Blown Up, Drilled and Infected

The CIA remained as the top trending cybercrime of the week as WikiLeaks released a fourth set of documents related to the agency. The new dump includes 27 documents from the CIA’s Grasshopper framework, which WikiLeaks described as “a platform used to build customized malware payloads for Microsoft Windows operating systems.” The leaked CIA tools will likely continue to dominate much of the cybercrime discussion in the coming weeks as WikiLeaks appears to have a slow-drip campaign designed around maximizing the leak’s publicity.

The top trending new cybercrime target of the week was Scottrade, which was one of several organizations to experience a data breach due to insecure, publicly exposed data. The Scottrade incident was caused by “human error” at third-party vendor Genpact, which uploaded a data set to one of its cloud servers without the proper security protocols in place. As a result, “the commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses” was exposed, Scottrade said in a statement.

Security researcher Chris Vickery, who discovered the exposed database, said it contained 48,000 lessee credit profile rows and 11,000 guarantor rows, and that each row contained various types of personal information, including Social Security numbers. The database also contained internal information such as plain text passwords and employee credentials used for API access to third-party credit report websites.

Those who read this roundup each week know that breaches due to insecure databases are common, and in addition to Scottrade, Vickery also discovered “a trove of data from a range of North Carolina government offices, including Dept of Administration, Dept of Health and Human Services, Division of Medical Assistance, Dept of Cultural Resources, Dept of Public Safety, Office of State Controller, Office of State Budget and Management, NC IT Department.”

Other trending cybercrime events from the week include:

IRS announces another data breach: The IRS is notifying 100,000 people that their tax information may have been compromised due to a data retrieval tool used when filling out the Free Application for Federal Student Aid (FAFSA). Officials first learned of the potential issue in September 2016, but the service was not disabled until suspicious activity was observed in February. Malicious actors could pretend to be students, start the financial aid application with relatively little stolen information, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns.

Highly sensitive patient data sold on the dark web: A breach at Behavioral Health Center appears to have compromised thousands of patients’ sensitive data, including evaluations, session notes, and records of sex offenders and sex abuse victims. An actor on the dark web claims between 3000 and 3500 unique individuals are in the data, which has since been sold to another actor. “These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years,” read a listing on the dark web. “Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.”

Healthcare organizations targeted: An amateur actor appears to be targeting healthcare organizations with spear phishing messages designed to infect victims with a variant of the Philadelphia ransomware, an unsophisticated ransomware kit that sells for a few hundred dollars. Researchers believe spear phishing messages containing a shortened URL that led to a malicious DOCX file on a personal storage site were used to infect a hospital from Oregon and Southwest Washington. ABCD Pediatrics said that its servers were infected with “Dharma Ransomware” and while investigating the incident the company also discovered suspicious user accounts that suggested a separate incident of unauthorized access.

APT10 hacking group makes headlines: The APT10 hacking group has gained access to the systems of an “unprecedented web” of victims by first targeting managed outsourced IT service companies with spear phishing messages and custom malware and then using those companies as a stepping stone into their clients’ systems. The group also inserted malicious links into certain pages of the National Foreign Trade Council’s website in order to target individuals registering for specific meetings.

Other notable cybercrime events: The International Association of Athletics Federations said information related to athletes’ therapeutic use exemption applications was compromised due to unauthorized access to its network by “Fancy Bear.” The Dutch National Charity Lotteries said that around 450,000 customers were impacted by a vulnerability in the computer systems of Lotteries’ supplier OpenOfferete. Cybercriminals stole $40,000 of direct deposit money meant for Denver Public Schools after numerous employees fell for a phishing email. A hack of digital content network Omnia affected a variety of popular YouTube channels. The New York Post app was hacked and used to send to out a series of false push notifications. Arrests were made in Dubai related to breaking into the emails of five senior White House officials and attempting to blackmail the officials with what a local law enforcement official described as “highly confidential information.”

Cyber Risk Trends From the Past Week

While business email compromise scams and other digital fraud continues to impact numerous organizations, several stories this week proved that criminals are still attempting to steal physical cash from ATMs around the world.

The flashiest story involved a gang based out England that used explosives and stolen high-powered vehicles to rip ATMs from walls. The gang would then put the stolen ATMs inside a large truck and drive away, in at least one instance right by the very police looking for them. Police announced that several recent raids had led to the arrest of the gang. Less flashy attempted ATM thefts from hotels in Edmonton led police to advise business last month that owners should bolt ATMs to the floor and place them in well lit, high-traffic areas that are monitored by surveillance cameras.

A new, more discreet method of stealing money from ATMs involves emptying the cash stored in certain models by drilling a three-inch hole in its front panel and using a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. Kaspersky Lab researchers first became aware of the attack in September 2016 when a bank client discovered an empty ATM with a golf-ball sized hole by the PIN pad. Since then, similar attacks using the drill technique have been observed across Russia and Europe. The researchers did not name the ATM manufacturer, but they said the issue is difficult to fix since it would require replacing hardware in the ATMs to add more authentication measures.

Kaspersky Lab also released findings on another series of ATM attacks first hinted at back in February when a series of attacks that used in-memory malware to infect banking networks were reported. Code from the penetration-testing software Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities to create malware that could hide in the memory and invisibly collect the passwords of system administrators. That access was then used to remotely install a new breed of ATM malware called ATMitch, Kaspersky Lab researchers said in a report issued last week.

The ATMitch malware communicates with the ATM as if it is legitimate software and makes it possible for attackers to collect information about the number of banknotes in the ATM’s cassettes as well as dispense money at the touch of a button. The attackers may still be active, the researchers noted, but it is unknown how many ATMs have been targeted by the malware since the malware self-deletes after the attack. What is clear is that ATM machines remain a popular target for criminals, and businesses should be aware of the evolving methods — both crude and sophisticated — being used to steal the cash inside them.

AlphaBay to Begin Accepting Ethereum as the Bitcoin Alternative Grows More Popular

Beginning next month, malicious actors using the dark web marketplace AlphaBay will be able to buy and sell their goods using the growing cryptocurrency platform Ethereum. Ethereum will become the third payment option available on the market, joining the longstanding cryptocurrency king bitcoin as well as the privacy-focused Monero, which was adopted by AlphaBay last September.

The announcement is good news for fans of Ethereum, whose Ether cryptocurrency has seen a continued surge of growth in 2017 and is the second most popular cryptocurrency after bitcoin.

2017-04-06_AlphaBayEthereum — AlphaBay will begin accepting Ethereum deposits and withdrawals on May 1, an administrator announced on the site’s forum in March.

Bitcoin is by far the most well-known cryptocurrency, and it has been widely adopted by malicious actors and dark web markets as a convenient and semi-anonymous form of digital payment. In fact, cryptocurrencies like bitcoin, dark web markets like AlphaBay, and extortion payments like ransomware are interconnected in that the growth of one has helped spur the growth of the others.

However, bitcoin is currently experiencing growing pains, and Ethereum has emerged over the past year as its main rival. Ethereum’s proponents claim that is it is a more versatile and scalable cryptocurrency. In fact, the idea of Ethereum goes beyond just currency, which is why it and other blockchain companies have been described as bitcoin 2.0. If bitcoin was about creating a decentralized payment system, Ethereum is about using that same concept to radically re-architect everything on the web — as Ethereum creator Vitalik Buterin describes it.

Fortune magazine explained in a September 2016 profile:

Ethereum’s power lies in its ability to automate complex relationships encoded in so-called smart contracts. The contracts function like software programs that encapsulate business logic — rules about money transfers, equity stake transfers, and other types of binding obligations — based on predetermined conditions. Ethereum also has a built-in programming language, called Solidity, which lets anyone build apps easily on top of it.

There’s ongoing debate over just how secure other cryptocurrencies are compared to bitcoin. For example, in June 2016 a hacker was able to exploit a flaw in the smart contract used by The DAO, a crowdsourced venture capital platform based on the Ethereum blockchain, in order to steal more than $50 million worth of Ether.

A controversial solution to address the theft was proposed, known as a “hard fork.” Cryptocurrencies use the concept of a blockchain, which is essentially a decentralized and agreed upon ledger of all the transactions that have occurred. The hard fork would change the agreed upon rules and create a new path forward for the currency — one that would invalidate the theft. However, some Ethereum users argued that the idea of hard fork went against the very principles of a decentralized network that was designed to combat a single authority. Those that eventually rejected the fork are now on a parallel version of the blockchain, Ethereum Classic, while the rest of the community moves forward on the other fork as Ethereum.

Despite the troubles, Ethereum continues to thrive. The concept of disrupting existing business models with decentralized blockchains has gained Ethereum interest not just from dark web markets, but from legitimate companies. In February it was announced that 30 organizations — including JPMorgan Chase, Microsoft, and Intel — would team up under the Enterprise Ethereum Alliance to enhance the privacy, security, and scalability of the Ethereum blockchain.

Ethereum’s Value: Past 90 Days

2017-04-06_EthereumMarketCap — Ethereum’s market cap has grown significantly on the heels of recent announcements, according to CoinMarketCap.

All of that news has helped to more than quadruple the market cap of Ethereum in 2017, from less a billion in January 2017 to around $4 billion on April 6.

It’s still nearly a month before the option goes live, so it is unclear how many security-obsessed cybercriminals on the dark web will actually use the payment option — or if they will stick with bitcoin. Nevertheless, being adopted by AlphaBay, which is by far the most popular dark web market according to SurfWatch Labs’ data, could potentially be a huge boost for Ethereum.

Weekly Cyber Risk Roundup: More CIA Leaks, New Mirai Attacks, and LastPass Vulnerabilities

The CIA remained as the top trending cybercrime target of the week as WikiLeaks released a third set of documents related to the agency. The new release includes 676 source code files for the CIA’s secret anti-forensic Marble Framework, which WikiLeaks said “is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.”

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi,” WikiLeaks wrote in its announcement. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion.”

The fact that an intelligence agency would have tools to cover its tracks is hardly surprising. However, it appears that WikiLeaks will continue to leak CIA documents for the foreseeable future, and those leaks may have yet-to-be known implications for governments, tech companies, and cybercriminal actors. After the initial CIA leak in early March, WikiLeaks tweeted that is has released less than one percent of its Vault7 series.

Another recurring story in these roundups is the Mirai botnet, and researchers said this week that a new variant is likely behind a 54-hour long DDoS attack that targeted a U.S. college. The attack peaked at 37,000 requests per second, the most Incapsula has seen out of any Mirai botnet. The company said 56 percent of all IPs used in the attack belonged to DVRs manufactured by the same vendor. IoT devices continue to make headlines for vulnerabilities – including certain devices that were allegedly targeted by the CIA – and this past week saw new warnings of methods for hacking smart televisions as well as a vulnerability in an Internet-connected washer-disinfector. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, IoT devices have potentially become the largest digital footprint of organizations that is not under proper security management.

Other trending cybercrime events from the week include:

Data breaches expose more credentials: A hacker has stolen the email addresses and MD5-hashed passwords of 6.5 million accounts from Dueling Network, a now-defunct Flash game based on the Yu-Gi-Oh trading card game. Although the game was shut down in 2016, the forum continued to run until recently. Nearly 14 million stolen and fake email credentials from the 300 largest U.S. universities are for sale on the dark web, a rise from only 2.8 million last year, according to the nonprofit Digital Citizens Alliance. The stolen email addresses and passwords sell from $3.50 to $10 each.

Warnings of skimming and keylogging devices: Carleton University in Ottawa said it discovered USB keylogging devices on six classroom computers during a routine inspection, and the university is urging staff and students to change passwords for any accounts they may have accessed from classroom computers. The San Bernardino County Sheriff’s Department has received more than 70 reports of credit card fraud tied to a suspected card skimming device in Big Bear. A Romanian citizen pleaded guilty to a scheme to defraud customers of Bank of America and PNC Bank via ATM skimming.

Ransomware notifications continue: Urology Austin has notified 200,000 patients of a January 22 ransomware attack that may have compromised their information. Ransomware encrypted files belonging to Forsyth Public Schools and information such as lesson plans and schedules stored by teachers on the district server is likely lost due to the incident. Estill County Chiropractic is notifying 5,335 patients of unauthorized access to its system and a ransomware infection that may have compromised their personal information. Ransomware was found on the computer systems of the Tweede Kamer, the lower house of Dutch parliament.

Former employee causes serious problems: A former IT administrator of the Lucchese Boot Company pleaded guilty to hacking the servers and cloud accounts of his employer after he was fired, and the company claims it lost $100,000 in new orders in addition to the extra IT costs it had to endure due to the attack. According to the complaint, the former employee logged into an administrator account after being fired and proceeded to shut down the corporate email and application servers, deleted files on the servers to block any attempts for a reboot, and then began shutting down or changing the passwords on the company’s cloud accounts.

Other notable cybercrime events: The personal information of 3.7 million Hong Kong voters and the city’s 1,200 electors may have been compromised when two laptops were stolen. Approximately 95,000 individuals who applied online for a job at McDonald’s in Canada had their information compromised due to unauthorized access to the company’s database. Multiple employees of the Washington University School of Medicine fell for phishing emails designed to steal credentials used to access their email. While investigating a data breach related to employees’ W-2 forms, Daytona State College discovered a second data breach involving student financial aid forms. A Russian citizen has pleaded guilty to his role in helping spread malware known as “Ebury,” which harvested log-on credentials from infected computer servers, allowing the criminal enterprise behind the operation to operate a botnet comprising tens of thousands of infected servers throughout the world.

Cyber Risk Trends From the Past Week

The password manager LastPass has addressed a series of vulnerabilities that were discovered by Google Project Zero researcher Tavis Ormandy, including one now-patched “unique and highly sophisticated” client-side vulnerability in the LastPass browser extension.

In a March 31 update, LastPass advised its users to ensure they are running the latest version (4.1.44 or higher) of the extension so that they are protected.

The vulnerability, which could be exploited to steal data and manipulate the LastPass extension, required first luring a user to either a malicious website or a website running malicious adware and then taking advantage of the way LastPass behaves in “isolated worlds,” the company said.

An isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. LastPass explained:

The separation is supposed to keep both sides safer from external manipulation. In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.

Fixing the issue required “a significant change” to the browser extensions and LastPass urges other extension developers to look for this pattern in their code and ensure that they are not vulnerable to a similar attack.

The patch came just 10 days after LastPass issued another update to address two other issues discovered by Ormandy that could allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.

The incident serves as a reminder that vulnerabilities continue to be discovered in a variety of products, including the tools used to help keep individuals and organizations safe. Having a full accounting of an organization’s technology infrastructure as well as policies and procedures to track new vulnerabilities and patch software is one of the most effective ways to combat malicious actors who rely on exploiting well-known vulnerabilities.