
Archive for May 1st, 2008


May 1
by Japan Regional TrendLabs

Of late, there is no lack of news about information theft and data breaches, not only in Japan but also in the rest of the world. But as these incidents become more common, they are also becoming more blatant in the way they are carried out. Whereas we used to hear of stolen information being peddled on underground forums and bulletin boards, IRC, and so on, malware authors now seem to pay no mind to keeping things under the radar.

Blowing the lid off such transactions, they conduct illicit deals in the open through well-known sites—a tendency we would like to call the popularization of cyber crimes.

Back in February, we had an entry in the Japanese version of this blog about a similar case, in which a popular Korean net auction firm called Auction, Inc. (www.auction.co.kr) confirmed that the information of 10.81 million individuals had indeed been compromised. This is a large-scale theft that, to say the least, got its users worried; some groups even contemplated filing lawsuits.

Then there is the Chinese Internet portal O2SKY, on whose free-market page at least two entries were posted that seem related to the aforementioned Korean incident: the first on March 29, the second on April 11. These say: “Naver, I can sell the IDs of Auction, Inc.” Naver is one of Korea’s famous portals. The entries include the email addresses and telephone numbers of the vendors.

Here’s a screenshot of that entry:

[screenshot: o2sky1]

O2SKY is owned by Yan Fan, Inc., which is located in Jilin Province, China. While it is a Chinese company, we can assume that the said entry was posted for Korean users, given the province’s proximity to Korea.

Taking a closer look at other related entries, we also found some that encourage readers to try out techniques for site breaches, hacking, and compromise. These are a kind of advertisement dangling high salaries before those equipped with such skills: open invitations meant to lure the malicious-minded, making no secret of their intentions.

Here’s a screenshot of the said ad looking for those with “skillz”:

[screenshot: o2sky1]

In the two cases detailed above, there are several reasons why we believe these should not be classified as professional or organized crime. One is that the malicious users are openly posting their own easily traceable information in public forums that almost anyone can visit anonymously.

So if these are perpetrated by neither professionals nor organized crime syndicates, then who is posting such entries? The likely figures are as follows:

  • Script kiddies – they usually use openly available cracking tools to steal personal information and sell it to others
  • “Customers” of cyber criminals – they try to resell personal information that they initially bought from the professional criminals
  • People who read media reports – those pretending to sell the personal information but who do not actually have it. Another set of readers may be the adventurous type who want to recreate the same offenses based on the information they got from the media.

The existence of the so-called script kiddies should never be ignored. As the said hack and breach techniques become more widely available, they also become so sophisticated that there will come a time when it will be harder to distinguish between a manually conducted breach and an automated one.

As part of the protection, some companies try to hire so-called ethical hackers who can help enhance their organizational security measures. In Sun Tzu’s The Art of War, the chapter on attack by stratagem shares this bit of wisdom: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This statement is a basic principle that can be applied even—or perhaps especially—to cyber crime and our ongoing fight against it.

Updated by Mayee Corpin (Technical Communications)

Posted in Security

May 1
by Fatima Bancod (Email Security Analyst)

At its official Web site, the U.S. Treasury Department Federal Credit Union (TDFCU) makes known that its mission is “to serve the financial needs of our members as a safe and sound cooperative financial institution under sponsorship of the Department of the Treasury.”

Its members include employees of the Treasury Department, the Department of Homeland Security, the U.S. Courts, and other similar organizations in related fields of government service. The TDFCU also has members who live, work, and do business with other similar governmental organizations located in Washington, D.C.

Recently, the TrendLabs Content Security team came across the phishing URL:

http://75.145.112.12/homepage/www.tdfcu.org/index.php

This loads a spoofed Web site that bears a close resemblance to the legitimate TDFCU online login page. The bogus site also lacks SSL security, as indicated by the absence of the lock icon in the status bar and by the plain http:// protocol in the Web site’s URL.

[screenshot: tdfcu]

One obvious indication that this is a bogus Web site is that no attempt has been made to disguise the phishing URL in the address bar, so it is quite easy for a user to determine that the Web site is not legitimate.

The phishing site also, of course, asks unwitting users for their IDs and passwords. After clicking the login button, the user is redirected to a Web page that prompts for further information, including the Card Holder Name, e-Mail Address, Phone Number, Credit Card Number, Expiration Date, Code Verification Number, and ATM PIN.

[screenshot: tdfcu2]

Of course, this site is now blocked by Trend Micro’s WCS (Web Classify Server).

Like previous IRS-related phishing cases, this one could be targeting higher-profile individuals, since members may belong to important government institutions (as mentioned at the beginning of this post). The TDFCU reminds its members that it does not send out e-mail requesting that the recipient download information onto their computers.

At the legitimate TDFCU website, they advise: “If you receive a request that appears to be from the Treasury Department Federal Credit Union with attachments requesting that you download information to your computer for security, DO NOT DO IT.”

That’s always good advice.

Updated by Mayee Corpin (Technical Communications) & Paul Ferguson (Advanced Threats Research)

Posted in Phishing

May 1
by Loucif Kharouni (Threats Analyst)

I received a strange e-mail today about updating payment information for Google AdWords:

This message says that my payment hasn’t been successful and that I need to update my payment information.

As you can see, the link text displayed in the mail body is hxxp://adwords.google.com/select/login, which is the legitimate address. But the Web site actually accessed is hxxp://www.adwords.google.com.fke21.cn/select/Login, a host under the fke21.cn domain that has nothing to do with the real one:

A quick robtex lookup of google.com.fke21.cn shows the following associated IPs:

  • 79.117.135.78 -> Dr Staicovici Bucharest, ROMANIA
  • 85.178.255.59 -> HANSENET Telekommunikation GmbH Hamburg, Germany
  • 86.105.12.97 -> Dr Staicovici Bucharest, ROMANIA
  • 86.126.214.164 -> Dr Staicovici Bucharest, ROMANIA
  • 89.32.130.125 -> MEGANET AS SC Mega Net Distribution SRL Str Valea Calugareasca Nr 4 Bloc 5 Scara 7 Etaj 3 Ap 85 Bucuresti, Romania
  • 89.33.213.53 -> DIGINET AS SC DIGINET SA STR Calea Nationala Nr 99 Botosani Romania
  • 89.35.25.32 -> LGNET AS S C LG Network S R L Calea Chisnaului 17, ET 4, Camera 402 Iasi, 700173 Romania
  • 89.41.46.63 -> WINDMOB AS SC WINDMOB SERV SRL Aleea Zamora Nr 5 Bl 175 Sc C Ap 46 Ploiesti Prahova SAT BATESTI, COM BRAZI, NR 511 PRAHOVA
  • 89.41.182.152 -> ILINK AS SC COBALT IT SRL Str Emanoil Porumbaru, nr 17A, Camera 2, Sector 1, Bucuresti Romania RO
  • 99.235.126.120 -> ROGERS CABLE AS Rogers Cable Inc 1 Mount Pleasant Road Toronto, Ontario, Canada M4Y 2Y5

The German IP is hosting several similar domain names.

Here is what the fake Google AdWords Web site looks like:

In this screenshot, you can see that you have to log in first using your Google AdWords account, but in fact any e-mail address and password will do, since no real checking is done to verify the credentials. The user is also asked to fill out fields such as credit card number and address:

And, of course, after doing so they will tell you that your account is now updated:

This information is then sent to a remote server via an SSL connection.

If you access hxxp://www.adwords.google.com.fke21.cn directly, it will try to load some malicious encrypted JavaScript, but the code seems to have some bugs.
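The two phishing URLs quoted on this page share a handful of tells a mail or Web filter can check mechanically: a raw IP address in place of a hostname, a plain http:// scheme, a brand name buried in the path or in the left-hand labels of a hostname whose registrable domain belongs to someone else, and link text that names a different host from the link’s real target. The following Python is an added example written for this page, not Trend Micro’s WCS or any of the blog authors’ code; the brand-to-domain table and the tiny public-suffix list are illustrative assumptions, and a real deployment would use a curated brand list and the full Public Suffix List.

```python
"""Heuristic phishing-link checks illustrated with the URLs quoted in the posts above."""
from urllib.parse import urlparse
import ipaddress

# Assumption: a constructed brand-to-legitimate-domain table, not a real allowlist.
KNOWN_BRAND_DOMAINS = {
    "google": {"google.com"},
    "tdfcu": {"tdfcu.org"},
}

# Assumption: a tiny subset of multi-label public suffixes so that hosts such as
# "www.auction.co.kr" yield "auction.co.kr" as their registrable domain.
MULTI_LABEL_SUFFIXES = {"co.kr", "com.cn", "co.uk", "com.au"}


def refang(url):
    """Turn the de-fanged 'hxxp://' notation used in the post back into a real scheme."""
    return url.replace("hxxp://", "http://").replace("hxxps://", "https://")


def registrable_domain(host):
    """Return the owner-controlled part of a hostname, e.g. 'fke21.cn' for
    'www.adwords.google.com.fke21.cn'. Everything to the left is chosen by the owner."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, displayed_text=None):
    """Return a sorted list of heuristic findings for a link; an empty list means
    none of the checks fired. `displayed_text` is the link text shown to the user."""
    findings = set()
    parsed = urlparse(refang(href))
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    if parsed.scheme != "https":
        findings.add("no_tls")            # TDFCU post: bogus site lacks SSL
    if is_ip_literal(host):
        findings.add("ip_literal_host")   # TDFCU post: raw IP in the address bar
    reg = "" if is_ip_literal(host) else registrable_domain(host)

    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if reg in domains:
            continue                      # the brand's own site; nothing to flag
        if any(d in host for d in domains) or brand in host.split("."):
            findings.add("brand_in_hostname")  # AdWords post: google.com.fke21.cn
        if any(d in path for d in domains):
            findings.add("brand_in_path")      # TDFCU post: /homepage/www.tdfcu.org/

    if displayed_text:
        shown = urlparse(refang(displayed_text))
        if shown.hostname and shown.hostname.lower() != host:
            findings.add("display_href_mismatch")  # AdWords post: text vs real target
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample set: the two URLs from the posts plus the legitimate AdWords login.
    samples = [
        ("http://75.145.112.12/homepage/www.tdfcu.org/index.php", None),
        ("hxxp://www.adwords.google.com.fke21.cn/select/Login",
         "hxxp://adwords.google.com/select/login"),
        ("https://adwords.google.com/select/login",
         "https://adwords.google.com/select/login"),
    ]
    for href, shown in samples:
        print(href, "->", analyze_link(href, shown) or "clean")
```

The registrable-domain step is what defeats the `www.adwords.google.com.fke21.cn` trick: every label left of `fke21.cn` is under the registrant’s control, so matching on the right-hand side, not on whether “google.com” appears anywhere in the string, is the check that holds up.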


© Copyright 2008 Trend Micro Inc. All rights reserved.