In passing, I recalled talking to my neighbor where I mentioned working in the area of information security. His next question quickly came out- “Why do these scammers want my information?” The more I’m asked this question, the more apparent it becomes that user information is highly valuable.

Would it be surprising to know that it would merely cost $5 (USD) to buy all of your personal information on underground forums and sites? Some of you may also be surprised to find out the information for sale isn’t just your name and address-it’s far more than that.

“Fullz”, as it is referred to in underground forums contain not just credit card numbers, names, and date of births. “Fullz” are typically delivered in one of several methods. First, it could be a text or .CSV file containing all of the information in a comma separated file. All of the details of the compromised individuals would be included in the file for easy perusal. In addition, “fullz” could be delivered via a portable database format, like a .MDF file for easy local database import. You can also find personal questions asked during account registrations as well as driver’s license information, social security number, and other information.

Just because these scammers are nefarious, it doesn’t mean they’re not entrepreneurial. For instance, one seller offers bulk discounts for orders as seen in figure 2.

These scammers also offer the sale of “dumps”, which is the raw data off the magstrip of your credit cards. In addition to dumps, they sell “plastics”, which are blank cards that are used for writing dumps too.

And finally, to make scamming even easier, attackers are selling direct logins for bank accounts as well as the transportation of high-end electronics. Bank accounts are being sold for direct access to the money- no more buying dumps and plastics, just use your bank login information and transfer the money.

High-end electronics are also peddled on the black market for reasonable prices. These scammers buy devices at retail price using stolen credit card information, and proceed to sell it at discounted rates online for cash.

Read the rest of this entry »

Much is being talked about the Oracle fix being incomplete for the recent Java 0-day for CVE-2013-0422. In this post, we would like to take this opportunity to clear a few items around it.

Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete. There are two issues in this CVE. One is with the findclass method of com.sun.jmx.mbeanserver.MBeanInstantiator class. The other is with invokeWithArguments() method of the java.lang.invoke.MethodHandle class. Oracle has fixed the latter but findclass method can still be used to get a reference to restricted classes. To simplify, the issue in findclass method still leaves a hole that could be used with another new vulnerability.

We would also like to clarify another point, this time concerning CVE-2012-3174. As opposed to some reports, it is NOT the issue with the Reflection API. The Reflection API issue is fixed as a part of CVE-2013-0422. To quote the National Vulnerabilities Database (NVD) verbatim “NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422.”

Read the rest of this entry »