Tweet

Monitoring the cybercriminal underground sometimes leads us down some interesting paths. We recently encountered a cybercriminal posting in a Russian underground forum which led to the discovery of more than 136,000 stolen credit card credentials.

Help in all the wrong places

The trail started with the following post on a Russian underground forum.

Figure 1. Post in underground forum (click to enlarge)

The post from user acmpassagens asking for help with the well-known Virtual Skimmer point-of-sale (PoS) malware family was not particularly unusual. However, two things stood out: first of all, the post, despite being written in Russian, was not written by a native speaker. The sentence construction did not look right. The poster also claimed that he had access to more than 400 PoS terminals in gas stations and shops… in Brazil. This was a user from Brazil asking questions in a Russian underground forum.

As part of his post, acmpassagens left both his e-mail address (acmpassagens3@yahoo.com.br) and Skype address (acmpassagens). Together with his username, one can follow some of this person’s other online activities. For example, on an official Microsoft forum, he replied to a question about credit card readers with a post offering to sell software:

Figure 2. Post on Microsoft Developer Network (MSDN)

Videos related to card-skimming contained his e-mail address so curious viewers who wanted to “join the business” could contact him directly as well.

Figure 3. Youtube video

However, initially there didn’t appear to be anything online that could help us uncover the identity of acmpassagens. We were able to obtain some of the e-mail addresses he used, as well as two of his Skype accounts: acmpassagens and _brenosk815. 

However, just before we were about to set this case aside, diligent Google searching led to an incredible jackpot: an account used by acmpassagens on the online file storage service 4shared. Moreover, all of the contents of his account – all 1GB of it – were open for anybody with Internet access to see, without the need for a user name or password.

Figures 4 and 5. Publicly available 4shared account

What was in this account?

The files in the 4shared account contained what appeared to be a log of the cybercrime activities that acmpassagens had carried out. It contained malware, phishing templates, and various documents with what appeared to be the personal information of cybercriminals, accomplices, and victims.

First, who is acmpassagens? According to the account, he is a Brazilian national named Breno Franco. He describes himself as a “businessman”, with an official address in Salvador, the eighth most populous city in Brazil. There were also multiple pictures of himself on the account:

Figure 6. Picture of Breno Franco

Mr. Franco used multiple addresses to communicate with others:

• acmpassagens@hotmail.com
• acmpassagens2@yahoo.com.br
• acmpassagens3@yahoo.com.br
• brenosk@gmail.com
• buracoclub@yahoo.com
• faelballestero@gmail.com

In addition to this, there was ample information relating to Mr. Franco’s money mules. We found various documents including Visa card slips and printouts of bank account statements.

Figure 7. Scanned identity card

Some of these documents may not be authentic. However, there also appeared to be private information of these mules, including scans of passports and official Brazilian identity cards (see above). It is hard to determine if these documents belong to actual people or whether the passports are fakes, since we also found Photoshop files for fake passports in 4shared. In addition, there was a recording of a VoIP call between a mule and Mr. Franco:

Figure 8. Recorded VoIP call

What about Mr. Franco’s cybercrime haul? In the account, we found what appeared to be 136,000 credit card numbers stored for future usage.

Table 1. Stolen cards

More than 107,000 of these numbers are for Visa, and more than 20,000 for MasterCard, with other networks picking up the small remainder. Visa is an official FIFA Partner, which may explain why Visa customers were frequent victims.

The 4shared account also contained the tools that Mr. Franco may have used to carry out his attacks. There was PoS malware belonging to the Virtual Skimmer and BlackPOS families, which may have been used to carry out the attacks that Mr. Franco described in some of his posts.

Aside from the above malicious tools, there were two other files useful in processing stolen card information. One was a file used to generate credit cards with stolen valid credit card numbers. The other is used to verify card numbers and is known as T3ST4D0R C0D3R (CC VALIDA). (Legitimate software has been abused by cybercriminals for the latter role.)

There were also templates for various phishing sites stored inside the 4shared account. Some of these sites had been found in the wild very recently. These phishing sites took advantage of the ongoing World Cup:

Figure 9. Phishing site

One of these phishing templates was uploaded to the compromised site of a Brazilian restaurant and shop. The files on the said site can be grouped into two: files from around 2011, when the legitimate site was last created/modified, and 2014, when Mr. Franco took control of the site and used it to host his phishing page.

Conclusion

In the past, the cybercriminal underground has operated in distinct groups. There was separate Russian underground communities, Latin American underground communities, etc. That is no longer the case: cybercriminals are now crossing borders and combining the various tools and resources available to them.

As cybercriminals become increasingly able to work together, attacks will become truly global. Trend Micro will continue to work closely with, and support and share information with law enforcement whenever possible to bring cybercriminals to justice.

Tweet

Internet Explorer and Microsoft Windows are some of the affected applications addressed in this month’s round of security updates.  For their July patch Tuesday, Microsoft has released six security bulletins, two of which are tagged as ‘critical’.  The three other bulletins are rated as ‘important’ and one bulletin as ‘moderate.’

MS14-037 resolves about 23 vulnerabilities found existing in Internet Explorer, which may lead to remote code execution when exploited successfully via a specially crafted webpage. These vulnerabilities affect Internet Explorer versions 6 to 11. One of the vulnerabilities covered in this bulletin is Extended Validation (EV) Certificate Security Feature Bypass Vulnerability (CVE-2014-2783), which has been disclosed publicly. However, as of this posting no exploit is seen in the wild abusing this particular vulnerability.

While Microsoft isn’t saying if the latest IE vulnerabilities affect IE 6 on Windows XP, we can reasonably suppose that it is affected since IE 6 on Windows Server 2003 is vulnerable. Users with Windows XP and have OfficeScan with the Intrusion Defense Firewall running are protected against attacks using these vulnerabilities.

Another critical bulletin, MS14-038 addresses vulnerability in Microsoft Windows. If exploited, attackers can also execute remote code via a specially crafted Journal file. As such, this can compromise the security of user systems. Bulletins which are rated as ‘important’ also affect Microsoft Windows and pose risks since it may lead to elevation of privilege once exploited by remote attackers.

Adobe has also rolled out its security patches for vulnerabilities found in Adobe Flash Player. When exploited, these vulnerabilities can allow a remote attacker from compromising the system and consequently, taking control of it.  These vulnerabilities are covered under the following CVEs:

• CVE-2014-0537
• CVE-2014-0539
• CVE-2014-4671

Users are strongly advised to update their Adobe Flash Player to its latest version. Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

• 1006123 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1765)
• 1006124 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2787)
• 1006114 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2795)
• 1006115 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2797)
• 1006116 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2801)
• 1006125 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2804)

We highly recommend users to apply these patches immediately. For additional information on these security bulletins, visit our Threat Encyclopedia page.

Tweet

Figure 1. Motto taken from the InstallBrain website (http://www.installbrain.com) on July 3, 2014”

“Monetize On Non-buyers” is the bold motto of InstallBrain—adware that turns out to have been developed by an Israeli company called iBario Ltd. This motto clearly summarizes the potential risks adware companies can introduce to users, especially when they install stuff on systems without their consent.

Adware is often perceived as low-risk, because these usually display unwanted popups and pop under advertisements. However, they can pose serious security risks when used by adware companies to load malware onto systems wherein their adware has been installed. In our latest research paper, On the Actors Behind MEVADE/SEFNIT, shows that iBario’s InstallBrain adware installed MEVADE/SEFNIT Trojans in significant number of systems in 2013.

One of the major threat stories in 2013 was the sudden and dramatic increase of Tor users. In August 2013, the number grew from a million to five million users. Fox-IT was the first to publish the cause of the spike: the MEVADE/SEFNIT malware downloaded a Tor component related to its command-and-control (C&C) communications. This malware does click fraud and Bitcoin mining.

Microsoft was the first to point out the InstallBrain-SEFNIT connection—a connection also seen by Trend Micro. iBario Ltd removed the brand name Installbrain from its corporate website and replaced it with Unknownfile, which basically is just a successor of Installbrain. Feedback from Trend Micro’s Smart Protection Network shows that there are InstallBrain detections in about 150 countries—a clear indication of how widespread this adware is.

Adware Company Hosts Malware

In recent media interviews, iBario described itself an entirely Israel-based company with an estimated worth of US$100M. The 9-figure number is probably an exaggeration, and we also believe that iBario outsources a lot of technical work to Ukraine as there are clear links between iBario and Ukrainian contractors. In fact we found the organizational chart of iBario Ukraine on the Internet headed by the CTO of Installbrain.

Figure 2. Organizational chart for iBario Ukraine; screenshot taken on June 20, 2014

One interesting thing we noted is that while Mevade.C was widespread in more than 68 countries, even sparsely populated ones, there was virtually no infection in Israel. This is perhaps to avoid trouble with the local law enforcement.

It becomes even more interesting when we found that a domain name of a Ukrainian contractor called Denis R, also known as Scorpion, had one of its hostnames pointing to the IP address of iBario’s source code repository. The said file repository hosted Sefnit malware in 2011, so there was Sefnit malware on the corporate source code repository of iBario in 2011. We cannot provide the exact details of this finding publicly, but we are willing to hand over proof to law enforcement partners.

The fact that iBario’s Installbrain has installed Sefnit on systems, the presence of Sefnit malware in a code repository of iBario in 2011, and the links between iBario and several suspicious contractors from the Ukraine make us believe that iBario is involved with Sefnit.

Gateway to Infection

We believe that deceit, or any indication that a user has given no real consent to the download and installation of a file or to what that file is actually doing, is grounds for us in the security industry to block and detect a file as malware.

InstallBrain is one real example of the risks of having adware on user systems, and of how attractive and beneficial it can become for adware companies to abuse their access to user computers—to the point of discreetly downloading malware. In this case, the downloaded malware takes over computers to commit click fraud or to mine bitcoins.

For more information about the threat actors, download our research paper On the Actors Behind MEVADE/SEFNIT.

Tweet

We noted a while back that Apple-related scams tend to grow when rumors of new Apple devices are in the news. With the launch of the iPhone 6 expected sometime in September, we expected to see some scams tied to leaks surrounding the latest Apple product. As it turns out, that is exactly what happened.

Some journalists covering Apple reported last week that they had received emails with a fake “the wait is over” announcement for the iPhone 6. We can confirm that such emails were sent out, as our own sources got a few themselves:

Figure 1. Sample spam message

Users who don’t keep track of Apple rumors or the iPhone release schedule might be caught out by this email, as it uses language that wouldn’t be out of place in a real Apple announcement. However, two things are worth noting: a July release would not fit the recent Apple release calendar (both the iPhone 5 and 5S were released in September), and the design in the email does not match recent mockups released by Apple rumor sites.

As the release date of the iPhone 6 (and perhaps the iWatch) draws closer, we can expect to see more scams and attacks that use these (rumored) Apple products as bait. We ask users to be careful of these “announcement” emails, as they are fertile ground for phishing and other threats.

We block the spam message spotted in this particular attack, and block access to all websites related to this threat.

Tweet

Whenever I hear about the Internet of Everything, I find myself somewhat conflicted. There’s no doubt that it is the new “mega trend” in technology, but at the same time I wonder how secure it is. Let me explain.

When a company creates a smart device, they not only need to create the hardware for the device, they also need to write the software for it. This is not a simple task, particularly for complex items. Take, for example, a modern car. Think of all the features it has: distance assistance, lane assistance, and even notification of emergency services if I crash. It can even compile various statistics about how I drive and compare it to other drivers of that model.

All this results in a very large amount of software that needs to be written. A modern car has more than 100 million lines of code. This is more than double that of an office suite like Microsoft Office (45 million); or seven times more than that of a Boeing 787 Dreamliner (14 million). More code not only means more features, but also more opportunities for various security flaws and vulnerabilities.

Software vulnerabilities are something that, unfortunately, we’ve learned how to deal with. Software vendors all over the world regularly send updates to their customers; smart devices should be no different. All of my cars in the past decade have received regular updates, including changes in their steering. Given how on the autobahn, 140 miles per hour (or 225 kilometers per hour) is normal cruising speed, it’s rather important that there be no blue screens of death in these situations.

We already know that vulnerable devices are under attack by cybercriminals. For example, routers are under attack all the time, and can be quite easily compromised. We need the vendors of smart devices to realize that their products, too, can become targets. Security vendors like Trend Micro will do what we can to protect users, but it’s better for all parties that smart devices be as secure as possible in the first place. Not only must the vendors of these devices try to develop their products in line with sound security practices; they must also test these devices so that they stay safe in the face of new threats.

More of my thoughts on the Internet of Everything are in the video below:

For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.