CounterMeasures - A Security Blog � Bad guys always lose

How to check if you are a victim of Ghost Click

Rik Ferguson — Wed, 09 Nov 2011 22:27:22 +0000

used by permission from flattop341 Flickr photostream

Trend Micro and the FBI are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history.

This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. more than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.

If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.

First you will need to discover what your current DNS server settings are:

On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, in the Search box type “cmd” and hit return (for Windows 95 users, select “Start“, then “Run“).This should open a black window with white text. In this window type “ipconfig /all” and hit return. Look for the entry that reads “DNS Servers” and note down the numeric addresses that are listed there.

On a Mac (yes they can be victims too), click on the Apple icon in the top left of your screen and select “System Preferences“, from the Preferences panel select the “Network” icon. Once this window opens, select the currently active network connection on the left column and over on the right select the DNS tab. note down the addresses of the DNS servers that your computer is configured to use.

You can check to see if these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI, simply enter the IP addreses, one by one and click the “check ip” button.

If you feel that you computer may have been infected, you can visit Trend Micro’s HouseCall for a free scan and clean-up and notify the FBI by submitting this form. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.

Ongoing updates on this threat can be found on our Operation Ghost Click landing page.

The Facebook kidnap & robbery

Rik Ferguson — Fri, 29 Jul 2011 10:05:38 +0000

In what appears to be a well-planned and pre-meditated crime the safe in a Carrefour supermarket was emptied by criminals with the help of a Facebook friendship.

At the beginning of February, the manager of the supermarket made an interesting new friend on Facebook, a girl by the name of Katrien Van Loo. The relationship blossomed and pretty soon, the victim was invited over for a cosy dinner for two, presumably to further his acquaintance with his new-found friend. This was on the 15th of February this year. Police are now releasing images in an appeal for witnesses. The Belgian Police report is here.

When the victim arrived at ten-thirty that evening, he discovered that he had in fact been lured to an empty building with the bait set by this fake Facebook profile. He was quickly overpowered by two men who gagged and blindfolded him and forced him to hand over the keys to his own apartment.

While one of the criminals stayed with the victim, the other took the stolen keys and visited the unfortunate supermarket manager’s home. He found the keys to the supermarket and left the building and while doing so was filmed on closed-circuit cameras in the building.

Suspect in Belgian burglary from CCTV footage

Shortly after midnight, the vault of the store was emptied by a third accomplice, he was also caught on camera. The suspects can be seen in video footage prepared by the Belgian police. Suspect in Belgian Facebook burglary. It is worthy of note that both suspects are left-handed.

If you recognise these suspects, or have any information regarding this crime, the Belgian authorities would love to hear from you. You can call the local toll-free number 0800 / 30.30.0 or use this online form.

If you are a Facebook user, remember, anyone can be anyone online. Never admit unknown people to your circle of trust; you jeopardise your own safety and privacy as well as that of the friends who may be posting on your wall. If you ever decide to meet a stranger, don’t repeat this guy’s mistakes. Do it first in a public place and do not go alone. Trust should be earned, not given.

If you receive a friend request from someone you don’t recognise there are a few things you can check. Do you have any friends in common? If you do not, this should raise a suspicion flag. If you can see any info on the person do you have anything else such as schools or workplaces in common? Does the profile have a photo and if so is it one that you recognise? If you cannot see any info, mutual friends or photo, it’s a definite no-no.

Even if this stuff all checks out and you are still suspicious, begin by simply sending a message to the person, asking how they know you or how they found you on Facebook. If it turns out to be a speculative friend request, my recommendation would be to ignore it and go out for a beer instead.

3 steps to protect yourself from Facejacking

Rik Ferguson — Thu, 26 May 2011 10:16:35 +0000

It’s sometimes difficult to believe but our social networking accounts have become, in many cases, a part of our lives which we entrust with a wealth of sensitive information and personal correspondence. Social media is rapidly overtaking email and instant messaging as the preferred communication medium of a generation, our personal and professional lives coexist within a single inbox that holds in some cases not just our messages but also our more frivolous chats.

I still vividly remember the day when I discovered that my brother had found and read my diary, he marked a star on every page where I had called my girlfriend so he could tell mum how long I had spent on the phone. My anger at the violation of a place to which I had committed my deepest teenage angst was of course incandescent, not to mention I got a phone ban… (I still have the diary, so there’ll be no denying this story, bro).

Anyway, as you can tell, the anger still simmers, it led me to consider today that not only is the social network replacing email and instant messaging, in many ways it is also replacing our diaries or journals. My own Facebook represents a much more complete log of my thoughts and activities than I ever managed to commit to a diary (Samuel Pepys I was not) and I am sure that the more committed facebookers out there post a lot more often than I.

So, what am I here to tell you? How to put the strongest possible lock on your Web 2.0 diary, keep out prying eyes and avoid whatever kinds of bans parents are dishing out these days.

Facebook have built in some great features to stop even a person who has your password from accessing your account, this stuff isn’t new, it’s just underused and under-publicised. If you regularly log in from the same device or devices, you can train Facebook to recognise those machines. You can ensure that if someone tries to log in from an unrecognised device that you are notified immediately (if you’re logged in). You can even make that person enter a code that will be sent as an SMS to your registered mobile phone. So unless the snooper has direct access to your personal computer or your mobile phone, they won’t be facejacking (or the less salubrious term, fraping) you, and if they do have that kind of access, well, your problems might be bigger than just Facebook.

So here’s how:

1 – Log into Facebook and in the top right drop-down Account menu select “Account Settings“.

2 – In the Settings screen that appears, click the Edit link next to “Account Security“.

Make the following changes:

a - Tick the box to enable secure browsing, this will ensure that your communication with Facebook is always encrypted where possible and guard and password stealing tools like Firesheep.

b – Under Login notifications, select whether you would like an email or SMS notification when an unrecognised device tries to access your account.

c – Under Login approvals tick the box to have a security code sent to your mobile device, and you’re all set. Even if someone knows your password, they still won’t be able to login without the security code.

Bredolab, dead, dying or dormant?

Rik Ferguson — Tue, 26 Oct 2010 16:14:07 +0000

As I blogged earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command & control servers for the Bredolab botnet.

In an update to that news, they have also announced the arrest of a 27 year old Armenian citizen suspected of being the brains behind the operation.

So is Bredolab, dead, is it dying or is it simply dormant?

The glib answer is that we don’t know, but let’s consider the current situation. Many if not most of the victim machines infected by Bredolab remain infected, the botnet has simply been decapitated. How effective has that decaptiation been? The graph below shows the marked decrease in the number of Bredolab samples collected from a pool of Bredolab C&C servers, this shows clearly the effectiveness of the law enforcement action.

Bredolab binaries downloaded over time

What we do know though, is that there is at least one Bredolab C&C server still active and that it is not hosted in the Netherlands, where there is one, there is the potential for more.

TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let’s hope that is not the case with Bredolab.

Dutch Authorities move on Bredolab

Rik Ferguson — Tue, 26 Oct 2010 10:53:49 +0000

According to a press release today from the High Tech Crime Team of the National Crime Squad in the Netherlands, action has been taken to isolate 143 servers from the Internet.

The servers were actively involved in the Bredolab botnet, from the release they would appear to be command and control servers. The servers were hosted by a company called LeaseWeb, one of the largest hosting providers in the Netherlands, who fully cooperated in the coordinated takedown operation.

Bredolab infection mails

Bredolab is primarily a downloading platform and has served to distribute fake AV and ZeuS to victim computers. The botnet, which originated in Russia, only rose to prominence in August 2009. Dutch Authorities estimate that it was capable of infecting 3 million computers per month at its peak. The primary initial trigger for infection with Bredolab was usually though mail, but infection vectors have been widely abused and also include drive-by download and even propagation through other forms of malware, for example, Cutwail has been seen to drop Bredolab as a payload, and Bredolab has been known to return the favour!

It is unclear right now whether the botnet has been effectively decapitated or it this only represents a setback to the criminals behind it. The bots remain infected with the malware so if alternative command & control servers exist, then reconfiguration and regrouping remains a possibility. TrendLabs are investigating current activity levels of the botnet and I will update this blog as soon as new information is available.

Facebook users… Don’t Panic!

Rik Ferguson — Mon, 12 Jul 2010 11:34:18 +0000

from cogdogblog's Flickr photostream under Creative Commons

You might have noticed in the news today, Facebook have agreed to make the ClickCEOP app available to their users. This app, often referred to in the media as a “Panic Button” gives concerned Facebook users a place where they can go to get help and advice related to many aspects of online safety.

CEOP (the Child Exploitation and Online Protection Centre) encourages Facebook users aged between 13 and 18 to add a ClickCEOP tab to their profile, the tab contains a link through to the CEOP Abuse Reporting site. This site is aimed at providing direct links to report or get advice on cyberbullying, hacking (by this they mean account takeover), viruses, mobile problems, harmful content or inappropriate or unwanted sexual behaviour.

While the ClickCEOP app will not be installed by default into every teenager’s profile, Facebook have stated in this interview that they will support the app with a site-wide awareness campaign aimed at their younger users and the app itself is clearly designed to spread by word of mouth and recommendation.

It is great to see Facebook taking the safety of their more vulnerable users more seriously. Education and awareness are powerful tools against online threats, hopefully as people notice their friends adding this app to their profile pages it will rapidly become almost a default installation.

The reason why predators are so successful on social networks and online in general, is because they work diligently to allay any suspicions or fears that their victim my feel. They use stolen photographs, misappropriated identities and outright lies to appear to be something they are not. For some commentators, this is the reason the Panic Button may not be as effective as could be hoped. But surely something is better than nothing at all?

One argument that says that the simple presence of the button will help to raise awareness and help to raise the suspicion level of the more vulnerable. It could also be the case that repeat offending will be uncovered more rapidly if even one potential victim sounds the alarm.

Unfortunately an alternative outcome is that this functionality could drive bullies and predators into more devious tactics, for example the creation of “use once and destroy” alter-egos making finding and stopping them all the more complicated.

At the very least for the younger or more vulnerable there should be no more confusion about where to go or what to do when they feel somehow targeted. One of the aggravating factors when it comes to online crime, is the absence of any central reporting facility. For Facebook users this small part of the problem, at least, is now solved.

Are you being stalked? Yes. By scammers. Again.

Rik Ferguson — Tue, 29 Jun 2010 14:58:39 +0000

One of my favourite singer songwriters once wrote “There is nothing new, only forgotten” and today is an object lesson in short term memory loss.

Once again facebook scammers are fooling users en masse into believing that they can find out who has been checking their profile pages. You may notice several of your friends posting something like the below at the moment:

Bogus message from bogus app

It’s a variation on a theme I blogged about only three months ago but it seems the attraction has not worn off. As I said back then, there is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile. Don’t click the links, don’t install the app.

If you do authorise this scamware you will be asked to grant permission for the app to post to your wall and to access your information.

Don't be tempted...

Once you grant that permission you will be put in the unenviable position of enticing your friends and family to fall for the same scam with an automated post to your wall.

In the meantime you are redirected to yet another affiliate marketing based moneyspinner for the scammers.

"Please click this link and make me some cold hard cash"

Unless of course you’re using Trend Micro, in which case you’ll see this…

Not on my watch, sonny Jim.

I have informed Facebook incident handlers of this latest ruse and doubtless it will be gone very soon.

Japanese Porn Extorters – Busted.

Rik Ferguson — Thu, 27 May 2010 10:40:41 +0000

Image from Jason Clapp's Flickr photostream under Creative Commons license

Just a quick blog. As the original blog entry Japanese Porn Extortion attracted so much interest from around the globe, I am happy to report that Japanese law enforcement have arrested two men in connection with the Kenzero malware and associated fraud.

Yomiuri Online reports that two men have been arrested, one Oka Akira, 27 years old and another who remains anonymous because of his age (20). The arrests were made on the grounds of suspicion of fraud as the creation of malware is reportedly not a criminal act in Japan. The article states that the number of victims is around 5,000 but expected to rise and that the pair are charged with defrauding “tens of thousands” of Japanese Yen.

Chalk one up to the good guys.