Category Archives: Underground Economy

loveme, kissme, catch me, try me.

Picture by dprotz used under Creative Commons

Yesterday evening the FBI issued a press release regarding the legal action against Aleksandr Andreevich Panin, a Russian national perhaps better known as “Gribodemon” and “Harderman”, the online aliases behind the notorious SyEye banking Trojan and Hamza Bendelladj a Tunisian national who went by the online moniker of “Bx1”. Panin has entered a guilty plea to the charges of conspiracy to commit wire and bank fraud, the charges against Bendelladj are still pending. The FBI press release gives thanks to Trend Micro’s Forward Looking Threat Research team for their assistance in the investigation.

Bendelladj is alleged to have operated at least one command and control server for SpyEye, although as our TrendLabs blog and our investigation make clear, his involvement seems to be far deeper. He was arrested at Bangkok airport on the 5th January 2013 and Panin was arrested on July 1 last year when he flew through Atlanta.

The FTR team at Trend Micro began a particularly focused investigation into the person or people behind SpyEye almost 4 years ago. Over the intervening period, we mapped out the infrastructure used to support the malware, we identified weak points in that infrastructure and pursued a number of important leads pointing to the identities of individuals behind this pernicious banking Trojan. Once we felt that we had sufficient information we involved law enforcement who drove it to the successful conclusion you see today.

Our ongoing research turned up a wealth of data, much of which it would be imprudent to share while legal action is still ongoing, however it might interest you to know that some of the most frequent passwords used by one of the accused include “loveme”, “kissme” and “Danny000”. I’ll let you draw your own conclusions regarding OpSec.

The arrests last year and yesterday’s guilty plea are another illustration that Trend Micro’s strategy of going after the people behind online crime, instead of simply the infrastructure they exploit, is the right one. You may more often see stories that a botnet has been “taken down” resulting perhaps in a massive drop in the number of infected computers or Spam, but these types of activity while laudable are only temporary. Criminals will very soon come back and often come back stronger, having learned from their previous failures, the network of compromised computers will be rebuilt and the crime spree begin anew.

As with DNS Changer, as with the Reveton Ransomware, Trend Micro has proactively provided information and assistance to law enforcement that has led to arrests of individuals rather than the simple switching-off of criminal computers. It is through activities such as these that we hope to fulfil our mission of creating a world safe for exchanging digital information.

E-currency, E-wallet, staying safe into the future.

Image courtesy of epSos.de

Commerce is certainly heading ever more towards the E. While alternative digital currencies still hover on the verges of mainstream today, the speed of their adoption indicates a positive future for e-money. Credit cards are already becoming out-dated as a form factor. In fact in many parts of the world the plastic card itself has simply become an emotionally comfortable way to get people to pay using NFC (PayPass, payWave etc.) and it does not take a large leap of faith to imagine the transition to the mainstream of the logical next step of e-wallets on an NFC enabled mobile device. Many financial institutions already offer NFC “stickers” to slap on the back of non-NFC enabled devices but the battle is still on for the dominant form-factor for delivery; SD cards, external devices (stickers or sleeves), embedded hardware, Cloud (via QR) or SIM integrated technology all have roles to play, some as short-term bridge technologies, some as the basis for longer-term solutions. For the foreseeable future, these digital links to traditional currency will vastly outnumber the alternative digital currencies.

If you do use digital currencies or NFC, how to secure those e-wallets? Mostly e-wallets are held on mobile devices that are no strangers to vulnerabilities from an Operating System perspective. On the app front Google’s own e-wallet was easily subverted through an escalation of privileges attack. The dominant platform, Android, suffers not only from vulnerabilities, but also from fragmentation. This means that there are many different flavours of Android, from many different manufacturers, many of which will never see an upgrade or security patch. The mechanism for getting a patch from Google to handset is simply too convoluted, relying on both handset manufacturers and carriers to act as middlemen. Middlemen who actually have an interest in getting you to buy a new phone rather than fix your old one… On top of that the (currently) under-explored area of vulnerabilities in the apps themselves and the widespread abuse of app store platforms for spreading Trojan type malware and there’s a perfect storm of threat brewing for e-wallets.

Much of the burden for securing these technologies lies with app developers and handset and OS manufacturers and perhaps the greatest step toward effective security would be the development of, and adherence to, an open standard that includes security mechanisms such as TPM on the mobile platform. Unfortunately Visa are already talking about waiving the need for merchants need to validate their PCI compliance if 75% of their transactions originate from NFC technology!

Of course consumers have a role to play too, making sure they keep their devices physically safe, using effective device locking passwords, enabling remote lock and wipe functionality and making sure that any sensitive information (or preferably all information) is wiped from the device when it will not be in their hands for a period of time, or when they are disposing of it.

As for the Bitcoin type currencies, dividing your assets between multiple wallets and keeping the lion’s share on a secure device that is not used for regular Internet access is your best defence, breaking wallets up into “spending” and “saving” functionality. There is currently no regulator in the Bitcoin world, so every transaction is effectively final.

By 2020, we fully expect digital currency to be embedded in the economies of the early adopter geographies and consequently there will be greater level of malicious interest in your digital pockets. On the security side, we would hope that those standards are more than just a pipe-dream and that effective multi-factor (biometric) authentication has, by then, been integrated into many of the sensitive transactions that we will increasingly carry out online.

For a wider look at our security predictions for 2014 and beyond check out “Blurring Boundaries” and of course 2020: The Series

Mobile threats accelerate in 2013

Android malware growth 2013

Android malware growth 2013

At the end of last year we released our predictions for 2013; chief among them was the eye-catching assertion that mobile malware would hit the 1 million mark by the end of the year. At the time, it may have been tempting to dismiss this prediction as a marketing stunt, however the facts and the figures are unfortunately bearing out the truth of this prediction. By the end of the first quarter, we were already over halfway there and by the end of June we counted 718,000 malicious and high risk Android apps in our collection.
Continue reading