Tag Archives: fraud

Don’t be dumb, keep schtumm!

This quote from this article, “The sweep was part of a civil suit brought by Microsoft in its increasingly aggressive campaign to take the lead in combating such crimes, rather than waiting for law enforcement agencies to act”, is what motivated me to tweet: “Opening civil proceedings “without waiting for law enforcement”, against 39 John Does and citing their online handles is a very dumb idea.”
 
The security industry and research organisations should work with law enforcement, not against it. The people behind all 39 of the online handles named in the court submission (covered in my blog yesterday) now know that they are under active investigation and have the chance to “disappear”, probably to resurface elsewhere and carry on business as usual.
 
It is disturbingly similar to the way the identities of the Koobface gang were exposed without waiting for due legal process, even though the intelligence behind that “exposé” was mostly generated in an industry group working with law enforcement towards an eventual prosecution. Once the information is published ahead of due process, the criminals have a chance to go to ground.
 
The Microsoft civil suit, again, relies on information that was shared within industry working groups. The normal model is to collaborate across the industry and hand a shared result to law enforcement for prosecution. Marketing actions like this very much break that model.
 
The successful dismantling of the Esthost botnet with the arrest of the criminals involved is a true model of how the security industry and law enforcement can and should work together to better secure the internet and internet users. That investigation was 6 years in the making and led to the arrest of an entire crime ring and the dismantling of their infrastructure.
 
Long term law enforcement success should not be sacrificed on the altar of marketing initiatives.
 

Beginning of the end for ZeuS/SpyEye?

Bortusk Criminal Swag by bixentro, used by permission from bixentro's Flickr photostream


 
In a court submission that runs to 162 pages, Microsoft, the Financial Services Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, are pursuing the criminals they believe to be behind the ZeuS, SpyEye and Ice IX botnets.
 
The codebase behind ZeuS, Ice IX and SpyEye has a long and infamous history in internet crime. ZeuS has been around since 2006 (the court submission says 2007) and is responsible for hundreds of individual botnets stealing millions of pounds from consumer and business bank accounts. SpyEye was originally set up as a competitor to ZeuS and even went as far as to remove ZeuS if it found it on a computer that SpyEye was trying to infect. More recently the two codebases have been merged into a single piece of crimeware.
 
The court submission from Microsoft, while it openly states that the identities of the “John Does” are currently unknown, goes a long way towards exposing the huge infrastructure behind crimeware of this nature. It specifies three individuals identified as the original ZeuS, SpyEye and Ice IX coders and two further code developers; two PDF and Flash exploit vendors responsible for creating the malicious files that drop the bot onto your PC; three web-inject vendors who write the scripts that inject fake content into legitimate banking web sites; four botnet hosters and fifteen botnet operators; seven money mule recruiters; three specialists in cashing out stolen funds; and one individual responsible for handling “incoming notifications of newly compromised victims”.
 
The court submission identifies malicious network infrastructure that spans the globe, from North America through the UK and Germany via Iran, Hong Kong and even Laos, all the way to Australia. A total of 3357 domain names across 35 registrars have been identified as being related to what they are collectively calling “the ZeuS botnets”, 1703 of them with Verisign. In raids on two hosting locations on March 23rd, servers were seized, disrupting botnets and the criminal activity behind them. However, as Microsoft itself notes, this enforcement action only closed down two IP addresses and secured 800 of the 3357 monitored domains, so the immediate effect can be expected to be minimal.
 
Of course, cybercrime is bigger than just 39 people and currently no specific individuals have been identified, but if nothing else this complaint (a civil filing, not a criminal indictment) serves as a graphic illustration of the maturity of the criminal business model. Criminals such as Slavik and gribodemon have successfully evaded justice for many years, but let’s hope that this continued focus and international cooperation across the security and law enforcement communities can eventually make a significant dent in their illegal operations.
 
The ZeuS Tracker project, which lists command and control servers around the world, is today listing 806 ZeuS and Ice IX servers, 343 of which are currently online and active. SpyEye Tracker lists 487 servers globally, of which 16 are currently active.
 

Anonymous isn’t Sabu and Sabu certainly wasn’t anonymous

Isn't it ironic? Don't you think?


 
The news broke today via Fox that the LulzSec/Anonymous figurehead Hector Xavier Monsegur, a.k.a. AnonymouSabu, was under arrest and being charged with 12 counts of computer hacking conspiracy and other crimes. The case was initially opened last summer and the charges were filed via a criminal information rather than a grand jury indictment, a route that requires the defendant to waive indictment and is typically used as part of a plea agreement, making it appear likely that Monsegur has since been cooperating with law enforcement in their investigations into other online criminal activities and individuals. In fact Monsegur had already been identified as the real person behind Sabu in other unrelated online investigations, but this was understandably downplayed.
 
The release from the FBI also details charges against Ryan Ackroyd (a.k.a. kayla), Jake Davis (a.k.a. Topiary), Darren Martyn (a.k.a. pwnsauce) and Donncha O’Cearrbhail (a.k.a. palladium) for hacks on Fox, PBS, Fine Gael, HBGary and Sony Entertainment (among others), and Jeremy Hammond (a.k.a. anarchaos) for the Stratfor hack. O’Cearrbhail is also individually cited as the person responsible for the recording and release of the infamous FBI conference call.
 
The same FBI release also makes it very clear that these allegations are based in part on information given at Monsegur’s guilty plea.
 
This news certainly looks like the endgame for the splinter group known as LulzSec, and possibly AntiSec too. Law enforcement can be expected to have gathered all the evidence they feel is necessary to proceed effectively against the individuals they are now charging. Sabu was not their only source of intelligence, but undoubtedly their most important.
 
It’s worth remembering that LulzSec and Anonymous were never one and the same. In several cases, most notably the Stratfor hack, an Anonymous release was posted which passionately denied any involvement in hacking a “media organisation”.
 
Anonymous is a very different organisation to LulzSec and other more closely linked groups. Anyone can and does act in the name of Anonymous and their activities do not require individual hacker publicity or disclosure of personally identifiable details. The very fact that Sabu became the “celebrity” he was, illustrates the real difference between LulzSec and Anonymous. LulzSec may be finished, but it would be premature to say the same about Anonymous.
 
Does this undermine “trust” in Anonymous? If anything would make that community laugh, that proposition certainly would! The hackers we really need to worry about are those that trusted no one and sought no glory in the first place and the best place to look to thwart them is in better securing our own networks and assets.
 
I am reminded of one of my all time favourite films, Angels with Dirty Faces. Maybe if Sabu has been informing on his erstwhile associates that is the most good that can come of this. Just like Rocky Sullivan eventually “turned yeller” much to the disillusionment of the street kids, maybe Sabu’s dramatic fall from hacker glory will also serve as an object lesson.