Sophos

Archive for September, 2008

UAE bank customers shaken by spree of ATM card fraud

ATM cash machine

It has been a jittery week in the United Arab Emirates for several banks and their many customers.

Citibank, Dubai Bank, Emirates NBD, HSBC, Lloyds TSB, and the National Bank of Abu Dhabi (NBAD) are just some of the banks to have contacted their customers in the region, advising them to change their security PIN codes. The advice follows reports this week that there has been a marked jump in the number of fraudulent transactions made from ATMs in other countries.

In essence, the belief is that criminals have managed to steal the card details and PINs of bank customers in the UAE, made counterfeit cards, and then used them to withdraw money abroad, in places such as Kuala Lumpur and the Philippines.

Details of how precisely the criminals might have accessed the card and PIN data are presently unclear, but it is clear that several banks have been rattled by the rise in incidents, and thought it wise to warn their customers to take preventive steps. A number of financial institutions thought the situation serious enough to send an immediate SMS text warning to their customers in the region, rather than rely upon the post.

Banks in the United Arab Emirates issued advisories to their customers

There have been reports, however, that the banks’ warnings have only caused some of their customers to panic. For instance, it is reported that the HSBC hotline told customers to change their PINs before 6pm, or face having their ATM cards cancelled. Long queues were said to be building at the ATMs of various banks as people rushed to alter their security codes.

One interesting point to note is that this is not the first time that banking customers in the area have been troubled by a tampered ATM. In March of this year it was reported that thieves had stolen bank card details from an ATM in the UAE over a seven-day period, copying the details of every card used in the machine between 19 and 25 February.

What was disturbing about that case was that the gang fitted a card reader inside the ATM, rather than the more normal situation of having it installed externally.

Is it possible something similar has happened again? And, if so, how are the criminals managing to install their devices inside the ATM without being noticed? Alternatively, rogue software inside the banks’ systems could potentially send confidential information out to criminals, or wireless-enabled skimming devices could transmit captured card data to hackers waiting nearby.

Clearly if anybody knows what happened in this new case, they’re not talking about it at the moment. It will be interesting to find out what new snippets of information emerge in the days and weeks to come.

* Image of cash machine buttons: Leo Reynolds’ Flickr photostream (Creative Commons 2.0)


Hackers strike Large Hadron Collider website

According to media reports, a website associated with the Large Hadron Collider (LHC) atom-smashing experiment at CERN has been compromised by computer hackers.

A group of hackers called the “GST” or “Greek Security Team” has claimed responsibility for the attack, and posted a lengthy message on the site to prove that they had managed to breach computer security.

Part of a message left by the Greek Security Team on the hacked LHC website.

The hackers signed off their message with the words: “We are 2600 - dont mess with us.”

According to reports, as boffins were preparing to switch the experiment on on Wednesday, hackers had already begun uploading unauthorised files to the website.

With the huge amount of interest worldwide in the LHC the thought that hackers were able to compromise and change data on a website is highly disturbing. Theoretically, hackers could have planted malicious code which could have stolen identities or installed malware onto the computers of millions of web visitors.

Fortunately, there’s no evidence, as far as we can ascertain at the moment, that the Greek Security Team planted an, er... Trojan Horse. Well, Greeks have some history of doing that y’see.. :-)

Scientists at the world’s largest particle physics laboratory appear to have disconnected the affected website (cmsmon.cern.ch) from the internet until they are confident any remaining security problems have been fixed.


Your internet access is going to get suspended - NOT

Sophos has been intercepting many spam emails containing a malicious attachment overnight.

The emails all claim that “your internet access is going to get suspended”, as the recipient has committed “illegal activities” such as pirating software, movies or music.

The emails, which say they come from the “ICS Monitoring Team”, claim that a report of the user’s activities in the past six months is attached in a file called user-EA49943X-activities.zip.

Your internet access is going to get suspended

However, if you open the contents of the user-EA49943X-activities.zip file you risk being infected by a malicious Trojan horse designed to communicate with remote hackers. Criminals can then break into your computer and use it for their own money-making purposes.

user-EA49943X-activities.zip

Sophos is identifying the malicious files seen being used in the campaign so far as Troj/Meredrop-A and Troj/Agent-HQK. Users of other anti-virus products would be wise to check their vendor to see if an update is available.

With so many people suffering from internet addiction (also known as ‘discomgoogolation’), it’s not hard to imagine how many people would react to receiving an email like this.

Not only would many people be prone to clicking before thinking at the accusation that they have been engaged in illegal activities, but also a disturbing proportion would be alarmed about the prospect of not being able to surf the internet.

If you receive this email in your inbox and you feel your palms begin to sweat and you can sense that your mouse finger is getting trigger-happy to open the attachment, ask yourself whether you have your priorities right in life.

Shouldn’t your head be ruling your decisions rather than the evil daemon inside you which demands you constantly feed your addiction to all things internet?


Paedophile pleads guilty after wife installed spyware on his PC

Gavel

It’s an unpleasant fact of life in the computer security field that sometimes things come to our attention that can make you feel pretty disheartened about the world.

For instance, while the folks in our labs are analysing malware and spam it is possible they might come across content connected to child abuse (calling it child pornography seems wrong to me - this isn’t porn, it’s children being sexually abused.)

We have specific staff who have been trained to handle these situations, and we work closely with bodies such as the Internet Watch Foundation to ensure that the correct action is taken against these websites, and the people behind them.

Of course, that doesn’t mean that we are regularly involved in the fight against the people who are responsible for the demand for such offensive and illegal content.

According to a report in the Reno Gazette-Journal, a 36-year-old man has pleaded guilty to possessing images of young girls under the age of 10 in a variety of sexual positions.

Paul Kistner, of Verdi, Nevada, who until he resigned last month was a deputy for Washoe County’s sheriff, was reported to the police by his own wife. Monique Kistner had grown suspicious of his online activities after noticing that his internet browsing histories were always purged, and installed spyware on his computer with the help of a friend.

Having discovered that her husband had been accessing pornographic and child abuse material, Monique Kistner delivered her husband’s computer to detectives at the Washoe County Sheriff’s office on August 7th. A subsequent search of the family home found further child abuse images on three portable USB flash drives.

Days after his arrest in August, Kistner resigned from his job at the sheriff’s office, where he had been working for the last 12 years. He is scheduled to be sentenced in November, and could face up to six years in jail.

We’re used to hearing about spyware stealing our identities, our passwords, our credit card numbers for the benefit of internet hackers - but it seems that we are going to be hearing more of how surveillance software can actually uncover criminal acts too. For instance, earlier this week I reported on how a child abuser was sent to jail after his victim’s parent used spyware to discover he was in contact with their daughter.

As more and more people become aware of the ability to snoop on their family’s online internet activities with spyware we’re likely to see more cases like this.


Nuclear email malware attack?

SophosLabs has intercepted a widespread malicious spam campaign that claims there was a powerful explosion at a nuclear power station outside London two days ago.

You don’t hear about it in the newspapers? Quelle surprise. According to the email, the government have stopped the media reporting about the incident and prevented anyone affected by it contacting the outside world.


According to the email, news of the incident has leaked out onto internet message boards and if you click on the attachment (called victims.zip) then you’ll be able to see images of the devastation left by the explosion and pictures of victims’ bodies.

Of course, this is all nonsense.

victims.zip

In fact, clicking on the attachment will not open any pictures of the supposed explosion but will instead run a Trojan horse detected by Sophos as Troj/Agent-HQE, which drops itself as oembios.exe in the System directory of your Windows PC. Once installed, the hackers can use the malware to spy on the victim’s computer and steal information for financial gain.

Rather than use a real life event, the hackers have turned to fictional explosions and conspiracy theories in the hope they will strike a nerve with potential victims who will then click on the attachment without a second thought.

All computer users need to show some common sense and delete these messages. It would be some media conspiracy to cover up such a large explosion for two days! Alarm bells should be sounding, but until everyone wakes up to these social engineering tactics, the cybercriminals will continue to use them.

As always, it’s a good idea to ensure that all of your computers are defended with up-to-date anti-virus protection, and that your company runs a consolidated solution at the email gateway to defend against these kind of spam and virus attacks.
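Both of this week’s lures (the “ICS Monitoring Team” message with user-EA49943X-activities.zip and the “nuclear explosion” message with victims.zip) use the same trick: a zip attachment whose member is really a Windows executable. The following is an added example of the kind of check an email gateway can apply; it is not Sophos’s code or the product mentioned above. The message, the zip contents and the member name “user-activities.pdf.exe” are constructed for the demonstration and are not the real payload names.

```python
"""Gateway-style inspection of zip attachments for executable members (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that have no business arriving inside a zip from a stranger.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_message(zip_name: str, member_name: str, member_bytes: bytes) -> bytes:
    """Construct a spam-like MIME message carrying one zip attachment (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "ICS Monitoring Team <noreply@example.invalid>"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your internet access is going to get suspended"
    msg.set_content("A report of your activities in the past six months is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def zip_attachment_findings(raw_message: bytes) -> list:
    """Return reasons to quarantine the message; an empty list means nothing suspicious."""
    findings = []
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Decide by the bytes, not by the declared Content-Type or the .zip extension.
        if not payload.startswith(ZIP_LOCAL_HEADER):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    lower = info.filename.lower()
                    if lower.endswith(EXECUTABLE_SUFFIXES):
                        kind = "double-extension executable" if lower.count(".") >= 2 else "executable"
                        findings.append(f"{filename}: {kind} member {info.filename!r}")
                    if info.flag_bits & 0x1:  # encrypted member: cannot be scanned, so flag it
                        findings.append(f"{filename}: password-protected member {info.filename!r}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: zip signature but archive does not parse")
    return findings


if __name__ == "__main__":
    lure = build_sample_message("user-EA49943X-activities.zip", "user-activities.pdf.exe", b"MZ\x90\x00")
    for line in zip_attachment_findings(lure):
        print("QUARANTINE:", line)
```

The check looks at the archive’s member names rather than the outer filename, because the outer name is exactly what the social engineering controls. A real gateway would go further (scan member contents, cap nested archives), but refusing executables inside unsolicited zips already stops both of this week’s campaigns as described.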


Lost USB drive leads to lost contract

USB memory stick

PA Consulting, the firm that misplaced a USB memory stick containing the unencrypted personal details of convicted British criminals, has had its £1.5 million contract with the UK government terminated.

The British Home Office sent the sensitive data via email to PA Consulting in encrypted form, but it was then copied - unencrypted - to a USB data stick that was subsequently lost.

Home Secretary Jacqui Smith says that PA Consulting’s remaining contracts - worth some £8 million a year - would be reviewed.

“Our investigation has demonstrated that although the information was transmitted in an appropriately secure way to PA Consulting and fed to a secure site, it was subsequently downloaded on to an insecure data stick and that data stick was then lost,” she was reported to have said.

It’s no surprise that the Home Secretary is taking a “zero tolerance” approach to firms being careless with personal information, after a string of high profile incidents.

Internal documents from the Association of Chief Police Officers (ACPO) leaked to The Daily Telegraph newspaper have revealed that the USB memory stick was lost after it was put in an unlocked drawer over the weekend by a female employee of PA Consulting.

A confidential briefing note from ACPO president Ken Jones to Andrew Hooke, the chief operating officer of PA Consulting, “expressed his deep dismay at the loss of such data and highlighted the potential risks to the public that this may bring.”

Too right mate. It is alarming how many of these accidental data loss incidents are coming to light - all of which could be mitigated by best practices such as ensuring that all sensitive information is properly encrypted.

* Image source: James F Clay’s Flickr photostream (Creative Commons 2.0)


Guest blog: Credit, credibility and credulousness

"Time to hand over the reins again to another guest blogger. Paul Ducklin, Sophos’s head of technology in Asia Pacific, discusses the recent United Airlines debacle. Over to you Paul…"

Paul Ducklin

What is news? The word itself is simple: imagine that there were a noun “new”, so that you could go to the shop, for example, and buy “a new” - something, anything, which isn’t old, which hasn’t appeared before. If you were to buy two of them, you’d have “news” - stuff which isn’t old.

(These days, ironically, the noun “new” has become old, and has largely died out. You can only get news two or more at a time. And, by golly, can you get news these days. On TV, on the radio, in papers, on websites, in blogs, via email. Sometimes it might be as well if they still came singly.)

Theoretically, then, and etymologically, you can only have news once. In practice, news gets repeated for a while, after which it is forgotten, or turns into history. Certainly, if you take a news story you published six years ago, and republish it identically - whether by accident or by design - it isn’t news, by definition. It’s just the same story over again. It might be interesting, or even important. But it isn’t news.

So it should have been nothing more than an absurdity over the weekend when a story resurfaced from 2002 telling of United Airlines filing for Chapter 11 bankruptcy protection, as indeed they did in December 2002.

Amazingly - and there are numerous accounts circulating of how this came about - this story was turned back into news, and was, apparently unsceptically, treated as both true and current by sufficiently many influential people that United’s share price imploded, plummeting from around $12 to around $3 as investors sold shares in the “newly bankrupt” company. Fortunately, trading was suspended and the price later recovered to just under $11.

What can one say to this? All I can think of is, “Earth to Wall Street Investors! Earth to Wall Street Investors!”

Come on, folks! Was NO-ONE suspicious that United had filed for Chapter 11 again, and that the story written about it was EXACTLY the same as one written six years ago? Not just that the circumstances were familiar (which they would not have been), but that they were described IDENTICALLY by the SAME author? Did NO-ONE think to check the facts?

Here at Sophos, we have been warning people for years not to be credulous when they are online. (Note to Wall Street investors. Credulousness is not a positive attribute, like being credible or in credit. It means that you are inclined to believe nonsense much too easily, or to swallow stories without bothering to check up on them properly, or even at all. It’s similar to what we used to call “gullibility”, before that word was removed from the dictionary.)

Let’s face it: people who abuse social networks (spammers, scammers, phishers, pharmers, social engineers) must be clapping their hands with glee over this. It seems that some people really will believe anything, provided that it is published on the internet in a way which makes it easy to believe. More importantly, people with investments, or access to other people’s investments, really will believe anything.

So let us repeat our warning once again.

The internet is a great source of content, but you simply must double-check that content before treating it as fact. You are not being cynical if you do this. You should do it all the time.

It is far too easy for fraudsters to lead you down the garden path thanks to the ease and speed with which stories, whether true or false, can be published, indexed, aggregated, syndicated and thus, apparently, imbued with False Authority.

Think like a carpenter. Measure twice. Cut once.


Barack Obama Sex Video malware campaign

The US Presidential fight between John McCain and Barack Obama is heating up, with even the millions of us around the world who aren’t allowed to vote following the latest news with great interest.

Malware authors, hackers and virus writers, of course, are never slow to jump on an opportunity and today we have been seeing malicious emails spammed out claiming to link to a sex video of Barack Obama.

The emails, which have subject lines like “Obama Sex Video!!!”, claim to come from infonews@obama.com and read as follows:

Sensation!!! United States Senator for Illinois Barack Obama in 2007 was travel to Ukraine and have sex action with many ukrainian girls! You may view this private porno in a flash video. Download and view now. Please send this news to your friends!

Obama it’s not right choice!!!

Obama sex video

As is par for the course, clicking on the link is a very bad idea as it will install the Mal/Hupig-D Trojan horse onto your Windows computer.

Unusually for a malware attack however, the malicious code is installed while you are watching an X-rated video (albeit not one starring Barack Obama). The video which gets displayed appears to be homemade, rather than a product of the adult entertainment industry. You have to wonder that if this is homemade, what a sick way of getting revenge on your ex-partner…

Sex Video

The good news is that Sophos customers have been proactively protected against this piece of malware since April, and so even if you are foolish enough to click on the link you won’t have your banking information and passwords stolen from you. Users of other security products would be wise to ensure that their anti-virus protection is up-to-date.

Credit where credit’s due: Thanks to Sean McDonald at SophosLabs Australia for providing additional information about this malware attack.


Troop secrets on lost USB stick found on nightclub floor

In July I blogged about how the British Ministry of Defence has lost over 120 USB flash drives since 2004. A tabloid newspaper has now revealed the latest careless incident involving a USB stick, in this case a portable drive holding the details of a military training exercise for 70 soldiers.

Details of locations, travel and accommodation for the troops from the 3rd Battalion, Yorkshire Regiment, were included on the device which was found on the floor of a nightclub in Newquay, Cornwall. A clubber found the memory stick and passed it on to the national press.

In June, the Ministry of Defence published a report by Sir Edmund Burton identifying weaknesses in the British army, and ways in which it needs to do more to protect data on its laptops and USB sticks. The Burton review was instigated by a number of high profile and embarrassing data losses for the British authorities, including the theft of a Royal Navy laptop containing the personal information of 600,000 people in January.

This latest incident of a USB stick being lost predates the publication of Sir Edmund’s report, but has only just come to light.

From these latest reports it sounds like while a soldier was enthusiastically doing the Macarena, the thumb-sized USB stick must have dropped out of his pocket and onto the disco floor. This wouldn’t matter of course, if the data was properly encrypted. If the information on the drive had been properly encrypted then the clubber who picked it up would never have known that the garbled data on it belonged to the military, and the newspapers wouldn’t have had their story.
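The point above (properly encrypted data would have looked like garbage to whoever picked the stick up) can be turned into a check. Ciphertext from a sound cipher is statistically indistinguishable from random bytes, so its Shannon entropy sits near 8 bits per byte, while readable text, spreadsheets and exercise orders sit far lower. The following is an added example, not MoD tooling or anything from the page: it audits a set of files as they might be found on a removable drive and names the ones that are still readable plaintext. The file names and contents are constructed. One caveat, also noted in the code: compressed formats (zip, jpeg, many PDF streams) are high-entropy too, so the test catches unencrypted plaintext but does not prove that a high-entropy file is encrypted.

```python
"""Flag readable plaintext on a removable drive by entropy (added example)."""
import hashlib
import math
from collections import Counter

# Below this many bits per byte, or above this share of printable ASCII, a file is readable.
PLAINTEXT_ENTROPY_MAX = 6.0
PLAINTEXT_PRINTABLE_MIN = 0.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify(data: bytes) -> str:
    """'empty', 'plaintext', or 'high-entropy' (encrypted OR compressed: cannot tell which)."""
    if not data:
        return "empty"
    if shannon_entropy(data) < PLAINTEXT_ENTROPY_MAX or printable_ratio(data) > PLAINTEXT_PRINTABLE_MIN:
        return "plaintext"
    return "high-entropy"


def audit_drive(files: dict) -> list:
    """Given {filename: bytes} as read from a stick, return the names still readable as plaintext."""
    return sorted(name for name, data in files.items() if classify(data) == "plaintext")


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output (demonstration only)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: the sort of exercise paperwork described in the post, not the real file.
SAMPLE_PLAINTEXT = (
    b"EXERCISE ORDER (CONSTRUCTED SAMPLE)\n"
    b"Unit: 3rd Battalion, Yorkshire Regiment\n"
    b"Strength: 70 all ranks\n"
    b"Move: coach departs 0600, arrive training area 1400\n"
    b"Accommodation: block C, rooms 1-35\n"
) * 4

SAMPLE_DRIVE = {
    "exercise_order.txt": SAMPLE_PLAINTEXT,
    "exercise_order.txt.enc": pseudo_random_bytes(4096),  # stands in for the encrypted copy
    "empty.tmp": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLE_DRIVE.items():
        print(f"{name:24s} entropy={shannon_entropy(data):.2f} {classify(data)}")
    print("still readable:", audit_drive(SAMPLE_DRIVE))
```

Run against a real stick, a non-empty list is the finding that matters: anything it names would be legible to the next clubber who picks the drive up.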

What’s that? You don’t believe that soldiers do the Macarena?

Military Macarena
(Image source: Soldiersmediacenter’s Flickr photostream.)

Boogying soldiers aside, the litany of stories of lost data are not just a PR nightmare for the organizations involved. They also put the identities and - in some cases - lives of individuals at risk. Everyone, whether they be a home user or an employee at a multinational, needs to ensure that they are doing what they can to reduce the chances of identity theft.

* Image source for USB stick: Nedko’s Flickr photostream (Creative Commons 2.0)


Hack, pump, dump, jail

Behind bars

According to Wired magazine, an Indian man was sentenced yesterday to two years in an American jail for his part in an international fraud ring that hacked into the internet accounts of American brokers and manipulated stock prices.

35-year-old Thirugnanam Ramanathan, a native of Chennai, India, and legal resident of Malaysia, hacked into stock market investment accounts held with online brokerages TD Ameritrade, Fidelity, E*Trade and several others.

Having gained unauthorized access to the victims’ accounts, Ramanathan and his two accomplices sold the victims’ holdings and bought shares in lightly-traded stocks, pumping up their price. The gang had previously purchased the same stocks in their own brokerage accounts, and after the stock price had artificially risen they swiftly dumped their own holdings for a profit.

IP addresses revealed that the hackers had used ISPs located in Bangkok, Thailand and Chennai, India to break into the accounts.

An FBI investigation found that the three men had stayed in the same Bangkok hotel at the same time as some of the stock market manipulations took place.

Two other defendants, Jaisankar Marimuthu and Chockalingam Ramanathan (a resident of Chennai), have also been indicted. Marimuthu is currently detained in a Hong Kong prison awaiting extradition following his conviction on similar offences related to the Hong Kong stock market. Chockalingam Ramanathan remains at large.

We have often heard about spammers using junk email to pump up the price of a thinly-traded stock, only to make their riches shortly afterwards when they dump their own holding. This case is somewhat more sophisticated as the hackers broke into online trading accounts to make all of the stock purchases themselves - it’s almost as if they didn’t trust people to fall for the “Buy this stock now” ruse so loved by spammers in the past.

The authorities should be congratulated for their efforts in bringing such criminals to justice. Cases like this demonstrate the international nature of cybercrime today - where the criminals can be based on the other side of the world, far away from their victims.

Not only do hackers like this shake people’s confidence in online trading, but they also commit identity theft when they hijack an innocent person’s account.

Everyone - be they a large firm or an individual investor - has a responsibility to properly secure their computer systems to prevent hackers like this making a quick profit.

More information about the case can be found on the Department of Justice website.