Sunday, July 24, 2011

Confessions of a Cyber-stalker: CA Criminal gets 4 years

A recent cyber-stalking case in a California court has highlighted the weakness of password reset 'security questions', which an attacker can easily guess when some basic details of the victim are already known, or are already public on social media sites such as Facebook.

George Bronk, of Sacramento, California, was sentenced to more than four years in prison after being convicted of computer intrusion and the cyber-stalking of 46 women across 17 states. He carried out the cyber-stalking for a total of 10 months, from December 2009 through September 2010, when he was eventually caught. The case illustrates the vulnerability of all Internet users, said prosecuting attorney Robert Morgester of the state attorney general's office. "The victims we went to said 'I had very robust passwords.' But it didn't matter how robust the password was if the recovery question is easy," he said.

The method he used has revealed a major weakness in many password reset systems, where a supposedly secret question is posed to the account holder in order to recover a lost password. Such questions often include basic choices like 'What is your favorite color?', 'Name of your high school?', 'Name of your first pet?' and 'Town where you were born?'. Often the answers to these questions can be gleaned quite easily from Facebook or other social network pages, which is exactly what Bronk did in this case.

His first step was to identify the email address of a potential victim on Facebook, and then try to determine the answer to their secret password reset question. After he changed their password and took over their email account, Bronk then searched email folders for nude or semi-nude photographs or videos they had sent to their husbands or boyfriends and then distributed them to the victims' contact list, prosecutors said.

The hacking method is similar to that of the famous Sarah Palin email hack, in which the hacker managed to reset her password simply by Googling for the answer to her secret question, which was “Where did you meet your spouse?”.

An academic user study back in 2009 measured the reliability and security of the questions used by the four big webmail providers (AOL, Yahoo!, Microsoft and Google). Participants were asked to answer these questions, and their acquaintances were then asked to guess the answers. Acquaintances guessed 17% of the answers on the first attempt. The researchers concluded that the security of personal questions appears significantly weaker than that of passwords.

Another study found that password recovery security questions are usually answered honestly. It asked acquaintances of 32 webmail users to guess the answer to the secret question; roughly 20% of the answers were guessed correctly.

The conclusion, then, is that password recovery security questions should probably not be answered honestly. Experienced users fill them out with password-like strings of characters, which makes the answers significantly harder, if not practically impossible, to guess. These answers can then be stored in a password manager as notes.
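The advice above, worked through as an added example (not code from the original post): generate random answers for the reset questions quoted earlier, estimate how much harder they are to guess than a real fact, and run a coarse audit that flags answers which still look like real facts. The questions, alphabet and the tiny colour wordlist are constructed for illustration.

```python
import math
import secrets
import string

# Constructed examples of the kind of reset questions quoted in the post.
QUESTIONS = [
    "What is your favorite color?",
    "Name of your high school?",
    "Name of your first pet?",
    "Town where you were born?",
]

# Assumed alphabet: letters and digits only, since some reset forms reject punctuation.
ALPHABET = string.ascii_letters + string.digits

# Constructed mini wordlist of answers a friend would try first; a real audit
# would use a far larger list per question.
COMMON_COLORS = {"red", "blue", "green", "black", "purple", "pink", "yellow"}


def random_answer(length: int = 20) -> str:
    """Cryptographically random answer with no relation to the user's life."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(answer: str) -> float:
    """Guessing entropy if the answer was drawn uniformly from ALPHABET."""
    return len(answer) * math.log2(len(ALPHABET))


def is_guessable(question: str, answer: str, min_len: int = 16) -> bool:
    """Coarse audit: wordlist hits, phrases with spaces and short answers look like real facts."""
    normalized = answer.strip().lower()
    if "color" in question.lower() and normalized in COMMON_COLORS:
        return True
    return " " in answer.strip() or len(answer) < min_len


def fill_questions(questions, length: int = 20) -> dict:
    """Map each question to a fresh random answer, ready for a password-manager note."""
    return {q: random_answer(length) for q in questions}


def manager_note(answers: dict) -> str:
    """Render the pairs as a note, one question per line."""
    return "\n".join(f"{q} {a}" for q, a in answers.items())
```

A 20-character answer from this alphabet carries about 119 bits of guessing entropy, against the one-in-five odds an acquaintance had in the studies cited above.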

Further Reading:

Friday, July 15, 2011

The Global Battle Against Cybercrime

Some Recent Developments
  • Eugene Kaspersky, founder of Kaspersky Lab and cybersecurity expert, has used his blog to take a swipe at the state of current multilateral efforts combatting cybercrime. In his post he says that the Council of Europe Convention on Cybercrime is largely a waste of time and that the UN's IMPACT Alliance, which is based in Cyberjaya, Malaysia (and on whose advisory board he sits), is moving too slowly to be of any use. He has put his weight behind a newly launched non-profit organisation called the International Cyber Security Protection Alliance (ICSPA), which is based in London, and hopes that it can get things moving quickly. He points out that cybercriminals are in most cases beyond the borders of their victims' country, and that the mammoth task of bringing the majority of cybercriminals to justice will require joint efforts on a global scale.
  • On a more positive note, June 2011 did bring some notable successes for international law enforcement in the battle against cybercrime, with several successful operations resulting from joint efforts. The FBI and a team of international law enforcement organizations have shaken up two scareware (fake antivirus software) operations that infected nearly 1 million users worldwide and cost victims some US$74 million in losses, charging up to $129 to each victim for the fake software. The so-called Operation Trident Tribunal, an ongoing initiative fighting international cybercrime, has netted arrests of two Latvians and the seizure of some 40 computers and bank accounts, including 22 computers in the U.S. that supported the illegal operations. Another 25 systems overseas that were used by the scammers were shut down as well. The Department of Justice, FBI, and authorities from Germany, Latvia, Cyprus, the Ukraine, Lithuania, France, The Netherlands, Sweden, Romania, and Canada teamed up in the operation.
  • In Russia, Pavel Vrublevsky, the owner of ChronoPay, Russia's leading payment processing provider, was arrested on charges of organizing a DDoS attack on a competing company. Also in Russia, researchers at Kaspersky Lab have discovered a new piece of malware targeting Russian users that silently runs a Bitcoin mining application on infected computers. The idea is to steal computing resources from infected machines to generate units of the valuable peer-to-peer virtual currency. The hacker behind the Trojan did not generate any riches from this attack, however, because the Bitcoin mining system detected the suspicious mining activity coming from multiple IPs and blocked the account.
  • In Brazil, cybercriminals used Amazon’s cloud to host and distribute malware that targeted Brazilian users and was designed to steal data from customers of nine large Brazilian banks. To improve its chances of success, the malware blocked the normal operations of Antivirus software as well as browser plug-ins that are supposed to make online banking secure. The malware also stole digital certificates and credentials from Microsoft Live Messenger.
  • In a sweeping move, Google has removed all of the sites hosted on domains from its search results, explaining that because such a large percentage of the sites on that sub-domain are low-quality and malware-ridden they decided to de-index all of them. The space is not an officially authorised second-level domain like or Instead, it is run independently by a Korean company ( that just happens to own the domain name The .cc top-level domain belongs to the Cocos (Keeling) Islands, a small Australian territory in the Indian Ocean. Regular .cc websites are unaffected by Google's changes.
  • The US Department of Defense released the DoD Strategy for Operating in Cyberspace (DSOC) - the first ever DoD unified strategy for cyberspace. “By sharing timely indicators about cyber events, threat signatures of malicious code, and information about emerging actors and threats, allies and international partners can increase collective cyber defense,” the document notes. “Cyberspace is a network of networks that includes thousands of ISPs [Internet Service Providers] across the globe; no single state or organization can maintain effective cyber defenses on its own.” As General James “Hoss” Cartwright told reporters, “This strategy talks more about how we are going to defend the networks, the next iteration will have to start to talk about here’s a strategy that says to the attacker, ‘If you do this, the price to you is going to go up. It’s not just free.’ Today, we are on a path that is way too predictable. It’s purely defensive. There is no penalty for attacking right now, we’ve got to figure out a way to change that.”
  • Microsoft has released a detailed report on Rustock, the take-down effort it led in March, and the impact of its anti-botnet campaign. The number of Windows PCs infected with the Rustock malware has dropped worldwide from 1.6 million at its peak, to just over 700,000 by June. In the U.S., an estimated 86,000 Rustock-infected PCs in March had been reduced to some 53,000 by June, a drop of 38%. Other countries saw even bigger reductions: In India, the March tally of 322,000 infected machines plummeted by 69% to approximately 99,000 in June.

Saturday, July 9, 2011

Fake Anti Virus Software: A New Business Model Emerges

Researchers from the Departments of Computer Science and Economics of the University of California (Santa Barbara) have recently released the results of their year-long investigation into three fake anti-virus companies (named Fake AV1, AV2 and AV3). They were able to infiltrate and monitor the backend servers of the three companies, all of which were controlled by East European cybercriminals. Daily and yearly sales figures are summarised below.

Metric                                 | Fake AV1    | Fake AV2   | Fake AV3    | Total
Total Sales per Day (USD)              | $123,288    | $10,411    | $132,603    | $266,302
Total Sales per Year (USD)             | $45,000,000 | $3,800,000 | $48,400,000 | $97,200,000
Infection¹ rate (no. users per day)    | 92,055      | 13,562     | 100,055     | 205,672
Infection¹ rate (no. users per year)   | 33,600,000  | 4,950,000  | 36,520,000  | 75,070,000
Purchase² rate (no. users per day)     | 2,209       | 285        | 2,201       | 4,695
Purchase² rate (no. users per year)    | 806,400     | 103,950    | 803,440     | 1,713,790
Average Selling Price (USD)            | $55.80      | $36.55     | $60.24      | $56.71
Conversion Rate³                       | 2.4%        | 2.1%       | 2.2%        | 2.3%
Source: Extrapolation of data contained in the UCSB research report over both a yearly and daily basis.
¹ Infection refers to users who have installed the Fake Anti Virus software trial, but not necessarily purchased it.
² Purchase refers to users who have both installed the Fake Anti Virus software trial, and then purchased a license for it.
³ Conversion Rate refers to the number of purchases as a percentage of the number of infections.

They uncovered a sophisticated method of flying under the radar of credit card fraud detection by minimising chargebacks (credit card refunds), which in turn meant that no suspicion was raised at the victim's bank or credit card company. They did this simply by maintaining a 24/7 support hotline, thereby keeping track of customers' suspicions and, when necessary, issuing refunds directly back to the customer. Fewer than 10% of all victims asked for a refund, meaning that the cybercriminals could have issued a full refund to every complainant and still made massive profits. In fact the criminals only issued enough refunds to keep their chargeback ratio under the limit that triggers suspicion (such as 3%), thereby squeezing the maximum amount of cash from their victims.
The flow of money in the Fake Anti Virus Business Model
The researchers were able to follow the money trail from the victim, on to the payment processing company, which happened to be exclusively ChronoPay, and on to rogue merchant accounts at banks in Europe and Asia. From these merchant accounts, money was transferred back to the Fake AV affiliate members exclusively via a virtual electronic currency called WebMoney. The affiliate members, who deliver the victims' computers to the controlling gang, are very highly rewarded, taking anywhere from 30% to 80% commission on sales. The most successful affiliate was able to bank approx. US$30,000 per day from Fake AV1.
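The refund trick described above only works against a monitor that counts chargebacks alone. As an added example (not from the UCSB report or the original post), here is a processor-side check that also counts refunds, so a merchant whose chargebacks stay under the limit only because complaints are being absorbed by refunds is still flagged. The 3% chargeback limit is the figure quoted in the post; the combined dispute limit, the refund-per-chargeback multiple and the ledger lines are constructed assumptions.

```python
from dataclasses import dataclass

# The post cites a chargeback ratio limit "such as 3%"; the combined dispute
# limit and the refund-to-chargeback multiple below are assumed values.
CHARGEBACK_LIMIT = 0.03
DISPUTE_LIMIT = 0.03             # refunds + chargebacks as a share of sales
MAX_REFUND_PER_CHARGEBACK = 3.0  # more refunds than this per chargeback is unusual


@dataclass
class MerchantStats:
    sales: int = 0
    refunds: int = 0
    chargebacks: int = 0

    def chargeback_ratio(self) -> float:
        return self.chargebacks / self.sales

    def dispute_ratio(self) -> float:
        return (self.refunds + self.chargebacks) / self.sales


def constructed_events():
    """Constructed 'merchant,event' ledger lines (not real processor data)."""
    lines = []
    for merchant, sales, refunds, cbs in [("fakeav-1", 1000, 70, 2),
                                          ("shop-a", 1000, 8, 5),
                                          ("shop-b", 1000, 5, 40)]:
        lines += [f"{merchant},sale"] * sales + [f"{merchant},refund"] * refunds
        lines += [f"{merchant},chargeback"] * cbs
    return lines


def parse_events(lines):
    """Aggregate ledger lines into per-merchant counts."""
    stats = {}
    for line in lines:
        merchant, event = line.strip().split(",")
        if event not in ("sale", "refund", "chargeback"):
            raise ValueError(f"unknown event {event!r}")
        s = stats.setdefault(merchant, MerchantStats())
        setattr(s, event + "s", getattr(s, event + "s") + 1)
    return stats


def over_chargeback_limit(stats):
    """The plain ratio check the gang was staying under."""
    return sorted(m for m, s in stats.items() if s.chargeback_ratio() >= CHARGEBACK_LIMIT)


def flag_refund_suppression(stats):
    """Merchants under the chargeback limit only because refunds absorb complaints."""
    return {m: round(s.dispute_ratio(), 3) for m, s in stats.items()
            if s.chargeback_ratio() < CHARGEBACK_LIMIT
            and s.dispute_ratio() >= DISPUTE_LIMIT
            and s.refunds > MAX_REFUND_PER_CHARGEBACK * max(s.chargebacks, 1)}
```

In the constructed data, fakeav-1 shows a 0.2% chargeback ratio but a 7.2% combined dispute ratio, which is the pattern the researchers observed.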

A typical Fake Anti Virus popup that leads to the initial infection
Follow @dodgy_coder
