Thursday, June 11, 2015

A Nigerian in Spain arrested for phishing and online shopping with stolen credentials


From Spanish news source "ElComercio" we bring you this phishing story about a Nigerian citizen arrested in Spain.  Click the Spanish headline for the original story.   A Google-translate-assisted version of the story is shared below for the convenience of our English-speaking readers (with permission from Olaya!).

Detenido un nigeriano por realizar compras 'on line' con datos robados a cien víctimas

(A Nigerian Arrested locally for online shopping with a hundred victims' stolen data)
Olaya Suarez, Gijon @OlayaSuarez0

 A 44 year-old Nigerian citizen was arrested locally for defrauding hundreds of people by using their bank details to make purchases online and then resell these products on the black market. The National Police estimates that he gained more than 50,000 euros in this way.
 
The investigation began in September 2014 after the first reports were received from victims whose banking data had been used illegally on various internet shopping portals. Police work was arduous and complex, but eventually determined that all of the fraud in Spain was the work of a single author, who used different identities and operated over WIFI connections in private homes, cafes and public spaces in an attempt to hinder efforts to locate him.

After months of investigation, officers of the Economic Crime group of the Judicial Police Brigade of the Gijon police station found that the suspect had fixed his residence in Gijon, "where he received the shipments obtained through his illicit activity," police station sources said.

A job as a lure

"The person under investigation belonged to a criminal organization of a transnational nature operating on the internet and dedicated to credit and debit card fraud. The network obtained credentials and bank card numbers using different methods, from cloning to 'phishing' or 'hacking' of online data," says the police.
 
After obtaining this data, it is passed through servers and private links to other members of the organization in exchange for financial compensation. The Nigerian resident of Gijon allegedly took this information and used it to purchase technological devices such as televisions, tablets, laptops or mobile phones.
 
Each week he made three or four purchases of items using many identities and providing different addresses for delivery, "but always waiting for the delivery drivers in the street to avoid reliable verification of the address." "Under the pretext of making the delivery workers' job easier by identifying himself in the street, and thus getting immediate delivery of the item, the cost would be charged to the person whose card information had been fraudulently obtained," reports the National Police.
 
All of the material obtained in this way came back onto the virtual market, since it was immediately offered on Internet ad pages to people unaware of its illicit origin and not belonging to this criminal network. Despite all the precautions taken by the person under investigation to hide his true location, the officers managed to identify him and arrange his arrest. His precise location was pinned down when he was picking up one of his orders, and he was taken to the police station.

49 Corporate Email Phishers arrested in Operation Triangle

The European Union's Judicial Cooperation Unit, EUROJUST, along with Europol's European Cybercrime Center (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), have announced one of their most successful cyber actions to date.   The case, known internally as Operation Triangle, involves three lead agencies - Italy's Postal and Telecommunications Police through its office in Perugia, Spain's Investigative Court no. 24 in Barcelona, and Poland.  (EUROJUST Press Release: "Eurojust and Europol in massive joint action against cybercriminals")

(Click for article: J-CAT operations)
58 search warrants were executed in Spain, Poland, Italy, Belgium, Georgia, and the United Kingdom, resulting in 20 arrests in Italy, 18 arrests in Poland, 10 arrests in Spain, and 1 arrest in Belgium.  Most of those arrested were from Nigeria and Cameroon. 

By gaining control of the email accounts of well-placed individuals in corporations across Europe, the criminals were able to alter requests for payment to send the payments to themselves rather than the business bank accounts that were the intended destinations.  In a short period of time, more than 6 million euros were transferred to accounts controlled by the criminals.

In the United Kingdom, where the J-CAT task force is headquartered, recent government reports indicated that 81% of large businesses (>250 employees) and 60% of small businesses (less than 50 employees) experienced an information security breach in 2013.
(Report available here)

Next week, many European governments will be represented in the Octopus Conference 2015: Cooperation Against Cybercrime. Through the work of Octopus and others, European agencies are gradually coming into agreement on how to address multi-jurisdictional cybercrime.  At last year's Octopus conference, delegates were encouraged to work together through 18 Cybercrime Scenarios.  Fascinating puzzles that we NEED agreement on if we are truly going to stand a chance against the multi-national criminals who steal from our citizens.


UPDATE!  La Stampa article -- 

(Click for LaStampa article, which includes a short video of Italy's Polizia di Stato Cybercrime group)

 

For the convenience of my mostly English-speaking readers, I offer an English translation via Google Translate below.  This article is available to the Italian reader by clicking the story headline in Italian:

Phishing contro aziende: 62 arresti in Italia e all’estero, smantellata rete internazionale

Phishing Against Companies:  62 arrested in Italy and Abroad, International network dismantled: 
An operation that goes from Perugia to Turin and expands throughout Europe.  Here's how the scammers did it.

Via "LaStampa" journalist Carola Frediani and Google Translate -- 

It all started with a payment of 33 thousand euro. A routine transfer made by a Veneto food company, which through its Spanish subsidiary had paid a supplier. Or rather, what it thought was a supplier, not suspecting that behind the request to change the IBAN code to which the money was paid lay an organization dedicated to computer fraud against businesses and money laundering. It had previously hacked the supplier and was now impersonating it online through email.
So that money, rather than going to the real supplier in Veneto, ended up in a postal account in Perugia made out to a citizen of Cameroon, who in turn had contacts with a criminal group based in Turin, specializing in money laundering and run by Nigerians, as recently revealed in an investigation by Europol and the Guardia di Finanza of Piedmont.

 Operation Phishing 2.0

This episode then became part of another Italian international investigation, codenamed Phishing 2.0, which once again has fraud against companies at its center, and which this morning resulted in 62 arrest warrants in various countries, including 29 issued by prosecutors in Perugia.
An investigation born and coordinated in Perugia, which then bounced to Turin, where a hub of illicit proceeds had already been identified, and extended across Italy, Spain and Poland, with the support of Europol and Eurojust, the judicial cooperation unit of the European Union.

The victims

Fifty companies (7 of them Italian) all over the world were victims of digital fraud; 800 fraudulent transfers were identified; 800 thousand euro taken from businesses was recovered during the investigation; and the economic damage caused by the group in its activity, which dates back to 2012, is estimated at around 5 million euro. The offenses: unauthorized access to computer systems, impersonation, aggravated fraud, and receiving stolen property.

How did it work

The mechanism of the scam started with a series of computer intrusions into the mailboxes of the targeted companies - characterized by having many foreign business relations - through an advanced form of phishing, a technique that consists of sending fake emails to trick the recipient and then infect them and/or steal their information. After obtaining the email credentials of a company's employees, the cybercriminals monitored the exchange of mail, identifying commercial relationships, creditors and debtors; then they sent an email to the debtor communicating a change of IBAN [the International Bank Account Number to which payment is sent], an IBAN that actually corresponded to an account managed by a member of the organization.
 
Managing the proceeds of the phishing was a network of Nigerians, Cameroonians and Senegalese, some of them resident in Italy. Once in the bank, including many Italian giro accounts, the money was quickly withdrawn and redistributed abroad through various systems, including money transfer services. "There was a division of roles," Anna Lisa Lillini, deputy chief of the Umbrian postal police, told La Stampa. "Whoever identified the victims took 50 percent of the amount; whoever provided the account received 30%; and the intermediary who put the hacker in touch took 20%." The amounts stolen ranged from 800 up to 250 thousand euro. "In one case we intercepted a single wire of 300 thousand euro from America to Turin," explains Lillini.

Between Umbria and Piedmont

Turin served as the laundering center, and here the Perugia investigation converges with what we previously reported from Turin [LaStampa's article "Nigerian Drops: Women and Companies Cheated Online"]. In that system, the money stolen from the companies was sent on to other parties, with dozens of transfers and people involved, up to a stage where the cash was withdrawn piecemeal. A branched system, scattered into many streams (dubbed precisely "Nigerian Drops" by investigators), that has been traced through specific analysis tools used by Europol. "In one case, one person withdrew 150 thousand euro in eight hours, making dozens of withdrawals at different branches," Captain David Giangiorgi of the Guardia di Finanza of Turin tells La Stampa. "The fraud was perpetrated by persons residing in Nigeria. The money was sent in the form of goods purchased with the proceeds of the scam and then shipped to the African country."

A growing phenomenon

These kinds of scams are increasingly common. "Just this week, carrying out a defense investigation on behalf of an Italian company that had lost many thousands of euro through a similar system, we were able to triangulate who had sent the phishing emails, and they appear to come precisely from Lagos (Nigeria)," explains Paolo Dal Checco of the Turin computer forensics firm Digital Forensics Bureau (Di.Fo.B), which has long followed exactly such cases.
 
The interesting aspect is that in the case in question the fraudsters had been in touch with the company through Skype as well as email. And through the VoIP program (and with some email tracking systems), the computer forensic experts identified the IP address of the interlocutors. "They now use increasingly sophisticated techniques," says Dal Checco. "In some cases they even go so far as to call, pretending to be a creditor of the company contacted."


UPDATE #2 -- The News from Spain

The Spanish National Police have also released information about this case, in their press release of June 10, 2015.   As with the Italian article above, click the Spanish headline below for the original article.  For the convenience of English-speaking readers, we share a Google-translate-assisted version below:

Operación simultánea en España, Italia, Bélgica y Polonia contra una red de fraude cibernético

 (Images, courtesy of Spanish National Police press office - prensa.policia.es)
Spanish National Police perform on-site mobile forensics during one of their raids



Two suspects detained by Spanish National Police

Simultaneous operation in Spain, Italy, Belgium and Poland against cyber fraud network

National Police
Spain, Italy, Belgium, Poland, 06/10/2015
 
Joint operation of the National Police, NCA and the British Police in Italy and Belgium, coordinated by Europol and Eurojust
 
There are 49 detainees, 10 of them in Spain, and 28 homes have been searched, in which 9,000 euros have been seized along with laptops, hard disks, phones, tablets, credit cards and extensive documentation on the activities of the network.

Those arrested, by means of intrusion techniques and social engineering, were able to take control of corporate email accounts and interfere in international financial transactions between different companies, and were thus able to modify the destination bank accounts and appropriate the money illegally.

National Police agents have participated in a simultaneous operation conducted in Spain, Italy, Belgium and Poland against a cyber fraud network. In this joint operation, coordinated by Europol and Eurojust, British NCA agents and police in Italy and Belgium also participated. There are 49 detainees, 10 of them in Spain, and 28 homes have been searched, in which 9,000 euros, laptops, hard disks, phones, tablets, credit cards and extensive documentation on the activities of the network have been seized. Those arrested, through intrusion techniques and social engineering, took control of corporate email accounts in order to interfere in international financial transactions between different companies. Thus they managed to change the destination bank accounts and appropriate the money illegally.
 
International coordination was established effectively through Europol headquarters in The Hague and the National Police's cybercrime liaison agent. In this way the operation was developed jointly and simultaneously in all the countries where active members of the dismantled criminal structure lived. It also received support from Europol personnel and a mobile office moved to the places where action was taken.

Modus operandi
The cyber attack used by this criminal group is known as man-in-the-middle, which consists of taking control of email accounts, in this case those of medium and large European companies. The members of the network reviewed the messages sent and received from the corporate accounts to detect requests for payment. They then modified the messages so that the payments were transferred to bank accounts controlled by the criminal group.

These payments were collected by the criminal organization immediately through different means. Those under investigation, originating mainly from Nigeria, Cameroon and Spain, then transferred the money out of the European Union through a sophisticated network of money laundering transactions.

The investigation culminated in the arrest of 49 people in Spain (10), Italy, Belgium and Poland. In addition, 28 homes have been searched, 8 in Spain, 2 in the UK and 18 in Italy, where agents seized 9,000 euros in cash (5,000 in Italy and 4,000 in Spain), laptops, hard drives, mobile phones, tablets, credit cards and extensive documentation on the activities of the network.
 
The operation was carried out by officers of the Unit for Technological Research and the Police Headquarters of Catalonia of the National Police, the Italian Polizia di Stato, the Polish National Police and the British National Crime Agency.  
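The IBAN switch at the heart of both the Italian and Spanish accounts above is something accounts-payable staff can check mechanically before a euro moves. The Python below is an added example of mine, not code from any of the agencies or articles quoted: it pulls the IBAN out of a payment instruction, validates its mod-97 checksum, compares it with the IBAN on file for that supplier, and flags change-of-bank-details wording. The supplier ledger and the sample email are constructed; the two IBANs are the standard published example values for Spain and Italy, not real accounts.

```python
import re

# Constructed supplier ledger (hypothetical supplier; the IBAN is the standard
# published Spanish example value, not a real account).
SUPPLIER_IBANS = {
    "Acme Foods S.L.": "ES9121000418450200051332",
}

# An IBAN written with or without the conventional 4-character spacing.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")

# Wording that typically accompanies a bank-detail switch request.
CHANGE_RE = re.compile(
    r"\b(?:iban|bank|account)\b.{0,40}\b(?:changed?|updated?|new)\b"
    r"|\b(?:new|updated?|changed?)\b.{0,40}\b(?:iban|bank|account)\b",
    re.IGNORECASE | re.DOTALL,
)


def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check used by every IBAN: move the first four characters
    to the end, map letters A..Z to 10..35, and the resulting number must be
    congruent to 1 modulo 97."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def extract_ibans(text: str) -> list:
    return [normalize(m.group(0)) for m in IBAN_RE.finditer(text)]


def review_payment_instruction(body: str, supplier: str, ledger=SUPPLIER_IBANS) -> dict:
    """Decide whether a payment instruction may be paid (OK) or must be held
    (HOLD) for out-of-band confirmation with the supplier."""
    ibans = extract_ibans(body)
    iban = ibans[0] if ibans else None
    on_file = ledger.get(supplier)
    checksum_ok = iban is not None and iban_checksum_ok(iban)
    matches_on_file = iban is not None and iban == on_file
    change_language = bool(CHANGE_RE.search(body))
    reasons = []
    if iban is None:
        reasons.append("no IBAN found")
    elif not checksum_ok:
        reasons.append("IBAN fails mod-97 check (typo or fabricated)")
    elif not matches_on_file:
        reasons.append("IBAN differs from the one on file for %s" % supplier)
    if change_language:
        reasons.append("message asks to change bank details")
    return {
        "iban": iban,
        "checksum_ok": checksum_ok,
        "matches_on_file": matches_on_file,
        "change_language": change_language,
        "reasons": reasons,
        "verdict": "OK" if not reasons else "HOLD",
    }


# Constructed sample: the kind of message the hijacked-mailbox scheme produces.
# The Italian IBAN is the standard published example value, not a real account.
SAMPLE_EMAIL = """Subject: Updated bank details for invoice 2015-0417

Dear customer, please note that our IBAN has changed. Kindly remit the
outstanding 12,500 EUR to the new account below:

IT60 X054 2811 1010 0000 0123 456

Regards, Accounts Receivable"""

if __name__ == "__main__":
    print(review_payment_instruction(SAMPLE_EMAIL, "Acme Foods S.L."))
```

A mismatch or a change request puts the payment on HOLD for confirmation by a phone number already on file, never one taken from the email, since the mailbox itself is what the attacker controls. Note that a fabricated IBAN will normally pass the checksum, as the Italian one here does; the checksum only catches typos, and the ledger comparison is what catches the switch.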

UPDATE #3 -- The News From Poland

The Polish National Police have also issued a press release about the arrests made in Poland.  Click the Polish language headline below for the original article.  A Google-translate assisted version follows for the benefit of our English-speaking readers.  (stills from video http://cbsp.policja.pl/dokumenty/zalaczniki/3/3-165386.mp4 )

Police in Poland prepare for a raid.

The Phishing suspect is apprehended


Laptops, passports, cell phones, and cash seized in the raid

Międzynarodowa operacja Europolu i Eurojustu - w sumie zatrzymano 49 cyberprzestępców

(International Operation of Europol and Eurojust - a Total of 49 Criminals Arrested)

Officers of the Coordination Team of the Central Bureau of Investigation of the Police and the Border Guard, as well as police officers of the Municipal Police Headquarters in Krakow and the Department for Combating Cybercrime of the Regional Police Headquarters in Krakow, acting under the supervision of the Appellate Prosecutor's Office in Krakow, together with police and law enforcement authorities from Italy and Spain, in collaboration with investigators from Belgium, Georgia and the UK and with the support of Europol and Eurojust, broke up an international organized criminal group engaged in laundering money originating, inter alia, from phishing attacks carried out against citizens of European countries. On Polish territory a total of 18 people have been detained in this matter.

On June 9th and 10th, Europol and Eurojust conducted an international action against cyber criminals. A total of 49 suspects have been detained. Activities were also conducted in Poland.
Yesterday, in the province of Malopolska, police activity in this case was carried out, one of the most important, leading to the arrest of five people, including the man who organized the criminal dealings on Polish territory. The Central Bureau of Investigation of the Police seized more than 160 thousand from phishing.
 
In total, 18 people were detained in Poland in that case. According to investigators' estimates, members of the criminal group could have "laundered" a total of over 7.7 million (this amount coming only from the crimes committed in our country).

The detainees face charges of fraud, money laundering and participation in an organized criminal group.
On account of the penalties and fines the suspects face, property worth 1.8 million has been secured.
 
The results of "Operation Triangle" are the outcome of large-scale investigations carried out in Italy, Spain and Poland (by the Central Bureau of Investigation of the Police with the participation of the Cybercrime Department of the Police Headquarters in Krakow, under the supervision of the Appellate Prosecutor's Office in Krakow). The aim was to break up organized crime groups engaged in phishing on the Internet. These types of crimes are carried out by specialized criminals who use the Internet to commit fraud. In addition, criminals exploit cyberspace for the "laundering" of money, the proceeds of crime. In this way, substantial amounts of money were embezzled from victims throughout Europe.

In parallel, the investigation showed the existence of international fraud on a massive scale, extorting millions in a short time. The suspects, mainly from Nigeria and Cameroon, move their illegal profits outside the European Union through a complex network of transactions related to money laundering.
In preparation for the operations run yesterday and today, Eurojust coordinated the gathering of information from various law enforcement agencies, and organized several coordination meetings with representatives of the national authorities of Italy, Spain, Poland, Belgium and Great Britain. With all these joint efforts, a coordination center was established which carried out the operation with the support of Eurojust's Case Analysis Team, the European Cybercrime Centre at Europol (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) - a new European institution created to assist investigations to combat cybercrime.
 
The joint action brought excellent results, while demonstrating that joining the forces of selected EU agencies and national authorities can successfully contribute to the fight against one of the most difficult to detect forms of contemporary crime.
 
Teresa-Angela Camelio, National Assistant Representative of Italy to Eurojust, commented: "Eurojust played a key role in promoting the agendas of EU efforts in combating this type of crime, which requires knowledge, cooperation and coordination between all involved national and international actors. The results of the two-day operation are a clear signal to criminals that they will be prosecuted in every jurisdiction."

Phishing on the Internet: This type of cybercrime, carried out by organized criminal groups, depends on gaining access to users' passwords and names (nicknames) for illegal activities. Criminals take the place of the rightful owners by "phishing" their data and thereby gain access to their accounts, which means access to the money of the victims and their customers. Credentials obtained in this way by organized criminal groups hurt many Internet clients, while generating billions of euros of profits for organized crime groups.

Monday, March 30, 2015

Tech Support "pop-ups"

There is a new trap on the Internet that seems to be growing in popularity in the form of a Tech Support pop-up Window.  The first of these I saw was last Tuesday, March 24, 2015.

Norton Scam


While reviewing some pharmaceutical spam web pages, we were suddenly forwarded to the page:

alert.norton.com.pctechhelpforyou.com/index-15mac.html

Immediately after this page renders, a pop-up window is repeatedly displayed insisting that we need to call the telephone number 1-888-884-7058, ringing a bell each time the window is displayed.  The pop-up is so insistent that it is very difficult to get past it to close the browser.

Despite the fact that this pop-up is warning me about my APPLE COMPUTER, the original trigger that we encountered was in a Windows 7 Virtual Machine.

Looking at the source code for the page, we see that we are dealing with JavaScript that has several tricks, including a "right-click disable" and an annoying command "window.onbeforeunload = PopIt".  Actions such as "document.onmouseup" and "document.captureEvents(event.MOUSEDOWN)" help it keep control of the window, making it nearly impossible to close the browser; the window also sets itself to appear in the center of the screen, obscuring other opportunities to deal with the warning.
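As an added example (my own code, not anything from the scam page or from Internet Identity), here is a small Python triage script that scores saved page source for the tells described above: the unload trap, mouse capture, right-click blocking, a repeating timer, an autoplaying bell, a toll-free number, and a brand name buried in the subdomain labels of an unrelated registered domain, as in alert.norton.com.pctechhelpforyou.com. The HTML sample it runs on is constructed for the demonstration and is only a skeleton of indicators (PopIt is never defined); the phone number in it is a fictional 555 number.

```python
import re
from urllib.parse import urlsplit

# Source-level tells of a browser-locking "tech support" page.
SCRIPT_INDICATORS = {
    "unload_trap": re.compile(r"window\.onbeforeunload\s*=|['\"]beforeunload['\"]", re.I),
    "mouse_capture": re.compile(r"captureEvents\s*\(|document\.onmouse(?:up|down)\s*=", re.I),
    "right_click_block": re.compile(r"oncontextmenu\s*=|\.button\s*===?\s*2", re.I),
    "repeating_alert": re.compile(r"set(?:Interval|Timeout)\s*\(", re.I),
    "audio_bell": re.compile(r"<audio[^>]*\bautoplay\b|\.play\s*\(\s*\)", re.I),
}
# North American toll-free numbers, the "call us now" hook.
PHONE_RE = re.compile(r"\b1[-. ]?8(?:00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b")
# Brand hostnames that scam pages embed as a subdomain of an unrelated domain.
BRANDS = ("norton.com", "apple.com", "microsoft.com")


def lookalike_host(url: str):
    """Return (registered domain, brands smuggled into the subdomain labels).
    The registered domain is taken as the last two labels, a simplification
    that mis-handles suffixes such as co.uk but is enough for this check."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    registered = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return registered, [b for b in BRANDS if b in prefix and b != registered]


def assess_page(url: str, html: str) -> dict:
    """Score a saved page: each script indicator counts 1, a brand lookalike
    host counts 2 and a toll-free number counts 1."""
    indicators = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(html)]
    phones = PHONE_RE.findall(html)
    registered, brands = lookalike_host(url)
    score = len(indicators) + (2 if brands else 0) + (1 if phones else 0)
    return {
        "registered_domain": registered,
        "brand_lookalike": brands,
        "indicators": indicators,
        "phones": phones,
        "score": score,
        "verdict": "browser-locker" if score >= 3 else "benign",
    }


# Constructed sample page: indicators only, no working pop-up logic.
SAMPLE_URL = "http://alert.norton.com.pctechhelpforyou.com/index-15mac.html"
SAMPLE_HTML = """<html><head><title>Warning: system alert</title>
<script>
document.oncontextmenu = function () { return false; };  /* right-click disable */
window.onbeforeunload = PopIt;                            /* re-arm when the tab closes */
document.captureEvents(Event.MOUSEDOWN);
setInterval(PopIt, 3000);
</script></head><body>
<audio autoplay src="bell.wav"></audio>
<p>Your computer is infected. Call 1-888-555-0100 now for a certified technician.</p>
</body></html>"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_URL, SAMPLE_HTML))
```

Because it works on saved source rather than loading the page, it is safe to run over samples captured in a VM; three or more points is treated as a browser-locker, and the same host check flags the Microsoft imitators on these IPs just as well as the Apple ones.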

iPad / Mac Pop-ups


This weekend, I found myself looking at a very similar variant, this time on an iPad, where it was even more difficult to get rid of the pop-up!

Because of the lack of mouse or keyboard on the iPad, this version of the browser pop-up was especially hard to deal with.  The pop-up prevented me from being able to exit Safari!  In the end, it was necessary to power off the iPad, power back on, and then use the "Settings" tab to clear my history and settings.  By default an iPad Safari browser returns you to the most recently visited page, which unfortunately was this pop-up!

As I explored this version, I found that the current domain was hosted on the IP address 198.143.166.36.   This same IP address was also hosting a great number of other suspicious domain names, which began to show up on March 9, 2015, according to the Passive DNS service from Internet Identity.  Checking several of these domains on the Apple forums indicates that victims are charged between $150 and $399 to clean up an imaginary malware attack.

  • mac-issue-online.com -- https://discussions.apple.com/thread/6684596 (800 680 4131)
  • apple-alert-online.com -- https://discussions.apple.com/thread/6850245
  • safarisecurityissue.com -- https://discussions.apple.com/thread/6516787
  • mac-security-alerts.com -- https://discussions.apple.com/thread/6897787
  • online-window-security.com -- (Windows - see below)
  • window-system-error.com -- suspended (why only this one??)
  • mac-pc-alerts.com -
  • safarisystemalert.com
  • online-system-alerts.com
  • safarialerts.com
  • window-security-issues.com
  • instantcomputerfix.com -- https://discussions.apple.com/thread/6669786
  • techcarelive.com -- https://discussions.apple.com/thread/6527487
  • safarisystemissue.com
  • online-warning-support.com
  • quickbo0ks.com
  • iexpertstech.com
  • ixperts.net
  • joinremote.me
  • i-xperts.us
The last several of the links on that page appear to belong to a company that does support for Intuit Quickbooks; however, "JoinRemote.me" is a remote control tool.  When the telephone number is called, the tech support person walks the customer through entering a tech support code by visiting "JoinRemote.me":
When that is done, the customer service technician is provided remote control access to the computer to "clean it up."

A friend from MalwareBytes has documented similar scammy behavior where a tax-season Intuit helper website ends up charging for a malware removal.  See Jerome's blog here:  https://blog.malwarebytes.org/fraud-scam/2014/03/the-tax-season-tech-support-scam/


By reviewing the Apple Discussion boards, we also saw evidence that several other people were struggling with these pop-up messages:

 


 Continuing to explore through the Apple discussion forums, we found evidence that this was also discussed back on September 2, 2014 in this post by Carlton Chin:

The September file had a different domain name, and a different telephone number, but could it be shown to be the same scammers?  Was applesecurityalert.com on 1-866-782-9808 related to safarisystemissue.com on 1-800-632-9078?

Back to Passive DNS to try to find out.

According to the Internet Identity Passive DNS system, AppleSecurityAlert.com was hosted on the IP address 50.87.153.101 beginning on August 8, 2014.

That IP address ALSO hosted i-xperts.us, ixperts.net, joinremote.me, and quickbo0ks.com, all of which were also found on both the August/September IP (50.87.153.101) and the March 2015 IP (198.143.166.36).
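The pivot described above, written out as an added Python example: this is my own code, not the Internet Identity tool, and the records below are constructed to mirror the findings in this post rather than pulled from any Passive DNS feed (the 203.0.113.7 address and the unrelated-shop.example domain are placeholders for a coincidental co-tenant). Starting from one domain, it lists the IPs that domain resolved to and the other domains seen on each, then ranks IP pairs by how many domains they have shared over time, which is what ties the August 2014 and March 2015 infrastructure together.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed passive-DNS observations (domain, IP, first seen). Only the two
# dates the post states are real; the others are placeholders.
RECORDS = [
    ("applesecurityalert.com",     "50.87.153.101",  date(2014, 8, 8)),
    ("i-xperts.us",                "50.87.153.101",  date(2014, 8, 8)),
    ("ixperts.net",                "50.87.153.101",  date(2014, 8, 8)),
    ("joinremote.me",              "50.87.153.101",  date(2014, 8, 8)),
    ("quickbo0ks.com",             "50.87.153.101",  date(2014, 8, 8)),
    ("safarisystemissue.com",      "198.143.166.36", date(2015, 3, 9)),
    ("mac-issue-online.com",       "198.143.166.36", date(2015, 3, 9)),
    ("online-window-security.com", "198.143.166.36", date(2015, 3, 9)),
    ("i-xperts.us",                "198.143.166.36", date(2015, 3, 9)),
    ("ixperts.net",                "198.143.166.36", date(2015, 3, 9)),
    ("joinremote.me",              "198.143.166.36", date(2015, 3, 9)),
    ("quickbo0ks.com",             "198.143.166.36", date(2015, 3, 9)),
    # a co-tenant on shared hosting: one overlap on its own proves little
    ("unrelated-shop.example",     "198.143.166.36", date(2015, 1, 2)),
    ("unrelated-shop.example",     "203.0.113.7",    date(2014, 6, 1)),
]


def index_by_ip(records):
    by_ip = defaultdict(set)
    for domain, ip, _ in records:
        by_ip[ip].add(domain)
    return by_ip


def pivot(records, seed):
    """One hop of infrastructure pivoting: every IP the seed resolved to, the
    other domains seen on that IP, and the window in which they first appeared."""
    by_ip = index_by_ip(records)
    result = {}
    for ip in sorted({ip for d, ip, _ in records if d == seed}):
        seen = [first for _, i, first in records if i == ip]
        result[ip] = {
            "domains": sorted(by_ip[ip] - {seed}),
            "earliest_first_seen": min(seen),
            "latest_first_seen": max(seen),
        }
    return result


def linked_ips(records, min_shared=2):
    """IP pairs that have hosted at least min_shared of the same domains; the
    threshold filters out coincidental overlap on shared hosting."""
    by_ip = index_by_ip(records)
    links = []
    for a, b in combinations(sorted(by_ip), 2):
        shared = sorted(by_ip[a] & by_ip[b])
        if len(shared) >= min_shared:
            links.append((a, b, shared))
    return links


if __name__ == "__main__":
    for ip, info in pivot(RECORDS, "applesecurityalert.com").items():
        print(ip, info)
    for a, b, shared in linked_ips(RECORDS):
        print("%s <-> %s share %d domains: %s" % (a, b, len(shared), ", ".join(shared)))
```

With the threshold at two, only the 50.87.153.101 / 198.143.166.36 pair survives, on the strength of the four support-company domains that moved with the scam from one host to the other; dropping it to one also pairs 198.143.166.36 with the placeholder co-tenant's other host, which is the kind of noise a real passive DNS feed is full of.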

Several of the attack sites that share these IP addresses are Microsoft imitators rather than Apple.  One example is "online-window-security.com" pictured below:

Imitating Microsoft Security Essentials

Bottom line - anyone seeing one of these pop-ups suggesting that a telephone number be called for support is DEFINITELY dealing with a scammer and should terminate the session immediately.
















Tuesday, February 24, 2015

Connected World Conference 2015

This week I've been attending the Connected World Conference 2015, hosted here in Birmingham,  Alabama.  Connected World's editor-in-chief, Peggy Smedley, hosts a weekly radio program that focuses on the Internet of Things (IoT) which their industry has called M2M for many years before the IoT tag came along.   Peggy's website has a great tutorial on the Machine To Machine networking technologies and the many ways in which they communicate, but I think nothing really brought the point home to me until I attended the Connected World Awards dinner last night.

If you are thinking about Cyber Security and the Internet of Things, here are quite a few interesting applications I learned about in the dinner last night.  The full range of Connected World Award winners are listed here, but these were a few that really caught my attention.

AT&T Drive Studio - The AT&T Drive Studio in Atlanta, Georgia - The AT&T Drive Studio™ is the first connected car innovation center in the U.S. to be opened by a wireless carrier. And AT&T is inviting the world's most innovative companies and developers to come create the future of connected cars.

ApartmentGuardian, powered by RacoWireless, won the Gold award in the PERS category.  Property managers can use the technology in many ways, from protecting their Lone Workers with a personal safety button (reminiscent of the "I've Fallen and I Can't Get Up!" button that you might buy for your grandmother) to a system for identifying guests to the property in a combined ID card and biometrics solution for visitors, and innovative Security Panels.  It also uses low-power radio technology as a backup to "wall power" for keeping your building security and alarm systems online and active during power failures.

Two companies won awards in the Lighting/Manufacturing category.  In both situations the recipients, Atlantic States and Clow Water Systems, were able to achieve amazing savings in both energy and true financial savings by putting in intelligent lighting systems.  Synapse Wireless allows the light fixtures in both organizations to be controlled remotely and through connecting all of the lights in a "Mesh" system - a cloud of lighting services that are in constant communications with one another.

SNAP LightSense from Synapse Wireless

Mesh Systems was the IoT-enabler for BUNN who received an award in the Remote Equipment Management category.   You have heard of the IoT refrigerator, but BUNN has created the IoT Coffee pot!

One of the most interesting M2M applications was SOLARKIOSK, which is using Gemalto's Cinterion modules to deliver remote connectivity and a web-interface for monitoring power production to a mobile unit about the size of a food truck that can be deployed in remote areas, including extremely rural Africa, to provide power and cellular connectivity to areas that lack reliable power.  The first such unit was featured in this story "First SolarKiosk opened in Ethiopia."  The creator, Lars Krückeberg, was featured in a TED talk about the technology as well.

The IoT enables some interesting Fleet Management capabilities as well.  CalAmp and the City of Dayton received an award for their system for monitoring and protecting their fleet of 210 snow removal vehicles.  The system, called GovOutlook, turns itself on when a key is inserted into a vehicle, and requires a City of Dayton employee id badge to be scanned to prevent lockdown and alarming.  The system also provides safety for the drivers, who are out on the roads, often in the middle of the night, plowing the 1800 lane miles of snow-covered roads in the city of Dayton.


The focus of our Connected World Conference this year has been on Cyber Security ... speakers including myself and John Grimes from UAB, JD Sherry from Trend Micro, Seth Danberry from Grid32, Jonathan Ratner from Sixgill, Brian Zaugg from Authentic8 and others joined to share our thoughts on Cyber Security with those who have come from the Internet of Things / Machine 2 Machine world.  I was glad I participated and learned much more about the IoT world!

Thanks, Peggy!

To learn more about the IoT, please do check out Connected World Magazine and check in with the Peggy Smedley Radio show.