CSIS News: Who are the victims of phishing?

Multiple times, a specific gang of criminals has targeted Denmark with a phishing campaign aimed at NemID users. NemID is the official log-in solution for Danish Internet banks, government websites and some other private companies (http://en.wikipedia.org/wiki/NemID).

The campaigns have tried to lure people into giving away their usernames and passwords, and also their NemID one-time-password (OTP) cards, which serve as a form of two-factor authentication. We have warned about this several times:

•    https://www.csis.dk/da/csis/blog/4245/
•    https://www.csis.dk/da/csis/blog/4237/

In the second article we even used pictures to document that people actually upload photos of their OTP cards to the criminals.

We have been monitoring these campaigns and as a result we have obtained a lot of information including data which can be used to identify the victims.
Below, there is a picture that illustrates who jumps at the bait based on age and gender.


We are working closely with law enforcement to arrest the criminals behind these attacks. Apart from that, we are shooting down the compromised webservers abused in these phishing campaigns.

So far we have observed five campaigns. The estimated number of spam mails coming out of the “botnet” (likely rented) is approximately 250,000 per campaign. Despite the fact that only 117 people have fallen victim to the scam so far, it still seems to be a very profitable business for the criminals behind the campaigns.

Interestingly, it is primarily males between the ages of 65 and 74 who have provided the criminals with both their usernames and passwords and a photo of their NemID OTP cards. In fact, mostly males fall victim to these campaigns and, as the statistics have taught us, it is primarily older people who pass on sensitive data to the bad guys.

We are trying to prevent further losses by blocking access to the phishing websites with the Heimdal Security Agent. Check out the website of Heimdal Security here:
https://heimdalsecurity.com/


CSIS News: Increase in ZeuSP2P targets

Due to its data stealing capabilities, ZeuS P2P (aka Gameover) is a prevalent and serious threat towards online banking services, companies and ordinary end-users alike.

Most people have already heard of ZeuS P2P, but in short, it is an improved and complex code based on the ZeuS/Zbot source code that was leaked in 2011: https://www.csis.dk/en/csis/blog/3229/

ZeuS P2P is a black-market Crime as a Service setup (CaaS). It hosts several unique campaigns/BOTids in a bullet proof hosting (BP) infrastructure and provides a full featured multiservice for organized and hardcore cybercriminals.

Upatre
The dropper identified as “Upatre” is often seen attached to spam mail campaigns and acts as the door opener: it downloads the ZeuS P2P main component under various filenames to camouflage the hostile action, and it uses SSL to encrypt the download traffic. This approach effectively bypasses most perimeter defenses.

Resilient: rootkit, P2P, DGA, BP hosting
The malware itself consists of several components and advanced features. Obviously, ZeuS P2P relies on peer-to-peer communication, a DGA (Domain Generating Algorithm) and other fallback mechanisms, which make it both more resilient and less transparent.

The masterminds behind the ZeuS P2P CaaS have clearly obtained technical knowledge and experience from earlier takedowns and have made this botnet much more robust and stable compared to other threats we are monitoring. ZeuS P2P supports both UDP and TCP for communication tasks including peer list exchange, Command & Control (C&C) server registration and malware updates.

To make ZeuS P2P harder to remove from a compromised host, it recently implemented a rootkit, dropped with a random filename into the system drivers folder: [%windows system folder%]\drivers. This rootkit is known as Necurs.

The ZeuS based webinjects
The malware also includes a basic ZeuS webinject template, but each customer in the ZeuS P2P CaaS can modify and add new advanced webinjects and increase the number of targets.

Below, there is an overview of unique webinjects used by ZeuS P2P in Q1 2014.

Analyzing the above stats, it becomes obvious that the different perpetrators utilizing ZeuS P2P as a digital data harvesting weapon are, not surprisingly, still maintaining, developing and improving their webinjects to hit a broader range of victims and targets. The 1097 unique “brands” targeted in the beginning of 2013 have now expanded to 1515 by the end of March 2014. That is an increase of 418 new targets in just a quarter!

Amongst the “new countries” being significantly targeted by this malware family we are seeing: South Africa, Nigeria, India, Singapore, Turkey, UAE, Saudi Arabia, Australia, Croatia and Greece, but in general we are seeing brands from all over the world being attacked.

We have noted a significantly wider geographical spread of targets, which means that different ZeuS P2P gangs have begun attacking countries that were previously not hit as hard. As a direct consequence, the new targets will need to improve their security to prevent losses related to the ongoing attacks coming out of the ZeuS P2P CaaS.

We estimate that the complete infrastructure of ZeuS P2P has infected and controls several million unique PCs across the globe.


CSIS Blog: Personal data leakage check platform

Data security has been the focus of many, both in the wake of the much-publicized “Heartbleed” error but also of the intense attention that the “Se&Hør” scandal has received in the media and the general subsequent concern about data leakage. We have now released a tool where you can check if data, according to our database, has been leaked to others.


In connection with the still ongoing and extensive Heartbleed vulnerability (CVE-2014-0160), Heimdal Security now releases a proprietary tool that makes it possible for everyone to check if their user information and passwords are available to hackers.

In this connection CTO and security expert Jan Kaastrup from CSIS Security Group says:
“In connection with the Heartbleed security weakness millions of users’ data has been leaked and it has unfortunately been alarmingly easy for hackers to get access to this data. We therefore found it necessary to be able to offer a service which can check if your personal data has been leaked. We have been working at full stretch to get this service ready ever since.”

The DataLEAK tool from Heimdal Security checks large amounts of data collected in connection with the detection of IT crime. The only thing required to gain access to the service is that the user enters his e-mail address in a form. A full report/result is then sent to the recipient, giving a current-day picture of whether the data may have been leaked or collected by malicious hackers.

In this connection Heimdal Security and CSIS still encourage users to change the passwords they use on the Internet.

Until July 31, 2014 the tool is free for everyone to use whereafter only the company’s customers will have access to the service.

Further information and access to our on-line DataLEAK tool can be found on the address:
https://heimdalsecurity.com/en/heartbleed-new-user


CSIS Blog: ZeuS campaign camouflaged as RTF

CSIS has observed and analyzed several spam emails sent in “targeted spam campaigns” where the attached file is either an RTF or an RTF packed in a zip archive.

RTF means Rich Text Format and is used in connection with word processing. Most Windows installations with Microsoft Office will by default open RTF documents in Microsoft Word, and this is where the risk is introduced. When the attached RTF file is opened, the attacker uses social engineering to tempt the victim into double-clicking an embedded OLE object inside the document. If the victim double-clicks the object, a CPL file is served. No exploits have been observed in these attacks; they rely solely on social engineering.


CPL files are system files primarily connected with Windows Control Panel Extension but can be used for running arbitrary commands and this is exactly the process this gang is using.

If the user ignores several warnings and opens the CPL file anyway, it will make an HTTP GET request to a download server, from which it fetches and runs a binary file.

This binary file is an information thief in the ZeuS class, but it has been significantly improved and contains several new capabilities, among others in-session webinjects and MiTM (Man in the Middle) attacks. This is done, among other things, by installing a CA root certificate and at the same time modifying the local DNS settings. Several rogue DNS servers have been identified.

Changing the DNS settings also prevents the infected host from connecting to several domains related to antivirus vendors, software and support portals and security companies (small snippet):

avg.com
softonic.com
domaintools.com
siteadvisor.com
staples.com
avast.com
norton.com
mcafee.com
avira.com
comodo.com
eset.com
malwarebytes.org
virustotal.com
bitdefender.com
trendmicro.com
majorgeeks.com
lavasoft.com
mcafeesecure.com
spamcop.net
sophos.com

[…]
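A defender can turn the observation above into a host check: resolve a handful of the security-vendor domains from the list and flag any answer that is missing (NXDOMAIN) or points at loopback, unspecified or RFC 1918 space, and compare the host's configured resolvers against the ones the organisation expects. The following is an added example written for this page, not CSIS tooling; the resolver answers, the "expected" corporate resolver addresses and the configured-resolver list are all constructed stand-ins for what a real lookup on an infected host would return.

```python
"""Detect a resolver that blackholes security-vendor domains.

Added example (not CSIS code). The domain list is the snippet from the post;
every address below is constructed for the demo.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# Subset of the security/support domains the post says the rogue DNS blocks.
SECURITY_DOMAINS = [
    "avg.com", "avast.com", "norton.com", "mcafee.com", "avira.com",
    "eset.com", "malwarebytes.org", "virustotal.com", "sophos.com",
]

# Resolvers an organisation expects its hosts to use (hypothetical values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# A public vendor domain should never resolve into one of these ranges.
BOGUS_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]

# A resolver maps a domain to its A record as a string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def is_bogus_answer(ip: Optional[str]) -> bool:
    """True when the answer is missing or lands in loopback/unspecified/private space."""
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGUS_NETWORKS)


def find_blackholed(resolver: Resolver, domains: List[str] = SECURITY_DOMAINS) -> Dict[str, Optional[str]]:
    """Return {domain: answer} for every domain whose answer looks blackholed."""
    answers = {d: resolver(d) for d in domains}
    return {d: ip for d, ip in answers.items() if is_bogus_answer(ip)}


def unexpected_resolvers(configured: List[str], expected=EXPECTED_RESOLVERS) -> List[str]:
    """Return configured resolver IPs that are not on the expected list."""
    return [r for r in configured if r not in expected]


# --- Constructed sample data standing in for a lookup on an infected host ---
_FAKE_ANSWERS = {
    "avg.com": "127.0.0.1",        # rogue resolver sends the vendor to loopback
    "virustotal.com": None,        # NXDOMAIN
    "sophos.com": "0.0.0.0",       # unspecified address
    "eset.com": "203.0.113.10",    # ordinary-looking public answer (constructed)
}


def fake_resolver(domain: str) -> Optional[str]:
    """Stub resolver: unlisted domains get a plausible public answer."""
    return _FAKE_ANSWERS.get(domain, "198.51.100.7")


def demo_report() -> Dict[str, object]:
    """Run both checks against the constructed data and return the findings."""
    return {
        "blackholed": find_blackholed(fake_resolver),
        "rogue_resolvers": unexpected_resolvers(["192.0.2.53", "198.51.100.200"]),
    }


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

On a real host, replace `fake_resolver` with a wrapper around `socket.gethostbyname` and feed `unexpected_resolvers` the addresses from the host's DNS configuration; a non-empty result from either function is a strong signal that the DNS settings have been tampered with in the way the post describes.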

The code is protected using a Visual Basic (VB) cryptor on top of the Win32 PE. This shields the underlying code from antivirus detection and at the same time makes static and dynamic analysis more troublesome.

The VB cryptor being used can be linked to at least two groups of IT criminals making systematic and targeted attacks on home banking systems across Europe. The cryptor can be recognized by various “compile” remnants that, among other things, reveal the following: “bubu.vbp”.

We have dubbed this ZeuS/Citadel variant “Zalabu” (internal naming). Microsoft has named it “Retefe”. It is to be considered a serious threat. It harvests data, can send spam emails from the infected machine to a list of friends harvested on the local machine, and at the same time it can perform real-time MiTM attacks against various online services.

Another interesting observation is the fact that the code also tries to disable Microsoft Anti-malware protection.

The campaigns are geographically targeted and are distributed in several languages.

We have blocked several domains in CSIS Secure DNS whereby also Heimdal PRO and corporate customers are protected against data leakage and remote control of compromised machines.

Microsoft has also done a write-up on this campaign/malware with some additional details:
http://blogs.technet.com/b/mmpc/archive/2014/02/27/a-close-look-at-a-targeted-attack-delivery.aspx


CSIS Blog: New day-same spam: ZeuS P2P

This morning a spam campaign has hit a lot of random e-mail addresses, purporting to be from Staples. The spam mail carries an attachment:

Order_8029079.zip -> File: Order.exe
MD5:  84a6030c8265b33c3c4e68d29975bd76

Screendump of spammail below:


If the attached zip file is executed it will drop its payload to the root of the drive as C:\Order.exe, then delete the file and move it to the Windows temporary folder as “codecupdater.exe”, which in turn also drops “dotoo.exe”. Next, the malware checks the HOSTS file and conducts a series of anti-debugging and sandbox checks.

As always the code injects itself into several legit processes.

The malware calls back and downloads additional malware from: poragdas.com (182.18.143.140). This domain should be blocked at gateway level and is already blocked in CSIS Secure DNS.

This downloader (Upatre) is detected by 4 of 50 engines on VirusTotal.com:
https://www.virustotal.com/en/file/7ff43c5448b8edf9f0f373e56709a24719f0a972b381accf76a0f1fa0c324542/analysis/
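The post hands a defender four indicators: the callback domain, its IP address, the MD5 of the attachment and the names of the dropped files. The following is an added example (not CSIS tooling) that matches those indicators against proxy and DNS log lines and against an endpoint's file-hash inventory; the log lines, paths and every hash other than the one quoted above are constructed for the demo.

```python
"""Match the indicators from this post against logs and a file-hash inventory.

Added example, not CSIS tooling. Only the domain, IP and MD5 quoted in the
post are real indicators; all sample log lines, paths and other hashes are
constructed.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the post itself.
IOC_DOMAINS = {"poragdas.com"}
IOC_IPS = {"182.18.143.140"}
IOC_MD5 = {"84a6030c8265b33c3c4e68d29975bd76"}
# Dropped-file names from the post: a weaker, name-only signal.
IOC_FILENAMES = {"order.exe", "codecupdater.exe", "dotoo.exe"}

# Constructed sample lines: two squid-style proxy entries and two BIND query-log entries.
SAMPLE_LOGS = [
    "1396945201.123 10.0.0.12 TCP_MISS/200 GET http://poragdas.com/get.php - DIRECT/182.18.143.140 application/octet-stream",
    "1396945202.456 10.0.0.12 TCP_MISS/200 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html",
    "Apr 08 10:00:03 dns01 named[1234]: client 10.0.0.31#5353: query: poragdas.com IN A +",
    "Apr 08 10:00:04 dns01 named[1234]: client 10.0.0.31#5353: query: update.example.net IN A +",
]

# Constructed hash inventory as an endpoint agent might report it: path -> MD5.
SAMPLE_HASHES = {
    r"C:\Users\bob\Downloads\Order_8029079.zip\Order.exe": "84a6030c8265b33c3c4e68d29975bd76",
    r"C:\Windows\Temp\codecupdater.exe": "11111111111111111111111111111111",  # constructed, not an IoC hash
    r"C:\Program Files\App\app.exe": "0123456789abcdef0123456789abcdef",      # constructed, benign
}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def scan_log_line(line: str) -> List[Tuple[str, str]]:
    """Return every (kind, value) indicator hit found in one log line."""
    hits = []
    for ip in _IPV4.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in _HOST.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.append(("domain", host.lower()))
    return hits


def scan_logs(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits, keeping only lines with at least one hit."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            result[i] = hits
    return result


def scan_hashes(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an inventory into paths with a known-bad MD5 and paths whose
    base name merely matches a dropped-file name (worth a look, not proof)."""
    hash_hits, name_hits = [], []
    for path, md5 in inventory.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if md5.lower() in IOC_MD5:
            hash_hits.append(path)
        elif base in IOC_FILENAMES:
            name_hits.append(path)
    return {"hash": hash_hits, "name": name_hits}


if __name__ == "__main__":
    print(scan_logs(SAMPLE_LOGS))
    print(scan_hashes(SAMPLE_HASHES))
```

The hash match is the only high-confidence hit; a file called `Order.exe` or `codecupdater.exe` with an unknown hash is a lead to triage (the sample changes between campaigns, as the low VirusTotal score suggests), and a DNS query for the callback domain from an internal client identifies the host that needs attention even when the gateway block stopped the download.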


CSIS News: 10 security challenges in 2014

To look deeply into the crystal ball to predict a threat landscape which changes dynamically and at great speed is not a task to be taken lightly. Nevertheless, we have in the CSIS e-Crime Unit tried to bring together the trends and tendencies, which we believe will create IT security headlines and challenges in 2014.

1» Data Leaks

With the digital development, and not least the digitization of paperwork, the big-data phenomenon will result in more and larger data leaks than we have seen so far. This is compounded by the fact that we have observed an increase in infected machines in Denmark over the last 2 years.

An increase in data leaks is a natural consequence of the fact that digitalization has been carried out at a speed where IT security aspects have not been adequately assessed and therefore have not been implemented properly. We expect data leaks – also in Denmark – and with a tightening of rules from the European Union, 2014 may cost Danish companies and public authorities dear.

2» Drive-by attacks and patch management

The technique where IT criminals misuse vulnerabilities in popular software packages will continue. Companies and authorities will be required to implement solid patch-management solutions.

That patch management is important, and that drive-by attacks are a real risk to any enterprise, is unequivocally shown in ENISA’s publication “ENISA Threat Landscape 2013 – Overview of current and emerging cyber-threats”, which can be downloaded from the address:
https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats

3» DDoS and digital demonstrations

We have already seen how so-called commercial DDoS mitigation services (Distributed Denial of Service, also known as booters) have given rise to concerns during the past year: services that ordinary people can buy into at moderate cost to bring political or strategic targets to their knees.

Demonstrations in the form of DDoS attacks and random web page defacements will continue to affect private enterprises and public institutions.

4» Attacks on mobile devices

We have heard it from the security industry before and frequently, but we believe that exploits and malware targeted at mobile devices, including operating systems such as Android, Windows Mobile and iOS, will increase significantly in 2014. Mobile devices take up an increasingly significant market share and will attract more and more attention from IT criminals who will try to make fortunes on them.

At the same time we know a massive rise in malware specifically targeted at Android all too well, even if we in Denmark so far have been relatively spared of malware for mobile devices.

5» ByoD

Devices, gadgets, and generally miscellaneous mobile equipment can be a challenge for enterprises and public authorities to manage and control. We expect that 2014 will be the year where there will be a number of new technologies, which will make this work easier, but also that significant resources are expected to be earmarked for this work. The work and the challenges with ByoD (Bring your own Device) have only just begun.

6» Post-Snowden and data privacy

Surveillance from state authorities, in particular in the wake of the many revelations of the NSA’s systematic monitoring and surveillance, will push the market towards stronger encryption and data protection initiatives. Surveillance has dented the image of several data centers and cloud providers, and as a consequence these will be compelled, in order to regain customers’ confidence, to take a number of initiatives for better protection of data stored outside the enterprise’s network.

But in addition we also foresee that a number of enterprises in 2014 will begin to implement strong encryption of e-mail and other popular Internet based transport channels.

The race to protect data with strong encryption has in several places been referred to as an upcoming “Cryptowar”.

7» Targeted Attacks / spear phishing

In 2012 and 2013 we have seen numerous spear phishing and targeted attacks that make use of a mixture of zero-day vulnerabilities and APT (Advanced Persistent Threats). In Denmark, and in a number of countries we compare ourselves with, large funds have already been allocated for a defense against targeted attacks.

That job postings at the same time openly advertise for people with specific technical offensive skills, signals an escalation of state sponsored digital attacks, and as a consequence also demands for increased focus on protection of sensitive data.

8» More sophisticated crimeware

Stealing digital values on the Internet is a bargain. It has created a vibrant underground economy where, on the one hand, hackers and talented developers continue to develop and sell commercial “Crime as a Service” products and regular crimekits, while on the other hand the affected stakeholders try to protect their customers’ assets.

Several of the targets that IT criminals have selected as their primary targets over the past ten years, namely financial institutions, have consequently upgraded their security in several areas. Circumventing that security with systematic and comprehensive attacks makes considerable technical demands, which is why we expect IT criminals to shift their focus from ordinary bank customers to enterprises and public institutions that hold significantly more financial resources in their accounts. A weapon that the IT criminals will build into these tools and services is the ability to carry out “real time attacks” and “social engineering”.

9» Windows XP support dead

In April 2014 Microsoft will stop supporting Windows XP. This also means that the software giant will cease to launch updates to one of the most popular and widely-used operating systems ever.

With the end of Windows XP support, millions of machines which have not been upgraded or changed to a different operating system will potentially be left behind as cannon fodder for damaging code.

Windows XP is not only an end user product but is also found in numerous consoles which are not easy to upgrade. This applies, for example, to payment card terminals, terminals at airports, ATMs and terminals in production environments. Obviously the end of Windows XP support will leave a lot of these installations without the opportunity to patch newly discovered vulnerabilities unless a separate and expensive agreement is made with Microsoft. In this connection we anticipate that many of these systems will be left in operation, but at the same time in danger of potential misuse/infection.

10» Code signed malware

We have already in the course of 2013 seen a significant increase in malware that has been digitally signed with stolen certificates from legitimate enterprises and developers.

The purpose of misusing code signing is obvious: to achieve a higher degree of trust/confidence, as the issuer of the binary code is validated through signing the code. IT criminals have misused this both in connection with targeted attacks and in more widely scattered attacks: net banking and information thieves, ransomware and false security products have all been observed making use of digital code signing.

When IT criminals do code signing, the aim is thus to make the code appear legitimate. Several security solutions, including anti-virus products, assess the code by, among other things, looking at whether it is digitally signed and whether the source is trusted. This way, signed malware can escape security solutions.

Conclusion

2014 shows signs of becoming busy within the IT security industry, but especially for the many Danish enterprises and public authorities who must try to protect their digital values in a complex threat landscape where attacks and threats come from several sources. CSIS concludes this in “10 Danish IT security challenges in 2014”, which has just been published.

The company expects to see more infected machines, more data leaks, increased fear of surveillance, and a generally increased focus on IT security next year. As opposed to previously, the management in several Danish enterprises has also realized that IT security must be treated as an urgent priority.



CSIS Blog: An update on the Hesperbanker BOTnet

Currently this malware family is targeting only a few European countries, but it’s very likely that the authors have plans to make this a prevalent and more widespread threat as they continue to develop and improve both the binary code as well as their backend systems.

Our friends at ESET (http://www.welivesecurity.com/2013/09/04/hesperbot-a-new-advanced-banking-trojan-in-the-wild/) were the first to spot this malware and dubbed it “Hesperbot”. We assume the name was chosen because of a string/reference found inside the binary dropper: “hesperus_core_entry”. We have decided to name it “Hesperbanker”.

In Greek mythology, Hesperus is the Evening Star, the planet Venus in the evening (http://en.wikipedia.org/wiki/Hesperus). Does that ring a bell? Some clues: ZeuS and Hermes … The code is distributed as both x86 and x64, win32 binaries as well as components for several smartphones.

Targeted countries based on campaign-IDs:
The current countries being targeted include Turkey, Portugal, Germany and the Czech Republic. In the same manner as other crimekits, the different countries are marked with campaign-IDs, e.g. “tr-botnet”, “pt-botnet” etc.

Plugins/modules
First of all, the code makes use of several anti-debugging and sandbox tricks. It consists of a dropper and a main component along with several plugins. We have been able to find plugins/modules which could be used to circumvent various 2FA mechanisms. These include VNC, a video/movie recorder, screen capture and a keylogger.

Targeted brands
Currently the following targets are specified in the config file:

Germany
postbank.de

Portugal
bpinet.pt
cgd.pt
millenniumbcp.pt
santandertotta.pt

Turkey
akbank.com
denizbank.com
finansbank.com.tr
garanti.com.tr
kuveytturk.com.tr
teb.com.tr
vakifbank.com.tr
yapikredi.com.tr
ziraatbank.com.tr

Czech Republic
ba-ca.com
business24.cz
csob.cz
cz.unicreditbanking.net
mojebanka.cz
netbanka.cz
rb.cz
sberbankcz.cz
servis24.cz
uctrader.unicreditgroup.eu

Based on the geographically targeted campaigns we have created a small infection map to illustrate where Hesperbanker has zombies under its control. This corresponds perfectly with the target list.


Approx. 7,000-8,000 Windows based PCs are zombies tied into the Hesperbanker BOTnet. They constantly leak sensitive data to the perps and furthermore open up a gateway for fraudulent and unauthorized online banking transactions.

We have several times tried to dismantle the central C&C server domains which are served by ENOM/Namecheap and hosted at the bullet proof facilities of Hostland ltd. in Saint-Petersburg. In fact a lot of bad stuff is hosted in this netblock: 185.26.120.0 – 185.26.121.255.


CSIS News: Keyplayer in reshipping network arrested

For public release TLP:Green:

The documentary program Operation X, aired on Danish TV2 last night, has for the past two months been investigating and tracking a large reshipping scam orchestrated from Vilnius in Lithuania.

The criminal setup has involved the abuse of a large volume of stolen credit cards, which were then used to buy expensive electronic goods and bikes from ecommerce stores in Denmark and Germany, and probably elsewhere in Europe.

With the use of package mules working out of Denmark, the goods were then shipped to Lithuania and sold on various Internet forums.

The CSIS eCrime Unit was called in to support the investigation, and through several digital channels we managed to track the person running the criminal outfit. Exactly how we managed to do this will not be made publicly available. As a result of this work, the Lithuanian police arrested Aleksandrs Mirakovskis, who has subsequently pleaded guilty to several charges.


Apparently, the apartment of Aleksandrs Mirakovskis, which was raided by the local police, also contained facilities to produce large amounts of fake credit cards.


In Denmark alone, one single ecommerce store has lost millions of kroner due to this scam and has reported more than 600 incidents to the national police, which has only led to a single charge.

The magnitude of package reshipping and fraud using stolen credit cards to buy expensive electronic goods is difficult to estimate, but it’s clearly costing Danish eCommerce stores millions of kroner every year.
