Category: General Cyber Intel

Overall Phishing Attack Volume Down for 2nd Half of 2010 As Phishers Become More Focused on High Value Targets

February 17th, 2011

As reported in the upcoming release of the Cyveillance Intelligence Report, overall phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and emphasis on targeted attacks continues to rise. As a result, despite the number of attacks going down, the ability of phishers to be successful has risen significantly as evidenced by the growing number of spear phishing attacks and Advanced Persistent Threats (APTs) reported during the half.

The number of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks results in greater success and more lucrative opportunities for online criminals. A recent story regarding socially-engineered attacks against High Value Targets (HVTs) in the Canadian government provides a clear example of the danger this new breed of attack poses to organizations.

Organizations should continue to monitor for suspicious activity related to the attack described in the article above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Cybercrime in Russia: Comments from the United States Embassy in Moscow

December 13th, 2010

Recent law enforcement activity against a couple of high profile Russian cyber criminals reminds us that while some major cyber criminals continue to act with impunity, it appears that progress is being made on some fronts.

Cyveillance recently asked the United States Embassy in Moscow to comment on cooperation between our countries in the fight against cybercrime for publication on CyveillanceBlog.com. Below are the responses to our inquiries from the U.S. Embassy in Moscow:

Cyveillance: Is there regular dialogue between the American and Russian governments at the diplomatic level on the topic of international cybercrime? If so, how often does such engagement occur?

U.S. Embassy in Moscow: Yes, on more than one level. For example, there is ongoing dialogue between U.S. and Russian diplomats concerning matters of Internet governance, of which law enforcement efforts against cyber crime are an integral part. These discussions typically occur in a multi-national setting such as the United Nations. Additionally, there is ongoing dialogue and cooperation between our respective investigators on particular cyber crime cases. This dialogue occurs in several ways, including through periodic face-to-face meetings several times per year. In some instances, these discussions focus on a particular area of cyber crime. For example, there is a bilateral United States – Russia IPR Working Group which meets regularly to discuss issues related to intellectual property protection, including in cyber space, with special focus on enforcement.

Cyveillance: With the shutdown of Russia-based Spamit this fall and the investigation into the activities of alleged spammer Igor Gusev, it appears Russian authorities may be taking steps to curtail cybercrime. From the U.S. Embassy in Moscow’s perspective, are these isolated incidents, or does it appear that there may be a shift in the climate for cybercriminals in Russia?

U.S. Embassy in Moscow: We are hopeful that these examples mark the beginning of the creation of a much more difficult environment for cyber criminals, not only in Russia, but worldwide. As you know, cyber crime transcends national boundaries not only in the perpetrator-victim sense, but also in the sense that members of the same cyber-driven criminal organization are often based in several countries. It is more important than ever that each nation take steps to clamp down on cyber crime.

Cyveillance: Russia traditionally enjoys a population that is well educated in math and engineering. Some authors suggest that the lack of opportunities in traditional business environments may tempt talented programmers into criminal activity. Is the State Department aware of any formal efforts that will help encourage Russian technologists to pursue legal opportunities using their skills, as opposed to those offered by cybercrime?

U.S. Embassy in Moscow: President Medvedev has made technological development a very high priority in his administration’s vision for the future of Russia. One example of this is the plan to develop a cyber industry, along the lines of Silicon Valley, based in the town of Skolkovo near Moscow. The prioritization of economic development in the tech sector, provided it is coupled with a strong law enforcement response to cyber crime, should incentivize individuals with technical skills to seek legitimate career paths.

Cyveillance: While there have been some recent notable exceptions, Western cybercrime researchers and even some in law enforcement sometimes feel that Russian cybercriminals are out of reach and enjoy a de facto immunity from prosecution. What is the State Department’s position on the amount and quality of cooperation received from Russian officials in international cybercrime investigations?

U.S. Embassy in Moscow: There has been some cooperation on cyber crime matters, but there is a need for far more. That is an overarching goal of the ongoing dialogue between our countries on these issues. Certainly, enhanced cooperation in this area would support the goals announced by President Medvedev for technological development in Russia, as those who consider investing in that development will expect a consistently strong law enforcement response to cyber and other crimes to protect their investments.

Cyveillance: From the State Department’s perspective, how much of American success in combating cybercrime of Russian origin is amenable to American law enforcement’s efforts? Are there inroads that remain to be made at the diplomatic level first?

U.S. Embassy in Moscow: The United States plays a leadership role in combating cyber crime, but no one nation can tackle this multi-national problem. The United States has law enforcement partnerships around the world with dedicated and highly professional counterparts in the area of cyber crime. We are striving to strengthen our partnership with our Russian counterparts in this area, which is certainly in our mutual interest.

Cyveillance: Is there anything else the State Department thinks cybercrime researchers or the general public should know about efforts to combat cybercrime in Russia?

U.S. Embassy in Moscow: Cyber crime presents complex problems that require a complex, multi-faceted response. This includes coordinated efforts not only by the governments of the United States, Russia and other countries, but also by those in industry and academia. We appreciate the opportunity to participate in this important dialogue.


Many thanks to U.S. Embassy staff for taking the time to answer our questions.

Cyber Security Education Gaining Momentum

November 18th, 2010

Cyber security awareness continues to gain interest in every industry and market. With the dramatic increase in online activities and social media networks, organizations are realizing the need to educate their employees on everyday risks and threats and on how to safely navigate the Internet. We are pleased to announce that “Cyber Safety 101”, the dynamic and effective online training course we created in partnership with Mind & Media, has just won the MarCom 2010 Platinum Award.

Mind & Media took our content and subject matter expertise and packaged it in an engaging, interactive online training course that educates users on the risks found on the Internet. Knowing that employees are extremely busy, it was critical for us to present this information in a comprehensive and efficient way to ensure the transfer of knowledge, safeguarding them and their companies. The fact that Mind & Media was able to pull together an exciting education program that incorporates the unique perspective our experts have acquired over the years into an easy-to-view presentation should not be overlooked. Congratulations to Mind & Media for a job well done.

Cyveillance Releases Cyber Intelligence Report for 1st Half of 2010

October 11th, 2010

For more information or to download the report, please visit this press release.

October is National Cyber Security Awareness Month

October 5th, 2010

Cyber Security Awareness

This October marks the seventh annual National Cyber Security Awareness Month. The initiative comes from the United States Department of Homeland Security and is a welcome part of the continuing effort to educate the public about the importance of safe internet use. The US Government has designated the internet as critical infrastructure, acknowledging its importance in our country’s ability to grow industry, share valuable resources, and conduct commerce.

The criminals and foreign adversaries who would compromise American internet users’ computers are highly sophisticated and very motivated. National Cyber Security Awareness Month is terrific because it provides an opportunity for the broader public to learn about the very real threats that are targeting them. Perhaps they’ve heard these basic yet vital messages before:

  • Always run anti-virus software.
  • Keep all software updated with the latest versions.
  • Don’t click on links or visit websites that look suspicious.

Unfortunately the last time these words of advice were offered, maybe three out of the ten people who heard them actually put them into practice. (And even those who “get” the message will still make the occasional mistake! We all have bad days.) With continued repetition provided through opportunities like National Cyber Security Awareness Month, perhaps we can bump that up to six out of ten. Next time around, we can build on that success.

Like many things, how well educated the public becomes about cyber security depends on how much money is spent doing so. We will be only as successful as the budgets for education efforts and our education strategies allow us to be. Regardless of how much funding is available to spend on public education, lessons can be learned from strategies and tactics that have already been developed by other government agencies. The Department of Health and Human Services, along with entities like the Centers for Disease Control and the Food and Drug Administration, has done a very good job over the years educating citizens about the dangers of smoking, epidemic preparedness, and other risks to one’s health. Government agencies tasked with protecting our nation’s cyber security should liaise with those agencies to learn what works and what doesn’t. Reinventing the wheel is expensive and time consuming for all involved.

In closing, National Cyber Security Awareness Month is a welcome and important part of that effort. IT departments in the public and private sector should take advantage of NCSAM to reinforce safe internet use once again. Resources for organizations to promote awareness are available on the official NCSAM website, StaySafeOnline.org. Let’s keep moving forward in the fight against cyber crime together.

The More Things Change…

September 30th, 2010

Cyber Criminals Don’t Limit Themselves to Just One Area of Fraud

Cyveillance has monitored the activity of rogue online pharmacies for several years. Websites that sell Viagra, Levitra, and Soma online without a prescription are everywhere. These websites come and go as the affiliate webmasters who run them come in and out of the business. However, the big players that run the affiliate programs in this dangerous online pharmacy market don’t change very often, and while some new ones continue to appear on the radar, in general the old ones are unfortunately doing well.

Back in July we wrote about one such group and its expansion into new but equally illegal territory. This crew of Russian cyber criminals, who traditionally specialized in illegally shipping unapproved and sometimes counterfeit drugs to patients in the United States, had announced plans to offer counterfeit luxury goods. Since writing that piece we have observed another Russian online pharmacy network announce a similar move into counterfeit luxury goods. They don’t want to miss out on the action.

So it was no surprise when we recently discovered yet another Russian online pharmacy network (which also primarily targets American citizens) moving into new territory. In the screenshot below, you can see a website that their web designer was working on but had not yet finished.

[Screenshot: An illegal online pharmacy in the process of becoming a distributor of illegal copies of Microsoft Windows.]

You will notice that parts of the page are identical to one of the online pharmacy templates they offer to their affiliate webmasters. Down the left hand side, it still lists drugs they wish to sell illegally, and in the search box at the top of the page it reads, “search medicine by name”. But the title of the page reads “Discount Software” and the items named in the center of the page all read “Windows 7 Ultimate”.

[Screenshot: Note the phone number, which is the same as the one found on hundreds of illegal online pharmacies currently online.]

The stolen logos of Microsoft, Adobe, Verisign, CNet, and Autodesk are likely included to suggest the legitimacy of their software sales.

In the screenshot below of rogue online pharmacy hqdrugs.com, we can see the same phone number (800-998-7978) and the same exact listing of categories going down the left hand side of the page.

[Screenshot: This illegal online pharmacy has the same phone number and product categories as the site shown in the previous screenshots.]

So there’s a pretty good chance that the first two screenshots reveal this rogue online pharmacy network directing its attention to illegal software sales. This will not only give them entry into a new market, exposing them to new (and unlucky) customers, but also provide them with new income should increasing scrutiny be given to the dangerous world of illegal online pharmacies.

As always, Cyveillance warns against doing business with such operations. If you’re curious whether the site you stumbled across is legitimate, see if it passes all of the criteria offered by the FDA regarding online pharmacies. Software downloads should only come directly from the original software company.

Counterfeit Goods Online

July 14th, 2010

Cyveillance has fought for many years against the seemingly endless barrage of counterfeit goods online, focusing especially on illegal online pharmacies and even the US companies who support them.

It was especially encouraging to see the dangers of counterfeit goods covered this morning on NBC’s Today Show. Serious video coverage can also be found at CNBC. Consumer education about the dangerous risks of ordering medications online without a prescription, as well as the inferior quality of other counterfeit products, is always welcome.

While such crooks are traditionally found in the notorious 3 P’s (porn, poker, and pills), sometimes these criminals diversify into other areas. One major illegal online pharmacy marketing group from Russia recently announced its intention to enter the fashion market:

The project is aimed at selling clothes, shoes and accessories of the most well-known brands like Gucci, Armani, Galliano, Diesel, Burberry, Calvin Klein, Gianfranco Ferre, Cartier, DelMaro, Prada, Dolce & Gabbana, Guess, Dsquared, Hugo Boss, Moschino, etc. (There are more than 100 (!) different brands presented at the site).

Because we think it unlikely that a group of illegal online pharmacy operators from Russia has signed distribution and marketing agreements with 100 legitimate brands, we believe the merchandise from this site and others in its network is most likely counterfeit.

Indeed, here is one of their sites from this new effort:

[Screenshot: A website that appears to sell only counterfeit goods.]

The marketers for fake or “replica” clothing sites use the old-fashioned spammy tactics often associated with online pharmacies to get the word out about their websites. In these next two screenshots, you can see the comment moderation panel for this very blog, where devious marketers of counterfeit goods have submitted comments to cyveillanceblog.com in the hope that we will publish the comment and the accompanying link to their site.


As is clear, online criminals have no intention of slowing down their illegal tactics on the internet. We look forward to a public who is more informed about the serious risks involved in counterfeit products and will continue working hard to negate the threat posed to consumers by such cybercriminals.

Illegal Online Pharmacy International Drug Mart Now Supported by Trustwave

June 23rd, 2010

Rogue online pharmacies offer prescription medications to consumers without requiring a prescription, and often sell medications that are not approved by the FDA. This leaves ample opportunity for dangerous, untested and even counterfeit products to be purchased and abused by consumers.

International Drug Mart is just such a rogue online pharmacy. It will sell a large number of prescription drugs to anyone with a credit card. LegitScript, an online pharmacy verification service used by Google, Yahoo!, and Bing, has confirmed that InternationalDrugMart.com is a rogue online pharmacy due to unlawful, unsafe, or deceptive practices.

In mid-May Cyveillance wrote that International Drug Mart had employed the services of noted certificate authority Thawte, which is based in South Africa. International Drug Mart did so to give the impression that it is a reputable business and that it cares about its customers’ wellbeing. However, this is a ruse and does not change the fact that dependence-forming painkillers, powerful anticancer medications and other drugs are available from International Drug Mart to anyone with a credit card.

Shortly after our publication of this information, Thawte canceled its services to International Drug Mart. Cyveillance commends Thawte for doing the right thing and withdrawing support to a business that clearly endangers the health of consumers.

Thawte’s responsible behavior was promptly mirrored by two other peers in the SSL certificate industry:

  • After being denied by Thawte, International Drug Mart procured an SSL certificate from a certificate authority in the United Kingdom. Upon being informed of the nature of International Drug Mart’s business, the British certificate authority immediately canceled its service to International Drug Mart.
  • After being denied by the British certificate authority, International Drug Mart procured an SSL certificate from a certificate authority in Romania. Upon being informed of the nature of International Drug Mart’s business, the Romanian certificate authority immediately canceled its service to International Drug Mart.

Now International Drug Mart has gone to Secure Trust, also known as Trustwave, for its SSL certificate. (It should be noted that for quite some time, International Drug Mart has also used Trustwave’s Trusted Commerce program.) Trustwave is based in the United States.

Cyveillance has reached out to Trustwave on multiple occasions in recent weeks. On June 22 Cyveillance received an email from a Trustwave vice president who wrote, “We have reviewed our validation of this site and it does meet all criteria to demonstrate organization control of the web domain and therefore we will not revoke the certificate at this time.”

By the logic offered in Trustwave’s response, anything on the internet, no matter what the content, is fair game for Trustwave’s services as long as the site meets certain technical requirements.

Just this week, Vice President Joe Biden offered (emphasis ours):

I applaud Google, Yahoo and Bing for the steps they’ve taken in recent weeks to stop selling advertising to illegal Internet pharmacies. But — but — we need to go further. It’s time for others to step up to, it’s time to stop supporting ads for drugs sold illegally over the Internet — and for a simple reason: for the public health of American — of our population.

The same goes for companies who support illegal Internet pharmacies in ways other than advertising. When we look at International Drug Mart, we see a site that is in clear violation of federal law and has serious potential for physical harm. We are disappointed that Trustwave, unlike its peers, does not have a problem doing business with such an organization.

Dealing with the Challenges of Social Media in the Workplace

June 8th, 2010

A story by The Plain Dealer posted on www.cleveland.com last week sheds light on the numerous issues associated with social media and the workplace. Providing real life examples of problems experienced by companies such as Petland and Nestle, the story gives an excellent overview of many of the decisions that need to be made in the implementation of a company-wide social media strategy.

Companies can take proactive steps to strengthen their security posture and minimize potential damage from problems that arise in the social media environment. The steps start with a solid understanding of both the authorized users and the vast numbers of unauthorized social media users within the company. Next, companies should have a formal education and training plan in place that meets the needs of all sides of the business. Further, documented social networking policies, ongoing monitoring and a strong organizational feedback structure are essential. For more information, see The Impact of Social Media on Corporate Security: What Every Company Needs to Know, published by Cyveillance in Spring 2010.

Interview with Joseph Menn, Author of Fatal System Error

June 2nd, 2010


Cyveillance recently had the opportunity to interview Joseph Menn, the author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, released in January 2010. Menn has reported on security and other technology issues for more than a decade at the Financial Times and the Los Angeles Times, mostly from his base in San Francisco. He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism. Earlier, he won a “Best in Business” award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.

His latest nonfiction book follows two protagonists who were successful in bringing down a small group of cyber criminals. It also highlights the growing threat and active participation of organized crime syndicates in online criminal activity.

Cyveillance asked Menn for some comments on this serious problem.

Cyveillance: Your book covers a time frame from approximately 2000 through 2009. Based on the experiences of the book’s protagonists, what would you say the large scale trends in cyber crime during that time frame are?

Menn: It’s night and day. In 2000, hackers would knock down sites such as eBay and Yahoo for momentary fame. They were isolated teens or those with small circles of like-minded friends. In 2003, the first purely commercial viruses appeared, compromising tens of thousands of machines for illicit purposes. The initial motive for the people in charge was to make money by sending spam from addresses that would evade blacklists, which were growing more effective. But once they had the botnets, they began finding other ways of making money, including denial-of-service attacks for hire. They would take out a sponsor’s competitor for a price at first, but then the criminals became more enterprising and wiped out sites unless they were paid off, a freelance extortion gambit. The same gangs and bots are now engaged in mass identity theft and financial fraud against consumers and small businesses, as well as theft of trade and military secrets. By now, the vast majority of serious cyber crime is mob-related, and more than 90 per cent goes overseas.

Cyveillance: In the book both Barrett Lyon, an American citizen, and Andy Crocker, a British law enforcement officer, experienced frustration with domestic and international law enforcement’s ability to understand and take action against the cyber criminals they faced. Why do you think this is, and has the situation improved? If you think it has not improved, what do you think needs to change in law enforcement to more effectively take on sophisticated cyber crime?

Menn: Cyber crime cases are hard to prove. The Internet might as well have been designed with plausible deniability in mind. And law enforcement cooperation is hard to get even from allies, due to logistical issues, differing priorities and varying laws. But the overarching problem, which nobody in power wants to talk about, is that the worst of the worst are knowingly protected by corrupt governments or those that view the mobsters as intelligence assets or strategic weapons. The enforcement outlook has not improved substantially, while the crime has gotten much worse over the years. Britain, which during the period in the book was well ahead of US efforts overseas, has gone backward with the dismantling of the National Hi-Tech Crime Unit. The only ray of light is that people inside the Obama administration are paying more attention and thinking about the issue.

Cyveillance: How would you describe the connection between the cyber criminals described in your book and with traditional organized crime?

Menn: In Russia, both petty criminals and legitimate business owners typically need a “roof”, or mob patron, to whom they pay tribute in exchange for fending off other criminals and officials looking for bribes. So even independent hacking rings, once they got large, depended on traditional mobsters to perform such services. Once the old mob saw how lucrative Internet crime was, it began taking a more direct supervisory role, as it did with the Russian Business Network in St. Petersburg.

Cyveillance: The criminals in Fatal System Error were largely Russian in origin. What is it about Russia that seems to produce such sophisticated cyber criminals, and do you see that situation improving?

Menn: Russia has had first-rate math and computer education for decades. But there are limited legitimate career opportunities. In addition, crime isn’t viewed through the same moral lens we have in the West; it just isn’t seen as that bad a choice. The corruption is staggering. And now it is even worse, because the major criminal hacking groups have protection from intelligence and military wings of the national government. The same people are being used to attack Kremlin enemies, both internally and externally, including government and media sites in countries such as Estonia and Georgia.

Cyveillance: Based on your book’s findings and other accounts, there appear to be casual, if not formal, links between the Russian government and the online criminal enterprise known as the Russian Business Network. While botnets that are under the control of groups like the RBN are harmful by definition, is it your belief that the weaponization of criminal resources reportedly found here is an isolated incident, or is this a growing risk from other governments?

Menn: It is a pattern that is spreading. The second most serious threat comes from China. Hacking there has evolved the other way, beginning with state-sponsored and patriotic attacks and now with a major profit motive as well. Criminal outfits with bot networks may look for personal financial data first, but they share commercial and military goodies with the officials who protect them.

Cyveillance: If there is one lesson from Fatal System Error, what is it?

Menn: The internet as we have come to use it–for financial and business activities–cannot survive without drastic action that is highly unlikely to occur. We need to make the protection of criminals a major diplomatic priority, and we need massive funding for an opt-in protocol more secure than TCP/IP.

Cyveillance: Thank you for your time. Any other thoughts you would like to add?

Menn: I’ve covered cybersecurity for almost a dozen years at major newspapers. Since 2004, I’ve been convinced the topic needed a thorough but also entertaining book on the subject. I got very lucky in finding heroes like Barrett, who infiltrated both Russian and Gambino cyber-mob operations, and Andy, who was nearly killed while conducting the most successful West-Russian collaborative prosecution of hackers in history, yet had never told his story. With the New Yorker comparing Fatal System Error to Stieg Larsson’s trilogy and Slashdot saying it’s on par with The Cuckoo’s Egg, I feel I accomplished what I set out to do.


Many thanks to Menn for taking the time to answer our questions.