Tag Archives: Cybercrime

Underground black market: Thriving trade in stolen data, malware, and attack services

The underground market is still booming after recent major data breaches. The price of stolen email accounts has dropped substantially, but the value of other illegal goods and services has remained stable.


During the holiday season, shoppers scour the internet to find the best deals for the perfect gifts. Ordinary consumers aren’t the only ones looking for bargains at this time of year. A host of cybercriminals are looking to shop at other people’s expense and use underground marketplaces to buy and sell illegal goods and services. Stolen data, compromised online accounts, custom malware, attack services and infrastructure, fraudulent vouchers, and much more can be bought if you know where to go.

Prices for illegal goods and services can vary widely, depending on what’s offered, but bargains exist even for cybercriminals on the tightest budgets. Attackers can pick up stolen data and compromised accounts for less than a dollar. Larger services, such as attack infrastructure, can cost anything from a hundred dollars to a few thousand. However, considering the potential gains that attackers could make by using this infrastructure, the upfront cost may be worth it for them.

Considering all of the data breaches and point-of-sale (POS) malware incidents that occurred in the last 12 months, you may think that underground markets are flooded with stolen data, causing prices to drop. Interestingly enough, this does not seem to be the case for all illegal goods on these marketplaces.

Shopping in the underground
While some illegal marketplaces are viewable on the public internet, news coverage around underground sites has increased this year, forcing many scammers to move to darker parts of the internet. For example, some forums are now hosted on the anonymous Tor network as hidden services. Other markets are only accessible with an invitation and require a buy-in, which could involve money or goods—like 100 freshly stolen credit cards. Other markets are run on private chat rooms and have rigid vetting procedures for new users. In these closed circles, prices are usually much lower and the traded amount of goods or services is higher. 

Stolen data for sale
Prices have dropped for some of the data offered, such as email accounts, but they remain stable for more profitable information like online bank account details. In 2007, stolen email accounts were worth between US$4 and $30. In 2008, prices fluctuated between $0.10 and $100. In 2009, the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10.  The latest pricing is a good indication that there is now oversupply and the market has adjusted accordingly.

Credit card information, on the other hand, has not decreased in value in recent years. In 2007, this information was advertised at between $0.40 and $20 per piece. How much you pay can depend on a number of factors, such as the brand of the card, the country it comes from, the amount of the card’s metadata provided, volume discounts, and how recently the card data was stolen. In 2008, the average asking price for credit card data was slightly higher, at $0.06 to $30, and later in the year it rose to between $0.85 and $30. Today, prices for stolen credit card information range between $0.50 and $20. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cybercriminals trade in bulk volumes.

Of course, we have no visibility into transactions and do not know how many buyers actually pay the upper end of the price range. The quality of the stolen goods is also questionable, as some sellers try to sell old data or resell the same data multiple times. This may also explain why there has been a boom in additional service offerings that verify that the seller’s accounts are still active or that a credit card has not yet been blocked. Most underground marketplaces even provide a guarantee for the data’s freshness and replace blocked credit cards within 15 minutes of purchase. As expected, where there is demand, someone will step in and address the gap in the market.

Attack services for hire
Crimeware-as-a-service has also become popular on underground marketplaces. Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams. This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.

A drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and distributed denial-of-service (DDoS) attacks can be ordered from $10 to $1,000 per day. Any product or service directly linked to monetary profit for the buyer retains a solid market price.

Cashing out with fraudulent vouchers and tickets
Cybercriminals are always coming up with new strategies to cash out their profits. Vouchers and online gift cards are currently in vogue, as they can easily be traded or sold online. Attackers pay for them using stolen credit cards or generate them from hijacked online retailer accounts. They then sell the vouchers and online gift cards for 50 to 65 percent of the nominal value. Cybercriminals can also sell hotel, airline, and train tickets for approximately ten percent of the original asking price. Of course, this is very risky for the people who buy these tickets. Recently, 118 people were arrested in a global operation on suspicion of using fake tickets or obtaining stolen card data to purchase airline tickets. The airline industry believes that fraudulent tickets are costing it around $1 billion annually.

Older methods such as packet re-sending agents have declined in popularity. This method involved buying expensive goods with stolen credit cards and having them shipped to an uninvolved volunteer, who then reshipped the goods to the attacker’s anonymous PO box. This is getting harder to do, as many shops will only ship to the registered home address of the credit card. This also led to some attackers picking up the items in a physical store nearby, rather than shipping them somewhere first.

The expansive underground marketplace
These examples aren’t the only goods and services on offer on underground marketplaces. Also for sale are:

  • Scans of real passports ($1 to $2), which can be used for identity theft purposes
  • Stolen gaming accounts ($10 to $15), which can yield valuable virtual items
  • Custom malware ($12 to $3,500), for example tools for stealing bitcoins by diverting payments to the attackers
  • 1,000 followers on social networks ($2 to $12)
  • Stolen cloud accounts ($7 to $8), which can be used for hosting a command-and-control (C&C) server
  • Sending spam to 1 million verified email addresses ($70 to $150)
  • Registered and activated Russian mobile phone SIM card ($100)

Protection
The booming underground marketplace is another reason it’s important to protect your data and identity. Otherwise, you may find your personal information in the shopping basket of a cybercriminal during this holiday season.

Symantec recommends the following basic security guidelines:

  • Always use strong passwords, and never reuse them across other websites.
  • Update the software on all of your devices regularly to prevent attackers from exploiting known vulnerabilities.
  • When entering personal or financial information, ensure that the website is encrypted with a Secure Sockets Layer (SSL) certificate by looking for the padlock icon or “HTTPS” in the address bar. Report any suspicious behavior before submitting sensitive information online.
  • Use comprehensive security software, such as Norton Security, to protect yourself from cybercriminals.
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks. If something looks too good to be true, then it likely is.


Sony PlayStation Network down due to hacker attack

Poor Sony. They are getting it from all directions these days.  On Sunday, the PlayStation Network, the online store for games, movies, and TV shows, suffered a hacker attack and was knocked offline. Visitors to the store got a message that said, ‘Page Not Found! It’s not you. It’s the Internet’s fault.’ I just visited […]

??????????????????? Snifula ???????????????


A variant of Snifula prevents the image that recommends installing the security product PhishWall from being displayed on bank websites.

GameOver Zeus May not be as Over as You Think

The FBI, along with the Department of Justice, announced a multinational effort on their website that has disrupted a botnet called GameOver Zeus. GameOver Zeus has infected millions of Internet users around the world and has stolen millions of dollars.   The UK’s National Crime Agency (NCA) has worked closely with the FBI to crack […]

iBanking: Exploiting the Full Potential of Android Malware


Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model. 

Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits. 

iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection. 

Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs but, with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.

How it works
Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure. 

Figure 1. How an iBanking victim is infected

The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces. 

iBanking can be configured to look like official software from a range of different banks and social networks. Once it is installed on the phone, the attacker has almost complete access to the handset and can intercept voice and SMS communications. 

History
iBanking has evolved from a simple SMS stealer into a powerful Android Trojan, capable of stealing a wide range of information from an infected handset, intercepting voice and text communications, and even recording audio through the phone’s microphone.

Early, pre-sale versions were seen in August 2013. They had limited functionality and could simply redirect calls and steal SMS messages. iBanking’s owner, who operates under the handle GFF, has continually refined the malware. By September 2013, it had gone on sale on a major Eastern European underground forum and was already replete with a broad range of functionality. 

iBanking can be controlled through both SMS and HTTP. This effectively provides online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.

iBanking’s main features now include:

  • Stealing phone information: phone number, ICCID, IMEI, IMSI, model, operating system
  • Intercepting incoming/outgoing SMS messages and uploading them to the control server 
  • Intercepting incoming/outgoing calls and uploading them to the control server in real time
  • Forwarding/redirecting calls to an attacker-controlled number 
  • Uploading contacts information to the control server
  • Recording audio on the microphone and uploading it to the control server 
  • Sending SMS messages
  • Getting the geolocation of the device 
  • Access to the file system 
  • Access to the program listing 
  • Preventing the removal of the application if administrator rights are enabled 
  • Wiping/restoring phone to the factory settings if administrator rights are enabled 
  • Obfuscated application code  

While iBanking was initially only available from GFF at a premium price of US$5,000, the source code for the malware was leaked in February. Not surprisingly, this resulted in an immediate increase in bot activity relating to iBanking. Symantec predicts that this upsurge in activity will continue as news of the leaked source code spreads through the underground. 

However, we believe that the more professional cybercrime groups will continue to pay for the product, allowing them to avail of updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.

GFF continues to develop iBanking and add new features. They have also claimed that they are developing a version for BlackBerry, although this has yet to go on sale. 

How one hacker’s search for stolen Bitcoins led to an attack on the BBC and the leak of iBanking’s source code
The source code for iBanking was leaked following a bizarre series of events in which a hacker went on an attacking spree as part of a quest to retrieve 65,000 stolen Bitcoins. 

Figure 2. ReVOLVeR uses Twitter to brag about attacking the BBC

It began in December 2013 when hacker ReVOLVeR began investigating the theft of 65,000 Bitcoins from a friend. ReVOLVeR traced the theft to the friend’s mobile phone and found an iBanking infection which they believed had leaked the username and password for their Bitcoin wallet. At the time, one Bitcoin was worth approximately US$1,000, which means that ReVOLVeR’s friend had lost over US$70 million. 

ReVOLVeR discovered that the infected phone was communicating with a C&C server, myredskins.net, which they went on to compromise. On this server, they discovered leaked FTP credentials for the BBC’s website. The credentials may have been stolen from an SMS sent to a mobile phone owned by a BBC staff member infected with iBanking. Alternatively, they may have been taken from a third party who had been given access to the server. 

ReVOLVeR then used these credentials to log into the BBC server, root the account and begin cracking additional credentials. He posted about his progress on Twitter, updating his followers with screenshots and dumps on SendSpace. 

Once finished with the BBC, ReVOLVeR then turned his attention to iBanking and attempted to sell the malware as his own on an underground forum. He did little to cover up the origin of the malware, simply reusing the post GFF had originally used to advertise iBanking on a different forum. Not surprisingly, ReVOLVeR was promptly banned from the forum. 

Not long after this, in February, another hacker who uses the handle Rome0 posted the source code to iBanking on a carding forum along with a simple script which could re-configure the iBanking application. Instead of charging for the malware, this version was made available for free. It is unclear whether Rome0 acquired the source code from ReVOLVeR or simply read about his attack on the C&C server and imitated it, but the two incidents appear to be linked. 

The release of the source code coincided with a significant uptick in iBanking activity. Despite the availability of a free version, our research suggests that most of the large cybercrime actors are continuing to opt for the paid-for version. They appear to be willing to pay a premium for the updates and support provided by GFF.

The gangs using iBanking
One of the most active iBanking users is the Neverquest crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe. 

Another threat actor utilizing iBanking is Zerafik, who also appears to operate from Eastern Europe. Zerafik operated a command-and-control (C&C) server located in the Netherlands which was subsequently hacked, with details posted publicly on ProtectYourNet. The leak revealed that iBanking installations controlled by this C&C server were configured to target customers of Dutch bank ING, with the app disguised to look like an official app from the company. The iBanking campaigns uncovered by this breach involved multiple segregated botnets that could be controlled through a single panel, allowing for the attacker to control multiple campaigns from a single user interface. 

One of the first users of iBanking was an actor known as Ctouma, who has a history of involvement with scam websites and trading in stolen credit card data. Their email address (Ctouma2@googlemail.com) had been used to set up a service which sells stolen credit card information. 

Ctouma employed one of the earliest versions of the malware, which wasn’t even for sale at the time. It was disguised as a mobile application for a Thai bank. While Thailand itself is not typically associated with financial fraud attacks, it is possible that these attacks may have served as a test bed for early versions of the malware, in order to test its effectiveness. 

Protection
Symantec detects this threat as Android.iBanking.

Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. 

You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 

Some iBanking APKs have been seeded onto trusted marketplaces, and users should be aware of this as a potential avenue of infection.

Users should be cautious about sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data.
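
An added example, not from the original article or from Symantec: one way a message gateway could implement the check recommended above, flagging any message that links to an APK. The function names and sample messages are constructed for illustration, and shortened links are not resolved, so a redirector that hides the `.apk` target is out of scope here.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Illustrative helper names; not taken from any product or from the article.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)]}'\""


def extract_urls(text):
    """Return the http(s) links found in a message body."""
    urls = []
    for match in URL_RE.finditer(text):
        # Sentence punctuation glued to the end of a link is not part of it.
        url = match.group(0).rstrip(TRAILING_PUNCT)
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def _is_apk(value):
    # Decode twice so single and double percent-encoding (%2E, %252E) are caught.
    decoded = unquote(unquote(value)).strip().rstrip("/").lower()
    return decoded.endswith(".apk")


def apk_reasons(url):
    """List which parts of a URL point at an APK file."""
    parts = urlsplit(url)
    reasons = []
    if _is_apk(parts.path):
        reasons.append("path")
    # Download scripts often carry the file name in a query parameter.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_apk(value):
            reasons.append("query:" + key)
    if _is_apk(parts.fragment):
        reasons.append("fragment")
    return reasons


def screen_message(text):
    """Return (url, reasons) for every APK link in a message; empty list if clean."""
    hits = []
    for url in extract_urls(text):
        reasons = apk_reasons(url)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    # Constructed sample messages using reserved .example domains.
    samples = [
        "Your bank security app: http://downloads.example/secure/bank.apk.",
        "Install here https://cdn.example/get?file=update%2Eapk&id=7",
        "Meeting moved to 3pm, see https://intranet.example/calendar",
    ]
    for sample in samples:
        verdict = "BLOCK" if screen_message(sample) else "allow"
        print(verdict, "-", sample)
```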

Halloween tricks move online


Back in the good ol’ days of Halloween, you only had to worry about your house getting egged or your big brother stealing the good candy. Halloween tricks have moved online, and along with any significant event or holiday, this spooky celebration marks an increase in malware. Cyber ghouls pull out their bag of tricks […]

Cybersecurity is Our Shared Responsibility


AVAST is a proud champion of National Cyber Security Awareness Month (NCSAM) and European Cyber Security Month (ECSM) recognized this October. The month begins with the awareness that no individual, company, or government is solely responsible for securing the internet – it is Our Shared Responsibility. Individual computer users are the first line of defense […]

A Cyber Bank for Cybercriminals Meets Its Demise

This week the Federal Government scored a major victory over a massive worldwide network of cybercriminals by shutting down Liberty Reserve, a criminal business venture disguised as a bank that was fronting a secret money system for everyone from credit card and identity thieves to Ponzi scheme peddlers, hackers for hire, and money launderers. Liberty Read more…

NCCDC 2013 – Red Team Recap

          This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at 9th NCCDC competition.   It was actually my 2nd year on the Red Team and 4th year to attend in total (I judged in 2010 and 2011).  McAfee is actually a perpetual Read more…