Ransomware Will Win The War
Kaspersky Lab is calling for a massive group effort to break the encryption used by the latest ransomware. But is it misguided?
SANS Internet Storm Center Starts Monthly Podcast
If you don't have the time or interest to read about the latest IT security news, the SANS.org podcast or some of the other security podcasts might help you keep up.
Peculiar Patch Pits iPhone Security vs. Safari
Earlier this year, Security Fix criticized Apple for making iPhone users wait for security updates that Apple had fixed in its other products four months earlier. Now, it appears that iPhone users may have received a patch for a critical security hole four months before Apple fixed the flaw in its other products.
Taking a look at the vulnerability summary from the update Apple released last week to fix critical vulnerabilities in Mac and Windows versions of its Safari browser, we can see that Apple corrected a serious flaw in WebKit, the rendering engine used by Safari on Mac OS X, Windows and the iPhone:
WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
It looks like Apple fixed this same vulnerability in the iPhone's version of Safari back in July, when it shipped its 2.0 version of the iPhone's software. From that vulnerability advisory:
Safari
CVE-ID: CVE-2008-2303
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
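The two advisories describe the same class of defect: an array index that is validated with a signed comparison, so a negative index slips past the "is it smaller than the length" test. The C below is an added example written for this page, not WebKit's or Apple's code, and it does not reproduce the actual Safari defect; it shows the bug pattern beside the one-line fix. The ArrayStore type, the signed length field, the marker values and the sample contents are all constructed for the demonstration, and the logical array is a window into a larger buffer so that the out-of-bounds read lands on a marker inside the same object rather than on arbitrary memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an engine's array backing store: a pointer to the
 * elements plus a length. The length is kept in a signed int and the
 * script-level index arrives as a signed int (an assumption for this demo,
 * not a description of any engine's source). */
typedef struct {
    int32_t *elements;
    int32_t  length;
} ArrayStore;

/* Signedness bug: both sides of the comparison are signed, so a negative
 * index is always "less than" a non-negative length and the check passes. */
bool vulnerable_index_ok(const ArrayStore *a, int32_t index) {
    return index < a->length;            /* BUG: never rejects index < 0 */
}

/* Hardened check: comparing as unsigned folds every negative index into a
 * value above any legitimate length, so one compare rejects both index < 0
 * and index >= length. */
bool hardened_index_ok(const ArrayStore *a, int32_t index) {
    return (uint32_t)index < (uint32_t)a->length;
}

typedef bool (*index_check_fn)(const ArrayStore *, int32_t);

/* Element read guarded by the supplied check. Returns false (and leaves *out
 * untouched) when the check rejects the index. */
bool read_element(const ArrayStore *a, int32_t index, index_check_fn check,
                  int32_t *out) {
    if (!check(a, index))
        return false;
    *out = a->elements[index];
    return true;
}

/* The logical array is the middle of this buffer, with marker values on
 * either side (constructed). An out-of-bounds read in this demo therefore
 * returns a marker from the same object, which keeps the demo free of
 * undefined behaviour while showing the read escaping the array. */
#define MARKER_BELOW 0x0BAD0001
#define MARKER_ABOVE 0x0BAD0002
static int32_t backing[] = { MARKER_BELOW, 10, 20, 30, 40, MARKER_ABOVE };

ArrayStore demo_array(void) {
    ArrayStore a = { &backing[1], 4 };   /* elements 10, 20, 30, 40 */
    return a;
}

/* Convenience wrapper over the demo array: the element read, or REJECTED
 * when the chosen check refuses the index. */
#define REJECTED INT32_MIN
int32_t demo_read(int32_t index, bool hardened) {
    ArrayStore a = demo_array();
    int32_t v;
    if (!read_element(&a, index,
                      hardened ? hardened_index_ok : vulnerable_index_ok, &v))
        return REJECTED;
    return v;
}

int main(void) {
    /* Negative index slips past the signed check and reads the low marker. */
    printf("vulnerable check: index -1 read 0x%08X (outside the array)\n",
           (unsigned)demo_read(-1, false));
    /* The same index is refused by the unsigned compare. */
    printf("hardened check:   index -1 %s\n",
           demo_read(-1, true) == REJECTED ? "rejected" : "allowed");
    /* In-range and past-the-end indices behave the same under both checks. */
    printf("hardened check:   index 2 read %d\n", demo_read(2, true));
    printf("either check:     index 4 %s\n",
           demo_read(4, false) == REJECTED ? "rejected" : "allowed");
    return 0;
}
```

The fix is the "additional validation" the advisory mentions in its most compact form: a single unsigned comparison covers both ends of the range, which is why engines favour it on hot paths such as array element access.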
Apple hasn't responded to a request for comment. It's possible that Apple's security team failed to realize the problem reported by Google was not limited to Safari but extended also to WebKit. Still, it seems odd that Apple would not check for that possibility back when this was first reported. If I were a bad guy looking for a way to attack Safari users, I would have definitely been interested in that July advisory.
Web Fraud 2.0: Faking Your Internet Address
One of the casualties from the unplugging of McColo Corp. is fraudcrew.com, a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others.
Fraudcrew, which has not been charged with any crime, offered subscribers a point-and-click way to mask the source of their Internet connections, so that Web sites could not tell the true location of visitors using the service. The site was advertised heavily on Russian online forums catering to computer hacking and identity theft.
There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.
These masking services provide a software program that allows the user to pick from a drop-down list of Internet addresses to proxy through. For example, if a user in Ukraine has stolen the user name and password that Joe from St. Louis uses to access his bank online, that user can simply select a node in the proxy list that's in St. Louis, and the bank site will be none the wiser that the person logging in is not actually in St. Louis.
(I took this screen shot about a month ago, as I was visiting some of the more interesting properties hosted by McColo.)
While people have long used Web proxies to mask their real online location, these services allow the user to be much more specific, said Dave Marcus, director of security research and communications at McAfee AVERT Labs.
"Probably the day after the Internet came around is when people started looking at ways to scrub their real Internet address," Marcus said. "Although this type of technology isn't new, it's the first time I've seen it used like this for obviously criminal reasons."
Fraudcrew's homepage boasted that potential customers should not be put off by previous experiences with other proxy services, and that their solution is unique. From their commercial pitch:
We are glad to present to you our new project which was developing since 2005. It not the another clone of any proxy service, where the first half of proxies are low-speed dial-up users and the other half doesn't work at all. You will not deal with such a problem with the Fraud Crew - Proxy Service. We offer only high speed proxies, easy-to-use service, and complete and high class anonymity.
Our software doesn't use any known public source codes, it is completely unique. Our team members are not some unknown people, we are well experienced people and we know what we do.
Fraudcrew's operations came to a screeching halt on Tuesday, after its hosting provider -- McColo -- was taken offline following the publication of allegations by the security community that McColo was serving as a gateway to organizations engaged in spam activity. (McColo has not been charged with any crime, and has not responded to requests for comment.) But Fraudcrew's owners appeared to have a sizable customer base, so it is likely this service will resurface at another hosting provider at some point.
So Much Spam From One Place?
Washingtonpost.com today published a follow-up story to the pieces we ran last week on the unplugging of a California Web hosting company and the subsequent worldwide drop in spam levels. Today's piece tries to answer the question we heard from so many readers: "How Can So Much Spam Come From One Place?"
Some of the less newsy but just as interesting stuff was cut from the piece for space and story flow reasons. One of those was a section on what security experts think the incident will mean for the evolution of botnet technology and its use by the bad guys:
Security experts worry that botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature.
As the incident in my story demonstrates, botnets that have their control servers at a single hosting provider are at constant risk of being shut down, because that host or the host's Internet providers can always pull the plug. But Storm lacked this single point of failure in part because information relayed by the bot masters about new spam runs to execute or malicious software updates to install could be passed from one bot to the next, without the need for the bots to check in at a central server.
This type of peer-to-peer information sharing technology is not new, but it is still relatively rare to find in spam botnets. The development and public adoption of P2P technology first took off after the recording industry took on music swapping service Napster. Soon after legal pressure from the Recording Industry Association of America (RIAA) forced Napster offline in 2001, a host of P2P software titles and networks sprang up to fill the void, allowing users to share music, movies and files online without ever having to connect to a central server.
Then in January 2007, the Storm worm emerged and quickly became one of the largest botnets ever built, infecting millions of PCs almost overnight. The Storm worm used the "Overnet" protocol, a P2P communications medium that powered the popular Overnet and eDonkey music and file-trading networks.
In late 2006, the Web sites where users could download new copies of the file-trading software for both Overnet and eDonkey were forced offline, once again by the RIAA. Yet the Storm worm was able to continue using the Overnet communications language to pass new updates and communications among infected nodes, until its authors inexplicably allowed the botnet to fizzle out in September.
Adam O'Donnell, director of emerging technologies at Cloudmark, an e-mail security company in San Francisco, says the recording industry was directly responsible for the rapid evolution of P2P technology, and by extension the abuse of the technology by virus writers and spammers.
"The RIAA provided the evolutionary pressure for something that otherwise probably would have taken a lot longer to evolve," O'Donnell said. "If you want to see what the future of botnet command and control infrastructure is going to look like, it will probably be whatever the kids are using to trade music."
Vincent Weafer, director of development for Symantec Security Response, said the success of Storm, combined with so many criminal operations having been burned by the McColo takedown, strongly suggests botnets are going to continue adopting P2P technology.
"This incident will drive the botnet developers toward the continued use of peer-to-peer botnets, which are more resilient to any single point of failure," Weafer predicts.
'Network Identity Theft' Politely Avenged
A massive swath of some 65,536 unique Internet addresses that appear to have been swiped from early Internet pioneers by a convicted spammer has been reclaimed by Internet regulators, Security Fix has learned.
In April, Security Fix reported that a huge block of Internet addresses once assigned to San Francisco Bay Packet Radio -- an organization that was involved way back in the 1970s in testing the predecessor to the global commercial Internet that we all use today -- was being used to send e-mail for a company called MediaBreakaway. That company's chief executive is Scott Richter -- a self-avowed "spam king" who has been sued by a number of the Internet's biggest players -- including Microsoft and Myspace -- for sending spam.
When I was first presented with this information, I put the relevant questions to the American Registry for Internet Numbers (ARIN) -- one of five regional Internet registries worldwide that is responsible for allocating IP addresses. At the time, the ARIN people were very interested in the information I was reporting, but very reluctant to comment about it.
It seems ARIN is still shy. In a posting on Monday to the North American Network Operators Group (NANOG) -- a mailing list frequented mostly by geeks who run ISPs -- ARIN's current chairman left this nugget:
Media Breakaway and ARIN have cooperatively reached an agreement whereby Media Breakaway will be returning to ARIN the legacy address space 134.17.0.0/16 originally issued to San Francisco (SF) Bay Packet Radio.
Media Breakaway will be returning this space upon completion of renumbering to a new IPv4 allocation made based on their qualification under existing policy. ARIN is grateful for Media Breakaway's cooperation in this matter.
Regards,
/John
John Curran
Chairman, ARIN Board of Trustees
Reached by cell phone shortly after his posting, Curran was reluctant to go into much more detail about the agreement, saying that nearly all of ARIN's dealings with any of its members are conducted under binding non-disclosure agreements on both parties.
Critical Security Updates for Firefox, Safari
Apple and Mozilla have each issued updates to fix a large number of critical security flaws in their respective Safari and Firefox Web browsers. The Apple update, which brings Safari to version 3.2, is reportedly causing many users to experience frequent browser crashes.
According to an article Friday at MacFixIt, some of the problems seem related to several Safari plug-ins, including "Concierge" bookmarks manager, "PithHelmet" ad-blocking software, and "AcidSearch" search enhancement software.
Other problems with this update may be related to a new anti-phishing feature built into Safari 3.2 (Firefox and Microsoft's Internet Explorer have had this feature for more than two years now). MacFixIt and other forums suggest those having trouble with the Safari update should disable the phishing filter and see if that helps. If not, check to see if removing any installed add-ons fixes the problem.
While the Safari update fixes more flaws in the version built for Windows (all 11 flaws fixed in this bundle affect Windows vs. just four on the Mac version), I haven't yet seen any reports of major problems with the Windows flavor.
The Firefox patch is an overall "critical" update that corrects at least nine security holes in the browsers. The update brings Firefox 3 users to 3.0.4, and Firefox 2 users to 2.0.0.18. It looks like Mozilla somehow skipped 2.0.0.17, and Mozilla has said that its last update for the 2.0 version would be 2.0.0.19, which is probably due out before the end of the year.
A Closer Look at McColo
Yesterday, we published a story about Web hosting firm McColo being knocked offline after being accused by the computer security community of serving as a gateway to organizations engaged in spam activity.
In trying to get a sense of the activity attributed to McColo, I put together a flow chart, or mind map, showing McColo's relationship to various sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with the excellent and gratis FreeMind software. I've included a screen shot for those who don't have or want this software installed (click on the image to enlarge it).
For those who do have FreeMind installed, check out this file, which allows you to click any arrow in the graphic and view some of the source data for those citations. Others can view the source material at the end of this post.
The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets -- agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart below, which is Internet security firm Marshal.com's current view of the share of spam attributed to the top botnets -- again, click on it to enlarge). In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.
Bear in mind, this is by no means a comprehensive account of the sites and activity that experts say were funneled through this provider: I have redacted some of the data -- for example, the list of domains accused of hosting child pornography. Others, including additional domains allegedly offering fake anti-virus solutions, simply wouldn't fit on the map.
Additional Source Material:
Host Exploit: McColo Cyber Crime
Fireeye: Srizbi & Rustock
Fireeye: Rustock
SecureWorks: Mega-D
ThreatExpert: Pushdo/Cutwail
SecureWorks: Warezov
Matchent: Asprox
Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts
Dancho Danchev: Fake Security Software, Part 9
Dancho Danchev: A Diverse Portfolio of Fake Security Software - Part Eleven
Robtex: McColo Corp. Autonomous System Report
Spam Volumes Drop by Two-Thirds After Firm Goes Offline
The volume of junk e-mail sent worldwide plummeted on Tuesday after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline. (Note: A link to the full story on McColo's demise is available here.)
Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day.
In an alert sent out Wednesday morning, e-mail security firm IronPort said:
In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening.
Spamcop.net's graphic shows a similar decline, from about 40 spam e-mails per second to around ten per second -- if I'm reading that graphic correctly.
A number of other spam-fighters today reported a similar drop in junk e-mail volumes. I heard from a reader named Martin who works at a small hosting facility in Germany. He wrote in after noticing a lack of spam banging on his company's e-mail servers. He sent in this graphic and asked that we not use his full name or identify his employer.
Security Fix reader Ted wrote in to say his small Internet service provider also charted a massive collapse in spam volumes yesterday and into today. Ted, who also requested we use only his first name, writes:
Dear Mr. Krebs,
Thank you for your outstanding contribution to bringing down McColo Corp.
I can clearly see the impact you've had, by looking at the spam graph of the small ISP which hosts the web site [omitted] for me:
The daily 15 minute graph reports the rate of spam over a 29 hour period. Time is UTC. As I write, it is about 12:00 UTC, and detected spam is arriving at less than half the rate of the same time yesterday.
The world saw a similar -- if short-lived -- drop in spam volumes in September, following the demise of Intercage, a.k.a. "Atrivo," another Northern California based ISP that security experts identified as a major source of badness online. In that case, it only took the spammers a few days to find a new home. It seems likely that the same will happen in this case as well, and that this minor victory will be short but sweet.
Nilesh Bhandari, product manager with IronPort, said the company sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday, IronPort saw a huge decline in spam levels. For the 24 hour period ending Tuesday, the company tracked about 112 billion spam messages.
Bhandari said he expects the spam volume to recover to normal levels in about a week, as the spam operations that were previously hosted at McColo move to a new home.
"We're seeing a slow recovery," Bhandari said. "We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."
Major Source of Online Scams and Spams Knocked Offline
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about suspicious activity emanating from the network.
For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.
On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry.
On Tuesday afternoon, I heard back from Global Crossing, one of McColo's major Internet providers. Their spokesman declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.
Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.
Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.
"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."
As of this writing, McColo's Web site is no longer available. In fact, I pinged no fewer than three different researchers who have tracked activity at McColo for many months: None could find a single Internet address assigned to the hosting provider that was still reachable.
Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site before the site was taken offline.
There's more to come with details about this story later tonight or early tomorrow, but I wanted to get this post published before we got scooped on our own story.
Pharmacy Processor Offers $1M Reward to ID Extortionists
Express Scripts, the nation's third largest pharmacy benefits management company, is offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.
The St. Louis-based firm said last week that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on employees from 75 of its customers. The authors also threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said. Express Scripts handles roughly 500 million prescriptions a year for about 50 million Americans.
Since the company has said it has no intention of paying the ransom, the attackers appear to be trying new tactics. Express Scripts said the extortionists have now moved on to directly contacting companies who use their services, by sending letters to the companies, which include personal and medical information of their employees.
Express Scripts spokesman Stephen Littlejohn said the company is still working with the FBI to track down the extortionists, but that there were no new leads to report. He said the new round of extortion demands targeted a "small number of clients and some members for each of those clients," but he declined to disclose how many.
Express Scripts is among the largest pharmacy benefit management firms, which process and pay prescription drug claims. While it doesn't interact with consumers directly, the company's name is printed on prescription cards of health care plans that use its services.
The company has set up a Web site where consumers can go to learn more about the incidents. In announcing the reward today, Express Scripts also said it had contracted with Kroll Fraud Solutions, a New York based risk consulting group, to offer consumers free identity restoration services if they become victims of identity theft as a result of these attacks.
Anyone with information about the extortionists can reach the FBI at 800-CALL-FBI.
Microsoft Patches Four Windows Security Holes
Microsoft today released a pair of security updates to plug at least four security holes in its Windows operating systems and other software. The software patches are available through Windows Update or via Automatic Updates.
One of the patches earned Microsoft's most dire "critical" rating, while the other carries the less severe "important" label. Microsoft assigns a critical rating to vulnerabilities that hackers can exploit to break into vulnerable systems without any help from the victim. Important updates address flaws that usually require the victim to help the exploit along in some key way.
The critical update involves at least three flaws in a key component of Windows called Microsoft XML Core Services. This vulnerability is present in every supported version of Windows, as well as certain versions of Office. The second patch addresses an important flaw in the Microsoft Server Message Block (SMB), a component of Windows used to provide shared access to files, printers, and other communications over a network.
Microsoft says two out of four of the vulnerabilities fixed by these updates were publicly disclosed prior to today, so criminals may already have a head start in figuring out how to exploit them.
As always, please leave a note in the comments section below if you experience any problems after installing these updates.
As it does every Patch Tuesday, Microsoft also updated its "malicious software removal tool," which runs in the background looking for some of the most common strains of malware found on Windows PCs. This month's update includes Win32/Gimmiv, the malware first spotted last month that took advantage of a security hole for which Microsoft recently issued an emergency patch.
VISA to Enforce Payment Card Security in Europe
Update, 1:20 p.m.: A major correction is in order for this story: A spokesman for Visa just contacted me to say that the new deadlines actually apply to all non-U.S. retailers except those in Europe. The spokesman said Visa Europe is its own association and is subject to a different set of timetables. I will update this story with exactly what the European timetables are when I hear back from Visa Europe.
Update, Nov. 15, 1:15 p.m. ET: Visa Europe sent me a lengthy response about their PCI requirement timelines. Stanley Skoglund, Senior Vice President Policy Compliance, said: "Visa Europe has the same philosophy as Visa Inc as regards PCI DSS; everybody in the payment chain must adopt PCI DSS.
"However there are regional differences in the compliance validation regimes and these differences reflect the individual nature of the markets and merchant segments involved."
I have included their entire statement -- which includes specific timetables for Visa Europe merchants -- after the jump.
Original post:
Visa Inc. on Monday dramatically expanded its credit and debit card security requirements to retailers in Europe, an unexpected move that could be a financial boon to security auditing companies, but a huge cost for European merchants already feeling the pinch from the global financial crisis.
The new payment card industry (PCI) mandate (PDF) requires certain on- and offline European retailers to stop storing the data read when the customer's credit or debit card is swiped through the cash register reader. This requirement has applied to U.S. based retailers for years now.
"Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage," Eduardo Perez, head of global data security for Visa Inc., said in a statement.
Retailers included in the new mandate are those that Visa classifies as Tier 1 -- merchants that process more than six million Visa transactions annually -- and Tier 2, which include sellers that process between one and six million Visa transactions a year.
Taken together, these two tiers make up about 80 percent of about 20 million businesses that accept credit cards worldwide.
Avivah Litan, a fraud analyst with Gartner Inc., called the change "a huge announcement," noting that Visa has until now only placed these requirements on U.S.-based merchants. She estimates that European retailers will need to spend between $2 billion and $4 billion to implement the requirements, which take effect in September 2009.
In some cases, merchants may need to upgrade payment card software and hardware. More importantly, they will need to pay outside experts to certify that their systems meet the new standards.
The new requirements are aimed at preventing cyber crooks and hackers from gaining access to more than just the credit card number. Stores will often also keep on file the customer's name, the card's expiration date and digital copies of the very ones and zeros that make up the data stored on the magnetic stripe located on the back of the credit card itself.
This data, if intercepted or stolen (along with PIN codes in the case of debit cards) can be written to the magnetic stripe of fabricated cards, making it easy for criminals to create counterfeit cards that they can then use at Main Street stores to make purchases in the victim's name.
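What the mandate asks merchants to change is what survives the swipe. As an added example for this page, not Visa's or any merchant's or payment vendor's code, the C routine below parses a track 2 record in the ISO/IEC 7813 layout (start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel) and copies out only a masked PAN and the expiry; the discretionary data, which is what makes a cloned stripe usable, and the raw track are never stored. The RetainedCard type, the helper names and the sample track are constructed for the demo; the PAN in the sample is a widely used test number, and the first-six/last-four masking follows the display limit commonly applied under PCI DSS.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What a merchant system may keep after authorization: a masked PAN and the
 * expiry. No full PAN, no raw track, no discretionary data. (Constructed type.) */
typedef struct {
    bool valid;
    char masked_pan[20];   /* first six + last four digits, rest 'X' */
    char expiry_yymm[5];
} RetainedCard;

/* Luhn checksum over a run of ASCII digits; rejects mis-read or garbled PANs. */
static bool luhn_ok(const char *digits, size_t n) {
    int sum = 0;
    bool dbl = false;
    for (size_t i = n; i-- > 0; ) {
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Parse an ISO/IEC 7813 track 2 string ";PAN=YYMMSSS<discretionary>?" and
 * copy out only the retainable fields. Everything after the expiry is read
 * for validation only and never copied, so nothing written from the result
 * can be replayed onto a counterfeit stripe. Returns valid == false for any
 * malformed record. */
RetainedCard retain_from_track2(const char *track) {
    RetainedCard r;
    memset(&r, 0, sizeof r);
    size_t len = strlen(track);
    /* Minimum: ';' + 13-digit PAN + '=' + 4-digit expiry + '?' */
    if (len < 20 || track[0] != ';' || track[len - 1] != '?')
        return r;
    const char *sep = strchr(track, '=');
    if (sep == NULL)
        return r;
    size_t pan_len = (size_t)(sep - track) - 1;
    if (pan_len < 13 || pan_len > 19)
        return r;
    for (size_t i = 0; i < pan_len; i++)
        if (!isdigit((unsigned char)track[1 + i]))
            return r;
    if (!luhn_ok(track + 1, pan_len))
        return r;
    /* Expiry is the four digits right after '=' and must sit before '?'. */
    if ((size_t)(sep - track) + 5 > len - 1)
        return r;
    for (int i = 1; i <= 4; i++)
        if (!isdigit((unsigned char)sep[i]))
            return r;
    memcpy(r.expiry_yymm, sep + 1, 4);
    for (size_t i = 0; i < pan_len; i++)
        r.masked_pan[i] = (i < 6 || i >= pan_len - 4) ? track[1 + i] : 'X';
    r.valid = true;
    return r;
}

/* Yes/no helper: does the track reduce to exactly this masked PAN and expiry? */
bool track2_retains_as(const char *track, const char *expected_masked_pan,
                       const char *expected_expiry) {
    RetainedCard r = retain_from_track2(track);
    return r.valid
        && strcmp(r.masked_pan, expected_masked_pan) == 0
        && strcmp(r.expiry_yymm, expected_expiry) == 0;
}

/* Constructed sample: test PAN 4111 1111 1111 1111, expiry 12/2025 (YYMM),
 * service code 101, made-up discretionary data. */
static const char SAMPLE_TRACK2[] = ";4111111111111111=25121011234567890?";

int main(void) {
    RetainedCard r = retain_from_track2(SAMPLE_TRACK2);
    if (r.valid)
        printf("retained: pan=%s expiry=%s\n", r.masked_pan, r.expiry_yymm);
    else
        printf("rejected: not a well-formed track 2 record\n");
    return 0;
}
```

The point of routing every swipe through a function shaped like this one is that the full track never reaches a log, a database column or a crash dump by accident: the only struct that leaves the read path has no field that could hold it.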
Banks have been among the strongest advocates of these payment card standards, said Litan. When these fraudulent cards are used in stores, it generally becomes the responsibility of the bank that issued the credit card to pay a retailer back for the loss, including both the value of the merchandise and the transaction fee retailers are required to pay Visa to accept its cards.
"VISA has been responding to squeakiest wheel here, which in this case is U.S. card issuers who have been all over VISA because of high rates of counterfeit card fraud," Litan said.
While VISA says some 80 percent of Tier 1 and Tier 2 U.S. merchants that accept credit cards no longer store payment card information, that number is considerably lower among European merchants. Visa declined to share exact numbers, but Litan said only about 5 percent of European retailers are compliant with Visa's new guidelines.
Perhaps the toughest part of VISA's new requirements for European retailers is that they offer no compensation for retailers who have adopted a so-called "chip and PIN" approach, a technology widely implemented in Europe that encodes the data from the magnetic stripe in a computer chip embedded in the card, which is cryptographically signed and cannot be forged. Under such a system, even if the data stored on the card's magnetic stripe is forged, that data will not match the same information stored on the card's computer chip, thereby potentially triggering a warning for retailers.
Unfortunately for many European banks, these cards must also be readable by U.S. retailers that are not equipped to verify the cryptographic data on the chips. As a result, fraudsters who have stolen magnetic stripe data from European retailers merely need to fabricate the cards and ship them to accomplices in the United States, who use them to run up charges at U.S. retailers or to pull money out of local ATMs.
Litan said while European retailers have recently suffered major breaches in which fraudsters have made off with mag stripe data and used it to counterfeit cards that were used in other countries, most European countries do not have the same laws in place as most U.S. states, which require merchants that experience a data breach or loss to report the incident to consumers and in some cases state regulators.
"While European retailers recently have seen a tremendous surge in ATM fraud -- especially cross-border fraud -- the retailers in those countries aren't required to disclose the incidents," Litan said.
Litan said the VISA requirements are likely to be a huge thorn in the side for European merchants who have spent the past few years and billions of dollars implementing the chip-and-PIN approach, as VISA's requirements offer those retailers no leeway or remuneration for adopting that technology. Meanwhile, the United States is among a dwindling number of major nations that have NOT adopted or moved to adopt more physical security on credit and debit cards, she said.
Extortionists Target Major Pharmacy Processor
One of the nation's largest processors of pharmacy prescriptions said Thursday that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.
St. Louis-based Express Scripts said that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on 75 of its customers. The authors threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said in a statement.
The company's chief executive George Paz said Express Scripts has no intentions of paying the extortion demand and said his company is working with the FBI to track down the person or persons responsible for the scam.
Express Scripts is among the largest pharmacy benefit management firms, companies that process and pay prescription drug claims. It handles roughly 500 million prescriptions a year for about 50 million Americans.
The ransom note was delivered through the mail, said company spokesman Steve Littlejohn. However, he declined to say how much money the extortionists were demanding. He added that the company is still trying to determine how the data was stolen.
"We know where the data came from by looking at it, but precisely how it was accessed is still part of the investigation," Littlejohn said.
The company has set up a Web site to give concerned consumers tips on how to protect their identity. While Express Scripts doesn't interact with consumers directly, the company's name is printed on prescription cards of health care plans that use its services, Littlejohn said.
Alan Paller, director of research for the SANS Institute, a Bethesda, Md., based computer security training group, said cyber and data extortion incidents rarely make the news because most victims find it more expedient to simply pay up.
"There are thousands of companies that have already paid off extortionists in return for not having their customers' data exposed," Paller said. "This is especially true in the financial industry, as some banks are now getting more than one new extortion demand per day."
Paller said for years he has been expecting extortionists to begin targeting the health care industry.
"In many ways, this is the perfect extortion target," Paller said. "Nobody is going to want to go to a health care provider if they think their private medical history is going to be revealed to the world online. Hospitals wouldn't have to think too hard about that before paying off an extortion demand."
Graham Cluley, a senior technology consultant for Sophos, a computer security company based in the United Kingdom, said Express Scripts made the right move in contacting the FBI and refusing to pay the ransom.
"Data extortion is not like if your daughter gets kidnapped: Even if something is returned to you, you can never be sure they're not going to carry on taking advantage of the situation," Cluley said. "The bad guys can always just make a copy of what they've stolen, and they can keep on coming back and asking for money, or they can still go and sell the data online."
Researchers Hijack Storm Worm to Track Profits
A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam.
Over a period of about a month in the Spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversion rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam.
The teams at Berkeley and UCSD conducted the experiment by impersonating a key component of the Storm worm network used to hand off instructions from the worm's master control servers to the "worker bots" -- the tens of thousands of infected end-user systems that do all the spamming.
This allowed them to redirect a subset of the spam to virtual storefronts created by the researchers to mimic the pharmaceutical Web sites advertised by the real Storm spam.
The dummy sites were fully functional until the instant a visitor who had loaded up his shopping cart tried to check out. At the step where credit card and shipping information would be entered, the servers were designed to return a site error message, so that the researchers never gained access to anyone's personal information and the buyer was unable to make a purchase.
After 26 days, the Storm worm sent 350 million e-mails advertising the researchers' counterfeit pharmacy sites. Only 28 would-be sales resulted, and all but one of the potential clients ordered male enhancement drugs. The average "buy" from each "sale" was about $100, which would have totaled roughly $2,731 for the researchers.
"Our study interposed only a small fraction of the overall Storm network - we estimate roughly 1.5 percent based on the fraction of worker bots we proxy," the researchers wrote. "Thus, the total daily revenue attributed to Storm's pharmacy campaign is likely closer to $7,000 or $9,500 during periods of campaign activity."
While the researchers hijacked hundreds of millions of Storm worm e-mails pitching knockoff drugs and bogus sites designed to foist malware on unsuspecting users, their actual results were based only on a relatively few missives that actually made it into recipients' in-boxes. The research team estimates that about three-quarters of all e-mail sent by the Storm worm was snagged by junk e-mail filters, ISP blacklists, and other e-mail security applications.
"Under the assumption that our measurements are representative over time, we can extrapolate that... Storm-generated pharmaceutical spam would produce roughly $3.5 million dollars of revenue a year," the team concluded.
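To make that extrapolation concrete, here is an added worked calculation (not the researchers' code) that uses only the figures quoted above: observed revenue per day, scaled up by the proxied share of the botnet, then annualised; the last function asks the inverse question of which proxied share would correspond to a given daily figure.

```python
"""Worked extrapolation of the Storm spam-conversion figures quoted above.

Constructed example: the inputs are the numbers reported in the article;
the functions are an illustration, not the study's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    emails_sent: int          # messages relayed through the proxied bots
    conversions: int          # would-be purchases observed
    revenue: float            # total value of those purchases, USD
    days: int                 # length of the measurement window
    proxied_fraction: float   # share of Storm's worker bots the proxies saw


# Figures quoted in the article for the pharmacy campaign.
STORM_PHARMA = Campaign(
    emails_sent=350_000_000,
    conversions=28,
    revenue=2_731.0,
    days=26,
    proxied_fraction=0.015,
)


def conversion_rate(c: Campaign) -> float:
    """Fraction of sent messages that produced a purchase attempt."""
    return c.conversions / c.emails_sent


def emails_per_conversion(c: Campaign) -> float:
    """Messages needed for one sale (the article rounds this to 12 million)."""
    return c.emails_sent / c.conversions


def observed_daily_revenue(c: Campaign) -> float:
    """Revenue per day seen through the proxied slice alone."""
    return c.revenue / c.days


def estimated_daily_revenue(c: Campaign) -> float:
    """Scale the observed slice up to the whole botnet."""
    return observed_daily_revenue(c) / c.proxied_fraction


def estimated_annual_revenue(c: Campaign, active_days: int = 365) -> float:
    """Annualise, assuming the campaign runs on every one of active_days."""
    return estimated_daily_revenue(c) * active_days


def fraction_implied_by(c: Campaign, daily_revenue: float) -> float:
    """Inverse: which proxied share would make the slice imply this daily figure?"""
    return observed_daily_revenue(c) / daily_revenue
```

Plugging in the article's numbers gives about $7,000 per day at the 1.5 percent estimate; the $9,500 figure corresponds to a proxied share of roughly 1.1 percent, and the annual total depends entirely on how many days the campaign is assumed to be active.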
Still, the researchers acknowledge their figures don't take into account perhaps the most profitable aspect of the pharma spam business: The repeat customer who comes back time and again to purchase refills.
The study also presents alarming evidence of just how many people actually click on links in unsolicited e-mail, a key propagation method used by much of today's malware.
According to their research, about ten percent of those who clicked on the link designed to spread the malware ended up running and installing the malware. Again, extrapolating out from their limited access to the Storm botnet, the researchers concluded: "By the same logic, we estimate that Storm self-propagation campaigns can produce between 3,500 and 8,500 new bots per day."
To determine Storm's spread rate, the research team hijacked e-mails that Storm sent as part of its daily campaign to infect new machines. The researchers redirected about 120 million of these propagation e-mails to their own fake download sites, which merely recorded the number of visitors who actually clicked the link.
"One in 10 people clicking through to receive the malware is a pretty sobering number," said Stefan Savage, associate professor in the systems and networking group at UCSD and one of the lead researchers on the study. "That suggests that the ability of the worm's authors to grab even more victims is little more than a marketing issue."
A copy of the academic paper is available here (PDF).
Malware Piggybacks on Obama Win
Cyber criminals are blasting out massive amounts of spam touting a video of President-elect Barack Obama's victory speech. Recipients who click the included link are taken to a site that prompts visitors to install an Adobe Flash Player update. The bogus update, however, is actually a data-stealing Trojan horse.
The messages, with subject lines such as "election results winner," "the new president's cabinet?", and "fear of a black president," direct recipients to a site featuring a picture of Obama beneath an official U.S. government seal and the domain name america.gov (the real domain names used to host these fraudulent sites appear to differ from message to message). Beside Obama's visage is an embedded video player that reads "loading player." A few seconds after the site loads, the visitor is prompted to download the malware, disguised as "adobe_flash9.exe".
Anti-virus firm Sophos says this piece of malicious software represents as much as 60 percent of all the malicious spam seen in their labs today. According to an analysis by computer security software maker F-Secure Corp., the malware is a data-stealing Trojan horse that uses a rootkit to hide itself on the host PC.
Patrik Runald, chief security advisor at F-Secure, said detection of the malicious plug-in by various anti-virus engines is sorely lacking at the moment. According to a scan of the malware at Virustotal.com -- which scans any submitted files against three-dozen anti-virus products -- only 14 out of 36 products detected the file as hostile.
"This is not a big surprise, but it was done relatively quickly [after the election]," Runald said of the e-mails advertising the malware sites, which first went out around 10 a.m. PT today. "I'd say this will be fairly successful, given that a lot of people are interested in the election, obviously."
If you receive any of these messages, please just delete them. While it's nice that this scam actually purports to offer the latest, most secure version of Flash, this kind of ploy is further evidence of why it's always a good idea to avoid updating your software and browser plug-ins from anywhere but the software vendor's official Web site.
Adobe Issues Critical Acrobat, Reader Updates
Adobe has issued a software update to fix at least eight security flaws in its Acrobat and Adobe Reader applications that, if left unpatched, could be used by attackers to take control of vulnerable systems, the company said. The vulnerabilities affect Acrobat and Reader versions 8.1.2 and earlier.
Adobe characterizes this as a "critical" update -- its most serious rating -- meaning the flaws could let an attacker run and install malicious software on a victim's computer without the victim's knowledge.
Updates are available for Reader versions on Microsoft Windows, Linux/Solaris and Mac OS X.
The software maker says users with Adobe Reader 8.0 through 8.1.2 who can't update to Adobe Reader 9 should update to Adobe Reader 8.1.3, and that the latest full versions of both products, Adobe Reader 9 and Acrobat 9, are not vulnerable to these issues. Links to updates for different versions of Acrobat are available in Adobe's security advisory.
Adobe adds that it is not aware of any reports that these issues are being exploited in the wild. Rather, all were privately reported to the company. Interestingly, six out of eight of the flaws were reported to Adobe by researchers who sold the information to vulnerability management firms like iDefense and TippingPoint.
These companies and others that buy up vulnerability findings from researchers, yet also manage the notification of the affected vendors, often have been criticized by many in the security community for cashing in on security flaws. Like it or not, however, the research these firms purchase is making up an increasing share of the flaws fixed in a number of major commercial software updates.