Tracking the Password Thieves
The Washington Post today ran a story I wrote about an epidemic of data theft being fueled by password-stealing viruses and phishing attacks. In some ways, the story behind the reporting that went into the piece is just as interesting, so I'd like to share a few of those details.
I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.
Using a custom-built application that makes use of the Google Maps API, I was able to chart the approximate locations of the victims. This was possible because at the beginning of each record was the virus's best guess of the longitude and latitude of the infected computer's Internet address. This so-called "geo-IP" process is far from perfect: Sometimes these automated guesses are disturbingly accurate, and other times they are miles wide or completely wrong.

The approximate location of the 3,221 U.S. residents victimized by this virus (Data gathered by washingtonpost.com; image courtesy Secure Science Corp. and Google).
Scammers collect information about the location of their victims because it becomes useful when they want to conduct fraud with a hijacked credit or debit card account. The idea here is to evade a key component of fraud detection in the financial industry -- transaction location tracking. If Joe in Georgia starts suddenly withdrawing money or making purchases in Nigeria or Europe when his last transaction was an hour earlier in Atlanta, Joe's bank is going to flag the transactions as fraudulent and in all likelihood cancel the card.
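The transaction-location check described above, written out as an added example (this is not code from the original post or from any bank's fraud system). It computes the great-circle distance between consecutive card transactions and flags any pair whose implied travel speed is physically implausible; the Atlanta and Lagos coordinates and the 900 km/h threshold are constructed sample values, and the "Joe in Georgia" sequence is the post's own scenario turned into data.

```python
"""Transaction-velocity ("impossible travel") check of the kind the post describes.

Added example, not code from the original post. It shows why a bank would
flag a card used in Atlanta and then, an hour later, in Lagos, and, by
contrast, why a follow-up transaction a few miles away passes unnoticed,
which is the reason the thieves bother to record each victim's geo-IP guess.
All transactions below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Fastest plausible legitimate travel between two card-present transactions
# (roughly airliner speed). Assumed threshold, not a value from the post.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Transaction:
    when: datetime
    lat: float
    lon: float
    label: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_implausible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return the labels of transactions whose implied speed from the
    previous transaction on the same card exceeds max_kmh."""
    ordered = sorted(txns, key=lambda t: t.when)
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        if hours <= 0:
            # Identical timestamps: any distance at all is implausible.
            if dist > 0:
                flagged.append(cur.label)
            continue
        if dist / hours > max_kmh:
            flagged.append(cur.label)
    return flagged


# Constructed sample data. Coordinates are approximate city centres.
T0 = datetime(2007, 1, 19, 9, 0)
ATLANTA = (33.749, -84.388)
LAGOS = (6.5244, 3.3792)
MARIETTA_GA = (33.9526, -84.5499)  # about 17 miles from downtown Atlanta

# Joe's card: ATM withdrawal in Atlanta, then a purchase in Lagos an hour later.
SUSPICIOUS_SEQUENCE = [
    Transaction(T0, *ATLANTA, "atm-atlanta"),
    Transaction(T0 + timedelta(hours=1), *LAGOS, "pos-lagos"),
]

# Same card, but the second transaction stays within the victim's home area.
NEARBY_SEQUENCE = [
    Transaction(T0, *ATLANTA, "atm-atlanta"),
    Transaction(T0 + timedelta(hours=1), *MARIETTA_GA, "pos-marietta"),
]

if __name__ == "__main__":
    print("flagged (suspicious):", flag_implausible_travel(SUSPICIOUS_SEQUENCE))
    print("flagged (nearby):   ", flag_implausible_travel(NEARBY_SEQUENCE))
```

Real fraud engines combine this velocity rule with many other signals (merchant category, amount, device fingerprint), but the location check alone is enough to explain why a thief who knows a victim lives in Georgia has a reason to route the purchase so that it appears to originate nearby.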
I contacted about three dozen victims whose phone numbers I could find in this data cache, which included records of when and where victims went on the Web, and any credentials they used to access Web sites. The victims ranged from Myspace-browsing youngsters to credentialed "security experts" who claimed to be doing everything they should to keep a Windows PC healthy and virus-free.
The approximate location of the Washington, D.C. area residents victimized by this virus (Data gathered by washingtonpost.com; Image courtesy Secure Science Corp. and Google).
The victim I led the story with works as an engineer for the Architect of the Capitol. On Jan. 19, the scammers tried to use his stock investment account to purchase thousands of shares in a penny stock for an adult entertainment company (AVTR.PK). This activity was directly related to a "pump-and-dump" scam, where the bad guys use spam to tout the value of small-cap stocks that they've just invested heavily in with someone else's money; when the price goes up, the crooks sell off their shares, flooding the market with the stock, which usually causes anyone who has heeded the advice of the spammers to lose any money they invested.
One guy on the list is from Massachusetts and works in computer security for IBM. Another young man from Texas was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)
Another computer compromised by the virus belonged to a man in the D.C. area who works for the Federal Energy Regulatory Commission, which is part of the Department of Energy. Another machine in New York belonged to a woman working in the new accounts department at Bank of America (this wasn't her home computer; this was her PC at work.) Running some reverse lookups on the list of IPs produced more interesting results: Two of the machines were at biotech giant Amgen; another pair of keylogged PCs were inside of pharmaceutical maker Merck; still another belongs to the Massachusetts District Attorneys Association.
This graphic shows the Internet Service providers with the greatest numbers of victims affected by this virus. Taken together, these 14 ISPs accounted for about 80 percent of the victims. (washingtonpost.com)
Further analysis of the data showed that it contained a large batch of medical patient information, including date of birth, SSNs, credit card numbers, and so on. The data was stolen from the computer of Biram Chapman, founder of Vidalia, Ga.-based Chapman Healthcare Services. The company had Symantec's Norton Anti-virus software installed, but the virus that infected his machine disabled the program's ability to download updates.
My analysis also turned up login information for Accurint.com, a consumer database company used by many police departments and investigators to track down individuals. Imagine the damage an identity thief could do from looking up the Social Security numbers and other sensitive data on as many Americans as he wants. Fortunately, I was able to get in touch with the gentleman who owned the Accurint credentials, an investigator with an Alabama district attorney's office, who changed his password before the thieves had a chance to use the account.
Some of the victims I spoke with acknowledged they were slacking in some measure needed to keep their Windows computer safe online, but others insisted their machines got infected even though they were doing all the things experts recommend, such as using a firewall and up-to-date anti-virus software, and applying security updates from Microsoft when they are released.
This brings up a good point: Don't download files of questionable origin or click on e-mail attachments willy-nilly. I scanned this particular virus against three free anti-virus tools at least three weeks after the malware first appeared, and none of them detected it as malicious.
Finally, it's important to bear in mind that while 3,221 victims may not sound like a great deal, we're talking about the damage done just to US-based victims through one piece of malicious software. There are thousands of versions of these password-stealing viruses in use today. Also, it appears that most victims of this virus infected their machines after opening a poisoned e-mail attachment (although the bad guys may well have distributed this malware via other means.) I cannot overstate the importance of Windows users being extremely cautious about opening unexpected attachments in e-mails, even if they appear to come from someone you know. When in doubt, fire a quick e-mail back to the sender to ask whether they really meant to send you the attachment.
So how did I find the stolen data online? I found it by scanning a piece of malware containing the crafty virus that I received via e-mail. I submitted the malicious software to the Norman Sandbox, which attempts to deconstruct malicious programs and provide information about any lines of communication the malware tries to establish online. In this case, the scan showed that the malware tried to transmit data stolen from infected machines to a Web site in Germany. Sunbelt Software's "malware sandbox" was equally helpful in understanding how this virus worked.
By Brian Krebs |
March 14, 2007; 12:01 AM ET
Categories: Fraud, From the Bunker, Latest Warnings, Misc., Safety Tips
Posted by: Tom Saxton | March 13, 2007 10:27 PM
Brian, you are my hero. Keep up the great sleuthing!
Posted by: William | March 13, 2007 10:36 PM
Nice article, it is always interesting to read about real cases.
I do not use Windows anymore just because there are so many viruses around. Linux live CDs are nice to use after some modifications; without a hard drive and copying the filesystem to RAM I feel safe ;-)
Posted by: Slacker | March 14, 2007 5:06 AM
"but others insisted their machines got infected even though they were doing all the things experts recommend, such as using a firewall and up-to-date anti-virus software, and applying security updates from Microsoft when they are released."
Does this mean that they were infected with an unknown 0-day exploit, or that they opened some virus attachment, or downloaded some bad software?
Posted by: Moike | March 14, 2007 6:20 AM
Moike -- From the piece: "Also, it appears that most victims of this virus infected their machines after opening a poisoned e-mail attachment (although the bad guys may well have distributed this malware via other means.) I cannot overstate the importance of Windows users being extremely cautious about opening unexpected attachments in e-mails, even if they appear to come from someone you know. When in doubt, fire a quick e-mail back to the sender to ask whether they really meant to send you the attachment."
Posted by: Bk | March 14, 2007 8:07 AM
Someone correct me if I'm wrong, but isn't this yet *another* instance in which the damage from the poison pill would have been greatly mitigated if the persons concerned (assuming that they were running Win 2000/XP) used limited accounts for day to day activities as Bk tirelessly has advocated?
This admonishment remains that the single best piece of advice I have seen for a user of Windows.
Posted by: Tjohn | March 14, 2007 8:24 AM
Heads up, submitted to Slashdot.
Posted by: wiredog | March 14, 2007 8:24 AM
Quick addendum - Judging from the times listed for the post it looks like the server hasn't had the DST patch run on it :)
Posted by: Tjohn | March 14, 2007 8:26 AM
Tjohn- that's correct. The company that provides the blog infrastructure for us is aware of it and I'm told going to fix it shortly.
Posted by: Bk | March 14, 2007 8:28 AM
As Brian wrote: "I scanned this particular virus against three free anti-virus tools at least three weeks after the malware first appeared, and none of them detected it as malicious."
It is possible to get infected even when you have done everything you think you should. That's why it's important to have layers of protection and not just depend on any one silver bullet. One such layer that's specifically designed to defeat keyloggers is KeyScrambler, which is a browser plugin that encrypts keystrokes in the Windows kernel and decrypts them once they reach the browser. (Full disclosure: I work for the company that developed it.) A free version is available and protects all logins in the browser. Doing a Google search for KeyScrambler should lead you to a download.
Posted by: Qian Wang | March 14, 2007 8:34 AM
To: O snova obranto
I'm still following you. You may have left that one site, but I'll find where you are hiding now.
Posted by: David | March 14, 2007 9:07 AM
Is "Qian Wang" for real? I'm suspicious. This person writes "... I work for the company that developed it ... Doing a Google search for KeyScrambler should lead you to a download."
Why would a legitimate employee/company tell people to do a google search for their product instead of providing a direct URL to their company's legitimate web site? Seems suspicious to me.
I suggest people use extreme caution with KeyScrambler.
Posted by: Concerned | March 14, 2007 9:12 AM
Brian,
Just three antivirus products! Have you tried virustotal.com? As of last week an upload could be scanned by 30 different products. When looking at malware, VirusTotal is the place to check when you think a file is suspicious.
Lagrandefoote
Posted by: lagrandefoote | March 14, 2007 9:19 AM
In the main, less technical Post article, the comment that "Hoyler's bank told him in January that someone had tried to wire money out of his account. Days later, Fidelity Investments notified him that someone tried to use his log-in information to purchase" implies that someone tried and was unsuccessful in logging in or executing the wire transfer and trading order.
Could you explain why the transfer and trade were not successful? If the thieves had the user name and password from a key logger, why were they unsuccessful?
Posted by: Joe | March 14, 2007 9:26 AM
How many security holes came from wi-fi?
Posted by: dfc | March 14, 2007 9:35 AM
I suspect this is only the tip of the iceberg so to speak.
Even though a computer system can be setup with layers of protection, the most important layer is the user! Either many users simple don't care or have no clue. In defense of users though, it must be said how increasingly savvy one must be these days to avoid these pitfalls. Part of the problem is human nature. The bad guys know this and exploit it!
Finally, it must be stated again and again ad nauseam, DO NOT RUN AS ADMINISTRATOR!
Helpful starting point (but add the above tip to the list):
http://www.bytecrime.org/security_center/tip_sheets.html
Posted by: TJ | March 14, 2007 9:52 AM
To "Concerned":
Yes, I'm for real and so is KeyScrambler. The reason I didn't provide a URL is that including a URL can often come across as blog spamming.
The company is called QFX Software and you can go directly to www.qfxsoftware.com to find KeyScrambler. It is also the first result if you Google for KeyScrambler. I agree with your suggestion of caution when downloading anything online. And if you do download KeyScrambler, please verify that it is digitally signed by QFX Software before you install it (for version 1.2.0 and later).
Posted by: Qian Wang | March 14, 2007 9:58 AM
Joe -- Fidelity most likely stopped the purchase because it raised red flags (the company may have seen that the very same day spam went out touting that stock (see the link to ATVN.PK in the blog post above). Perhaps Hoyler doesn't normally buy many thousands of shares in little-known penny stocks. Increasingly, the online trading companies are turning to many of the same fraud detection mechanisms long used by the credit card industry.
Posted by: Bk | March 14, 2007 10:11 AM
I noticed that a large number of people use Comcast as a provider. I'll assume it was a Comcast HighSpeed connection. Did any of the affected people have a 3rd party hardware based firewall?
Posted by: Charles | March 14, 2007 10:30 AM
Wouldn't that just defeat the purpose of online trading, where a seconds delay could cost you thousands of dollars?
Having to verify who you are after you click the "Trade" button could be VERY 'dangerous' to the investor.
Posted by: Elan Hasson | March 14, 2007 10:35 AM
My question is when are corporations going to be held to a higher standard when holding onto our personal data.
They are only the data stewards, not the data owners.
WE are the data owners and WE must demand better from them!
WWW.SECURITYRANTS.COM
Posted by: Mark Reinertson | March 14, 2007 10:40 AM
It's time to cut off communications with 'eastern europe'; do it under the guise of 'war on terror' and just nuke a few server farms.
Posted by: Colm | March 14, 2007 10:53 AM
What about computers with GNU/Linux OS?
Posted by: guayape | March 14, 2007 11:04 AM
People put way too much faith in AV and firewalls. Firewalls are not a magic bullet (neither is AV). You need them, and I suggest you use them, but be cautious. Common sense goes a long way. AV engines are tasked with an increasingly complex task. Rinbot had what - ~7000K variants within a few days? Signature based AV will be going away (I think) in favor of some other classification methods (perhaps Bayesian probability and better local sandboxes). Some AV vendors have been pretty good at writing their sigs to catch these zero day mutations. Also, I'm not preaching products here, but eset.com (NOD32) is actually a decent AV scanner (very lightweight) and good coverage. No, I don't work for them :-)
Oh, with regards to GNU/Linux, *BSD, OSX... common sense still goes a long way. Don't operate as root/administrator (unfortunately that happens way too much still). Listen to what BK is saying, he makes a lot of sense.
Posted by: Wingnut32 | March 14, 2007 11:38 AM
"One such layer that's specifically designed to defeat keyloggers is KeyScrambler, which is a browser plugin that encrypts keystrokes in the Windows kernel and decrypts them once they reach the browser."
Just another reason to consider moving to OSX. This functionality is already built in to the OS.
Posted by: Don't Know It All | March 14, 2007 12:25 PM
This is all very scary stuff Brian Krebs is reporting on. Who doesn't do online banking & payment these days; and can fall victim to identity theft?
I'm afraid for people like my mother who aren't too computer literate. People like her get fooled into opening e-mail attachments regardless of what they're told.
Posted by: Computer User 10 | March 14, 2007 12:33 PM
What aboot rootkits?
Posted by: Gip | March 14, 2007 12:46 PM
Every time I tell someone at a business that I do not want to use a credit card online, they give me a big lecture about how safe their system is. I always tell them it only takes one ticked off employee in the right job. Not only do we have to worry about them, but stolen laptops, virus s/w, and other scams. How about me changing my passwords every day? Would that help?
Posted by: Lou Jones | March 14, 2007 1:07 PM
I worked at an Internet services/development company when the *I Love You* virus hit in May 2000. Our tech team had always been incredibly diligent about virus protection and education, knowing that our business made us unusually exposed. But that did not stop some of our employees from clicking on the attachment anyway, which spread the virus through our company like wildfire. What killed me the most about this is that a day after our tech team had finally repaired the damage after redoubling our antivirus protection, sending out a company-wide e-mail along with talking to everyone at an All-Hands meeting AND checking every single computer for traces of the virus [not to mention the national news coverage the virus got], one of the original sources of the infection inside our company opened the attachment AGAIN! From that moment on I realized that I can do all that I can at home to protect my computer, but one idiot at any company that holds my personal information puts me at risk. I do everything I can to minimize my own risk - including trying to determine how responsibly they take their security - but in this wired society there is little I can do to protect my personal information from the inadequacies of others. Actually, you can probably say that about a lot of things, not just personal info ;)
Posted by: Chasmosaur | March 14, 2007 1:10 PM
Very nice and informative article, Mr. Krebs.
Thanks,
Brad
Posted by: B Johnson | March 14, 2007 1:26 PM
Yes... Legislators must issue a law in order to obligate, sanction and fine banking and credit card institutions, etc., in order to make and provide more secure systems for their clientele (we the people).
They are the ones with the power and (our) money to pay for it.
Why not contract Bill Gates and their kind of brains and money???
Do you know if he has credit cards and passwords like any of us?
What does he think about this?
Why is everybody afraid of going after these mega rich monster institutions?
Or is it for certain... legislators and judicial authorities, as well as the administration, have obscure interests in defending these monsters against the defenseless people of America and the free world???
Does someone have a better idea???
Posted by: Mario David | March 14, 2007 1:32 PM
Why does operating as ADMINISTRATOR leave you open to theft?
How do you avoid this?
Please explain for us.
Posted by: advisor7 | March 14, 2007 1:42 PM
Paranoia, trust, integrity, and risk management.
These are terms that always come to mind in all aspects of our lives. Too much or too little of any or each of these items can have dramatic effects.
The right balance of these used to be called common sense! Sadly, it seems to be in great decline these days.
Because of the information age we now live in, all it takes is one person in the right position that lacks "common sense" to counter all measures of risk management!
Any system or society is only as strong as its weakest link.
The really scary aspect to all of this; the weak links appear to be growing and taking over without much consequence!
Posted by: Stupid is as stupid does | March 14, 2007 2:11 PM
advisor7- see my past blog posts on setting up your machine to run under a limited user (non-admin) account:
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
http://blog.washingtonpost.com/securityfix/2006/04/windows_users_drop_your_rights.html
Posted by: Bk | March 14, 2007 2:12 PM
@advisor7
The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other "undesirable" code finds its way to one of those programs, it also gains unlimited access. A corporate firewall is only partial protection against the hostility of the Internet: you still browse web sites, receive email, or run one or more instant messaging clients or internet-connected games. Even if you keep up to date on patches and virus signatures, enable strong security settings, and are extremely careful with attachments, things happen. Let's say you're using your favorite search engine and click on a link that looks promising, but which turns out to be a malicious site hosting a zero-day exploit of a vulnerability in the browser you happen to be using, resulting in execution of arbitrary code. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privs. If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead. But if you're running as admin, an exploit can:
*install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
*install and start services
*install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
*access data belonging to other users
*cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
*replace OS and other program files with trojan horses
*access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
*disable/uninstall anti-virus
*cover its tracks in the event log
*render your machine unbootable
*if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well
*and lots more
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx
Posted by: TJ | March 14, 2007 2:20 PM
great article brian! thank you tj for your recommendation -- it makes perfect sense now that you mentioned it.
Posted by: egalitaire | March 14, 2007 2:30 PM
Great tale, Brian -- but you promised to tell us how you obtained the stolen data, and you only told us how you located it. If it doesn't close down "sources and methods" you'll need in the future, I'd love to hear how you obtained access to "a file in a master database at a Web site controlled by the attackers."
Meanwhile, you -- and other readers fascinated by your article and post -- might appreciate Uriel Maimon's new blog post describing Trojans used in financial malware and why they don't yet get serious attention from the AV scanners. See: http://www.rsa.com/blog/entry.asp?id=1175
Uriel is a malware researcher for RSA, part of EMC, for which I also do consulting. In his latest blog post, Uriel mentions in passing the recent recovery of logs for the "BankSniff" Trojan which showed that 30,000 individuals had been infected in one month.
Uriel, who works closely with many large US and international banks, reported that *none* of the banks (which were presumably being hit with active attacks using the stolen credentials) had yet realized that there was a new Trojan in play when the Banksniff database was recovered.
As for the consumers whose machines had been infected, and whose accounts were being bled -- well, Blessed are the Innocent....
(Uriel, like you, unfortunately doesn't reveal any details about how he, or at least some whitehat, recovered the Banksniff database. Sigh. I realize that my curiosity about your methods may remain unquenched. That, I suppose, is endurable so long as you keep coming up with great articles like this. Go get'em, Bk!)
Suerte,
_Vin
Posted by: Vin McLellan | March 14, 2007 2:53 PM
Yahoo/Verizon.net has started to close e-mail addresses (a DSL customer can obtain up to six without charge) if they are not used during a set time period. They are also limiting the amount of daily e-mail transfers within a certain time. Their system might not be perfect, but I feel they are trying to do something about the excess spam being generated within their domain of customers, which might help against the phishing scams being created.
Posted by: joseph | March 14, 2007 3:53 PM
I have a wildly novel idea: Hold software makers liable for their product. You wanna see the software industry turn around in a hurry? The ground would shake if software vendors could be sued for their product.
People complain that the software industry seems to evade engineering oversight, but that's because the consequences of shipping buggy software out the door are none. The consequences of slowing the product out the door to produce secure and reliable product: potentially bankrupting.
So, if all vendors are responsible for their work, the field becomes level. It's mind blowing that the software industry is not held to account. That would be like Ford not being responsible for the safety of their cars.
And, in case anyone is interested: I am a software engineer and this wisdom is spoken from experience.
Would this "chill" innovation? I suppose the fast and loose mentality would have to go, but the uncertainty would be gone too.
I am also perplexed as to why EULAs are not challenged in court. Imagine if all the users of IE filed a class action suit against MS......... imagine.
Christian Bongiorno
Posted by: Christian Bongiorno | March 14, 2007 4:00 PM
A good classification can really help with threat elimination. What names are given to the malware referenced in your article? Did your AV tools with current signatures or the sandbox services provide any clues?
Also, many banks now use authentication mechanisms designed to defeat or flag replay of stolen credentials. The correct user name and password may be OK, but the response to time-based challenge, for example, may have been what alerted some of the banks to the fraud.
Great work!
Posted by: Don Jackson | March 14, 2007 4:34 PM
A very large portion of these problems would be eliminated if Windows/Outlook did not support automatic execution of active content. It shouldn't be possible to open one's system to malware with a single click or keystroke. Useful active content is rare, and requiring a user to double-confirm a requested permission in those rare instances would be cheap.
Posted by: Rich Rostrom | March 14, 2007 5:58 PM
That's it, I'm moving to South Dakota, where those password stealing hackers can't get me! (See the map.)
Posted by: movin' | March 14, 2007 6:01 PM
A cool technology (that friends of mine work on) is zero-hour virus filtering of e-mail. If they start to see questionable mail but there isn't an exact virus match, they hold onto it and trigger more analysis. At worst, the mail just gets delayed for a while. At best, it can find/stop viruses before they have had time to spread.
http://www.proofpoint.com/products/zerohourav.php
Posted by: Dan Christian | March 14, 2007 6:04 PM
After receiving an attachment from someone you know, instead of firing back a quick e-mail to ask if they meant to send it, as Brian Krebs suggests, you could tell the main people you communicate with by e-mail to: whenever sending an e-mail put something in the composition that identifies you as a friend, such as starting out every composition with an asterisk, or some other bit of identification that you all can agree on. That way you'll know that it was sent by him/her intentionally. Of course he could still unknowingly be sending you an attachment that's infected.
Posted by: robwin | March 14, 2007 7:05 PM
Question: Did you collect any information on the numbers of what kinds of systems were involved, i.e. the various flavors of Microsoft Windows and Macs and Linux? I didn't see any information in the article about that.
It would have also been interesting if you had divided the number of infected systems by the number of customers that each of those ISPs have to see if any ISP stood out as being particularly bad or good.
Jeff Barry
Posted by: Jeff Barry | March 14, 2007 8:17 PM
I'm pretty lazy, I'll admit, so this article just helps justify why I use linux. (http://www.kelvinism.com/tech-blog/one-more-point-linux/)
Posted by: Kelvin Nicholson | March 14, 2007 9:51 PM
Uh, what about those 3221 users with their secrets out in the open?
How does one find out if they're on the lucky list?
Who has the responsibility to inform each of those individuals of their predicament?
Posted by: Ben Chu | March 14, 2007 10:35 PM
Is it really ok to name the victims and the companies they work for in an article such as this?
Posted by: E.N. | March 15, 2007 12:48 AM
Brian: Great story!
What's being done to track down and prosecute these cyber-crooks? I've read that many of them have set up overseas. Are some foreign governments (e.g., Nigeria) actually in cahoots with these criminals because they get a percentage of the "take"?
The only way these attacks will ever stop is when the spammers start going to prison. If this means "redesigning" the Internet with secure/traceable IP addresses, then I say let's get on with it.
Posted by: Manfred Gutenabend | March 15, 2007 12:59 AM
There is nothing unusual about finding large data bases of compromised accounts.
What's unusual is finding an informative piece about it publicly available that the normal user can understand.
Thanks BK.
Your bank or credit card company doesn't want you to understand the scale of the problem.
They will not tell you the details or extent of your data compromise.
They will not look out for their customers' interests until it's legislated they do so.
The scammers often leave the cache of compromised account data lying around on the compromised server in hidden directories until they can mail them off to their gmail or whatever accounts.
Trailing the criminals might at times include remote access exploits where one gains access to the server using the same backdoors the phish crew installed.
Shadowing them while they work is informative to say the least.
The sad part is their victims are often those who can least afford to take a hit, an elderly widow living on Social Security and the young struggling single mother with a special needs child are two that come to mind when reminiscing on those I've contacted.
Posted by: R. Morris | March 15, 2007 1:09 AM
Ben -- Great question! And that's precisely the dilemma I looked at in the story this blog post goes with:
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/13/AR2007031301522.html
Posted by: Bk | March 15, 2007 7:43 AM
> What about computers with GNU/Linux OS?
These types of scams are mostly based on viruses (which are reliant on manual intervention on the part of the user), not worms (which propagate automatically and need a hole in the OS or applications).
Executable based viruses are as easy to build on Linux as on Windows. Data embedded viruses (where the virus travels as payload inside a transmitted document) are dependent on document format support, so since Windows users tend to use the most common formats and applications they are more vulnerable in general.
If a Linux user is using emulation, virtualization or some other type of Windows compatibility technique, they are equally as vulnerable to a Windows based virus as a native Windows user.
And there ARE Linux based viruses. They are just less frequent, given the smaller population. So don't lower your guard. Everyone needs to be alert against crooks.
Posted by: Herby | March 15, 2007 8:50 AM
So, as a novice my question is ... would typing my password/account number, etc. in Word or Notepad and then pasting it onto the site avoid the stealth programs that intercept passwords by capturing keystrokes?
Thank you for these articles!
Posted by: greenid1 | March 15, 2007 9:31 AM
GreenID1 -- If your PC were infected with a keystroke logger? Probably not. The reality is that most malware classified as keystroke loggers are in fact "form grabbers," meaning they swipe whatever information is passed when you hit the "submit" button on a Web site.
Posted by: Bk | March 15, 2007 9:39 AM
Thank you, Brian.
Where would we be without you!
Posted by: greenid1 | March 15, 2007 9:56 AM
Excellent work, Brian! Keep up the good work. Keep tracking those criminals.
Posted by: Sala | March 15, 2007 10:03 AM
I wonder if it is simply too risky to do any financial transactions on the Internet.
Posted by: Richard | March 15, 2007 10:04 AM
Christian Bongiorno:
"I have a wildly novel idea: Hold software makers liable for their product. You wanna see the software industry turn around in a hurry? The ground would shake if software vendors could be sued for their product.
People complain that the software industry seems to evade engineering oversight, but that's because the consequences of shipping buggy software out the door are none. The consequences of slowing the product out the door to produce secure and reliable product: potentially bankrupting."
Honestly, it sounds like a good way to actually cripple the software development community. Not every software developer is a large multi-billion dollar corporation. In fact, I'd hazard to say that MOST software developed, and most software developers that develop it, are unpaid, or develop freeware, shareware or release under the GNU/GPL license. Holding these people financially or legally responsible for the stupidity of the user base is unfair, and could be extremely damaging.
People need to learn to take personal responsibility for their actions. Most people know better than opening attachments, but many still do. That's like wanting to sue the electric company because you were stupid enough to stick your fingers in the light socket. Please.
This is a good article, but you have to be careful with telling people that they need to go back to the classroom. Sometimes people make mistakes. That's what makes people human. There isn't a "security expert" on the planet that hasn't been tricked at one point or another. There hasn't been one OS that hasn't been infected at one point or another. People just need to be careful, and learn not to trust anyone with their personal information.
-Tomcat
Posted by: tomcat | March 15, 2007 4:50 PM
>>I cannot overstate the importance of Windows users being extremely cautious about opening unexpected attachments in e-mails, even if they appear to come from someone you know.
With Vista and the new Windows Mail, Microsoft had a golden opportunity to prevent Windows instances from being trivially compromised when users open executable attachments "willy-nilly" -- namely, a factory-default policy of denying execute permission on all files in the default attachments folder to all users except (of course) Administrator -- without having to critically depend on the new blocking features in Windows Mail, and they flubbed it. But, by good fortune, you can go in and correct their error yourself.
http://www.lockergnome.com/nexus/it/2006/12/12/vista-special-permissions/
@Chasmosaur:
>>one of the original sources of the infection inside our company opened the attachment AGAIN!
Sounds like one of your employer's hired managers neglected to write the correct policy WRT Internet e-mail: namely, executable file attachments are blocked at the mailserver and/or end-users don't have execute permission on files in their mail client's attachments folder.
Posted by: Mark Odell | March 15, 2007 9:21 PM
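One way to apply the folder policy Mark Odell describes (deny execute permission on the mail client's attachments folder), as an added example that is not code from the comment, from Microsoft or from the original post: a PowerShell snippet that adds an inheritable Deny-ExecuteFile ACE for BUILTIN\Users and then checks that the ACE is present. The folder path is a placeholder; substitute the attachments folder your mail client actually uses.

```powershell
# Added example: deny ExecuteFile to ordinary users on a mail attachments
# folder so a double-clicked executable attachment cannot run from there.
# Deny ACEs win over Allow ACEs, so this also blocks any administrator
# who is a member of Users; run it from an elevated prompt.
$AttachmentsFolder = "C:\Path\To\Mail\Attachments"   # placeholder path

function Deny-ExecuteInFolder {
    param([string]$Path, [string]$Principal = "BUILTIN\Users")
    $acl = Get-Acl -Path $Path
    # Deny ExecuteFile to the principal; inherit to sub-folders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ExecuteDenied {
    param([string]$Path, [string]$Principal = "BUILTIN\Users")
    # Returns $true if an explicit Deny ACE covering ExecuteFile exists
    # for the principal on the folder, $false otherwise.
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Principal -and
            (($ace.FileSystemRights -band $exec) -eq $exec)) {
            return $true
        }
    }
    return $false
}

Deny-ExecuteInFolder -Path $AttachmentsFolder
Test-ExecuteDenied -Path $AttachmentsFolder   # expected: True
```

Files the user saves elsewhere are unaffected, so this complements, rather than replaces, blocking executable attachments at the mail server.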
Mark -- I never said this was from my work e-mail. They filter the living heck out of everything. No, this came via a personal e-mail account.
Posted by: Bk | March 15, 2007 11:34 PM
I thought that cyber-crimes and scammers were only Nigerians and from other third-world countries. So there are scammers in the US and Europe? You should file this report to Nigeria's EFCC.
Posted by: Steve | March 16, 2007 3:37 AM
I'd like to add one more counter-measure suggestion to those so far suggested in the blog and comments.
In addition to keeping your OS and AV software up to date, using a firewall, being vigilant about what you click on, running under a limited account, and possibly even using KeyScrambler as mentioned above, you can also install software that monitors your keyboard and screen. This software alerts you when any program tries to "hook" your keyboard or screen, which keylogger programs must do to do what they do. Think of this as a sort of last line of defense in case all the other counter-measures fail.
I use SnoopFree, free software found at snoopfree.com (and I'm not affiliated with them in any way, don't even remember how I found them originally). I've used it for over a year, I think, and it always alerts me when a legitimate program hooks my keyboard or screen (you can tell it to trust that program from then on). Whether keyloggers out there can defeat it, I don't know, but AFAIK I haven't had my data stolen, though I use most of the other counter-measures described above.
Like other counter-measures, using keylogger detection should not lead to complacency-- it's just another tool in the arsenal. And even if you stop using computers for financial purposes completely, you still run the risk of your bank or your employer or someone you do business with or the government failing to protect your data.
It's the age we live in. You can die in a car crash because of your own or someone else's malfeasance or negligence; but most of us respond to this reality by taking reasonable precautions, being sensibly vigilant, and then not dwelling on the risk that remains. A similar attitude with information security seems advisable.
Posted by: Mark | March 17, 2007 9:03 AM
Many thanks to all who have suggested ways to protect ourselves on-line!
With that said, I believe we should also write our representatives to voice our dissatisfaction with the current state of affairs--the problems with our data--how our data is being handled and mishandled by both Business and Government.
As I see it, if Business and Government had acted proactively, there would be far-far fewer problems with and victims of ID Theft. As I see it, Business needs to stop thinking mostly of earning more and more money, and instead think of customers.
Why not write a logical and professional letter to the corporations you do business with, and tell them what you think about this problem of ID Theft, and what you think they should be doing to correct and prevent the problem?
Government needs to assert its leadership role, and pass laws to make ID Theft a much more serious crime. And, there should be new laws passed to force Business and other organizations to both protect our data, and destroy unnecessary personal data which has been collected.
I especially believe the very dangerous (and much abused) SSNs should be used only for taxation purposes and nothing else. I believe the lawmakers should pass laws making it a very serious crime for any individual or organization to even ask for an SSN for any non-tax purpose. Why not write your representatives and express your views on this topic in a logical professional way?
Why not, if possible, stop doing business with those corporations or other organizations you believe are mishandling your data?
I also wonder about law suits. I wonder what success individuals have had in suing corporations for data breaches, and/or their improper handling of personal data. Does anyone here know?
As I understand it, in the 1960's Ralph Nader and other lawyers shook up the automotive establishment. It is my understanding, as a result of this and other factors, we now have greatly improved automotive safety standards.
Perhaps, it is time for lawyers to step forward and likewise shake up the business establishment. Perhaps, this would help bring about better personal data protection standards.
The UK has a law protecting personal data. I believe it is called "The Data Protection Act" or some such title. As I understand this law, it sets standards for organizational and corporate handling of personal data, and gives individuals rights on how corporations and other organizations handle their data. Perhaps US lawmakers could learn something from their UK counterparts.
We should do our part in protecting our data. And, Government and Business needs to do much-much more to protect our data, than it is currently doing.
Posted by: Richard | March 17, 2007 11:30 AM
Yikes!
I take a lot of precautions to keep my machine safe, including running Mac OS X instead of Windows, but how do I keep idiots at my bank from getting their computers infected and revealing my information to key loggers?