Credit card fraud comes of age with advances in point-of-sale botnets

Inside the command and control channel of a point-of-sale botnet powered by StarDust.
IntelCrawler

Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.

The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August, researchers from IntelCrawler, a Los Angeles-based security intelligence provider, told Ars. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. A recently captured screenshot (above) showed that it was controlling 31 machines that the researchers said belonged to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected PoS devices could be much higher. The researchers have reported their findings to law enforcement agencies that they declined to identify by name.

PoS-based hacking is nothing new. The best-known incident stole data for more than 146,000 cards after infecting 200 terminals used at Subway Sandwich shops and other small merchants. According to federal prosecutors, the criminals behind that intrusion infected one or more servers with "sniffing" software that logged payment card numbers and sent them to a remote server. Although the now-convicted crooks were able to install a backdoor on the computers they accessed so they could change configuration settings and install new programs, there is no evidence of a botnet that actively controlled the infected machines in lockstep.


6 Month Countdown to Canada’s Anti-Spam Legislation (CASL)

Canada’s Anti-Spam Legislation (CASL) has been a long time coming.  The Government of Canada announced today that most of CASL’s provisions will enter into force on July 1, 2014.  That will be 10 years from the time the Government of Canada launched its Anti-Spam Action Plan. 

In recent years, a steadily increasing number of organizations within and outside Canada have been monitoring CASL’s status.  Among the reasons:  CASL is a new regime, contains a private right of action,  provides for significant administrative monetary penalties (maximum $10 million), and is broader in scope than the anti-spam laws of the US and other countries.  Some organizations have already begun to take steps and adopt practices intended to allow them to comply with CASL.

As of today, with the publication of the long-awaited Industry Canada Regulations, the CASL “rulebook” now includes the following legislation, regulations and guidance documents.  

Affected organizations will be relying on certain limited provisions under CASL to phase in requirements, intended to allow businesses to get ready and to adjust to the new regime.  These include the 6-month “implementation period” until July 1, 2017, and the 3-year “transitional period” until July 1, 2017, during which existing business relationships will be grandfathered, for consent purposes. 

While the above provide a bit of breathing room, there is a great deal to be done for organizations affected by CASL.  This may involve: auditing online communications processes, contact lists, and database practices; updating forms and procedures that document consent; updating customer service processes; reviewing and updating contracts that deal with third-party communications; and providing information and training for employees, management and the Board of Directors.  Affected organizations should proceed with their review and compliance work as soon as possible. 

We will be updating this blog regularly with posts on compliance tips and new developments.  You may be interested in the Slideshare presentation Comparing CASL to CAN-SPAM, which summarizes how the Canadian and US anti-spam regimes differ, considering their respective scope, standard of consent, application, and penalties.

In airport security scanning, ultra-rare items are harder to catch

In a simulation of airport luggage scanning, a team of researchers has found that the rarer an item is, the less likely a scanner operator is to spot it—that is, if fewer people come through with bomb materials or guns, it will be harder for the operator to spot them when they do.

The Duke University scientists set up the simulation in an “Airport Scanner” app where participants would check virtual suitcases for a set of 78 verboten items, like a stick of dynamite or a gun. Thirty of the items were “ultra rare,” appearing less than 0.15 percent of the time.

Drawing upon 20 million searches, the team found that these ultra-rare items were more difficult for participants to spot than more common things. The ultra-rare items were spotted only 27 percent of the time, while items that cropped up in one percent of suitcases were correctly spotted 92 percent of the time.


Dangerous New Banking Trojan Neverquest Is an Evolution of an Older Threat

There has been recent media coverage around a new online banking Trojan, publicly known as Neverquest. Once Neverquest infects a computer, the malware can modify content on banking websites opened in certain Internet browsers and can inject rogue forms into these sites. This allows attackers to steal login credentials from users. The threat can also let attackers take control of a compromised computer through a Virtual Network Computing (VNC) server. Neverquest can replicate itself in three ways: by stealing login details and spamming out the Neverquest dropper; by taking credentials from FTP servers in order to distribute the malware with the Neutrino Exploit Kit; and by obtaining social networking credentials to spread links to infected websites.
 
Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006. Our analysis of the Neverquest Trojan’s code has shown similarities with older samples of the Snifula family (in particular Backdoor.Snifula.D). We have also observed that network infrastructure previously used by Snifula has close ties to the Neverquest Trojan. Symantec can confirm that we already had protection in place for this new threat under various generic detection names from when we first encountered the malware back in mid-April 2013. Detection has since been broken out for this threat as Trojan.Snifula.
 
Similarities
As mentioned, the code of Trojan.Snifula (also known as Neverquest) shows similarities with older samples of the Snifula family. The executables of the two threats have a different structure and functionality, but they do share some unique pieces of code that link them together. For example, the following pictures illustrate the code used to send eight bytes of data on the network, where the first four bytes contain the specific marker “26A6E848.”
 
Figure 1. Trojan.Snifula (Neverquest) code related to outbound network traffic
 
Figure 2. Backdoor.Snifula.D version of the same code from Figure 1
 
The code is nearly identical and the marker is unique, meaning that this code was not taken from a publicly available source. This is not the only resemblance of course; you can find many other similarities.
 
Figure 3. Trojan.Snifula (Neverquest) code for logging the current process ID
 
Figure 4. Same code from Backdoor.Snifula.D.
 
This code logs the malicious process ID along with the current time. Both the code and the string are identical in the two threats; both threats also make use of the CRC and Aplib algorithms and share several common strings.
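The network marker described above is the kind of artifact a defender can turn into a simple traffic check. The following is an added example, not Symantec's code: it scans a set of outbound flow records for an exactly 8-byte payload whose first four bytes carry the marker "26A6E848". The post does not say whether the value is written big- or little-endian on the wire, so the check tries both encodings (an assumption made here), and the sample flow records are constructed.

```python
"""Flag outbound payloads carrying the Snifula/Neverquest network marker.

Added example, not Symantec's code. The post states that both Trojan.Snifula
(Neverquest) and Backdoor.Snifula.D send an 8-byte message whose first four
bytes hold the marker "26A6E848". Byte order on the wire is not stated, so
both encodings are accepted (assumption). The flow records are constructed.
"""
import struct

MARKER = 0x26A6E848
# Big-endian and little-endian layouts of the marker (assumption: either may occur).
MARKER_ENCODINGS = (struct.pack(">I", MARKER), struct.pack("<I", MARKER))

# Constructed sample records: (src, dst, payload). None are real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "195.191.56.245", bytes.fromhex("26a6e84800000001")),  # big-endian hit
    ("10.0.0.5", "93.184.216.34", b"GET / HTTP/1.1\r\n"),               # ordinary HTTP
    ("10.0.0.7", "195.137.188.59", bytes.fromhex("48e8a62600000002")),  # little-endian hit
    ("10.0.0.8", "10.0.0.1", bytes.fromhex("26a6e848")),                # only 4 bytes: no hit
    ("10.0.0.9", "8.8.8.8", bytes.fromhex("0000000026a6e848")),         # marker not first: no hit
]


def has_marker(payload: bytes) -> bool:
    """True if the payload is exactly eight bytes and begins with the marker."""
    return len(payload) == 8 and payload[:4] in MARKER_ENCODINGS


def find_marker_flows(flows):
    """Return (src, dst, hex_payload) for every flow that matches the marker."""
    return [(src, dst, payload.hex()) for src, dst, payload in flows if has_marker(payload)]


if __name__ == "__main__":
    for src, dst, hexdata in find_marker_flows(SAMPLE_FLOWS):
        print(f"marker hit: {src} -> {dst} payload={hexdata}")
```

A four-byte constant is a weak indicator on its own; in practice it belongs alongside the destination-address and length constraints shown here, so that a coincidental match inside unrelated data is not reported.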
 
Command-and-control infrastructure
We also got hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address 195.191.56.245 was used as a C&C server by Trojan.Snifula. One of only two domains known to be hosted on that IP address is FyXqgFxUmihXClZo.org. This domain is known to be owned by Aster Ltd. In total, we know that Aster Ltd owns the following 26 domains:
  • accman.com.tw
  • afg.com.tw
  • amosw.com.tw
  • aster.net
  • asterdon.ru
  • asterltd.com
  • astervent.ru
  • bestsid.com.tw
  • countdown.com.tw
  • durpal.com.tw
  • facestat.com.tw
  • fforward.com.tw
  • fyxqgfxumihxclzo.org
  • geobiz.net
  • makumazna.com.tw
  • maskima.com.tw
  • maxward.com.tw
  • miison.com.tw
  • mssa.com.tw
  • parti.com.tw
  • pluss.com.tw
  • sparkys3.com
  • sparkys3.net
  • tdaster.ru
  • thehomeofficecatalogue.net
  • thehomeofficecatalogue.org
 
The Aster Ltd domains Pluss.com.tw and Countdown.com.tw are hosted on the IP address 195.210.47.173. Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3.net and Facestat.com.tw, are being hosted on the IP address 195.137.188.59, another known C&C IP address for Trojan.Snifula.  
 
The Snifula family
Symantec has encountered numerous new variants of the Snifula family over the years. The arrival of Trojan.Snifula, which uses more sophisticated techniques to grow and to steal from victims, was an expected evolution of the Snifula family. Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon.  
 
To protect against this threat, Symantec also has the following Intrusion Prevention System (IPS) signature:
  • System Infected: Trojan.Snifula Activity
 
Symantec will continue to monitor the Snifula threat family to ensure that the best possible protection is in place for this threat. We recommend using Norton Internet Security or Symantec Endpoint Protection to best protect against attacks of this kind.