Suspect behind “Blackhole” malware toolkit believed arrested in Russia

The man believed to be responsible for distributing the notorious Blackhole malware toolkit has been arrested in Russia, a source told Reuters today. The source, a former Russian police detective in contact with Russia's federal government, said that the man went by “Paunch” in hacking circles.

No other information was given, but a spokesman for Europol in the Hague told Reuters that the police agency “had been informed that a high-level suspected cyber-criminal” had been arrested in Russia.

Blackhole is a widely known exploit toolkit that makes “drive-by” attacks easier for hackers to execute. It allows criminals to inject malware onto PCs that either visit exploit sites or are redirected to exploit sites from compromised websites. As one of the primary names behind Blackhole, Paunch kept the toolkit current as new weaknesses in commonly used programs were discovered: in 2012 Paunch released Blackhole 2.0, and recent custom versions of the toolkit incorporated ways to exploit vulnerabilities in Adobe Reader and Java's browser plugin.



Australian bomb hoax suspect tracked across internet and arrested in Kentucky, USA

For the last two weeks, the media in Sydney, Australia, have been fascinated with a police investigation into a most peculiar crime committed in one of Sydney’s most prestigious suburbs.

If you’ve heard the name of the victim, Madeleine Pulver, you’ve probably heard the story behind the crime.

Imagine the scene.

Pulver is a final-year school student who will sit her school-leaving exams at the end of the year. She’s studying at her parents’ home in top-of-the-market Mosman in Sydney’s Lower North Shore on the afternoon of 03 August.

A man clad in a balaclava and carrying a baseball bat bursts into her room and chains a plastic box to her neck. He puts a lanyard round her neck with some printed documentation and a USB key attached to it. Then he vanishes.

Pulver looks at the printout. She reads these words: “Powerful new technology plastic explosives are located inside the small black combination case delivered to you. The case is booby trapped. It can ONLY be opened safely, if you follow the instructions and comply with its terms and conditions.”

The printout continues by saying, “You will be provided with detailed Remittance Instructions to transfer a Defined Sum once you acknowledge and confirm receipt of this message.” A Gmail address is provided for future communications.

In the curious grammar used these days by New South Wales (NSW) Police on charge sheets, a whole battery of crimes have just taken place: aggravated break and enter with intent to commit a serious indictable offence; demand property by force with intent to steal; kidnap.

Hats off to the NSW cops. They’ve put in the investigative work on this one, identified a suspect, tracked him to Kentucky, and had him arrested in the USA. Now they’ll apply to have him extradited back to their jurisdiction.

The investigation makes a great story, too, and you can read it online thanks to documents tendered in court to prepare for the suspect’s arrest in Kentucky.

Here’s the brief version of what’s claimed so far.

* Trace the PC used to create the Gmail account mentioned in the extortion message to Chicago airport.

* Trace all subsequent uses of that email account to a small town on the NSW Central Coast. Get CCTV footage from the vicinity.

* Identify a Range Rover of an identifiable vintage arriving and leaving at the right time. Check NSW vehicle registrations for vehicles which fit the age and the location.

* Cross-check the name of the closest registered owner against recent border control records.

‘Ello, ‘ello! The owner of the perfectly-placed Range Rover flew to Chicago shortly after the crime. Then he flew to Kentucky.

* Move on to credit card records. The owner of the Range Rover also made purchases at an office supply store and a sports shop on the Central Coast about a month before the crime.

* Check with the shops to see what he bought in those transactions. Hmmm. A USB key. A baseball bat. [Note: baseball is a minority sport in Australia, like cricket in the USA.]

* Check whom he’d remitted money to in recent years. Ha! A woman with the same surname living in La Grange, Kentucky. Find that house up for sale.

* Get the Kentucky cops to drive by. Spot a bloke hanging out behind the house looking at least somewhat similar to the guy who boarded that Chicago flight, owned the Range Rover on the Central Coast, and bought the baseball bat.

And that was enough for the Kentucky court. The suspect was arrested and taken into custody.

In today’s society, most of us leave digital breadcrumbs wherever we go. When the cops can use this information appropriately, as they have done in this case, most of us agree that this amounts to a good result.

But there are three important issues this brings to the fore:

* This isn’t a cybercrime case. It’s a case of person-on-person crime involving intimidation, extortion and a bomb threat. Yet much of the investigation has required cyberskills by the investigators.

So when you read that the cops are being given more money “for cybercrime”, don’t expect them to start busting pure-play cybercrooks such as spammers and scammers immediately. Almost every modern crime has a cyber-element.

* This didn’t play out like it does on CSI or Hawaii-Five-O. There, the cops get results in seconds, where satellites orbiting directly overhead can mysteriously get clear images of vehicle registration plates from low angles, and where warrants magically appear at all hours of day and night.

There are many hoops which the cops have to jump through to be able to pursue an enquiry of this sort – a due process which means they can’t always and immediately get access to anything they want.

And that is exactly as it should be. Most of us are law-abiding, and our privacy and security is too important to be eroded merely to make the Orwellian nonsense of Hawaii-Five-O into a reality.

* Pure-play cybercrooks don’t play by the rules. They don’t have to show due cause to retrieve information from immigration. They don’t bother with a warrant before they install surveillance software on your PC. And they don’t leave an obvious trail like the apparently inept suspect in the Pulver case.

Of course, there’s a fourth matter, too:

* All the evidence so far is circumstantial, and the suspect is innocent until proved guilty beyond reasonable doubt.

In a case which is as perplexing, and which has provoked as much media commentary and as much speculation as this one, it’s important to keep that in mind.

Now you’ve heard the story, stop and think how much this suspect gave away without intending to.

Think about how much you give away – for example on social networking sites – entirely willingly.

Having just the tiniest amount less fun online can make you enormously more secure.

FBI announces international cyberbusts: scareware peddlers and malvertisers taken out

Twenty years ago, people used to ask, “Why do virus writers do it?”

That was a tricky question to answer, since there was often little motivation beyond notoriety – being recognised in the counterculture as a virus writer.

These days, you can explain virus writing Jeopardy-style instead. (Jeopardy is a back-to-front US game show in which the quizmaster gives an answer, and the contestants win by giving a question which produces it.) Like this: “To make lots of money online from victims all over the world with very little effort.”

Now, the question people usually ask is, “It seems so easy to be a cybercrook – why don’t the police do something about it?” One answer is that evidence can be tricky to acquire, and jurisdiction tricky to establish, when doing something about cybercrime. A crook in Belgium can defraud someone in Australia via a malicious advert served from China which tricks them into a credit card transaction in Canada processed by a server in Finland.

Despite the technical and legal hassles, the cops sometimes do get their man – or men. The US federal police force, the FBI, just announced some important international success against two cybergangs.

The operation, codenamed Trident Tribunal, led both to arrests and to the significant disruption of their criminal operations.

The first cybergang was allegedly responsible for selling scareware, better known as fake anti-virus software. I’m sure you’re familiar with it: a popup advises you you’re at risk; then a ‘free scan’ finds a raft of ‘threats’; and a cleanup button offers to fix your woes. But the cleanup isn’t free. So you pay up, and the ‘threats’ are ‘removed’. For now, anyway.

The FBI estimates that this group tricked nearly a million people into buying its fraudulent software. With a price point from $50 to $130 (depending on how many ‘extras’ the victim gets talked into), this netted them over $72,000,000.

The second cybergang provided malvertising services. This is a technique which lets you sneak adverts for fraudulent services – notably, for scareware – onto respectable websites. The group allegedly created a fake advertising agency, and gave themselves a fake commission from a hotel chain to buy online ads in a Minneapolis newspaper. The ads were approved by the newspaper, but the fake agency ran malverts instead.

According to the FBI, it looks as though just two guys were able to make more than $2,000,000 in that scam.

Given the global scale of cybercrime, this may seem like a small victory for law enforcement. But it is a victory nevertheless.

The really good news here is that the anti-cybercrime operations above saw the successful co-operation of law enforcement teams in twelve countries: USA, Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the UK.

Now we know the answers.

“Why do virus writers do it?” Sadly, because they can hope for revenues of about $75 per ‘sale’ by peddling an online sack of lies to one million ‘customers’.

“Why don’t the police do something about it?” Happily, they do.