Crooks who make and deploy ATM skimmers are constantly engaged in a cat-and-mouse game with financial institutions, which deploy a variety of technological measures designed to defeat skimming devices. The latest innovation aimed at tipping the scales in favor of skimmer thieves is a small, battery powered device that provides crooks a digital readout indicating whether an ATM likely includes digital anti-skimming technology.

A well-known skimmer thief is marketing a product called “Smart Shield Detector” that claims to be able to detect a variety of electronic methods used by banks to foil ATM skimmers.

The device, which sells for $200, is called a “Smart Shield Detector,” and promises to detect “all kinds of noise shields, hidden shields, delayed shields and others!”

It appears to be a relatively simple machine that gives a digital numeric indicator of whether an ATM uses any of a variety of anti-skimming methods. One of the most common is known as “frequency jamming,” which uses electronic signals to scramble both the clock (timing) and the card data itself in a bid to confuse skimming devices.

“You will see current level within seconds!,” the seller enthuses in an online ad for the product, a snippet of which is shown above. “Available for sale after November 1st, market price 200usd. Preorders available at price 150usd/device. 2+ devices for your team – will give discounts.”

According to the individual selling the Smart Shield Detector, a readout of 15 or higher indicates the presence of some type of electronic shield or jamming technology — warning the skimmer thief to consider leaving that ATM alone and to find a less protected machine. In contrast, a score between 3-5 is meant to indicate “no shield,” i.e., that the ATM is ripe for compromise.

KrebsOnSecurity shared this video with Charlie Harrow, solutions manager for ATM maker NCR Corp. Harrow called the device “very interesting” but said NCR doesn’t try to hide which of is ATM include anti-skimming technologies — such as those that claim to be detectable by the Smart Shield Detector.

“We don’t hide the fact that our ATMs are protected against this type of external skimming attack,” Harrow said. “Our Anti-Skimming product uses a uniquely shaped bezel so you can tell just by looking at the ATM that it is protected (if you know what you are looking for).”

Harrow added that NCR doesn’t rely on secrecy of design to protect its ATMs.

“The bad guys are skilled, resourced and determined enough that sooner or later they will figure out exactly what we have done, so the ATM has to be safe against a knowledgeable attacker,” he said. “That said, a little secret sauce doesn’t hurt, and can often be very effective in stopping specific attack [methods] in the short term, but it can’t be relied on to provide any long term protection.”

The best method for protecting yourself against ATM skimmers doesn’t require any fancy gadgets or technology at all: It involves merely covering the PIN pad with your hand while you enter your PIN!

That’s because the vast majority of skimming attacks involve two components: A device that fits over or inside the card reader and steals data from the card’s magnetic stripe, and a tiny hidden camera aimed at the PIN pad. While thieves who have compromised an ATM you used can still replicate your ATM card, the real value rests in your PIN, without which the thieves cannot easily drain your checking or savings account of cash.

Also, be aware of your physical surroundings while using an ATM; you’re probably more apt to get mugged physically than virtually at a cash machine. Finally, try to stick to cash machines that are physically installed inside of banks, as these tend to be much more challenging for thieves to compromise than stand-alone machines like those commonly found at convenience stores.

KrebsOnSecurity would like to thank Alex Holden, founder of Milwaukee, Wisc. based Hold Security, for sharing the above video.

Are you fascinated by skimming devices? Then check out my series, All About Skimmers, which looks at all manner of skimming scams, from fake ATMs and cash claws to PIN pad overlays and gas pump skimmers.

Leakbase, a Web site that indexed and sold access to billions of usernames and passwords stolen in some of the world largest data breaches, has closed up shop. A source close to the matter says the service was taken down in a law enforcement sting that may be tied to the Dutch police raid of the Hansa dark web market earlier this year.

Leakbase[dot]pw began selling memberships in September 2016, advertising more than two billion usernames and passwords that were stolen in high-profile breaches at sites like linkedin.com, myspace.com and dropbox.com.

But roughly two weeks ago KrebsOnSecurity began hearing from Leakbase users who were having trouble reaching the normally responsive and helpful support staff responsible for assisting customers with purchases and site issues.

Sometime this weekend, Leakbase began redirecting visitors to haveibeenpwned.com, a legitimate breach alerting service run by security researcher Troy Hunt (Hunt’s site lets visitors check if their email address has shown up in any public database leaks, but it does not store corresponding account passwords).

Leakbase reportedly came under new ownership after its hack in April. According to a source with knowledge of the matter but who asked to remain anonymous, the new owners of Leakbase dabbled in dealing illicit drugs at Hansa, a dark web marketplace that was dismantled in July by authorities in The Netherlands.

The Dutch police had secretly seized Hansa and operated it for a time in order to gather more information about and ultimately arrest many of Hansa’s top drug sellers and buyers. 

According to my source, information the Dutch cops gleaned from their Hansa takeover led authorities to identify and apprehend one of the owners of Leakbase. This information could not be confirmed, and the Dutch police have not yet responded to requests for comment. 

A message posted Dec. 2 to Leakbase’s Twitter account states that the service was being discontinued, and the final message posted to that account seems to offer paying customers some hope of recovering any unused balances stored with the site.

“We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw Send your LeakBase username and how much time you had left,” the message reads. “We will have a high influx of emails so be patient, this could take a while.”

My source noted that these last two messages are interesting because they are unlike every other update posted to the Leakbase Twitter account. Prior to the shutdown message on Dec. 2, all updates to that account were done via Twitter’s Web client; but the last two were sent via Mobile Web (M2).

Ironically, Leakbase was itself hacked back in April 2017 after a former administrator was found to be re-using a password from an account at x4b[dot]net, a service that Leakbase relied upon at the time to protect itself from distributed denial-of-service (DDoS) attacks intended to knock the site offline.

X4B[dot]net was hacked just days before the Leakbase intrusion, and soon after cleartext passwords and usernames from hundreds of Leakbase users were posted online by the hacker group calling itself the Money Team.

Many readers have questioned how it could be illegal to resell passwords that were leaked online in the wake of major data breaches. The argument here is generally that in most cases this information is already in the public domain and thus it can’t be a crime to index and resell it.

However, many legal experts see things differently. In February 2017, I wrote about clues that tied back to a real-life identity for one of the alleged administrators of Leakedsource, a very similar service (it’s worth noting that the subject of that story also was found out because he re-used the same credentials across multiple sites).

In the Leakedsource story, I interviewed Orin Kerr, director of the Cybersecurity Law Initiative at The George Washington University. Kerr told me that owners of services like Leakbase and Leakedsource could face criminal charges if prosecutors could show these services intended for the passwords that are for sale on the site to be used in the furtherance of a crime.

Kerr said trafficking in passwords is clearly a crime under the Computer Fraud and Abuse Act (CFAA).

Specifically, Section A6 of the CFAA, which makes it a crime to “knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization, if…such trafficking affects interstate or foreign commerce.”

“CFAA quite clearly punishes password trafficking,” Kerr said. “The statute says the [accused] must be trafficking in passwords knowingly and with intent to defraud, or trying to further unauthorized access.”

A former employee for the National Security Agency pleaded guilty on Friday to taking classified data to his home computer in Maryland. According to published reports, U.S. intelligence officials believe the data was then stolen from his computer by hackers working for the Russian government.

Nghia Hoang Pho, 67, of Ellicott City, Maryland, pleaded guilty today to “willful retention of national defense information.” The U.S. Justice Department says that beginning in April 2006 Pho was employed as a developer for the NSA’s Tailored Access Operations (TAO) unit, which develops specialized hacking tools to gather intelligence data from foreign targets and information systems.

According to Pho’s plea agreement, between 2010 and March 2015 he removed and retained highly sensitive classified “documents and writings that contained national defense information, including information classified as Top Secret.”

Pho is the third NSA worker to be charged in the past two years with mishandling classified data. His plea is the latest — and perhaps final — chapter in the NSA’s hunt for those responsible for leaking NSA hacking tools that have been published online over the past year by a shadowy group calling itself The Shadow Brokers.

Neither the government’s press release about the plea nor the complaint against Pho mention what happened to the classified documents after he took them home. But a report in The New York Times cites government officials speaking on condition of anonymity saying that Pho had installed on his home computer antivirus software made by a Russian security firm Kaspersky Lab, and that Russian hackers are believed to have exploited the software to steal the classified documents.

On October 5, 2017, The Wall Street Journal reported that Russian government hackers had lifted the hacking tools from an unnamed NSA contractor who’d taken them and examined them on his home computer, which happened to have Kaspersky Antivirus installed.

On October 10, The Times reported that Israeli intelligence officers looked on in real time as Russian government hackers used Kaspersky’s antivirus network as a kind of improvised search tool to scour computers around the world for the code names of American intelligence programs.

For its part, Kaspersky has said its software detected the NSA hacking tools on a customer’s computer and sent the files to the company’s anti-malware network for analysis. In a lengthy investigation report published last month, Kaspersky said it found no evidence that the files left its network, and that the company deleted the files from its system after learning what they were.

Kaspersky also noted that the computer from which the files were taken was most likely already compromised by “unknown threat actors.” It based that conclusion on evidence indicating the user of that system installed a backdoored Microsoft Office 2013 license activation tool, and that in order to run the tool the user must have disabled his antivirus protection.

The U.S. Department of Homeland Security (DHS) issued a binding directive in September ordering all federal agencies to cease using Kaspersky software by Dec. 12.

Pho faces up to 10 years in prison. He is scheduled to be sentenced April 6, 2018.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

Roman Seleznev, a Russian man who is already serving a record 27-year sentence in the United States for cybercrime charges, was handed a 14-year sentence this week by a federal judge in Atlanta for his role in a credit card and identity theft conspiracy that prosecutors say netted more than $50 million. Separately, a Canadian national has pleaded guilty to charges of helping to steal more than a billion user account credentials from Yahoo.

Seleznev, 33, was given the 14-year sentence in connection with two prosecutions that were consolidated in Georgia: The 2008 heist against Atlanta-based credit card processor RBS Worldpay; and a case out of Nevada where he was charged as a leading merchant of stolen credit cards at carder[dot]su, at one time perhaps the most bustling fraud forum where members openly marketed a variety of cybercrime-oriented services.

Seleznev’s conviction comes more than a year after he was convicted in a Seattle court on 38 counts of cybercrime charges, including wire fraud and aggravated identity theft. The Seattle conviction earned Seleznev a 27-year prison sentence — the most jail time ever given to an individual convicted of cybercrime charges in the United States.

This latest sentence will be served concurrently — meaning it will not add any time to his 27-year sentence. But it’s worth noting because Seleznev is appealing the Seattle verdict. In the event he prevails in Seattle and gets that conviction overturned, he will still serve out his 14-year sentence in the Georgia case because he pleaded guilty to those charges and waived his right to an appeal.

Prosecutors say Seleznev, known in the underworld by his hacker nicknames “nCux” and “Bulba,” enjoyed an extravagant lifestyle prior to his arrest, driving expensive sports cars and dropping tens of thousands of dollars at lavish island vacation spots. The son of an influential Russian politician, Seleznev made international headlines in 2014 after he was captured while vacationing in The Maldives, a popular destination for Russians and one that many Russian cybercriminals previously considered to be out of reach for western law enforcement agencies.

However, U.S. authorities were able to negotiate a secret deal with the Maldivian government to apprehend Seleznev. Following his capture, Seleznev was whisked away to Guam for more than a month before being transported to Washington state to stand trial for computer hacking charges.

The U.S. Justice Department says the laptop found with him when he was arrested contained more than 1.7 million stolen credit card numbers, and that evidence presented at trial showed that Seleznev earned tens of millions of dollars defrauding more than 3,400 financial institutions.

Investigators also reportedly found a smoking gun: a password cheat sheet that linked Seleznev to a decade’s worth of criminal hacking. For more on Seleznev’s arrest and prosecution, see The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27-Year Sentence, and Feds Charge Carding Kingpin in Retail Hacks.

In an unrelated case, federal prosecutors in California announced a guilty plea from Karim Baratov, one of four men indicted in March 2017 for hacking into Yahoo beginning in 2014. Yahoo initially said the intrusion exposed the usernames, passwords and account data for roughly 500 million Yahoo users, but in December 2016 Yahoo said the actual number of victims was closer to one billion (read: all of its users). 

Baratov, 22, is a Canadian and Kazakh national who lived in Canada (he’s now being held in California). He was charged with being hired by two Russian FSB officer defendants in this case — Dmitry Dokuchaev, 33, and Igor Sushchin, 43 — to hack into the email accounts of thousands of individuals. According to prosecutors, Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money.

Baratov operated several business that he advertised openly online that could be hired to hack into email accounts at the world’s largest email providers, including Google, Yahoo and Yandex. As part of his plea agreement, Baratov not only admitted to agreeing and attempting to hack at least 80 webmail accounts on behalf of one of his FSB co-conspirators, but also to hacking more than 11,000 webmail accounts in total from in or around 2010 until his arrest by Canadian authorities.

Shortly after Baratov’s arrest and indictment, KrebsOnSecurity examined many of the email hacking services he operated and that were quite clearly tied to his name. One such business advertised the ability to steal email account passwords without actually changing the victim’s password. According to prosecutors, Baratov’s service relied on “spear phishing” emails that targeted individuals with custom content and enticed recipients to click a booby-trapped link.

For example, one popular email hacking business registered to Baratov was xssmail[dot]com, which for several years advertised the ability to break into email accounts of virtually all of the major Webmail providers. XSS is short for “cross-site-scripting.” XSS attacks rely on vulnerabilities in Web sites that don’t properly parse data submitted by visitors in things like search forms or anyplace one might enter data on a Web site.

In the context of phishing links, the user clicks the link and is actually taken to the domain he or she thinks she is visiting (e.g., yahoo.com) but the vulnerability allows the attacker to inject malicious code into the page that the victim is visiting.

This can include fake login prompts that send any data the victim submits directly to the attacker. Alternatively, it could allow the attacker to steal “cookies,” text files that many sites place on visitors’ computers to validate whether they have visited the site previously, as well as if they have authenticated to the site already.

Baratov pleaded guilty to nine counts, including one count of aggravated identity theft and eight violations of the Computer Fraud and Abuse Act. His sentencing hearing is scheduled for Feb. 20, 2018. The aggravated identity theft charge carries a mandatory two-year sentence; each of the other counts is punishable by up to 10 years in jail and fines of $250,000, although any sentence he receives will likely be heavily tempered by U.S. federal sentencing guidelines.

Meanwhile, Baratov’s co-defendant Dokuchaev is embroiled in his own legal worries in Russia, charges that could carry a death sentence. He and his former boss Sergei Mikhailov — once deputy chief of the FSB’s Center for Information Security — were arrested in December 2016 by Russian authorities and charged with treason. Also charged with treason in connection with that case was Ruslan Stoyanov, a senior employee at Russian security firm Kaspersky Lab.

There are many competing theories for the reasons behind their treason charges, some of which are explored in this Washington Post story. I have my own theory, detailed in my January 2017 piece, A Shakeup in Russia’s Top Cybercrime Unit.

A newly-discovered flaw in macOS High Sierra — Apple’s latest iteration of its operating system — allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.

For better or worse, this glaring vulnerability was first disclosed today on Twitter by Turkish software developer Lemi Orhan Ergin, who unleashed his findings onto the Internet with a tweet to @AppleSupport:

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

High Sierra users should be able to replicate the exploit by accessing System Preferences, then Users & Groups, and then click the lock to make changes. Type “root” with no password, and simply try that several times until the system relents and lets you in.

How does one change the root password? It’s simple enough. Open up a Terminal (in the Spotlight search box just type “terminal”) and type “sudo passwd root”.

Many people responding to that tweet said they were relieved to learn that this extremely serious oversight by Apple does not appear to be exploitable remotely. However, sources who have tested the bug say it can be exploited remotely if a High Sierra user a) has not changed the root password yet and b) has enabled “screen sharing” on their Mac.

Likewise, multiple sources have now confirmed that disabling the root account does not fix the problem because the exploit actually causes the account to be re-enabled.

There may be other ways that this vulnerability can be exploited: I’ll update this post as more information becomes available. But for now, if you’re using macOS High Sierra, take a moment to change the root password now, please.