Mise à jour de la base de données, veuillez patienter...

New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

Now researchers say they’ve uncovered a new class of ad robot or “bot” fraud that was designed from the ground up to keep its nose clean — running not on infected hosts but instead distributed across a vast, rented network of dedicated Web servers and computers.

According to White Ops, a digital advertising security company based in New York City, those rented computers are connected to a network of more than 570,000 Internet addresses apparently leased or hijacked from various sources.

White Ops dubbed the video ad fraud network “Methbot,” and says the individuals at the helm of this network are spending upwards of $200,000 a month just maintaining a fully automated fraud network that imitates real Web site publishers showing real viewers video-based advertisements.

Ryan Castellucci, principal security researcher at White Ops, said Methbot’s coders built many of the fraud network’s tools from scratch — including the Web browser that each rented computer in the network uses to mimic Web sites displaying video ads. Spoofing actual news Web sites and other popular video-rich destinations, Methbot requests video ads from ad networks, and serves the ads to a vast array of bots that “watch” the videos.

To make each Web browsing session appear more like one generated by a human, Methbot simulates cursor clicks and mouse movements, and even forges social network login information so that it appears the user who viewed the ad was logged in to a social network at the time.

“They’ve written their own browser from scratch in Javascript, and this allows them to arbitrarily control the information that gets fed back to the ad networks and to companies like us who try to detect this stuff,” Castellucci said. “This has allowed Methbot to scale to beyond anything the industry has seen before, putting it in a new class of ad fraud.”

Interestingly, the registration records for virtually all of those Internet addresses have been forged so they appear to be controlled by some of the world’s largest Internet service providers (ISPs).

For instance, one of the many Internet addresses White Ops says was used by Methbot — 196.62.126*117 — is registered in October 2015 to AT&T Services Inc., but the contact address is “adw0rd.yandex.ru@gmail.com” (the letter “o” is a zero). Adw0rd is no doubt a play on Google Adwords, an online advertising service where advertisers pay to display brief advertising copy to Web users.

Another address tied to Methbot — 196.62.3*117 — is registered to the same adw0rd.yandex.ru@gmail.com account but also to “Comcast Cable Communications, Inc.” Records for another Methbot IP — 161.8.252.* — says the address is owned by “Verizon Trademark Services LLC.”

Whoever dreamed up Methbot clearly spent a great deal of time and money building the fraud machine. For example, White Ops says the address space alone used by this ad fraud operation has a current market value of approximately $4 million. A full list of the 570,000+ Internet addresses used by Methbot is published in the White Ops report page.

“Methbot operators invested significant time, research, development, and resources to build infrastructure designed to remove these limitations and provide them with unlimited scale,” White Ops said in its report. “They created dedicated data centers to support proxy networks in order to hide the single origin source of their operation. This is the first time we’ve seen data centers impersonating residential internet connections. This makes the scale of this operation virtually unlimited, with none of the typical durability issues of maintaining a constant base of infected user machines.”

White Ops said it estimated the earning potential of Methbot by looking at the number of phony video ad impressions it could serve up and the average cost to advertisers for displaying those ads. Assuming an average CPM (cost per mille, or per thousand number of impressions) of $13, the company estimates Methbot has the ability to serve between two million and three million impressions each day, with a daily revenue ranging from $2.6 million to $5.2 million.

WHO RUNS METHBOT?

White Ops’s report doesn’t delve much into the possible actors behind this ad fraud network, but there are a couple of tantalizing clues in their findings. White Ops found that the Methbot network originally used a program called Zombie to test the ad code in a simulated Web browser environment, but that later the Methbot team built their own Javascript-based browser. The report also notes that Methbot employs a program called “Cheerio” to parse the HTML rendered by the video ads.

Both Zombie and Cheerio show up in this October 2015 discussion thread on the Russian-language tech forum pyha[dot]ru. That thread was started by a developer using the nickname “adw0rd,” the same nickname listed in the phony ISP internet address ranges used by Methbot. A glance at adw0rd’s profile on pyha[dot]ru shows the user is from St. Petersburg, Russia and that his email is adw0rd@pyha.ru.

The “contact” page for adw0rd[dot]com (again, with a zero) includes that same email address, and says the account belongs to a software developer named Mikhail Andreev. That page at adw0rd.com says Andreev also has the account “adw0rd” on Facebook, Google, Twitter, LinkedIn, Github and Vkontakte (a Russian version of Facebook). A look back at programming projects dating to 2008 for adw0rd can be found via archive.org. Andreev did not respond to requests for comment.

The “abuse” contact email address listed on many of the Internet address ranges that White Ops tied to Methbot was “stepanenko.aa@mmk.ru,” someone who appears to have at least at one time acted as a broker of Internet addresses. That same “stepanenko” email address also appears on the official contacts page for an Alexey A. Stepanenko, senior manager of support group IT management systems within the telecommunications infrastructure at Magnitogorst Iron & Steel Works, the third largest steel company in Russia.

Many readers are asking what they should be doing in response to Yahoo‘s disclosure Wednesday that a billion of its user accounts were hacked. Here are a few suggestions and pointers, fashioned into a good old Q&A format.

Q: Was my account hacked? 

A: Experts I’ve spoken to believe Yahoo has about a billion active accounts. So, yes, it’s very likely your account’s password is compromised, and probably most of the other information you at one point entrusted to Yahoo. According to a statement from the company, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

Q: I’m not sure if I have a Yahoo account. How do I find out? 

A: This is a surprisingly complex question. Thanks to the myriad mergers and business relationships that Yahoo has forged over the years, you may have a Yahoo account and not realize it. That’s because many accounts that are managed through Yahoo don’t actually end in “yahoo.com” (or yahoo. insert country code here).

For example, British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address.

Q: I created a Yahoo account a few years ago, but Yahoo says it doesn’t exist anymore. What’s going on here? 

A: Yahoo has a policy of deactivating or deleting accounts that remain dormant for more than a year. If you haven’t touched your account in years, that’s probably why.

Q: Why would someone want to hack my email account? What could they do with it? 

A: Spam, spam, and spam. Oh, and spam. They want to spam your contacts with malware and ads for dodgy products and services. Also, it gives the bad guys direct access to any account that you have signed up for using that email address. Why? Because if the crooks have access to your inbox, they can request a password reset link be sent to your inbox from any Web site you’ve signed up with at that email address.

For more detail on why these lowlifes might want control over your inbox and how they can monetize that access, see one of the most-read pieces on this blog — The Value of a Hacked Email Account. NB: Accounts that are hijacked for use in spam campaigns may also be suspended or deleted by Yahoo.

Q: What the heck is an MD5?

A: It’s an inferior password storage method that too many companies still use to protect user passwords. An MD5 “hash” is computed by taking your plain text password and running it against an algorithm that is supposed to make the output impossible to reverse. For example, the world’s worst password — “password” — always computes to the MD5 hash of “cc3a0280e4fc1415930899896574e118” (see this MD5 generator for more examples).

The problem is that computing power is super cheap nowadays, and MD5s are no match for brute-force attacks that simply compare the result of hashed dictionary words and other common passwords with user password databases stored in MD5 format (i.e., if the MD5 your email provider stores for you is “cc3a0280e4fc1415930899896574e118”, then congrats on using the world’s worst password).

Long story short, there are vast indexes of these pre-computed MD5 hashes — known as “rainbow tables” — freely available online that can be used to quickly crack a large percentage of any MD5 password list.

Q: So if using hashing methods like MD5 is such a lame security idea, why is Yahoo still doing this? 

A: Yahoo says this breach dates back to 2013. To its credit, Yahoo began moving away from using MD5s for new accounts in 2013 in favor of Bcrypt, far more secure password hashing mechanism. But yeah, even by 2013 anyone with half a clue in securing passwords already long ago knew that storing passwords in MD5 format was no longer acceptable and altogether braindead idea. It’s one of many reasons I’ve encouraged my friends and family to ditch Yahoo email for years.

Q: I’ve been using Yahoo for years. If this service can’t be trusted, what would you recommend? 

A: I’ve used Google Mail (Gmail) for more than a decade, but your mileage may vary. I moved virtually all of my email activity to Gmail years ago mainly because they were among the first to offer more robust authentication and security measures, such as two-step authentication. And they continue to innovate in this space. If you’d like to migrate the messages from your Yahoo account to a Gmail account, see these instructions.

Q: Yahoo said in some cases encrypted or unencrypted security questions and answers were stolen. Why is this a big deal?

A: Because for years security questions have served as convenient backdoors used by criminals to defraud regular, nice people whose only real crime is that they tend to answer questions honestly. But with the proliferation of data that many people post online about themselves on social media sites — combined with the volume of public records that are indexed by various paid and free services — it’s never been easier for a stranger to answer your secret question, “What was the name of your elementary school?”

Don’t feel bad if you naively answered your secret questions honestly. Even criminals get their accounts hacked via easily-guessed secret questions, as evidenced by this story about the San Francisco transit extortionist who last month had his own account hacked via weak secret questions.

Q: So should I change my secret questions in my Yahoo account? Yahoo says it has “invalidated unencrypted security questions and answers so that they cannot be used to access an account,” but how do I know whether my security questions were encrypted or not?

A: Assuming you still can, yes by all means change the answers to the security questions to something only you know. However, it’s not clear that this is still an option: I tried logging in using the secret questions on two older accounts I have and did not see that option available anymore, so it’s likely that Yahoo has disabled them altogether. Yahoo’s statement on this matter is confusing, and the company hasn’t responded yet to follow-up questions to clarify things.

More importantly, if you have used these questions and answers at other sites, please change those answers at the other sites now. Pro tip: If you must patronize sites that allow password and account recovery via secret questions, don’t answer the secret questions honestly. Pick answers that aren’t obvious and that can’t be found using social media or a search engine.

Q: Yahoo also said that the intruders were able to forge “cookies.” What’s that all about?

A: Yahoo said the attackers had worked out a way to forge cookies, text files that Yahoo places on user computers when they log in. Authentication cookies contain information about the user’s session with Yahoo, and these cookies can contain a great deal of information about the user, such as whether that user has already authenticated to the company’s servers.

The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them to access targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.

Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.

Q: That sounds pretty bad.

A: Yeah, that’s about as bad as it gets. It’s yet another reason I’m telling people to run away from Yahoo email.

Q: Okay, I don’t need my account anymore, and/or I’ve transferred what I need from that account and no longer want to have an account at Yahoo. Can I delete my account? 

A: Yes, you can delete your account. Yahoo has detailed instructions here. But before you do this, consider whether you have created unique relationships with any other Web sites using this email account. If so, you may lose access to those third-party Web site accounts if you no longer have access to the email inbox you used to create that relationship. Take stock of any third-party Web site user accounts you may have tied to your Yahoo inbox, and if you wish to keep those accounts you’ll probably need to log in to them separately and change the contact email address.

Q: What else should I be concerned about as a result of this latest hack? 

A: Make sure you have not used your Yahoo password at any other sites or online accounts that you value or that hold potentially sensitive information about you. If you have, change the password at those other sites to unique, complex passwords. And stop re-using passwords: It’s probably the leading cause of account compromises.

Also, be on the lookout for an uptick in possibly much more targeted email phishing and malware attacks. When attackers have a lot of details about you (like the ones Yahoo said were stolen in this hack) it makes it much easier for them to craft convincing email lures. Be especially wary of clicking on links or attachments in emails you were not expecting, and never respond to login or password reset requests sent via email that you did not initiate.

If your mobile phone number was associated with your Yahoo account, that number may receive SMS phishing or “smishing” attacks as a result. The standard warning about clicking links applies to unbidden text messages as well.

Enable any and all security measures available to you at your current or new email provider. The most important steps you can take are adding a backup email account that you can use to receive messages or password resets if you somehow lose access to your account (i.e., someone figures out your password and seizes control over your account), and taking advantage of two-step or two-factor authentication. With this new feature enabled, thieves would have to know your username, password, and have access to your mobile device or impersonate you to your mobile provider in order to hijack your account. For more on which providers offer this vital security feature, see twofactorauth.org. If you’re sticking with Yahoo despite all of the above, please make sure to take advantage of their two-step feature, called Yahoo Account Key.

Just months after disclosing a breach that compromised the passwords for a half billion of its users, Yahoo now says a separate incident has jeopardized data from at least a billion more user accounts. The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password.

On September 22, Yahoo warned that a security breach of its networks affected more than 500 million account holders. Today, the company said it uncovered a separate incident in which thieves stole data on more than a billion user accounts, and that the newly disclosed breach is separate from the incident disclosed in September.

“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”

The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

In addition, Lord said the attackers had worked out a way to forge “cookies” that Yahoo places on user computers when they log in. Authentication cookies are text files that contain information about the user’s session with Yahoo. Cookies can contain a great deal of information about the user, such as whether that the user has already authenticated to the company’s servers.

The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them to access targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.

Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.

“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.

Yahoo says users should change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo account. The company is asking users to review their accounts for suspicious activity, and to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For years I have been urging friends and family to migrate off of Yahoo email, mainly because I watched for years as the company appeared to fall far behind its peers in blocking spam and other email-based attacks. But also because of weak security features (like secret questions) that tend to weaken the security of accounts. I stand by that recommendation.

Most importantly, if you are reusing your Yahoo password anywhere else, now is a great time to change those passwords elsewhere. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.

Both Adobe and Microsoft on Tuesday issued patches to plug critical security holes in their products. Adobe’s Flash Player patch addresses 17 security flaws, including one “zero-day” bug that is already actively being exploited by attackers. Microsoft’s bundle of updates tackles at least 42 security weaknesses in Windows and associated software.

Half of the dozen patches Microsoft released yesterday earned its “critical” rating, meaning the flaws fixed in the updates could be exploited by malware or miscreants to seize remote control over vulnerable Windows computers without any help from users.

As per usual, the largest share of flaws fixed are in Microsoft’s browsers — Internet Explorer and Edge. Also included in the mix are updates for Microsoft Office and .NET.

According to security firm Shavlik, several of the vulnerabilities fixed with this Microsoft patches were publicly disclosed prior to this week, meaning would-be attackers have had a head start trying to figure out how to exploit them.

As part of a new Microsoft policy that took effect in October, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible).

It’s important to note that several update types won’t be included in a rollup, including those released for Adobe Flash Player on Tuesday. The latest update brings Flash to v. 24.0.0.186 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. According to analysis released this month by Recorded Future, Adobe Flash vulnerabilities provided six of the top 10 vulnerabilities used by exploit kits in 2016. Exploit kits are automated tools that criminals stitch into the fabric of hacked or malicious Web sites, so that visitors who visit one of these sites with an outdated version of Flash in their browser can have malware silently installed. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep and update Flash, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.

Federal investigators in the United States and Europe last week arrested nearly three-dozen people suspected of patronizing so-called “booter” services that can be hired to knock targeted Web sites offline. The global crackdown is part of an effort by authorities to weaken demand for these services by impressing upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

On Dec. 9, 2016, the U.S. Federal Bureau of Investigation (FBI) arrested Sean Sharma, a 26-year-old student at the University of California accused of using a booter service to knock a San Francisco chat service company’s Web site offline.

Sharma was one of almost three dozen others across 13 countries who were arrested on suspicion of paying for cyberattacks. As part of a coordinated law enforcement effort dubbed “Operation Tarpit,” investigators here and abroad also executed more than 100 so-called “knock-and-talk” interviews with booter buyers who were quizzed about their involvement but not formally charged with crimes.

Stresser and booter services leverage commercial hosting services and security weaknesses in Internet-connected devices to hurl huge volleys of junk traffic at targeted Web sites. These attacks, known as “distributed denial-of-service” (DDoS) assaults, are digital sieges aimed at causing a site to crash or at least to remain unreachable by legitimate Web visitors.

“DDoS tools are among the many specialized cyber crime services available for hire that may be used by professional criminals and novices alike,” said Steve Kelly, FBI unit chief of the International Cyber Crime Coordination Cell, a task force created earlier this year by the FBI whose stated mission is to ‘defeat the most significant cyber criminals and enablers of the cyber underground.’ “While the FBI is working with our international partners to apprehend and prosecute sophisticated cyber criminals, we also want to deter the young from starting down this path.”

According to Europol, the European Union’s law enforcement agency, the operation involved arrests and interviews of suspected DDoS-for-hire customers in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the U.S. Europol said investigators are only warning one-time users, but aggressively pursuing repeat offenders who frequented the booter services.

“This successful operation marks the kick-off of a prevention campaign in all participating countries in order to raise awareness of the risk of young adults getting involved in cybercrime,” reads a statement released Monday by Europol. “Many do it for fun without realizing the consequences of their actions – but the penalties can be severe and have a negative impact on their future prospects.”

The arrests stemmed at least in part from successes that investigators had infiltrating a booter service operating under the name “Netspoof.” According to the U.K.’s National Crime Agency, Netspoof offered subscription packages ranging from £4 (~USD $5) to £380 (~USD $482) – with some customers paying more than £8,000 (> USD $10,000) to launch hundreds of attacks. The NCA said twelve people were arrested in connection with the Netspoof investigation, and that victims included gaming providers, government departments, internet hosting companies, schools and colleges.

The Netspoof portion of last week’s operation was fueled by the arrest of Netspoof’s founder — 20-year-old U.K. resident Grant Manser. As Bleeping Computer reports, Manser’s business had 12,800 registered users, of which 400 bought his tools, launching 603,499 DDoS attacks on 224,548 targets.

Manser was sentenced in April 2016 to two years youth detention suspended for 18 months, as well as 100 hours of community service. According to BC’s Catalin Cimpanu, the judge in Manser’s case went easy on him because he built safeguards in his tools that prevented customers from attacking police, hospitals and government institutions.

ANALYSIS

As a journalist who has long sought to expose the booter and stresser industry and those behind it, this action has been a long time coming. The past three to four years have witnessed a dramatic increase in the number and sophistication of booter services.

In September 2016, this site was the recipient of a record-sized DDoS attack that knocked this site offline for several days. The attack came hours after a story I wrote about the now-defunct booter service vDOS was punctuated by the arrest of two 18-year-old Israeli men allegedly tied to the business. I was able to track them down because vDOS had been massively hacked, and huge troves of data from the service’s servers were shared with KrebsOnSecurity.

vDOS had been in business for four years, but records about how much the business made were incomplete; only two years’ worth of DDoS customer data was available (the rest had apparently been wiped from the server). But in that two years, the records showed that more than 150,000 customer paid in excess of $600,000 to launch DDoS attacks on targeted sites.

The demise of vDOS exposed a worrying trend in DDoS-for-hire attack services: The rise of hyper-powered booter services capable of launching attacks that can disrupt operations at even the largest of Web sites and hosting providers.

Hours after the Septemeber attack swept KrebsOnSecurity offline, the same attackers hit French hosting giant OVH with an even larger DDoS-for-hire attack. On Oct. 21, 2016, Internet infrastructure provider Dyn was hit by a very similar attack. All three attacks involved collections of hacked computers powered by DDoS-based malware called “Mirai.” This malware doesn’t infect Windows computers, but instead worms its way into Linux-based systems that run on many consumer hardware products like wireless routers, security cameras and digital video recorders that are left operating in factory-default (insecure) settings.

Security experts say the crime machine that caused problems for Dyn was not the same one that was used to knock my site offline in September. That’s because at the beginning of October the miscreant responsible for creating Mirai leaked the source code for the malware online. Since then, dozens of new Mirai robot networks or “botnets” have been spotted being used to launch cyberattacks — including the one used to attack Dyn. And in some cases, the criminals at the helm of these weapons of mass disruption are renting out “slices” or shares of the botnet to other crooks, typically at the rate of several thousand dollars per week.

I applaud last week’s actions here in the United States and abroad, as I believe many booter service customers patronize them out of some rationalization that doing so isn’t a serious crime. The typical booter service customer is a teenage male who is into online gaming and is seeking a way to knock a rival team or server offline — sometimes to settle a score or even to win a game. One of the co-proprietors of vDos, for example, was famous for DDoSsing the game server offline if his own team was about to lose — thereby preserving the team’s freakishly high ‘win’ ratios.

But this is a stereotype that glosses over a serious, costly and metastasizing problem that needs urgent attention. More critically, early law enforcement intervention for youths involved in launching or patronizing these services may be key to turning otherwise bright kids away from the dark side and toward more constructive uses of their time and talents before they wind up in jail. I’m afraid that absent some sort of “road to Damascus” moment or law enforcement intervention, a great many individuals who initially only pay for such attacks end up getting sucked into an alluring criminal vortex of digital extortion, easy money and online hooliganism.