The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.

The public service announcement (PSA) coincides with a less public alert that the FBI released to its InfraGard members, a partnership between the FBI and private industry partners. That alert noted that several extremist hacking groups indicated they would participate in an operation dubbed #OpIsrael, which will target Israeli and Jewish Web sites to coincide with Holocaust Remembrance Day (Apr .15-16).

“The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day,” the InfraGard alert notes. “These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.”

Experts say there may be no actual relationship between these defacements and Islamist militants. In any case, if you run a Web site powered by WordPress — or any other content management system (CMS) — please take a few moments today to ensure that the CMS itself is up-to-date with the latest patches, and apply all available fixes for any installed plug-ins.

The FBI also issued an unrelated PSA advising people to be wary of fake government Web sites set up to take advantage of search engine optimization techniques that try to get the sites listed prominently in search results when searching for government services online. The FBI explains the scam thusly:

“Victims use a search engine to search for government services such as obtaining an Employer Identification Number (EIN) or replacement social security card. The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website. The victim completes the required fraudulently posted forms for the government service they need. The victim submits the form online, believing they are providing their PII to government agencies such as the Internal Revenue Service, Social Security Administration, or similar agency based on the service they need.”

“Once the forms are completed and submitted, the fraudulent website usually requires a fee to complete the service requested. The fees typically range from $29 to $199 based on the government service requested. Once the fees are paid the victim is notified they need to send their birth certificate, driver’s license, employee badge, or other personal items to a specified address. The victim is then told to wait a few days to several weeks for processing.”

“By the time the victim realizes it is a scam, they may have had extra charges billed to their credit/debit card, had a third-party designee added to their EIN card, and never received the service(s) or documents requested. Additionally, all of their PII data has been compromised by the criminals running the websites and can be used for any number of illicit purposes. The potential harm gets worse for those who send their birth certificate or other government-issued identification to the perpetrator.”

The FBI advises consumers to use search engines or other websites to research the advertised services or person/company you plan to deal with. Search the Internet for any negative feedback or reviews on the government services company, their Web site, their e-mail addresses, telephone numbers, or other searchable identifiers. Fly-by-night scam Web sites often have little or no reputation — i.e., they haven’t been online that long. A simple WHOIS Web site registration record search will often reveal scam domains as just recently having been put online.

Most of the ATM skimming attacks written about on this blog conclude with security personnel intervening before the thieves manage to recover their skimmers along with the stolen card data and PINs. However, an increasingly common form of ATM fraud — physical destruction — costs banks plenty, even when crooks walk away with nothing but bruised egos and sore limbs.

An ATM technician and KrebsOnSecurity reader shared photos of a recent attack in which three would-be robbers went to town on a wall-mounted cash machine with crowbars and hammers.

Thieves with crowbars did massive and costly damage to this ATM, but were thwarted in cracking the safe.

According to the technician, the burglars ruined a $13,000 cash acceptor, a $5,000 check scanner, a $900 monitor, and a $700 card reader, among many other pricey items. Hardly any part of the machine escaped damage.

This thief-ravaged ATM is totaled.

The carnage from this incident looks like something out of a bad Transformers movie.

Decepticons, attack!

For all their work, the closest that the crooks got to the money was chipping the safe hinge.

Turns out, ATM cash safes are pretty tough.

The thieves in this case clearly didn’t have the right tools for the job. The real pros come armed with thermal tools to cut into the thick metal parts, as described in a recent update from the European ATM Security Team (EAST). As shown in the images below, the crooks draped flame-retardant cloth around the ATM while they set to work cutting into the cash machine with a gas-powered torch.

Real pros bring the proper tools for the job.

In December 2014, I wrote about a spike in attacks on ATMs in Europe in which thieves attempt to blast open the cash machines with explosive gas. Since then, Bloomberg Business has published “Boom,” a detailed look at the growth of explosive gas attacks on ATMs since 2013.

In October 2014, KrebsOnSecurity examined a novel “replay” attack that sought to exploit implementation weaknesses at U.S. financial institutions that were in the process of transitioning to more secure chip-based credit and debit cards. Today’s post looks at one service offered in the cybercrime underground to help thieves perpetrate this type of fraud.

Several U.S. financial institutions last year reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the October 2014 breach at Home Depot. The affected banks were puzzled by the attacks because the fraudulent transactions were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question hadn’t yet begun sending customers chip-enabled cards.

Seller in underground forum describes his “Revolution” software to conduct EMV card fraud against banks that haven’t implemented EMV fully.

Fraud experts said the most likely explanation for the activity was that crooks were pushing regular magnetic stripe transactions through the card network as chip card purchases using a technique known as a “replay” attack. According to one bank interviewed at the time, MasterCard officials explained that the thieves were likely in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real chip-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account data on-the-fly.

Recently, KrebsOnSecurity encountered a fraudster in a popular cybercrime forum selling a fairly sophisticated software-as-a-service package to do just that. The seller, a hacker who reportedly specializes in selling skimming products to help thieves steal card data from ATMs and point-of-sale devices, calls his product “Revolution” and offers to provide buyers with a list of U.S. financial institutions that have not fully or properly implemented systems for accepting and validating chip-card transactions.

First, a bit of background on chip-based cards is in order. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system that has already been adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a card’s magnetic stripe. EMV cards contain a secure microchip that is designed to make the cards very difficult and expensive to counterfeit.

There are several checks that banks can use to validate the authenticity of chip card transactions. The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal “counter” mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.

It appears that the Evolution software is designed to target banks that are in the process of architecting their payment networks to handle EMV transactions, but that nevertheless aren’t yet properly checking the EMV cryptogram and/or counter for these transactions. It also seems that some banks have inexplicably lowered their fraud controls on EMV transactions, even though they are not yet taking advantage of the added security protections offered by chip-based cards.

“The reason I think they bother to fake EMV transactions is that they know the EMV card issuing banks relax their fraud controls on them and don’t have it implemented properly and therefore they do not properly check the dynamic EMV data,” said Avivah Litan, a fraud analyst with Gartner Inc.

That’s precisely what the fraudster selling Evolution points out in his somewhat awkwardly-worded sales thread for his product, which he said relies on Java card software capable of writing to chip and mag-stripe based cards.  Java Card refers to a software technology that allows Java-based applications (applets) to be run securely on smart cards and similar small memory footprint devices. Java Card is the tiniest of Java platforms targeted for embedded devices, and was originally developed for the purpose of securing sensitive information stored on smart cards.

“The good news is that USA is shifting to EMV,” he writes. “ This software works with Java cards work with static EMV security not with dynamic. Static means the [counter] remains the same every transaction. The thing to add is that I will provide from a lot of banks that uses static some of them that has been tested on it after purchase. Imagine how many banks using STATIC!“

This same fraudster appears to be the operator of an online store called “Last Carding,” which sells stolen credit cards and includes a number of tutorials on how to conduct card fraud. The crook running this site says he’s online twice a day, but that he takes Sundays off. Interestingly, the clock on his Web store says he operates on Central America time (-06:00 GMT).

The “Last Carding” store sells stolen cards, tutorials and software for perpetrating card fraud.

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

Earlier this month I wrote about Antidetect, a commercial tool designed to help thieves evade fraud detection schemes employed by many e-commerce companies. That piece walked readers through a sales video for Antidetect showing the software being used to buy products online with stolen credit cards. Today, we’ll take a closer look at clues to a possible real-life identity of this tool’s creator.

The author of Antidetect uses the nickname “Byte Catcher,” and advertises on several crime forums that he can be reached at the ICQ address 737084, and at the jabber instant messaging handles “byte.catcher@xmpp.ru” and “byte.catcher@0nl1ne.at”. His software is for sale at antidetect[dot]net and antidetect[dot]org.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Searching on that ICQ number turns up a post on a Russian forum from 2006, wherein a fifth-year computer science student posting under the name “pavelvladimirovich” says he is looking for a job and that he can be reached at the following contact points:

ICQ: 737084

Skype name: pavelvladimirovich1

email: gpvx@yandex.ru

According to a reverse WHOIS lookup ordered from Domaintools.com, that email address is the same one used to register the aforementioned antidetect[dot]org, as well as antifraud[dot]biz and hwidspoofer[dot]com (HWID is short for hardware identification, a common method that software makers use to ensure a given program license can only be used on one computer).

These were quite recent registrations (mid-2014), but that gpvx@yandex.ru email also was used to register domains in 2007, including allfreelance[dot]org and a domain called casinohackers[dot]com. Interestingly, one of the main uses that Byte Catcher advertises for his Antidetect software is to help beat fraud detection mechanisms used by online casinos. As we can see from this page at archive.org, a subsection of casinohackers.com was at one time dedicated to advertising Antidetect Patch — a version that comes with its own virtual machine.

That ICQ number is tied to a user named “collisionsoftware” at the Russian cybercrime forum antichat[dot]ru, in which the seller is advertising software that routes the user’s Internet connection through hacked PCs. He directs interested buyers to the web site cn[dot]viamk[dot]com, which is no longer online. But an archived version of that page at archive.org shows the same “collision” name and the words “freelance team.” The contact form on this site also lists the above-referenced ICQ number and email gpvx@yandex.ru, and even includes a résumé of the site’s owner.

Another domain connected to that antichat profile is cnsoft[dot]ru, the now defunct domain for Collision Software, which bills itself as a firm that can be hired to write software. The homepage lists the same ICQ number (737084).

The ICQ.com profile page for that number includes links to accounts on Russian fraud forums that are all named “Mysterious Killer.” In one of those accounts, on the fraud forum exploit[dot]in, Mysterious Killer lists the same Jabber and ICQ addresses, and offers a variety of services, including a tool to mass-check PayPal account credentials, as well as a full instructional course on click-fraud.

Antidetect retails for between $399 and $999, and includes (somewhat unreliable) live support.

Both antifraud[dot]biz and allfreelance[dot]org were originally registered by an individual in Kaliningrad, Russia named Pavel V. Golub. Note that this name matches the initials in the email address gpvx@yandex.ru. KrebsOnSecurity has yet to receive a response to inquiries sent to that email and to the above-referenced Skype profile. Update, 1:05 p.m.: Pavel replied to my email, denying that he produced the video selling his software. “My software was cracked few years ago and then it as spreaded, selled by other people,” he wrote. Meanwhile, someone has started deleting photos and other items linked in this story.

Original story:

A little searching turns up this profile on Russian social networking giant Odnoklassniki.ru for one Pavel Golub, a 29-year-old male from Koenig, Russia. Written in Russian as “Кениг,” this is Russian slang for Kaliningrad and refers to the city’s previous German name.

One of Pavel’s five friends on Odnoklassniki is 27-year-old Vera Golub, also of Kaliningrad. A search of “Vera Golub, Kaliningrad” on vkontakte.com — Russia’s version of Facebook — reveals a vk.com group in Kaliningrad about artificial fingernails that has two contacts: Vera Ivanova (referred to as “master” in this group), and Pavel Vladimirovich (listed as “husband”).

The Vkontakte profile linked to Pavel’s name on that group has been deleted, but “Vera Ivanova” is the same face as Vera Golub from Pavel’s Odnoklassniki profile.

A profile of one of Vera’s friends – one Natalia Kulikova – shows some photos of Pavel from 2009, where he’s tagged as “Pavel Vladimirovich” and with the link to Pavel’s deleted Vkontakte profile.  Also, it shows his previous car, which appears to be a Mitsubishi Galant.

Pavel, posing with his Mitsubishi Galant in 2008.

A search on the phone number “79527997034,” referenced in the WHOIS site registration records for Pavel’s domains — antifraud[dot]biz and hwidspoofer[dot]com — turns up a listing on a popular auto sales Web site wherein the seller (from Kaliningrad) is offering a 2002 Mitsubishi Galant. That same seller sold a 2002 BMW last year.

On one level, it’s amusing that a guy who sells software to help Web criminals evade detection is so easily found on the Internet. Then again, as my Breadcrumbs series demonstrates, many individuals involved in writing malware or selling fraud tools either do not care or don’t take too many precautions to hide their identities — probably because they face so little chance of getting into trouble over their activities as long as they remain in Russia.

The above photo of Pavel in his Mitsubishi isn’t such a clear one. Here are a couple more from Kulikova’s Vkontakte pictures.

Vera and Pavel Golub in April 2012.

Pavel V. Golub, in 2009.