$45 Million – Cyber Heist

Magicians rely on sleight of hand and target the way the human mind construes what it perceives. They are always on the lookout for loopholes and for technology that can assist them in their acts.

Weakness and a lack of common sense are inherent parts of the human psyche; in Information Technology, however, we have RFCs and compliance guidelines to help us overcome these shortcomings and make this virtual world a safer place to live.

A few years ago, I had raised some questions about the internal workings of Indian organizations, especially those in the banking sector. Here is a small snippet for a quick read:

I have observed a lot of shopping malls which store entire credit-card and debit-card data on their own servers, and their employees are encouraged to swipe the card into their own POS along with the one provided by the banks. It is only a matter of time until someone hacks into these and finds a treasure trove of information. Whether the information stored by Indian shopping malls follows the PCI-DSS norms or not, only time will tell.

Will the security of Indian organizations be severely tested, or has it already been tested without anyone knowing about it?

Sounds untrue?

A few weeks ago, Bank of Muscat and National Bank of Ras Al Khaimah PSC (RAKBANK), based in Oman and the United Arab Emirates respectively, lost around $45 million in a well-coordinated global cyber-heist. At the center of this action were two card-processing companies with major operations in Pune and Bangalore.

In the hit against Bank of Muscat, the processor is enStage Inc, based in Cupertino, California, a source close to the Bank of Muscat said. Bank of Muscat has not commented on the attack.

Officials at enStage did not respond to requests for comment on Saturday. EnStage CEO Govind Setlur said in a statement in the Times of India his company had implemented security enhancements since the attack.

In the RAKBANK case, the processor is India’s ElectraCard Services, according to people familiar with the situation. RAKBANK has not confirmed that ElectraCard Services is the payment processor and ElectraCard Services has not commented.
Sources: NDTV and Yahoo.

How was this cyber heist done?

The hackers intruded into the networks of these card processors and targeted a few pre-paid debit cards, whose balance and withdrawal limits were raised. Copies of the cards were then distributed and, in two separate coordinated attacks on ATMs, the cash was withdrawn within a few hours. The first wave took $5 million on 21st December 2012; later, on February 19th 2013, the criminals withdrew $40 million. The ATMs were located in geographically separate areas.

From the looks of it, this is a wake-up call for Indian outsourcing partners to understand that data security and data integrity are highly sensitive issues, and that every effort should be made to protect not just the data but also the network. Insider threats cannot be ruled out in such cases; however, if the entire system itself is susceptible, then an insider explanation can be ruled out.

A lot is still to be desired from Indian organizations, especially when it comes to IT security and its compliance. I wouldn’t be surprised if you find yet another Indian organization in the news in the next few months for all the wrong reasons.

Posted in eScan 14, Security

The Professional Web

“The Professional Web” is what “.pw” domains are being projected and promoted as.

Recently we have been observing a rise in spam originating from .pw domains. The .pw ccTLD had only recently opened domains for registration, and at a price much lower than that of .com domains.

Many researchers will concur that a low price is an invitation to spam and malware domain registrations. For years researchers have been battling with various registrars to either sinkhole the domains or get them suspended, in order to maintain a clean Internet.

However, it has been my personal experience that not every registrar or registry will assist you in this task; they may present numerous hurdles or simply redirect your complaints to the rogue registrar.

Yes, rogue registrars do exist. These registrars will dilly-dally, give vague explanations, or simply ignore your requests to review a domain that was registered with the intention of serving malware or spam.

Previously, I had written about the .ru ccTLD and its association with numerous malicious domains. The difficulties faced by this registry are tremendous and unimaginable.

However, there is one registrar which has stood against all odds and stuck to its promise of providing us with a clean Internet. Its zero-tolerance policy is not mere words; it is backed up with action.

Directi Internet Solutions Pvt. Ltd. is the registrar which controls the .pw ccTLD and other TLDs. In the past few days, their actions have spoken louder than their words. They are the only organization to have recognized the importance of identifying rogue registrants and the domains registered by them, and of ultimately taking preventive measures. The .pw ccTLD was infested with spam domains; in the past couple of days they not only identified the rogue entity and took preventive measures against it but also suspended the domains. That is a +1 for such a young ccTLD.

Lower-priced domains coupled with a proactive and alert compliance / anti-abuse team will ensure that the TLDs controlled by Directi remain largely devoid of malware and spam domains; not 100%, but certainly not like the .ru ccTLD or the other registrars that always end up in the top-10 malware TLD lists.

I have been writing blog posts about the methods to detect rogue registrants, based on my interaction with the compliance team of Directi and on my personal experience. Link 1 and Link 2 describe the various methods used for finding rogue registrants.

Moreover, whenever other registrars were made aware of these methods they simply chose to ignore them, and even the good registrars only take action against those domains which have been submitted for review.

One registrar even went to the extent of explaining that, since the malicious domains are not hosted on the infrastructure provided by them, i.e. their hosting service, they cannot take any preventive action. These are rogue registrars, and no one seems to do anything about them.

In the ecosystem of the Internet, domain registrars play a very important role in maintaining and sustaining it, and in the future only security-conscious registrars who take proactive steps will survive. At some point in the future I believe action will be taken against the very existence of rogue registrars; it is only a matter of time. Today the Internet is governed by the individual laws of each country, but the day is not far away when every country will arrive at a common consensus on how to tackle cyber crime and cyber criminals, be it domain registrations or hosting servers, all under one unified law. Sounds like a Utopian ideology?

To sum it up: I hope other domain registrars learn a thing or two about tackling the menace of malicious domains from Directi and their compliance team.

Posted in eScan 14, Security

Phishing – Blocked by htaccess

In recent months, we at eScan have been observing a whole bunch of phishing attacks on Indian banks. CERT-IN has been informed on multiple occasions, but the phishing scams just don’t seem to end.

Until recently, I had never seen the usage of .htaccess in a phishing kit; however, this time I got hold of the source code, which revealed its inclusion.

The .htaccess is used to block access attempts from unwanted locations and, more specifically, to accept connections only from India.

[Image: list of files used in the phishing attack]

The rest remains the same: a phishing site asking the user to provide login credentials, etc. It is the usage of .htaccess that I want to highlight.

On malware-laced websites we have normally seen .htaccess and other methods used to deny connections from certain IP addresses; for a phishing site, however, this is something new.

Some of the IP addresses included in this .htaccess belong to organizations that provide security solutions. To ensure that the phishing campaign is a successful one, the addresses of such organizations are blocked, so their scanners are denied the phishing content and misclassify the site.

Since our latest product, eScan 14, employs a Dynamic Phishing Filter, users from different geographical areas will get varied responses; any user in a non-blocked IP address range will still be protected by the Dynamic Phishing Filter, as they are the ones who are served the phishing content.

Secondly, database-based detection will be severely impaired: DB cleanup relies on the error code generated by the .htaccess, and the URL might be removed from the DB, again putting at risk the users who rely solely on DB-based detection.
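Two defender-side checks that follow from the above, as an added example and not code from the phishing kit or from eScan: an evaluator for the Apache 2.2 `Order`/`Allow`/`Deny` rules such a .htaccess uses, so an analyst can tell whether a scanner address would be denied, and a delisting rule that refuses to treat a 403 as evidence that the phishing page is gone. The .htaccess sample and the IP ranges are constructed (RFC 5737 documentation prefixes), standing in for the Indian ranges a real kit would list.

```python
import ipaddress

# Constructed sample in the shape of the allow-list .htaccess the post describes:
# deny everyone, then allow a few ranges (Apache 2.2 mod_authz_host syntax).
SAMPLE_HTACCESS = """
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24
Allow from 198.51.100.0/25
"""

def parse_htaccess(text):
    """Return (order, allow_rules, deny_rules); the keyword 'all' is kept as None."""
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            target = allow if key == "allow" else deny
            for tok in parts[2:]:
                target.append(None if tok.lower() == "all"
                              else ipaddress.ip_network(tok, strict=False))
    return order, allow, deny

def _matches(ip, rules):
    return any(net is None or ip in net for net in rules)

def is_allowed(client_ip, text):
    """Evaluate a client address the way mod_authz_host applies Order."""
    order, allow, deny = parse_htaccess(text)
    ip = ipaddress.ip_address(client_ip)
    allowed, denied = _matches(ip, allow), _matches(ip, deny)
    if order == "allow,deny":
        return allowed and not denied   # default deny; a matching Deny wins ties
    return allowed or not denied        # deny,allow: default allow; Allow wins ties

def should_delist(observations):
    """observations: (vantage_ip, http_status) pairs from several scanner locations.
    A 403 is ambiguous (it may only mean that vantage is on the deny list), so it is
    never evidence the page is gone; delist only when every vantage saw it gone."""
    gone = {404, 410}
    return bool(observations) and all(status in gone for _, status in observations)
```

Note the Apache gotcha this sample avoids: with `Order Allow,Deny` a trailing `Deny from all` is evaluated last and denies every client, so allow-listing kits use `Order Deny,Allow`.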

In the near future, phishing campaigns targeting different banks, institutions and online services may limit their target audience by geographical location, and those will be testing times for everyone.

Posted in eScan 14, Security

RU a nightmare?

Don’t judge a book by its cover or a blog by its title. The title of today’s blog post isn’t your daily SMS lingo; it is in fact about .RU domains.

Ask any security guy about .ru and they will promptly say “Which malware did you find in there?”. Such is the clout of .ru domains in the world of malware that the bad guys consider it profitable and often find it quite useful to register .ru domains to sell and spread their wares.

Be it fast-flux, the Blackhole (BHEK) or Styx exploit kits, in fact anything malicious, and you will find the majority of the domains belonging to the .RU ccTLD.

One thing is certain: SOMETHING IS VERY VERY WRONG.

There are two different things which need to be investigated.

1: Registry Terms and Conditions

When we look into the Terms and Conditions for the registration of .RU domains, it is comforting to know that the rules are certainly stringent; at least, that is how they appear when you read them. You may read the entire T&C over here.

5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain’s information addressing system being used for:
  1. receipt from third parties (users  of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
  2. unauthorized access to third parties’(users, visitors)  information systems or for infecting these systems with  malware or taking control of  such software (botnet control);
  3. dissemination of materials with  pornographic images of the minors.
Upon the receipt of the request, the Registrar shall dispatch to the Administrator a notification with the text of the petition attached thereto and, where necessary, request from the Administrator the documents proving the information entered in the Registry and intended for identification of the Administrator. The Registrar shall resume the domain name delegation in accordance with the procedures set forth by the Contract when the cause of termination of the domain name delegation has been eliminated.
The Coordinator shall post the list with competent organization on its official website.

So, the gist of this content is that everyone has the right to complain, but only through those organizations selected by the Coordinator (the Registry). I presume the last sentence is pointing to this list, which includes CERT-GIB.

Way back in 2010, the .RU Registry made some path-breaking changes to the Terms and Conditions governing the registration and usage of domains, so as to decrease the registration of malware domains. At present, in the year 2013, the T&C states the following. This is a snippet; you may read the entire “Section 9” to understand the basic requirements for registering a .ru domain.

9.2.6. The following information intended for identification of Administrators represented by legal entities shall be stored in the Registry:
  1. name in full;
  2. the Administrator’s name presented represented in characters of the Roman alphabet and other ASCII-7 characters;
  3. residence (legal address);
  4. the taxpayer’s identification number (for Russian corporations as well as for the foreign ones, which have it); the tax identifier or an identifier in the trade register (for foreign corporations not registered as taxpayers in the Russian Federation).

So where is the catch? Point 9.2.6 clearly states that documents pertaining to the proper identification of the registrant / administrator have to be provided.

9.3.7. The domain name delegation shall be terminated where the Administrator fails to execute the request to submit details and documents within the specified timeline, and the Administrator’s requests relating to the domain name (including requests for extension of registration) shall not be executed until the request is executed.

And what is the time-frame?

9.3.9. The Registrar shall at least once a year dispatch a notification to the Administrator on the need for examination of information about the Administrator stored in the Registry.

And what exactly happens when we put all these points together? We have a system which accepts the information provided by the registrant / administrator as given, and once a year the Registrar sends an email about the need to verify the information. How very convenient.

How do we prove this statement? Look at the WHOIS records.

2: WHOIS records

Let us consider two domains: the first is a legitimate domain, while the other is a malware domain.

domain:        MAIL.RU
state:         REGISTERED, DELEGATED, VERIFIED
domain:        IMANRAIODL.RU
state:         REGISTERED, DELEGATED, UNVERIFIED
created:       2013.03.26

We are not interested in the other details provided by the Registrar, only in the state of the record.

REGISTERED: the domain is registered.
DELEGATED: the domain can be resolved; “NOT DELEGATED” means the domain has been suspended by the registrar for reasons known to them.
VERIFIED / UNVERIFIED: this is the field we are interested in. UNVERIFIED means the identity of the Registrant/Administrator has not been verified.

So what do we have here? A malware domain was registered almost 24 days ago and the identity of the registrant/administrator has still not been verified. Secondly, a quick Google search will in fact confirm that IMANRAIODL.RU is a malicious domain.
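The triage the post performs by eye, as an added example (not a tool from the post or from eScan): parse the `state:` and `created:` fields of a .RU WHOIS record and list the reasons a domain deserves a closer look, with UNVERIFIED as the key flag. The first two records are reduced to the fields quoted above; the third (EXAMPLE-SUSPENDED.RU) is a constructed placeholder showing a suspended domain. The `young_days` threshold is an assumption.

```python
from datetime import date

# Records in the shape of the .RU WHOIS output quoted in the post, reduced to the
# fields discussed there. The third record is constructed to show a suspended domain.
LEGIT = """domain:        MAIL.RU
state:         REGISTERED, DELEGATED, VERIFIED
"""
SUSPECT = """domain:        IMANRAIODL.RU
state:         REGISTERED, DELEGATED, UNVERIFIED
created:       2013.03.26
"""
SUSPENDED = """domain:        EXAMPLE-SUSPENDED.RU
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
created:       2013.03.01
"""

def parse_ru_whois(text):
    """Return (domain, set of state flags, created date or None)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    flags = {f.strip().upper() for f in fields.get("state", "").split(",") if f.strip()}
    created = None
    if "created" in fields:               # .RU WHOIS dates are YYYY.MM.DD
        y, m, d = (int(part) for part in fields["created"].split("."))
        created = date(y, m, d)
    return fields.get("domain", "").upper(), flags, created

def triage(text, today, young_days=30):
    """Reasons to escalate a .RU domain for review: the registrant identity is still
    UNVERIFIED (the state the post points at), the registration is young (threshold is
    an assumption), or the registrar has already pulled delegation. Empty list: nothing
    stands out from the WHOIS state alone."""
    domain, flags, created = parse_ru_whois(text)
    reasons = []
    if "NOT DELEGATED" in flags:
        reasons.append("suspended by registrar (NOT DELEGATED)")
    if "UNVERIFIED" in flags:
        reasons.append("registrant identity not verified")
    if created is not None and (today - created).days <= young_days:
        reasons.append(f"registered {(today - created).days} days ago")
    return domain, reasons
```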

Conclusion / Hypothesis:

The T&C were created with the view that requiring real, verifiable information would decrease the registration of malware domains; however, the method itself is flawed.

Let me ask you one question: for the sake of the security and integrity of a country, do you feel offended by security checks? So, when legitimate people want to register a domain, they shouldn’t mind a few hardships to get themselves verified, as in the future their verified identity can be used to register domains in bulk.

However, if you are allowed to register a domain first and are only later asked to prove your identity, I believe the very idea behind creating these T&C rules has gone for a toss.

The present T&C rules not only create the necessary loophole but also promote the idea of “bullet-proof” registrations.

As we all know, within 48 hours of a malware domain being registered it is used for serving malware, so where is the proactiveness required to block such malicious domains?

Remember, for any complaints related to malicious .RU domains, contact the organizations provided in the list.

Some well-known malware searches:

.RU:8080 –> Exploit Kit

.IN:8080 – in fact you may replace the ccTLD in the URLQuery results with any ccTLD of your choice and play around with the statistics.

Posted in eScan 11