Thursday, June 7 2007
Malserver ...
By Cedric Pernet on Thursday, June 7 2007, 17:45 - Cybercrime
Google published an interesting study about web servers and malware...
The link is here.
It is very interesting to see the differences between web servers according to the country they are hosted in.
And then, even more, to see which of these servers host the largest amount of malware.
For example, in China nearly all malware is served from IIS, while in Germany almost all of it is on Apache.
What also astonishes me is the growth of nginx, knowing it's a very young product (its first public version was released in October 2004)... Of course, it's mostly used in Russia, as it is a Russian product, but still, I would not have thought it was already so widespread worldwide...
Cyber attack against Estonian government
By Cedric Pernet on Thursday, June 7 2007, 12:28 - Cybercrime
You might have been surprised not to see any reference on my Webl0g to the cyberwar that recently took place between Russia and Estonia for about three weeks (it began at the end of April).
Well, I have to admit I haven't had much time recently to spend here, and then, well... I guess you've read about it on plenty of other websites...
To be honest, I thought this kind of thing would have happened years ago. After all, botnets have always been able to DDoS (even a few old eggdrops are sometimes enough...) and it wouldn't have been surprising to see a successful DDoS against some special networks earlier...
Anyway, what happened in Estonia is definitely alarming... enough for NATO to study it, at least... and for Bruno Kerouanton to speak about it during his rump session at SSTIC 2007...
As usual, mainly because I'm short of time, I found a good article on the web about it, and it's HERE, from the Counterterrorism Blog.
Wednesday, June 6 2007
0-day "gray" market
By Cedric Pernet on Wednesday, June 6 2007, 12:42 - Security
Years ago, when a geek (usually a researcher or hacker) discovered a security vulnerability in an OS or in some major application, his first move was to loudly claim he had found it.
He did so by posting a lot on dedicated newsgroups, on some forum, and sometimes even in some newspaper.
He thereby made his reputation (and usually his ego) grow. One time out of two, he then mailed the owner of the product (or OS) about that new vulnerability.
By the way, a newly found vulnerability which is not yet patched or corrected is called a "0-day".
Things have changed nowadays, and the discovery of a new 0-day leaves the finder with some choices:
- Claiming the discovery, as has always been done.
- Keeping it for himself, and often coding exploits to use it in some way (usually malicious), until someone else finds it and patches it.
- Sharing it with a small community that exchanges 0-days (even more malicious).
- Selling it.
Of course, why should these countless hours not be paid?
Selling it on auction websites is generally a bad idea, but an interesting vulnerability can also be sold to criminal organizations, who would exploit it quickly to spread new malware, or to a government.
I won't develop more, because there's an amazing paper around, written by Charles Miller.
Believe me, it is very very interesting. Have a good time reading it ;-)
Thursday, May 31 2007
Mitnick Stealing ?
By Cedric Pernet on Thursday, May 31 2007, 14:56 - General
I came across this newspaper article today, and got angry reading it.
Does this so-called journalist have any evidence that Kevin Mitnick might "steal" information? Does he at least know what a security consulting company is?
Kevin Mitnick has paid his debt to Justice. He's just like any other man: he has the right to come back into society, and not to be accused of being guilty of everything he does!
I wish journalists would always check their information before claiming stuff... This one even writes about "ethics"? I guess he's got none... And I'm being polite ;-)
Wednesday, May 23 2007
Isn't it wonderful ?
By Cedric Pernet on Wednesday, May 23 2007, 16:46 - Security
Here is a very interesting article from silicon.com...
This article is about the Internet Engineering Task Force's preliminary approval of DKIM (DomainKeys Identified Mail).
Names such as Cisco, Yahoo, PGP Corporation and Sendmail are behind it, and this new system should be a good step in fighting illegitimate spam. Not perfect, but still a step.
The main principle is that mailers include a digital signature (using public-key cryptography, which is supposedly unforgeable) to prove they are the true senders.
Imho, this system is far from perfect, but it is still a good step...
Sunday, May 20 2007
Zunker, MeSpam, and Bretzels
By Cedric Pernet on Sunday, May 20 2007, 12:49 - Malware
Hail to King Jose ! :-)
By Cedric Pernet on Sunday, May 20 2007, 12:09 - Security
Well, I'm the kind of dude who admires a lot of people... People like Gordon Matthew Sumner, Mark Knopfler, Anathema, Matthieu Chedid, and so many others...
But not only am I an admirer of many musicians, I also have a fetish for Amiga demo coders like Dan (hi mate), Azathoth, Celebrandil, Mr Gurk, Promax, Slayer, Blacky (plop), Revolution (hi), Tec, Metallion, Chaos, Mahoney & Kaktus, Unknown, and also for PC demo coders like Ryg, Chaos (again), Keops (plop), Navis, BoyC...
Not to mention my kink for good Amiga and PC musicians like Frederic Motte (hi), Clawz, Audiomonster, Heatbeat, XTD, Monty (hi old mate), Romeo Knight, and so many others...
Now concerning IT security, I also have great respect for some people, like Jose Nazario, having read his excellent paper about Reverse Engineering Malicious JavaScript, and seeing everything he does for the IT security community...
And by the way, many thanks to Sid for his French report on CanSecWest 2007...
Monday, May 14 2007
Phisher interview...
By Cedric Pernet on Monday, May 14 2007, 15:27 - General
Here's part of an article from ha.ckers.org, which you can find here. It is an interview with a phisher; I'm including a copy/paste of the interview, which I find very interesting and won't comment on :-P
-----
How would you describe yourself? Age? Did you go to school? Interests?
Determined is the best word to describe myself. I'm 18 years young. Yes, I went to school. I left after high school. My interests are MMA (mixed martial arts), fitness and last but not least... the Internet!
How did you get your start in phishing? How did you get interested in it?
The typical scam mail that my parents kept receiving in their inbox. They were very poorly done! Yet in general they worked. So I knew automatically I could come up with more efficient methods and have a far greater outcome.
How long have you been phishing?
I've been phishing since I turned 14. So that's nearly 5 years.
Do you have any idea how many people's identities you've stolen so far?
Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven't even got a chance to look through.
Did you need to forge any particular relationships with other people/groups to get started?
No, when I started I went solo. A lot of groups came to me asking if I wanted in; I declined.
What types of sites make the best phishing sites?
Social networking sites, any site that involves teenagers ranging from 14 years old upwards.
What are the steps you take to set up a phishing site?
I try to find a domain name that would best suit the current target. Try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host (offshore are the most reliable), although I do tend to use compromised hosting accounts.
Secondly, I view the page source. Then I alter the source code to post the form's information to my phishing site.
Thirdly, I create a PHP file which will POST the current form's information to a text file on my server. I use the same PHP file with every site; just minor alterations are needed since it's merely a few lines of PHP code.
How many people do you typically phish per site you post?
That all depends on the size of the website (the amount of users). Usually, I phish 30k a day.
How do you monetize the identities and how much does that net you?
Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following, PayPal/e-gold/RapidShare/eBay accounts or even the email account itself, I sell those to scammers. All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest; the more time I invest, the greater the outcome.
Are there any costs associated with phishing?
Yes there are costs. A dedicated server, VPN, network encryption software and time.
What sort of hardware/software do you need to do this? Anything special (phishing kits, etc )? What kind of internet connection do you use?
For MOST social networking sites, I use a program called MyChanger. You can find it on this website - www.myownchanger.com - This makes phishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it's great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn't anything fancy, a standard 1mb ADSL line.
How do you keep yourself safe from being caught?
I use VPNs, dedicated servers, proxies and my network traffic is encrypted. All payments are made through e-gold.
Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?
Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.
Do you foresee any changes to the phishing industry that are worthy of note?
No.
Anything else you'd like to share/last words?
Lazy web developers are the reason I'm still around phishing.
Pretty telling on the current state of affairs, I'd say. The first interesting point I took from this was that IE7 and FF2 were actually a somewhat okay deterrent. From the looks of it, it hasn't made much of a dent - only changed the tactics that phishers use. I suppose we could have guessed that since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making a dent. I actually predicted that it would before IE7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.
The second is that the password is used in more than one place 50% of the time - we already knew that, but it's interesting to hear it from a phisher's perspective on how that's actually useful to help monetize the attack. A huge thanks to lithium who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?
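The phisher above describes the page-cloning step: copy the real site's login page and rewrite the form action so the credentials land on his own server. The checker below (an added example, not code from the ha.ckers.org article or from this blog) parses a fetched page and flags any password form that submits to a host other than the brand's legitimate login host, which catches both a look-alike domain and a clone dropped onto a compromised hosting account. All host names and the sample page are constructed for the demo.

```python
"""Flag cloned login pages whose password form posts somewhere unexpected."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record each <form> action and whether the form carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(page_url, html, legitimate_hosts):
    """Return absolute action URLs of password forms not posting to a legitimate host.

    An empty or relative action resolves against page_url, so a clone hosted on a
    compromised account is flagged even when its action looks innocent.
    """
    parser = FormCollector()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(target).hostname not in legitimate_hosts:
            flagged.append(target)
    return flagged


# Constructed sample: a copied login page dropped on a compromised host, with a
# relative action pointing at the phisher's credential collector script.
CLONED_PAGE = """
<html><body>
<form method="post" action="post.php">
  <input name="email" type="text">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input name="q" type="text"></form>
</body></html>
"""
LEGIT_HOSTS = {"www.example-social.net", "login.example-social.net"}

if __name__ == "__main__":
    clone_url = "http://compromised-host.example.org/~user/login.html"
    for url in suspicious_forms(clone_url, CLONED_PAGE, LEGIT_HOSTS):
        print("password form posts off-site to:", url)
```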
Sunday, May 13 2007
LdPinch and its parser, Zunker bot administration
By Cedric Pernet on Sunday, May 13 2007, 11:42 - Malware
Here is a post from F-Secure about a new LdPinch variant...
It is very interesting, because it also shows us something we usually don't get to see: the GUI used by the fraudster, called Pinch Parser PRO. You can see it here.
It definitely looks very professional...
Panda Software also brings us some nice screenshots of front-ends, showing how a big botnet can be administered, here.
The whole Panda article is here.
Wednesday, May 2 2007
E-Gold & Justice...
By Cedric Pernet on Wednesday, May 2 2007, 11:01 - General
I've read an interesting article from SecurityFocus...
The article is about a two-and-a-half-year FBI investigation, leading to the famous E-Gold being charged with four counts of violating U.S. laws restricting funds transfers and money laundering.
I think I'm not the only one thinking it would be great if E-Gold, and all other "companies" of this kind, would close for good... But I know, I'm a dreamer sometimes... ;-)
Friday, April 27 2007
Free Phish For All :-p
By Cedric Pernet on Friday, April 27 2007, 08:17 - Cybercrime
As reported on CERT LEXSI's weblog in THIS article by Nicolas WOIRHAYE, the French ISP "FREE" (aka FREE PROXAD) now has its own dedicated phishing kit.
I had been expecting this kind of phishing for quite a long time, but I had not yet seen one hitting a French ISP.
Of course, phishing such a company is a nice way for fraudsters to collect personal data, FTP access, mail accounts, big storage capacity, and so on...
Waiting to see one for "WannaDo" :-P
Sunday, April 15 2007
Did you see my profile ? A comment ...
By Cedric Pernet on Sunday, April 15 2007, 16:46 - Security
There has recently been a huge number of what I call "friendly networking systems"...
You all know about them: you get mails from long-forgotten friends who found traces of you on the net and are inviting you to join www.ohmygodhowdidwelivewithoutkeepingtouchforsuchalongtime.com or the like...
Either you refuse the invitation, smiling nastily as you immediately forget about this old guy you hated in your student years, or, being a good pal, you accept the invitation, connect to the site and start filling in personal info about yourself.
Now, how much of your private life do you want to share with perfect strangers on the Internet? Most of these networking sites show your profile, including the picture of your face, your current job, your interests, your friends, and whatever else you can think of, completely freely.
And most can be found with Google searches...
Most adults are careful about, and complain about, the "MySpace" kiddies community. Most parents ask their kids not to say too much about themselves on the Internet, and not to reveal their whole lives there. Giving such a lesson to a kid is great, but what should we think of those parents when they fill in every form they find and give so many details about themselves on a networking site?
Now the danger is there. I can pretend to be an old friend of yours. I can do it easily just by reading your details, seeing your picture, and having good social engineering skills.
Now if you're a nice woman, I could get a date with you; you would probably accept an invitation "to remember the good old days"...
If you're a person I have reasons to dislike or hate, I could make you fall into any kind of trap.
Now if you're a person not interested at all in computer security, I could probably make you click anywhere, or lead you to any malicious site, maybe already knowing what anti-virus/firewall you run at home... See what I mean?
Danger is everywhere... You just have to be aware of it.
And here is an article from Symantec about Facebook that you could also read ;-)
Friday, April 6 2007
Cascading...
By Cedric Pernet on Friday, April 6 2007, 15:34 - Security
Here is a very interesting article about a new kind of use of Cascading Style Sheets...
The article is written by Nick Sullivan...
I guess there's nothing much to add to the article; I just wanted to post a link so that people who read this blog will be aware of this kind of thing...
Thursday, March 29 2007
Search Engine Poisoning...
By Cedric Pernet on Thursday, March 29 2007, 16:26 - Security
There has been quite a lot of talk during the last months about "Search Engine Poisoning"... This topic is quite hot, since it can impact nearly any Internet user who has an unprotected or out-of-date system...
Here is a good article about Search Engine Poisoning, by Patrick Comiotto and Nicolas Brulez (Websense).
It is very interesting to read, and quite funny at some points ("dead code").
Do you think this kind of article could make some people paranoid? ;-)
Wednesday, March 28 2007
Drive-by Pharming...
By Cedric Pernet on Wednesday, March 28 2007, 15:04 - Security
Here is an article from Zulfikar Ramzan (Symantec) about "drive-by pharming".
The theory behind this name is easy to understand: a user whose broadband router still has its default password visits a malicious web page, which manages to change the DNS settings of the router.
If the password has been changed, the user should be safe and not victimized.
If the user still has the default password on his router, then his DNS settings can be changed, and the pharming starts...
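Drive-by pharming works because the victim's browser can be made to submit the router's settings form from a malicious page, and the router accepts it as long as the default credentials work. The sketch below (an added example, not code from Zulfikar Ramzan's paper or from this blog) shows the checks a router admin interface should make before applying a DNS change: an authenticated session, a per-session CSRF token echoed back by the form, and a request source that is the router itself, using the Origin header that modern browsers attach to form posts. The router address, field names and session handling are constructed for the demo.

```python
"""Reject cross-site changes to a router's DNS settings (added defensive sketch)."""
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # constructed example address of the router admin UI


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; empty string if it is not a usable URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


class RouterAdmin:
    def __init__(self):
        self.dns_servers = ["192.168.1.1"]   # default: router forwards DNS itself
        self.sessions = {}                   # session id -> csrf token for that session

    def login(self):
        """Start an authenticated session (password check omitted) and hand back (sid, csrf)."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def change_dns(self, headers, form, session_id):
        """Apply a DNS change only for a same-origin request carrying the session's token."""
        token = self.sessions.get(session_id)
        if token is None:
            return False, "not authenticated"
        # The browser sends the page's Origin (Referer as a fallback); a malicious
        # page's form post names that page's site, not the router.
        source = headers.get("Origin") or headers.get("Referer", "")
        if _origin_of(source) != ROUTER_ORIGIN:
            return False, "cross-site request rejected"
        # A third-party page cannot read the token out of the router's own page.
        if not secrets.compare_digest(form.get("csrf", ""), token):
            return False, "bad CSRF token"
        self.dns_servers = [s.strip() for s in form["dns"].split(",")]
        return True, "dns updated"


def demo():
    """Legitimate change, then a drive-by attempt riding on the same session."""
    router = RouterAdmin()
    sid, token = router.login()
    ok, _ = router.change_dns({"Origin": ROUTER_ORIGIN},
                              {"csrf": token, "dns": "192.0.2.53"}, sid)
    # Constructed attack: form auto-submitted from evil.example while the
    # browser still holds the router session; no token, foreign Origin.
    bad, why = router.change_dns({"Origin": "http://evil.example"},
                                 {"dns": "203.0.113.5"}, sid)
    return ok, bad, why, router.dns_servers


if __name__ == "__main__":
    print(demo())
```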
Now it reminds me of a funny (or should I say silly?) story.
I had problems with my personal Internet connection some time ago. It wasn't a problem on my side; it all came from my ISP, who also provides me with a broadband router (a Livebox, not to name it...).
I wasn't home, so my girlfriend called the hotline of this ISP. She explained the problem, and the technician (should I use another word and be mean? Hmmm, tempting...) answered that they had to check some parameters together.
Here's the conversation they had, as she told me later on:
Technician: ok, open your Internet Explorer...
Girlfriend: ok, I'm opening Firefox...
Technician: well...hmmm... hmmm... (feeling uneasy) ok... enter "xxx.xxx.xxx.xxx"
Girlfriend: ok, I see a box asking me for my login and password.
Technician: good. Type twice "admin".
Girlfriend: no, this won't work.
Technician: why ??
Girlfriend: Because my boyfriend changed the password.
Technician: ????? why the hell did he do that ?????
Girlfriend: (astonished) well... hmmm... to have some kind of... security?
I was grinning when she told me about this call... In the end, my parameters were right; the problem was on the line itself... I won't comment further on what I think about this kind of "technician"... ;-)
Sunday, March 18 2007
Forensics... Spreading like a worm ;-)
By Cedric Pernet on Sunday, March 18 2007, 11:14 - General
Here is an article from al.com...
So Hoover will host the NATIONAL COMPUTER FORENSICS INSTITUTE.
It will welcome a thousand people each year, police investigators as well as prosecutors and judges...
But it will also train "private-sector specialists"... Could you imagine this mix here in France? *grin*
I don't even dare write about the money involved in this project... On the other hand, I would give a lot to attend a training there, to satisfy my curiosity and to learn more about forensics ;-)
Tuesday, March 13 2007
Numberz
By Cedric Pernet on Tuesday, March 13 2007, 10:34 - General
I know, I'd better post personal stuff/comments on the blog instead of other people's articles, but... I'm lazy and have little time for it at the moment ;-)
Anyway, here's another interesting article about playing with numbers... Written by Dr. Neal Krawetz, it tells us about laptop losses and about spam/phishing...
To bounce off this topic, I'm amazed by the number of employees who are allowed to take their work laptop home, and who have no idea what computer security is.
They take the laptop home, store personal and professional information on it without any encryption, connect the machine to the Internet, and so on...
All of this drives me quite mad, to stay polite ;-)
Tuesday, March 6 2007
Javascript traps for analysts
By Cedric Pernet on Tuesday, March 6 2007, 10:05 - Security
Here is a really nice article from Bojan Zdrnja I've just read, about a new kind of trap set against JavaScript reversers.
I guess everyone reading this blog knows how to deobfuscate most of the JS currently in use, but the article shows that malware coders are starting to take care not to be so easily reversed.
Personally (usually in hacking challenges) I mainly use the alert() method to deobfuscate parts of JS code, but it's true that it can become quite boring and tiring sometimes...
And to be honest, I didn't know Rhino, which I immediately apt-get'ed after reading this article ;-)
Friday, March 2 2007
PHP Bug's month
By Cedric Pernet on Friday, March 2 2007, 15:03 - Security
Well, to make it short, March is the month of... PHP Bugs!
Amazing to already see five bugs on the 2nd day of the month... Will it keep growing at this rate?
Let's wait and see... :-)
Wednesday, February 28 2007
Trashing Inc.
By Cedric Pernet on Wednesday, February 28 2007, 10:18 - Security
Here's an article I've just read...
This article is about the old, well-known technique of "trashing" to get crucial information about companies, or about their users, their network, their security... Anything you can think of that could be found in your trash.
This technique often proved efficient in the '90s, used widely by malicious hackers to get user names and passwords from companies.
Well, I was smiling when I saw this article, because I am still naive enough to think that almost all companies actually *are* disposing of their trash in secure ways.
I might change my mind ;-)