Tag: Cybercrime

“In the first Minnesota case to address a new and growing form of cybercrime, federal prosecutors have charged a former state resident with employing “hackers-for-hire” to sabotage the website of a local business.

The case reflects concern among law enforcement officials nationwide that hackers ranging from disgruntled ex-employees to enemy nation states are ramping up attacks on an ever-expanding array of personal digital devices connected to the web.

Prosecutors say John Kelsey Gammell, 46, paid hacking services to inflict a year’s worth of “distributed denial of service” (DDoS) attacks to bring down websites affiliated with Washburn Computer Group, a Monticello business where he used to work.

DDoS attacks overwhelm a network with data, blocking access for legitimate users and even knocking web services offline. Washburn, a point-of-sale system repair company, told prosecutors that Gammell’s attacks cost it about $15,000.

Authorities say Gammell didn’t stop there: He is accused of paying $19.99 to $199.99 in monthly payments to try to bring down web networks that included those of the Minnesota Judicial Branch, Hennepin County and several banks.

“As a society that is increasingly reliant on network-connected devices, these types of cyberattacks pose a serious threat to individuals, businesses, and even our nation’s critical infrastructure,” Acting U.S. Attorney Gregory Brooker in Minneapolis said, speaking generally about the new forms of crime.

The FBI’s Internet Crime Complaint Center reported more than $11 million in losses to victims of DDoS attacks last year.

“We have a growing trend where the sophistication of the dark web and the sophistication of certain professional hackers to provide resources is allowing individuals — and not just experienced individuals — to conduct hacks and conduct DDoS,” said FBI Supervisory Special Agent Michael Krause, who leads the FBI’s cyber squad in Minneapolis.

Devices such as digital video recorders and home appliances recently have been marshaled by cyber criminals to carry out massive operations like last year’s flooding of a prominent web infrastructure company that affected sites like Amazon and Netflix. In a separate attack, in June 2016, the Minnesota Judicial Branch’s website went down for 10 days, alarming local officials because so many government services have at least some nexus to the web.

“A lot of people think it’s just a nuisance,” said Chris Buse, Minnesota’s chief information security officer. “But it’s not. If you look at what government does — basic critical services — if those services don’t continue, people can literally die.”

Minnesota IT Services, which administers the state’s computer systems, said state networks field an average of more than 3 million attempted cyberattacks daily. Officials say the state still hasn’t experienced a major attack on par with a 2012 South Carolina breach that exposed personal data for 3.7 million residents and cost the state $20 million.

But with hackers able to take over hundreds of millions of unsecured devices worldwide to flood networks in a single DDoS attack, security professionals are trying to stay ahead of the threat.

“In our environment it’s pretty clear now that every organization needs some sophisticated and expensive tools to mitigate these DDoS attacks,” Buse said.

‘We will do much business’

The government’s case against Gammell underlines the difficulty of linking any suspect to the daily torrent of attacks often carried out by far-afield hackers who advertise their services online. Authorities might not have caught Gammell without tracing taunting e-mails he allegedly sent after attacks.

One of his preferred hacking-for-hire services was called vDOS, which was shuttered last year after the arrests of two alleged operators in Israel. The FBI obtained files from vDOS that included records of Gammell’s purchases, attacks and communications with vDOS administrators and customers.

One day in 2015, according to a criminal complaint, Gammell eagerly wrote the company boasting of his success in blowing past a “DDoS mitigation” program to kick an unnamed network offline for at least two days. “We will do much business,” Gammell allegedly wrote. “Thank you for your outstanding product.”

According to an FBI agent’s sworn affidavit, Gammell sought out seven sites offering DDoS-for-hire services and paid monthly fees to three to carry out web attacks from July 2015 to September 2016.

Charges are also expected out of Colorado and New Mexico for firearms offenses stemming from searches in the case.

Appearing in a Minneapolis courtroom last week, Gammell confirmed that he rejected a plea offer that would have resolved all charges and capped his possible prison sentence at a mandatory 15 to 17 years. A federal magistrate is reviewing motions filed by Gammell’s attorney, Rachel Paulose, to dismiss the case or suppress evidence.

On Monday, Paulose told U.S. Magistrate Judge David Schultz that evidence the FBI obtained from an unnamed researcher should be thrown out and suggested the data could itself have been retrieved by hacking.

Paulose, who did not respond to messages seeking comment for this story, also argued in pretrial motions that Gammell didn’t personally attack Washburn.

“The government has failed to charge a single one of those ‘cyber hit men’ services, named and evidently well known to the government,” Paulose wrote. “Instead the government’s neglect has allowed the professional cyber hit men for hire to skip off merrily into the night.”

Addressing Schultz last week, Paulose described the attacks on Washburn as “essentially a prank on a dormant site not doing business.”

“Even if Mr. Gammell thinks it’s a prank,” Assistant U.S. Attorney Timothy Rank replied, “it’s a criminal prank.”

View Source

RICHMOND, Va. — Virginia State Police is warning citizens about an “automated traffic ticket email scam” being used by scammers to demand money for unpaid traffic tickets.

“The email scam is just one of numerous tactics used by scammers to harass individuals under the guise of being the Virginia State Police,” a VSP spokesperson wrote.

State Police said they do not use or issue digital/automated traffic tickets or summonses.

The department is warning anyone who receives the email to not click on any links provided and delete it immediately.

This scam notice comes one month after the department warned citizens about state police phone numbers being cloned by scammers demanding money and/or threatening individuals with arrest warrants.

State Police advised residents who received the calls to hang up immediately.

Here are some tips from VSP to protect you from similar scams:

Never open or click on a link in an email from an unknown email address, individual or organization.

To check the validity of an email, locate the entity’s website and call to determine if it is a legitimate email. The same goes for an individual.

Never give out personal information, credit card numbers, bank account information, etc. to unknown individuals or entities via phone or email.

View Source

Credit monitoring company Equifax says a breach exposed the social security numbers and other data of about 143 million Americans.

After discovering the breach, but before notifying the public, three Equifax senior executives sold shares in the company worth almost $1.8m. Since the public announcement, the company’s share price has tumbled.

The Atlanta-based company said Thursday that “criminals” exploited a US website application to access files between mid-May and July of this year.

It said consumers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers were exposed. Credit card numbers for about 209,000 US consumers were also accessed.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said the company’s chairman and CEO Richard Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

The company said hackers also accessed some “limited personal information” from British and Canadian residents.

Equifax said it doesn’t believe that any consumers from other countries were affected.

Such sensitive information can be enough for crooks to hijack people’s identities, potentially wreaking havoc on the victims’ lives.

Financial institutions, landlords and other businesses draw on data from credit monitoring companies like Equifax to verify people’s identity and ensure they are suitable for leases and loans. This breach has given cybercriminals a treasure trove of data to assume the identities of those affected and carry out fraudulent transactions in their name.

“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”

Ryan Kalember, from cybersecurity company Proofpoint said: “This has really called into question the entire model of how we authenticate ourselves to financial institutions. The fact that we still use things like mother’s maiden name, social security number and date of birth is ridiculous.”

The breach could also undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.

Equifax discovered the hack 29 July, but waited until Thursday to warn consumers. In the interim, as first reported by Bloomberg, chief financial officer John Gamble sold shares worth $946,374 and president of US information solutions Joseph Loughran exercised options to sell stock worth $584,099. President of workforce solutions Rodolfo Ploder also sold stock worth $250,458.

Ines Gutzmer, head of corporate communications for Equifax, said: “The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”

Read More

Facebook turns off more than 1 million accounts a day as it struggles to keep spam, fraud and hate speech off its platform, its chief security officer says.

Still, the sheer number of interactions among its 2 billion global users means it can’t catch all “threat actors,” and it sometimes removes text posts and videos that it later finds didn’t break Facebook rules, says Alex Stamos.

“When you’re dealing with millions and millions of interactions, you can’t create these rules and enforce them without (getting some) false positives,” Stamos said during an onstage discussion at an event in San Francisco on Wednesday evening.

Stamos blames the pure technical challenges in enforcing the company’s rules — rather than the rules themselves — for the threatening and unsafe behavior that sometimes finds its way on to the site.

Facebook has faced critics who say its rules for removing content are too arbitrary and make it difficult to know what types of activity it will and won’t allow.

Political leaders in Europe this year have accused it of being too lax in allowing terrorists to use Facebook to recruit and plan attacks, while a U.S. Senate committee last year demanded to know its policies for removing fake news stories, after accusations it was arbitrarily removing posts by political conservatives.

Free speech advocates have also criticized its work.

“The work of (Facebook) take-down teams is not transparent,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, which advocates for free speech online.

“The rules are not enforced across the board. They reflect biases,” says Galperin, who shared the stage with Stamos at a public event that was part of Enigma Interviews, a series of cybersecurity discussions sponsored by the Advanced Computing Systems Association, better known as USENIX.

Stamos pushed back during the discussion, saying “it’s not just a bunch of white guys” who make decisions about what posts to remove.

“When you turn up the volume on hate speech, you’ll get more false positives, (and) catch people who are just talking about it,” rather than promoting it, Stamos said.

The company also must operate within the laws of more than 100 countries, some of which use speech laws to suppress political dissent, he said.

“The definition of hate speech in some countries is problematic,” Stamos said.

Facebook CEO Mark Zuckerberg has said the company will hire 3,000 extra workers to monitor and remove offensive content.

That effort continues apace, according to Stamos, who said the company is “massively expanding our team to track threat actors.”

Still, “you can’t do all that with humans,” he said, which is why Facebook also relies on artificial intelligence software to judge whether someone trying to log in is a legitimate user.

Read More

“Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Cybercrime is often thought of as something that only happens within the generalized, invisible space of the internet. It is seen as virtual rather than physical, and those who commit cybercrime are thought of as anonymous individuals whose activities are all within the confines of the web. Run an image search for “hacker” or “cybercriminal” and you will see plenty of pictures of people with their faces hidden by hoods or masks, sitting alone in a dark room in front of a computer. But what if, instead of a hooded loner, the universal image of cybercrime was that of a group of neighbors in an impoverished part of the world, gathered together at a local cafe?

The latter is a new picture of cybercrime that researchers Jonathan Lusthaus and Federico Varese hope to make more people aware of in their recent paper “Offline and Local: The Hidden Face of Cybercrime.” The co-authors, working on the Human Cybercriminal Project out of the sociology department of the University of Oxford, traveled to Romania in 2014 and 2015 to study the oft-ignored real-world aspect of cybercrime in an area known to be a hub for one specific form of this crime—cyber fraud.

“Hackerville”

The town of Râmnicu Vâlcea, which has a population of around 100,000, has faced some economic setbacks in the last decade, including the loss of a major employer, a chemical plant; in addition, the average monthly salary in Romania as a whole (in 2014) was only €398 compared to €1,489 across the European Union. However, upon arriving in town, Lusthaus and Varese found themselves surrounded by luxury cars, “trendy” eateries, and shopping malls stocked with designer clothes and electronics. Though Râmnicu Vâlcea is poor “on paper,” the town seemed to be thriving, and interviews with Romanian law enforcement agents, prosecutors, cybersecurity professionals, a journalist, a hacker, and a former cybercriminal would soon give the researchers a clue as to why that might be.

“It was rumored that some 1,000 people (in Râmnicu Vâlcea) are involved almost full-time in internet fraud,” Varese told me, explaining why the town sometimes nicknamed “Hackerville” became a key target of their research (although the authors point out, in their paper, that the more accurate term would be “Fraudville,” as scams are focused more on the sale of fake goods than hacking or the spread of malware).

Varese said major findings from their interviews in Râmnicu Vâlcea as well as the Romanian cities of Bucharest and Alexandria were that cybercriminals knew each other and interacted with each other at local meeting spots offline, such as bars and cafes; that they operated in an organized fashion with different people filling different roles; that many in the town were aware of the organized crime but either didn’t say anything or sought to become involved themselves; and that there have been several cases throughout the years of corrupt officials, including police officers, who accepted bribes from the fraudsters and allowed them to perpetuate their schemes without interference.

“These are almost gangs,” Varese said. “They are not the individual, lonely, geeky guy in his bedroom that does the activities, but it’s a more organized operation that involves some people with technical skills and some people who are just basically thugs.”

The paper describes a culture of local complacency, often under threat of violence by a network of seasoned cybercriminals. This picture is far from that of the anonymous, faceless hacker many have come to envision, and instead reveals how internet crime can become embedded in specific populations.

“Most people think of cybercrime as being a global, international sort of liquid problem that could be anywhere and could come at you from anywhere,” Varese said. “In fact, the attacks—the cybercrime attacks or the cyber fraud—really come from very few places disproportionately. So cybercrime is not randomly distributed in the world. It’s located in hubs.”

Cultural and Human Factors

I asked Varese two major questions—why Romania and why cybercrime, as opposed to other forms of profitable crime? He responded that a look at the country’s history reveals why, instead of weapons or drugs, criminals in Romania might turn instead to their computers.

“Romania is a very special place. Mainly because, during the dictatorship of Nicolae Ceaușescu—that was the communist dictator that ruled Romania from the 60s to the 90s—he emphasized the importance of technical education, and especially IT,” Varese explained. “There was a very good technical basis among people. When the internet arrived, a lot of Romanians built up their own micro-networks. And so it turns out that when the regime fell, Romania turned out to be a country which was very, very well-connected.”

The high level of technical education, combined with a high level of poverty and a high level of corruption—as shown in the paper, which points out that Romania’s score on Transparency International’s 2016 Corruption Perceptions Index is only 48 out of a possible 100—created a perfect storm for a culture of cybercrime to grow, Varese said.

But Romania is not the only place where cybercrime is highly concentrated and where online activities are strongly tied to offline factors. Varese identifies Vietnam in Asia, Nigeria in Africa and Brazil in the Americas as three other cybercrime hubs. Varese and his coauthor also plan to take their future research to Eastern Europe, where “corruption and the technical and economic legacy of communism” have created “a highly conducive environment for cybercrime,” their paper states.

Varese hopes this sociological research will help authorities recognize and manage the human element of cybercrime that is often ignored in the fight against online threats.”

Read More

“A security firm linked a recent wave of hacked hotel Wi-Fi networks to one of the groups suspected of breaching the Democratic National Committee during the 2016 presidential election, according to Wired.

The group, known as Fancy Bear or APT28, used tools allegedly stolen from the National Security Agency to conduct widespread surveillance on higher-end hotels that were likely to attract corporate or other high-value targets, the cybersecurity firm FireEye reported. FireEye has “moderate confidence” Fancy Bear was behind such a surveillance campaign in 2016, and others in recent months at hotels in Europe and one Middle Eastern capital. The campaign’s target, however, is unclear.

FireEye said the hackers used phishing emails to spread attachments infected with the alleged NSA exploit EternalBlue. They eventually worked their way to corporate and guest Wi-Fi networks, where they could intercept guest information and collect credentials.

The Wired article suggested travelers should bring their own hotspots and avoid connecting to hotel networks.

Security Researchers: North Korea Hit with Malware Campaign

An unknown group has targeted North Korean organizations with malware that would allow repeated access to systems.

Security researchers say the latest campaign—after a July 3 intercontinental ballistic missile test—is at least the fifth attack in three years, Dark Reading reported. That campaign used a copy-pasted news article about the missile launch to trick recipients into launching the malware, the security firm Talos reported.

At first, the Konni malware used in the campaign only gathered information, but it later evolved to include the ability to remotely take control of some seized accounts, according to Talos and another security firm Cylance. The malware is capable of logging keystrokes, capturing screens and uses advanced techniques to avoid detection, the firms reported.

“The motivation behind these campaigns is uncertain, however it does appear to be geared towards espionage against targets who would be interested in North Korean affairs,” Cylance researchers said.”

View Source

“WHEN ALPHABAY, THE world’s largest dark web bazaar, went offline two weeks ago, it threw the darknet into chaos as its buyers and sellers scrambled to find new venues. What those dark web users didn’t—and couldn’t—know: That chaos was planned. Dutch authorities had already seized Hansa, another major dark web market, the previous month.

For weeks, they operated it as usual, quietly logging the user names, passwords, and activities of its visitors–including a massive influx of Alphabay refugees.

On Thursday, Europol and the US Department of Justice jointly announced the fruits of the largest-ever sting operation against the dark web’s black markets, including the seizure of AlphaBay, a market Europol estimates generated more than a billion dollars in sales of drugs, stolen data, and other illegal goods over its three years online. While AlphaBay’s closure had previously been reported as an FBI operation, the agency has now confirmed that takedown, while Europol also revealed details of its tightly coordinated Hansa takeover.

With Hansa also shuttered as of Thursday, the dark web looks substantially diminished from just a few short weeks ago—and its denizens shaken by law enforcement’s deep intrusion into their underground economy.

“This is likely one of the most important criminal cases of the year,” attorney general Jeff Sessions said in a press conference Thursday morning. “Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe. You cannot hide. We will find you, dismantle your organization and network. And we will prosecute you.”

The Sting

So far, neither Europol nor the Department of Justice has named any of the administrators, sellers, or customers from either Hansa or AlphaBay that they plan to indict. The FBI and DEA had sought the extradition from Thailand of one AlphaBay administrator, Canadian Alexandre Cazes, after identifying him in an operation they called Bayonet. But Cazes was found hanged in a Bangkok jail cell last week in an apparent suicide.

Still, expect plenty of prosecutions to emerge from the double-takedown of Hansa and AlphaBay, given the amount of information Dutch police could have swept up in the period after AlphaBay’s closure.

“They flocked to Hansa in their droves,” said Interpol director Rob Wainwright. “We recorded an eight-times increase in the number of new users on Hansa immediately following the takedown of AlphaBay.” The influx was so large, in fact, that Hansa put up a notice just last week that it was no longer accepting new registrations, a mysterious development given that Dutch police controlled it at the time.

That surveillance means that law enforcement likely now has identifying details on an untold number of dark web sellers—and particularly buyers. Europol claims that it gathered 10,000 postal addresses of Hansa customers, and tens of thousands of their messages, from the operation, at least some of which were likely AlphaBay customers who had migrated to the site in recent weeks.

Though customers on dark web sites are advised to encrypt their addresses so that only the seller of the purchased contraband can read it, many don’t, creating a short trail of breadcrumbs to their homes for law enforcement when they seize the sites’ servers.”

Read More

Dialing for Cash

A massive international hacking and telecommunications fraud scheme served as a backdrop for an FBI investigation that led to the capture of a Pakistani citizen who played a major role in scamming U.S. companies out of millions of dollars in fees.

From November 2008 to December 2012, Muhammad Sohail Qasmani laundered more than $19.6 million in proceeds from a conspiracy that transformed the telephone networks of American corporations into literal cash cows.

Allegedly led by another Pakistani national, Noor Aziz Uddin—who is currently a fugitive wanted by the FBI—the fraud scheme involved an international group of highly skilled hackers who focused on penetrating telephone networks of businesses and organizations in the United States. Once the hackers gained access to the computer-operated telephone networks, commonly known as PBX systems, they reprogrammed unused extensions to make unlimited long distance calls.

Before a hired group of dialers could freely use the exploited lines, Aziz set up a handful of pay-per-minute premium telephone numbers to generate revenue. While the numbers appeared to be chat, adult entertainment, and psychic hotlines, no actual services were provided. Instead, the hacked extensions of the U.S. companies dialed into dead air or fake password prompts and voice-mail messages. The longer the lines stayed connected with the fraudulent premium numbers, the higher the bill would be for the unsuspecting businesses. Once paid, the resulting income for Aziz’s fake premium lines ended up in the pockets of the criminal enterprise.

Having previous experience running a money laundering and smuggling business in Thailand, Qasmani was a prime candidate for managing the hundreds of transactions necessary to keep the fraud scheme going over the long term.

“Qasmani was a lifelong fraudster with a history of running telephone schemes since the late 1990s. It’s how he made his name,” said Special Agent Nathan Cocklin, who investigated the case from the FBI’s Newark Field Office. “His collective background made him a go-to money mover for Aziz.”

Read More

By now you’ve probably heard you should be using two-factor authentication, often called 2FA, to log in to your accounts. If you’re using 2FA, you need an additional code to access your email, Facebook or other accounts. This is often sent via SMS, which may not be the most secure.

For instance, if you request a texted code, it could be intercepted by someone snooping on your mobile network or a hacker who has convinced a mobile operator to redirect your phone number. Further, when you don’t have cell service, you can’t get the text.

YubiKey, created by Yubico, is one solution. The $18 key connects to a USB port on your computer and tells a service, like Gmail, that you are you.

You simply plug it into your computer, touch it and your identity is authenticated. It automatically creates a one-time-use password to log in to an account, and because it’s a physical key, data can’t be intercepted in transit.

Security researchers say YubiKey is the best method to protect yourself from phishing, a common tactic that tricks a person into thinking a malicious message was sent by someone they trust.

Usually phishing attacks are used to gain access to your personal information, like emails or bank accounts.
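The difference the article draws between a texted code and a hardware key comes down to what the service can check when a login arrives. The Python model below is added here for illustration and is not code from the article, Yubico or Facebook. It shows that a texted one-time code is accepted from whoever types it, while a U2F-style key's response carries the origin the browser actually saw, so a response produced on a look-alike page is rejected by the real service; it also goes one step beyond the text by showing that a used challenge cannot be replayed. The HMAC stands in for the key's per-site ECDSA signature (a simplification, not the FIDO wire format), and the origins, user name and function names are constructed for the example.

```python
"""Constructed model of SMS codes versus origin-bound (U2F-style) key responses."""
import hashlib
import hmac
import json
import os
import secrets

REAL_ORIGIN = "https://accounts.example.com"        # constructed: the real service
PHISH_ORIGIN = "https://accounts-example.com.test"  # constructed: a look-alike page


# --- Texted one-time code: the service only learns that *someone* typed it ---
def issue_sms_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"


def verify_sms_code(issued: str, submitted: str) -> bool:
    return hmac.compare_digest(issued, submitted)


# --- U2F-style key: the response is bound to the origin the browser saw ---
class SecurityKey:
    """Model of a hardware key. A real key keeps a per-site ECDSA key pair and
    signs; here an HMAC over the same fields stands in for that signature
    (assumption: a model, not the FIDO protocol)."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)

    def registration_material(self) -> bytes:
        # A real key hands over a public key; the model hands over the MAC key.
        return self._secret

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self._secret, client_data, hashlib.sha256).digest()


def browser_assert(key: SecurityKey, page_origin: str, challenge: str) -> dict:
    """What the browser does: it, not the user, records the origin of the page
    that asked, and the key signs over that record together with the challenge."""
    client_data = json.dumps({"origin": page_origin, "challenge": challenge}).encode()
    return {"client_data": client_data, "signature": key.sign(client_data)}


class Service:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys: dict[str, bytes] = {}     # user -> registered key material
        self._pending: dict[str, str] = {}    # user -> outstanding challenge

    def register(self, user: str, key: SecurityKey) -> None:
        self._keys[user] = key.registration_material()

    def new_challenge(self, user: str) -> str:
        self._pending[user] = secrets.token_urlsafe(32)
        return self._pending[user]

    def verify(self, user: str, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("origin") != self.origin:                 # relayed responses fail here
            return False
        if data.get("challenge") != self._pending.pop(user, None):  # fresh and single-use
            return False
        expected = hmac.new(self._keys[user], assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def sms_survives_relay() -> bool:
    """The victim types the texted code into a look-alike page, which forwards it.
    Returns True if the forwarded code is accepted by the service."""
    code = issue_sms_code()
    forwarded_by_lookalike_page = code
    return verify_sms_code(code, forwarded_by_lookalike_page)


def u2f_survives_relay() -> bool:
    """Same relay with a key: the look-alike page forwards the real challenge, but
    the browser binds the response to PHISH_ORIGIN. Returns True only if accepted."""
    key, service = SecurityKey(), Service(REAL_ORIGIN)
    service.register("alice", key)
    challenge = service.new_challenge("alice")
    assertion = browser_assert(key, PHISH_ORIGIN, challenge)
    return service.verify("alice", assertion)


def u2f_legitimate_login() -> bool:
    key, service = SecurityKey(), Service(REAL_ORIGIN)
    service.register("alice", key)
    challenge = service.new_challenge("alice")
    return service.verify("alice", browser_assert(key, REAL_ORIGIN, challenge))


def u2f_replay_rejected() -> bool:
    """A captured response is useless a second time: the challenge was consumed."""
    key, service = SecurityKey(), Service(REAL_ORIGIN)
    service.register("alice", key)
    assertion = browser_assert(key, REAL_ORIGIN, service.new_challenge("alice"))
    first = service.verify("alice", assertion)
    second = service.verify("alice", assertion)
    return first and not second


if __name__ == "__main__":
    print("SMS code accepted after relay:", sms_survives_relay())
    print("Key response accepted after relay:", u2f_survives_relay())
    print("Key response accepted on real origin:", u2f_legitimate_login())
    print("Replay of a used key response rejected:", u2f_replay_rejected())
```

The point to take from the model is that the key never decides which site it is talking to; the browser fills in the origin, and the real service compares that field against its own origin before it even checks the signature, which is what makes the scheme resistant to a look-alike page in a way a code the user retypes can never be.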

Facebook added support for the security key in January.

“We added support for U2F Security Keys because they offer the best possible account protection against the potential risk of phishing,” Facebook security engineer Brad Hill said in a statement to CNN Tech.

It takes just minutes to set it up with services like Facebook and Gmail, which let you add it under Security Settings.

“Security is the biggest issue on the internet,” Yubico CEO Stina Ehrensvard said. “For the internet to be secure … it should be the users who own and monitor and control what data they want to provide.”

Read More

“A Miami student was sentenced yesterday for cyberstalking on Facebook and Instagram.

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and George L. Piro, Special Agent in Charge, Federal Bureau of Investigation (FBI), Miami Field Office, made the announcement.

Kassandra Cruz, 23, of Miami, Florida, was sentenced by U.S. District Judge Frederico A. Moreno to 22 months in prison, followed by three years of supervised release, a $100 special assessment, and $2,178.32 in restitution, stemming from her conviction on one count of cyberstalking, in violation of Title 18, United States Code, Section 2261(A)(2)(B).

According to court documents, beginning in June 2015, victim “S.B.” received a “friend” request from Cruz on her Instagram and Facebook accounts. In an effort to gain “S.B.’s” friendship, Cruz created a false persona on her Instagram account wherein she portrayed herself as a male who was an active duty U.S. Marine. Under that ruse, “S.B.” accepted the friend request.

From late June 2015 until September 2015, Cruz, posing as Giovanni, “liked” and commented on pictures “S.B.” posted on both her Instagram and Facebook accounts. However, when “S.B.” noticed that Cruz had begun “following” and “liking” all of her friends’ pages and posts, she became suspicious and “blocked” and “unfollowed” Cruz from her social media accounts.

As a result, Cruz threatened that “S.B.” would face repercussions at her job and with her family if she did not comply, and specifically threatened to expose “S.B.’s” past via social media. The threats to “S.B.” persisted from Cruz on social media and later via text messaging, and Cruz ultimately demanded on multiple occasions $100,000 in exchange for no further contact, adding that she “knew where ‘S.B.’s’ family lived and they should watch their backs because someone would be heading to…to deal with them.” In total, “S.B.” received over 900 unwanted calls and text messages since the beginning of 2016, and the extortionate and threatening messages continued until late April 2016. Ultimately, Cruz was arrested and taken into custody during a pre-arranged meeting in Miami.

Mr. Ferrer commended the investigative efforts of the FBI. This case is being prosecuted by Assistant U.S. Attorneys Jodi L. Anton and Francis Viamontes.

View Source