Tag: Cybercrime

National Cyber Security Awareness Month

Data breaches resulting in the compromise of personally identifiable information of thousands of Americans.

Intrusions into financial, corporate, and government networks.

Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general.

These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.”

The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

But it’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month—a Department of Homeland Security-administered campaign held every October—is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.

What are some of the more prolific cyber threats we’re currently facing?

Read More

“The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.”

Read More

Safe Online Surfing Internet Challenge

What do more than 870,000 students across the nation have in common?

Since 2012, they have all completed the FBI’s Safe Online Surfing (SOS) Internet Challenge. Available through a free website at https://sos.fbi.gov, this initiative promotes cyber citizenship by teaching students in third through eighth grades how to recognize and respond to online dangers through a series of fun, interactive activities.

Anyone can visit the website and learn all about cyber safety, but teachers must sign up their school to enable their students to take the exam and participate in the national competition. Once enrolled, teachers are given access to a secure webpage to enroll their students (anonymously, by numeric test keys) and request their test scores. E-mail customer support is also provided. Top-scoring schools each month are recognized by their local FBI field office when possible. All public, private, and home schools with at least five students are welcome to participate.

Now entering its fifth season, the FBI-SOS program has seen increased participation each year. From September 2015 through May 2016, nearly a half-million students nationwide finished the activities and took the exam. We look forward to even more young people completing the program in the school year ahead. The challenge begins September 1.

Read More

“Today, the FBI’s Internet Crime Complaint Center (IC3) is embarking on a campaign to increase awareness of the IC3 as a reliable and convenient reporting mechanism to submit information on suspected Internet-facilitated criminal activity to the FBI. As part of the campaign, digital billboards featuring the IC3’s contact information are being placed within the territories of a number of Bureau field offices around the country.

While the number of complaints being reported to the IC3 did increase in 2015 from the previous year, anecdotal evidence strongly suggests that there are many other instances of actual or suspected online frauds that are not being reported, perhaps because victims didn’t know about the IC3, were embarrassed that they fell victim to a scammer, or thought filing a complaint wouldn’t make a difference. But the bottom line is, the more complaints we receive, the more effective we can be in helping law enforcement gain a more accurate picture of the extent and nature of Internet-facilitated crimes—and in raising public awareness of these crimes.

The FBI field offices taking part in the billboard campaign include Albany, Buffalo, Kansas City, Knoxville, New Orleans, New York City, Phoenix, Oklahoma City, Salt Lake City, and San Diego. They were selected because they house multi-agency cyber task forces that participate in an IC3 initiative called Operation Wellspring. This initiative connects state and local law enforcement with federal cyber resources and helps them build their own cyber investigative capabilities, which is important because not all Internet fraud schemes rise to the level necessary to prosecute them federally. We hope to expand Operation Wellspring to other FBI offices in the future.”

Read More

Cyber criminals who have forced U.S. hospitals, schools and cities to pay hundreds of millions in blackmail or see their computer files destroyed are now targeting the unlikeliest group of victims — local police departments.

Eastern European hackers are hitting law enforcement agencies nationwide with so-called “ransomware” viruses that seize control of a computer system’s files and encrypt them. The hackers then hold the files hostage if the victims don’t pay a ransom online with untraceable digital currency known as Bitcoins. They try to maximize panic with the elements of a real-life hostage crisis, including ransom notes and countdown clocks.

If a ransom is paid, the victim gets an emailed “decryption key” that unlocks the system. If the victim won’t pay, the hackers threaten to delete the files, which they did last year to departments in Alabama and New Hampshire. That means evidence from open cases could be lost or altered, and violent criminals could go free.

Since 2013, hackers have hit departments in at least seven states. Last year, five police and sheriff’s departments in Maine were locked out of their records management systems by hackers demanding ransoms.

Ransomware crimes on all U.S. targets are soaring. In just the first three months of 2016, attacks increased tenfold over the total for the entire previous year, costing victims more than $200 million. Authorities stress that this number only represents known attacks. One federal law enforcement official told NBC News that the “large majority” of attacks go unreported.

The viruses – most of which come from Russia and Eastern Europe — are typically so impenetrable that even FBI agents have at times advised victims to just pay up and get their data back.

Read More

“After surviving a rocky divorce and custody dispute in 2007, all Christine Belford wanted was to settle back into a peaceful life with her three young daughters in her Delaware home.

Instead, her ex-husband, David T. Matusiewicz, and several members of his family stalked, harassed, and intimidated Belford for years leading up to her murder at a federal courthouse in Wilmington on February 11, 2013. The ensuing investigation, conducted by the FBI and the Delaware State Police, resulted in the first-ever convictions on charges of cyberstalking resulting in death, a violation contained in the federal Violence Against Women Act.

During their investigation, agents and detectives learned that David Matusiewicz hatched the plot to stalk and harass his ex-wife while in prison for kidnapping Belford’s children in 2007, when the couple was going through divorce proceedings. The Delaware optometrist enlisted the help of his mother, father, and sister, who waged an elaborate, years-long, online campaign against Christine Belford, alleging she endangered the lives of the daughters she had with Matusiewicz.

“Through our investigation, we discovered that the Matusiewicz family had a network of supporters helping them uncover information about Christine’s life,” said Special Agent Joseph Gordon, who investigated the case out of the Baltimore Field Office’s Wilmington Resident Agency. “They were convinced by the family’s claims that she was a child abuser, but they didn’t know the family’s real intent.”

Read More

“A Turkish man who led three cyberattacks against global financial institutions that caused more than $55 million in losses pleaded guilty Tuesday, prosecutors said.

Ercan Findikoglu, 34, whose online nicknames included “Segate,” “Predator,” and “Oreon,” entered the plea in Brooklyn federal court.

Prosecutors said he used cashing crews worldwide to make fraudulent ATM withdrawals on a massive scale across the globe. In a February 2011 operation, Findikoglu’s cashing crews withdrew about $10 million through 15,000 fraudulent ATM withdrawals in at least 18 countries, they said.

The government said he hacked into computer systems of three payment processing companies. It said he and co-conspirators accessed prepaid debit card accounts, inflated balances and removed their withdrawal limits between 2011 and 2013.

In a February 2013 attack, crews in 24 countries made 36,000 transactions, withdrawing about $40 million from ATMs, prosecutors said. During one operation, they added, crews in New York City withdrew approximately $2.4 million from nearly 3,000 ATM withdrawals during an 11-hour period.

His lawyer hasn’t commented.

In a release, U.S. Attorney Robert L. Capers called the cyberattacks massive.”

Read More

“Net scum have bashed florists with distributed denial of service attacks over Valentine’s Day in a bid to extract ransoms, security analysts say.

The attacks affected almost a dozen florists who were customers of security company Incapsula, and likely many others not monitored by the firm.

Security bods Ofer Gayer and Tim Matthews say one of their florist customers received a ransom note after a distributed denial of service attack.

“Of those sites (with inflated traffic), 23 per cent showed a sharp increase in attack traffic,” the pair say.

“There does not appear to be a trend in attacks against all online florists, but rather targeted attacks.”

Some sites received attacks that sent a flood of over 20,000 requests a second. In one instance the content distribution network provider counted the attack as legitimate traffic, bringing down the site “with a great loss of revenue”.

Attackers are in some instances attempting to exploit the Shellshock vulnerability against florists in a bid to breach the sites.

Distributed denial of service attacks are a common extortion tool in the lead up to big public events. Betting companies are understood to routinely pay off attackers who threaten to knock the sites offline during major sporting events.”

View More

As the holiday shopping season officially gets underway, the FBI would like to take this opportunity to warn shoppers to be aware of the increasingly aggressive techniques of cyber criminals who want to steal your money and your personal information.

For example, watch out for online shopping scams—criminals often scheme to defraud victims by offering too-good-to-be-true deals, like brand name merchandise at extremely low discounts or gift cards as an incentive to buy a product. Beware of social media scams, including posts on social media sites that offer vouchers or gift cards or that pose as holiday promotions or contests. Always be careful when downloading mobile applications on your smartphone—some apps, disguised as games and offered for free, may be designed to steal personal information. And if you’re in need of extra cash this time of year, watch out for websites and online postings offering work you can do from home—you may actually become the victim of an advance fee, counterfeit, or pyramid scheme, or become an unknowing participant in criminal activity.

Here are some additional steps you can take to avoid becoming a victim of cyber fraud this season:

Check your credit card statement routinely, and ensure websites are secure and reputable before providing your credit card number;
Do your research to ensure the legitimacy of the individual or company you are purchasing from;
Beware of providing credit card information when requested through unsolicited e-mails;
Avoid filling out forms contained in e-mail messages that ask for personal information;
Never click on links contained within unsolicited e-mails;
Verify any requests for personal information from any business or financial institution by contacting them directly;
Be cautious of e-mails claiming to contain pictures in attached files, especially unsolicited e-mails—the files may contain viruses; and
Be leery if you are requested to act quickly or told there is an emergency (fraudsters often create a sense of urgency).

If you suspect you have been victimized, contact your financial institution immediately, contact law enforcement, and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

Read More

Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is a way to shut down malicious servers and infrastructure without affecting innocent users.

Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other malicious DNS traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to the Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but not before some posturing in hearings on Capitol Hill, and debate over whether Microsoft was getting too heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is to get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.
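
The collateral-damage check described above can be sketched over passive DNS observations. This is an added example, not code from the article, from Vixie, or from any passive DNS service; the records, the `.example` names, the documentation-range addresses, the `assess_takedown` function and its `shared_threshold` cut-off are all constructed assumptions.

```python
from collections import defaultdict

# Constructed passive DNS observations (rrname, A-record rdata); documentation
# address ranges and .example names only.
PDNS = [
    ("c2-a.example", "192.0.2.10"),
    ("c2-b.example", "192.0.2.10"),
    ("c2-b.example", "203.0.113.7"),
    ("update-cdn.example", "192.0.2.10"),
    ("flowers.example", "203.0.113.7"),
    ("school.example", "203.0.113.7"),
    ("clinic.example", "203.0.113.7"),
    ("blog.example", "203.0.113.7"),
    ("unrelated.example", "198.51.100.5"),
]

def assess_takedown(records, seeds, shared_threshold=3):
    """Classify each IP that known-bad seed domains have resolved to.

    shared_threshold is a hypothetical cut-off: an IP serving at least that
    many non-seed names is treated as shared hosting, so acting on the IP
    itself would hit bystanders.
    """
    ip_to_names = defaultdict(set)
    for name, ip in records:
        ip_to_names[ip].add(name.lower().rstrip("."))
    seeds = {s.lower().rstrip(".") for s in seeds}

    report = {}
    for ip, names in ip_to_names.items():
        if not names & seeds:
            continue  # never used by the operation: out of scope
        others = sorted(names - seeds)
        if len(others) >= shared_threshold:
            # Many unrelated names share this address: list them as collateral.
            report[ip] = {"action": "domain-level only",
                          "collateral": others, "related": []}
        else:
            # Few co-hosted names: queue them for review as possibly related.
            report[ip] = {"action": "ip-level candidate",
                          "collateral": [], "related": others}
    return report

if __name__ == "__main__":
    seeds = {"c2-a.example", "c2-b.example"}
    for ip, row in sorted(assess_takedown(PDNS, seeds).items()):
        print(ip, row)
```

The names returned under `related` are leads for an investigator to confirm, not a verdict; co-hosting alone does not establish that a domain is malicious.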

View Source