Cyber Security Wins: May 2016
With all the reports of business email compromise (BEC) attacks, tax fraud, and ransomware infections, it can be hard to find a silver lining. But there are successes happening in the battle against cyber crime, cyber espionage, and social engineering. Here are a few highlights from the first few months of 2016.
U.S. House Unanimously Passes Email Privacy Act
A long-awaited update to the 1986 Electronic Communications Privacy Act (ECPA) unanimously passed through the U.S. House of Representatives last week. Under the Email Privacy Act, law enforcement authorities would be required to obtain a search warrant in order to gain access to emails older than 180 days. Currently, they are only required to obtain a subpoena, which requires less judicial oversight.
According to Reuters, though the unanimous vote is “likely to put pressure” on the members of the Senate, the bill’s prospects in the upper house “remain unclear.” Though more than a quarter of the Senators have reportedly supported similar legislation, there are concerns that politics will be a factor during this election year.
Philippines Elections Commission Announces Second Arrest in Website Breach
The Commission on Elections (Comelec) in the Philippines late last week announced that a second person suspected of hacking its official website was arrested by the National Bureau of Investigation. Jonel de Asis, a 23-year-old IT graduate, reportedly masterminded the attack and the leak of 340 GB of downloaded data, which included information about 55 million registered Filipino voters.
Another 23 year old, Pal Zulueta, was arrested the week prior in connection with the Comelec attack. He faces three separate charges: illegal use of devices, illegal access, and data interference.
Blackhole Exploit Kit Mastermind, Cohorts Sentenced
In mid-April, Dmitry Fedotov — better known in online circles as “Paunch” — and the members of his cyber crime ring were sentenced to between five and a half and eight years of time in a Russian penal colony. Paunch himself was given a seven-year sentence. According to a Russian news agency, one member of the cyber gang remains at large and was convicted in absentia. The group reportedly broke into numerous bank websites and stole money from organizations and individuals, causing 25 million rubles in damage (~$750,000 by 2013 exchange rates).
Paunch is the mastermind of Blackhole exploit kit and, according to cyber security expert Brian Krebs, the pioneer of the “rent-a-kit” model. A dominant exploit kit until Paunch’s arrest in 2014, Blackhole could supposedly be rented for $500 to $700 per month (with an optional $50 per month giving users access to services designed to end-around antivirus software). With the money earned from Blackhole, Paunch allegedly sought to fund the development of the more advanced Cool Exploit Kit, which Krebs indicated carried a price tag of $10,000 per month.
Notorious Romanian Hacker Extradited to U.S.
On April 1, Marcel Lehel, the infamous Romanian hacker better known as “Guccifer,” made his first appearance in a U.S. court following his extradition. He faces nine counts in an indictment that indicates he “hacked into the email and social media accounts of high-profile victims, including a family member of two former presidents, a former Cabinet member, a former member of the Joint Chiefs of Staff, and a former presidential advisor.”
Though the indictment doesn’t name names, Guccifer was credited with a hack that pilfered emails sent to Hillary Clinton by her former adviser Sidney Blumenthal, ultimately giving rise to the Clinton email server scandal. A cab driver by trade, Guccifer has claimed responsibility for a number of other high-profile (and embarrassing) hacks and leaks, including emails and artwork that reportedly belonged to George W. Bush’s family.
Dutch Officials Shut Down Encrypted Network with Suspected Ties to Organized Crime
On April 22, Dutch police announced the arrest of Danny Manupassa, the owner of Ennetcom, a company that provides encrypted communications for a 19,000-user network. Manupassa will be held for 14 days while officials investigate his business’s suspected ties to organized crime, money laundering, and illegal weapons possession.
Prosecutors said they believe the move has shut down the largest encrypted crime network in the Netherlands. The communications provider disputes the charges, stating, "Ennetcom regrets this course of events and insinuations towards Ennetcom. It should be clear that Ennetcom stands for freedom of privacy."
Teen Developer of Dejaboot Malware Convicted on Ten Counts
Grant Manser, the British developer and distributor of the Dejabooter malware what was used to crash 200,000 websites around the globe, was sentenced to two years in juvenile detention, which will be suspended for 18 months. He was also sentenced to 100 hours of unpaid work and an £800 fine.
Manser is now 20 years old, but he reportedly began selling his software creation when he was just 16. He allegedly earned £50,000 ($70,000) from approximately 4,000 customers, who then used the software in nearly 225,000 attacks on government departments, businesses, and learning institutions around the globe.
Manser was arrested in late 2014 after being caught crashing sites using his software, ultimately pleading guilty to six charges under the UK’s Computer Misuse Act and four under its Serious Crime Act. Though he’s commonly been referred to as a hacker, his lawyers insisted that was a misnomer because Dejabooter “doesn’t take take or hack any information from the websites being attack.” They claimed his “immaturity and naivety…led him to commit these offences.”
SpyEye Botnet Creators Sentenced to a Combined 24 Years
KrebsOnSecurity reported last month that the two 27-year-old hackers who were convicted of creating and selling the SpyEye botnet kit were sentenced to a combined 24 years in prison. The botnet reportedly infected hundreds of thousands of computers and enabled millions of dollars in theft.
Aleksandr Andreevich Panin, a Russian national who operated under the names “Harderman” and “Gribodemon” was sentenced to 9.5 years. He is credited as being the primary develop and distributor of the botnet toolkit. His partner, Algerian national Hamza “Bx1” Bendelladj, was given a 15-year sentence. The extra jail time for Bendelladj is tied to his admission that he operated his own SpyEye botnet that helped him steal 200,000 credit card numbers, which resulted in an estimated $100 million in losses.
’60 Minutes’ Investigation Prompts FCC Review of Vulnerable Telecom Technology
On April 21, Reuters reported that a recent investigative report by CBS’s 60 Minutes has prompted the FCC to review mobile carriers’ use of a long-standing telecommunication technology after the news program showed it could be used to spy on mobile phone calls.
In the news program, German computer scientist Karsten Nohl showed that known security bugs in the SS7 global mobile network can be remotely exploited to snoop on conversations. Nohl was able to spy on a mobile phone used by Ted Lieu, a U.S. Representative.
The 60 Minutes piece naturally prompted concerns that malicious attackers and intelligence agencies (including those in the U.S.) could exploit the flaws to spy on unsuspecting targets. The head of the FCC’s Public Safety Bureau, David Simpson, indicated that he has tasked his staff with reviewing SS7, which he regards to be an end-of-life technology. Nohl, who first publicized the vulnerability in 2014, said he believes SS7 will continue to be used for 10 to 15 years and that Diameter, the technology’s replacement, has similar vulnerabilities.
Ukranian Hacker Who Attempted to Frame Brian Krebs Pleads Guilty
Sergey Vovnenko, a Ukrainian computer hacker who operated under aliases such as “Flycracker” and “Centurion,” pleaded guilty to charges of aggravated identity theft and conspiracy to commit wire fraud earlier this year. He faces a minimum of two years in prison for identity theft, but could receive additional prison time and a fine at his sentencing in May.
Vovenko reportedly admitted to using a massive botnet of 13,000+ computers and Zeus malware to steal banking credentials and log keystrokes. In a rather bizarre sidebar, he’s also been accused of attempting to frame Brian Krebs (of KrebsOnSecurity fame) for heroin possession.
Florida Man Charged in Illegal Bitcoin Activities with Links to the JPMorgan Hack
Michael Murgio, a 65-year-old school board member in Florida’s Palm Beach County, was arrested last month for his participation in a bribery scheme with roots in an illegal bitcoin exchange and ties to the cyber attack on JPMorgan Chase.
Murgio was arrested by the FBI and indicted for bribes designed to support Coin.mx, an unlicensed bitcoin exchange, and its plan to take control of a credit union. Coin.mx is reportedly operated by Murgio’s son, Anthony, and Gery Shalon, an Israeli man who is one of the accused orchestrators of the massive hacking scheme that compromised the personal information of more than 100 million individuals, including 83 million JPMorgan customers.
The Murgios are not suspected of involvement in the hacking scheme, but they and two others — including a pastor — are charged with paying $150,000 in bribes to the chairman of a New Jersey credit union in an attempt to eliminate scrutiny of the illegal Coin.mx operations.
Moldavian Hacker Extradited to Pittsburgh Waives Detention Hearing, Remains Jailed
Andrey Ghinkul, a Moldavian hacker accused of operating the “Bugat” malware, waived his right to a detention hearing in March and remains in custody in Pittsburgh, pending trial. Ghinkul’s phishing exploits reportedly led to more than $25 million in losses to businesses and individuals worldwide.
Ghinkul was extradited from Cyprus in late February. Charges were filed in Pittsburgh in part because a western Pennsylvania oil and gas drilling firm and a school district in the area were prime targets. Penneco Oil Co. Inc. initially lost more than $3.5 million in the business email compromise (BEC) attacks, a local bank now holds the loss. Sharon City School District was targeted for a nearly $1 million fraudulent fund transfer, but an attentive bank employee noticed and stopped the transaction.
Cyber Criminal Faces Fraud Charges in Multiple States
In April, a U.S. Attorney’s Office in Michigan filed identity theft charges against Bernard Ogie Oretekor, a man who is suspected in a number of fraudulent dealings in multiple states, including a 2014 data breach and tax refund scam at the University of Northern Iowa (UNI). An agent with the IRS Criminal Investigation Division also filed a complaint against him last month in a U.S. District Court in Tennessee. He was charged in Iowa earlier this year.
A Nigerian citizen who has also used the name Emmanuel Libs, Oretekor has been in custody in California since October 2014, based on charges of advance fee fraud and email phishing scams that rerouted fund from victims’ bank accounts. He is reportedly suspected of stealing tax information from employees at universities other than UNI, including Purdue (Indiana), the University of Tennessee, and Michigan State University.
Oregon Man Pleads Guilty to Celeb Hacking
In February, Andrew Helton, 29, pleaded guilty to stealing private and explicit photos from 13 individuals. The Oregon resident reportedly used phishing emails to gain access to victims’ email accounts and steal the images. Celebrities were allegedly among the victims, though none have been named and an FBI spokesperson indicated that none of the images were believed to have been posted online.
Helton faces up to five years in prison for the cyber crimes, which allegedly gained him access to more than 360 email accounts in total. His sentencing is scheduled for June.
Pennsylvania Man Admits to Stealing Explicit Celebrity Photos
In “haven’t-I-heard-this-one-before” news, Ryan Collins, 36, has reportedly accepted a plea agreement for charges stemming from his 2014 theft of explicit celebrity photos. Collins’ hack was highly publicized; many of the photos were released online, and the list of victims included actresses Jennifer Lawrence, Gabrielle Union, and Kate Upton.
A Pennsylvania native, Collins has admitted to using phishing emails to gain access to more than 100 iCloud and Gmail accounts, after tricking recipients into revealing their login credentials. Though Collins faces up to five years in federal prison, reports indicate that prosecutors will recommend an 18-month sentence.
The leniency in the recommendation may be due to the face that it’s unclear whether Collins acted alone in all facets of the cyber crime. According to multiple news outlets, investigators have not found evidence to tie him to the online leaks of the stolen photos.
Disgruntled Employee Jailed, Fined for Destroying IP
In February, New Jersey resident Nikhil Nilesh Shah, 33, was sentenced to 30 months in prison and ordered to pay nearly $325,000 in restitution for sending malware to his previous employer in North Carolina.
According to an FBI press release last year, Shah served as an information technology manager for Smart Online, a mobile application platform developer, from 2007 to 2012. After leaving to work for another technology company, he sent malicious code to Smart Online’s servers in Durham and Raleigh, an act that reportedly deleted much of the company’s intellectual property and caused at least $5,000 in damage.
Fired IT Specialist Faces Jail Time, Fine for Retaliatory Cyber Attack
In more “haven’t-I-heard-this-one-before” news, Brian Johnson, a former Georgia-Pacific employee, faces up to 10 years in prison and a $250,000 fine for a cyber attack on the company following his dismissal. He reportedly sent command and control codes to the plant’s computer system from his home network after he was fired, causing significant damage and affecting the 24-hour-a-day mill’s ability to operate machinery and fulfill orders.
The 44-year-old Louisiana man was working at an IT specialist and systems administrator at Georgia-Pacific’s Port Hudson paper mill when he was fired and escorted from the premises in February 2014. Johnson had been employed by the company for nearly 15 years and helped write the code for some of the plant’s machinery. His sentencing is scheduled for May.
IRS Shares Top Identity Theft Busts of 2015
A recent Network World article highlighting the top 10 identity theft busts by the IRS in 2015 shows the concerted efforts the agency is making to combat tax fraud in the U.S. The list is a showcase of prolific scam artists who illegally obtained millions of dollars in fraudulent federal and state refunds.
According to the article, the IRS launched 776 investigations related to identity theft complaints in fiscal year 2015, with its Criminal Investigation enforcement team bringing in 774 convictions. The average sentence in the cases was 38 months of jail time; the longest was 27 years.
Man Accused of Wide-Spread ATM Skimming Pleads Not Guilty
U.S. citizen Atef Alkhabteeb, who stands accused of installing card skimmers on Wells Fargo ATMs throughout San Diego County, pleaded not guilty to charges of aggravated identity theft and bank fraud in federal court in March.
Alkhabteeb allegedly used the data captured from the skimmers to create counterfeit credit cards and steal nearly $500,000 from bank accounts. Wells Fargo identified more than 4,800 accounts that were compromised in the scam. Investigators believe Alkhabteeb acted alone; he is visible on surveillance recordings from multiple locations and reportedly wore the same baseball cap in all the videos.
Purported ‘Crackas with Attitude’ Mastermind Arrested in the UK
A prolific teenage hacker suspected of leading several cyber attacks against U.S. agencies and officials was arrested in the UK in February. His name has not been released, but he is believed to be the mastermind of the “Crackas with Attitude” hacker group, having used such pseudonyms as “Cracka” and the Twitter handle “@DotGovz.”
He has been accused of the recent FBI and U.S. Department of Homeland Security (DHS) hack and the subsequent leak of the personal data of 29,000 federal employees. The 16-year-old is also suspected of compromising CIA Director John Brennan’s personal email account, exposing information about 31,000 government agents, and committing other high-profile attacks.
We can help you reduce risks related to cyber security breaches in your organization. Explore the research studies that show how our innovative approach can reduce organizational risk and provide a significant ROI on security awareness training initiatives.
Subscribe to the Proofpoint Blog