
Threat Weekly – A Situational Awareness Report from our Technical Security Team

Volume 2, Issue 12 – 22 March 2012

ThreatCon 2: Heightened

Proof of Concept code and a Metasploit module have been released for the Remote Desktop vulnerability identified by Microsoft earlier this month. A patch was released

TOP OF THE NEWS


Symantec warns of 64-bit Windows Trojans

Symantec has warned of a new Windows 7 Trojan that can elevate the privileges of any restricted process to administrator level, without the user's permission or knowledge. The latest fully patched versions of Windows 7 are vulnerable to the Backdoor.Conpee Trojan, warned Mircea Ciubotariu, a security response engineer at Symantec, on a company blog.

The new Trojan targets both 32-bit and 64-bit versions of Windows 7, adding to the growing weight of evidence that malware writers are redesigning their software to bypass security features in 64-bit Windows, said Ciubotariu. The 64-bit versions of Windows 7 and Vista include Kernel Mode Code Signing and Kernel Patch Protection, which were intended to make them less vulnerable to malware.

But Backdoor.Conpee and the recently discovered Backdoor.Hackersdoor Trojan have both been shown to infect 64-bit operating systems, said Ciubotariu. “What was just a theory not so long ago is now being used in-the-wild by [these] threats,” he warned.

The Hackersdoor Trojan is able to bypass the driver signing system used in 64-bit Windows by using stolen certificates. Symantec first detected this type of infection in December 2011, and while the number of infections seen in the wild since then has been modest, it appears the malware writers have been using it as a test case, added Ciubotariu.

“It proves, once again, the length malware creators will go to achieve their goals,” he said.

Source: http://www.v3.co.uk/v3-uk/news/2159725/symantec-warns-bit-windows-trojans


Credit Card Info Stolen From Stratfor Site Used in US $700,000 of Fraudulent Charges

When the Antisec branch of Anonymous hacked into security think tank Strategic Forecasting, or Stratfor, at the end of December, one of its claims was the theft of 200GB of data, including e-mails and clients' credit card information. Days after the hack, the group published 860,000 e-mail addresses and 75,000 unencrypted credit card numbers on the Web.

Now, the FBI's Milan Patel says that between December 6, 2011, and February 2012, "at least $700,000 worth of unauthorized charges were made to credit card accounts that were among those stolen during the Stratfor Hack," according to Internet security news site Security Week. Stratfor's list of clients whose information was allegedly compromised in the hack includes the U.S. Army, U.S. Air Force, Department of Defense, Lockheed Martin, and Bank of America.

Patel said that the $700,000 figure "does not reflect any of the charges that may have been incurred on cards associated with the Stratfor Hack for which records have not yet been reviewed."

This information was made available during this week's court case for Jeremy Hammond, one of the alleged hackers arrested last week by the FBI for the Stratfor attack. According to Security Week, Hammond is being charged with one count of computer hacking conspiracy, one count of computer hacking, and one count of conspiracy to commit access device fraud. Each of these counts carries a maximum sentence of 10 years in prison.

Along with the money lost from stolen credit cards, Security Week reports that Stratfor is claiming another $2 million in losses that it had to pay for recovery, lost business claims, and monitoring to protect its clients who had their credit card details exposed.

Source: http://news.cnet.com/8301-1009_3-57395944-83/fbi-says-$700k-charged-in-anonymous-stratfor-attack/


Pentagon is Fast Tracking Cyber Weaponry

The Pentagon is accelerating efforts to develop a new generation of cyberweapons capable of disrupting enemy military networks even when those networks are not connected to the Internet, according to current and former U.S. officials. The possibility of a confrontation with Iran or Syria has highlighted for American military planners the value of cyberweapons that can be used against an enemy whose most important targets, such as air defence systems, do not rely on Internet-based networks. But adapting such cyberweapons can take months or even years of arduous technical work.

When U.S. military planners were looking for ways to disable Libya’s air defence system before NATO’s aerial attacks last year, they discussed using cybertechnology. But the idea was quickly dismissed because no effective option was available, said current and former U.S. officials. They estimated that crafting a cyberweapon would have taken about a year, including the time needed to assess the target system for vulnerabilities.

“We weren’t ready to do that in Libya,” said a former U.S. official, who spoke on the condition of anonymity because of the sensitivity of the discussions. “We’re not ready to do that now, either.”

Last year, to speed up the development of cyberweapons, as well as defensive technology, then-Deputy Defense Secretary William J. Lynn III and Marine Corps Gen. James Cartwright, then vice chairman of the Joint Chiefs of Staff, placed $500 million over five years into the budget of the Defense Advanced Research Projects Agency, one of the Defense Department’s premier research organizations. The agency also has launched new cyber-development initiatives, including a “fast-track” program.

“We need cyber options that can be executed at the speed, scale and pace” of other military weapons, Kaigham J. Gabriel, DARPA deputy director, said in testimony last month to Congress.

More on this story at: http://www.washingtonpost.com/world/national-security/us-accelerating-cyberweapon-research/2012/03/13/gIQAMRGVLS_story.html


UK Man Charged for Allegedly Launching Cyber Attacks on CIA and SOCA

An alleged member of hacker group LulzSec appeared in a London court on Friday charged with conspiracy over cyber-attacks against websites maintained by the CIA and the UK's Serious Organised Crime Agency. Ryan Ackroyd, 25, of Oak Road, Mexborough, Doncaster, is also charged with breaking into systems maintained by the NHS and Sun newspaper publisher News International, the BBC reports.

At a hearing at Westminster Magistrates' Court, district judge Howard Riddle granted Ackroyd, who spoke only to confirm his name and address and did not enter a plea, bail pending a case management hearing before Southwark Crown Court on 11 May. Unemployed Ackroyd is accused of conspiring with Jake Davis, 18, Ryan Cleary, 19, and a 17-year-old lad to launch a string of denial-of-service attacks against websites between 1 February and 30 September 2011.

Bail conditions imposed on Ackroyd ban him from accessing the internet, The Guardian reports. Ackroyd, who is accused of using the hacker label Kayla, also faces allegations in the US that he participated in hacks against the Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service.

Source: http://www.theregister.co.uk/2012/03/19/lulzsec_suspect_court_date/


Anonymous revives LulzSec for new campaign of hacks and attacks

With the arrest of its members and the revelation that its leader was an FBI informant, one might have thought that LulzSec would fade into history. Apparently not. A YouTube video posted at the weekend has announced that LulzSec will return. On April 1st the group will be back, and attack corporations and governments, promising "epic operations and pranks."

The LulzSec video downplays the arrests and insists that LulzSec remains a going concern. "Several days ago we decided to swiftly bring back our humble hacking group and set sail towards the Interwebz once again, much to the dismay of corrupt governments and corporations across the planet," proclaims the video's computer-generated voice. "It's ridiculous to believe that by arresting the six prime members of LulzSec that you've stopped us. You haven't stopped us, you have merely disrupted the active faction."

The new LulzSec targets are as broad and varied as the old LulzSec targets: "Lulzsec will start targeting governments, corporations, agencies, and quite possibly the people watching this video." The motivation is similarly nonspecific: "We are here for the lulz, the fame, the anarchy, and the people."

An Anonymous Web site linked LulzSec's return to "Project Mayhem," a new operation with a long and rambling manifesto that seeks to use hacks and artwork to subvert or undermine governments and corporations and create social change. On December 21st of this year, Project Mayhem will, apparently, provoke a global financial meltdown through a series of bank runs. Critical infrastructure will also be attacked. A Web site related to the project cites George Orwell and implies that the Proles will rise up on this date.

More on this story at: http://arstechnica.com/tech-policy/news/2012/03/anonymous-reincarnates-the-lulzsec-name-for-new-campaign-of-hacks-and-attacks.ars


Cybercops traced Toulouse massacre suspect through IP address

The IP address of a computer used to view a motorbike sales ad posted by an early victim of the Toulouse gunman played a vital role in narrowing down Mohamed Merah as the main suspect in a series of attacks that have horrified France, it has emerged.

French soldier Imad Ibn-Ziaten posted a video of the motorbike he wanted to sell online. The paratrooper was killed on 11 March after he invited someone who posed as a prospective buyer to his house.

Le Monde reports that the ad was viewed by about 500 people. Cyber police narrowed down the list of likely suspects to those who lived in and around Toulouse in south-west France. This search was intensified after Ibn-Ziaten's assassination was linked to the slaughter of three children and a rabbi at a Jewish school in Toulouse on Monday, 19 March.

In addition, Le Monde added, a motorcycle dealer had reported a suspicious conversation with someone who wanted to know whether it was possible to remove an anti-theft tracking device from a Yamaha scooter just days before the vehicle was stolen on 6 March and before the first attacks against French soldiers. The twin strands of evidence allowed police to compile a shortlist of suspects.

Merah was already under surveillance by French authorities and the use of an IP address, which was linked to his brother's house, to view Ibn-Ziaten's motorcycle video made him a prime suspect in the case.

In the early hours of Wednesday a French anti-terrorist unit surrounded a block of flats where the reportedly heavily armed Mohamed Merah lived, leading to a siege that ended after police stormed his flat on Thursday morning. Merah jumped out of a window while firing back at cops and was subsequently found dead on the ground. It is as yet unclear whether the fall or police snipers killed him.

During the firefight, Merah reportedly proclaimed allegiance to al Qaida and admitted responsibility for shooting dead three French soldiers in two ambushes last week, as well as for the attack on the Jewish school.

Source: http://www.theregister.co.uk/2012/03/22/toulouse_manhunt


THE REST OF THE WEEK’S NEWS


New Attack Dupes Carriers To Defeat Out-Of-Band Authentication Of Bank Customers

Among the most recent threats reported by Trusteer, a Boston-based provider of secure web access services, are two online banking fraud schemes designed to defeat the one-time-password (OTP) authorization systems used by many banks. According to Trusteer, these new threats go a step beyond earlier attacks in which criminals would change a victim's phone number to redirect OTPs to themselves.

"In these new scams, the criminals are stealing the actual mobile device SIM (subscriber identity module) card," the company said. The first kind of attack uses the Gozi Trojan to steal IMEI (international mobile equipment identity) numbers from online bank account holders when they log in.

"Once they have the IMEI number, the criminals contact the victim's wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim's phone are sent to the fraudster-controlled device," Trusteer said.

Oren Kedem, director of product marketing for Trusteer, said the Gozi attacks are mainly in the U.S. and that, "the level of infection is quite significant," even though the damage is not yet extensive. "What's happening right now is that fraudsters are sitting on a pile of information but not using it yet. Now we have to go through the process. I'm sure they are looking for the high-value customers first, so we expect to see a long tale of woe," he said.

The second type of attack, which Kedem said appears to be focused more in Europe, starts with a Man in the Browser (MitB) or phishing attack to obtain the victim's bank account details, including credentials, name, phone number, etc. Trusteer says the criminal then goes to the local police station and uses that stolen personal information to obtain a police report that lists the mobile device as lost or stolen. He then calls the victim and says that their mobile phone service will be interrupted for the next 12 hours.

The criminal then presents the police report at one of the wireless service provider's retail outlets. The SIM card reported as lost or stolen is deactivated by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim's phone number.

Trusteer says accounts protected by OTP systems typically have higher transfer limits and are less scrutinized. They are therefore more lucrative. Kedem says the best way to defeat either threat is to be protected and be aware.

"The best practice requires three steps," he says. "First is to have security software from the bank itself that is designed to fight financial fraud. Second, don't play along with any change you see in the bank's web site that is asking for information it hasn't asked you for previously. Call the bank and ask about it." Finally, he says, is the warning that is standard for online transactions of any kind: Be suspicious of any unsolicited call asking for personal information.

Kedem said it is not clear where the attacks are originating, but said it appears to be from the U.S. or Europe. Trusteer discovered the MitB attack on an underground forum. "The blog was written in English -- and not even broken English," he said.

Source: http://www.computerworld.com/s/article/9225226/In_new_attack_on_mobile_handsets_fraudsters_target_one_time_passwords?taxonomyId=17


DuQu Framework Language Identified as Object Oriented C

A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues. The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.

Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.

DuQu, an espionage tool that followed in the wake of the infamous Stuxnet code, had been analysed extensively since its discovery last year. But one part of the code remained a mystery – an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines. Kaspersky researchers were unable to determine the language in which the communication module was written and published a blog post asking programmers for help. Identification of the language would help them build a profile of DuQu’s authors.

While other parts of DuQu were written in the C++ programming language and were compiled with Microsoft’s Visual C++ 2008, this part was not. Kaspersky also ruled out Objective C, Java, Python, Ada, Lua and many other languages they knew.

Most commenters who wrote in response to Kaspersky’s plea thought the code was a variant of LISP, but the reader who led them in the right direction was a commenter who identified himself as Igor Skochinsky and wrote in a thread posted to Reddit.com that he was certain the code was generated with the Microsoft Visual Studio Compiler and offered some cogent reasons why he believed this. Two other people who sent Kaspersky direct emails made crucial contributions when they suggested that the code appeared to be generated from a custom object-oriented C dialect — referred to as OO C — using special extensions.

This led the researchers to test various combinations of compilers and source code over a few days until they found the right combination that produced a binary matching the style seen in DuQu. The magic combination was C code compiled with the Microsoft Visual Studio Compiler 2008 using the /O1 and /Ob1 compiler options to keep the code small.

“Visual C can optimize for speed and it can optimize for size, or it can do some kind of balance between the two,” says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “But they wanted obviously the smallest possible size of code” to get it onto victim machines via an exploit.

More on this story at: http://www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/


Now CHINA complains of surge in cyber-attacks

China is claiming attacks on public and private organisations from outside of its borders have rocketed in the past year - from five million computers affected in 2010 to 8.9m in 2011. State-run newspaper China Daily reported the figures from (deep breath) the government’s National Computer Network Emergency Response Technical Team and Coordination Centre. They revealed that machines behind 11,851 IP addresses from overseas took control of 10,593 Chinese websites during 2011. Other attacks involved the destruction of servers and stealing of personal data from web users in the People’s Republic.

Some 1,116 sites were defaced by overseas attackers, and just under half of those were government sites, Wang Minghua, deputy director at the centre, told a news conference on Monday. “This shows that Chinese websites still face a serious problem from being maliciously attacked by foreign hackers or IP addresses," he is quoted as saying.

Surprisingly, Japan is alleged to be the source of most attacks on China, supposedly landing 22.8 per cent, followed by the US with 20.4 per cent and then the Republic of Korea with 7.1 per cent. The attacks were both financially motivated and targeted at stealing sensitive information from government departments, according to the report, although tellingly there is no breakdown for each.

China has swung from being a country frequently accused of launching cyber-attacks on Western nations to one finding itself on the business end of hackers' keyboards. Although it has been frustratingly difficult for investigators and politicians to prove, everyone from Hillary Clinton to William Hague and Google’s Eric Schmidt has pointed accusing fingers at the Asian nation as a source of malicious net traffic.

More on this story at: http://www.theregister.co.uk/2012/03/20/china_complains_hack/


Data theft: Hacktivists 'steal more than criminals'

Hacktivists stole more data from large corporations than cybercriminals in 2011, according to a study of significant security incidents. The annual analysis of data breaches by Verizon uncovered a huge rise in politically motivated attacks. Verizon found that 58% of all the data stolen during breaches in 2011 was purloined by these groups. Hacktivists were hard to defend against, it said, as their attack strategies were much harder to predict.

The Verizon report catalogued 855 incidents around the world in which 174 million records were stolen. "Hacktivism has been around for some time but it's mainly been website defacements," said Wade Baker, director of research and intelligence at Verizon. "In 2011 it was more about going to steal a bunch of information from a company." The hacktivist attacks were spearheaded by the Anonymous hacker group and its tech-savvy offshoots Antisec and Lulzsec. These activists scored a significant number of successes by knocking out websites and stealing large amounts of data from private companies and government agencies.

"Data theft became a mechanism for political protest," said Mr Baker. He added that it was hard to develop specific defences against these attacks because they used tactics and techniques crafted for each occasion. He said the attacks by hacktivists were not very common but often netted huge amounts of data when they did penetrate defences. In contrast to that stolen by hacktivists, about 35% of data pilfered from large companies was taken by organised criminal groups which wanted to sell it or use it to commit another crime.

Mr Baker said cybercriminals continued to be a huge threat to large companies, and constantly battered their internet defences looking for weaknesses. These attacks, he said, tended to be opportunistic and capitalised on any loopholes and vulnerabilities they found. While few firms were going out of business or suffering lasting damage because of a data breach, he said, companies still had work to do to ensure they knew they were safe. "The ability to detect a breach is quite poor across the board," said Mr Baker.

Source: http://www.bbc.co.uk/news/technology-17428618