Zimperium Announces Its Exploit Acquisition Program for N-Days

Your million dollar 0day just got burned and is now worth nothing? No worries – we are still interested in your exploit. The value of 0days can range from a few thousand to even a million dollars for a full remote exploit chain, and many companies and governments are willing to buy them. The problem with this approach is that your exploits are used for attacks against unknown targets (security researchers, press reporters and activists are all well-known targets). As soon as the vulnerability is discovered and patched, sophisticated attackers will stop exploiting the bug and it is rendered useless. Professional hackers-for-hire try not to rely on N-days to avoid getting caught.

In many cases, exploit buyers will not pay the full exploit price in case the vulnerability gets fixed by the vendor.

How much is a 0day worth in the latest Android or iOS? Possibly even a million dollars for a remote, generic exploit. How much is the same 0day worth one month after the bug was patched? Sometimes as low as zero dollars. In our efforts to promote patching in mobile devices, we seek to change this process and help companies and researchers alike. We now offer a purchasing program for N-Day exploits.

It’s simple. We’ll buy remote or local exploits targeting any version other than the latest version of iOS and Android.

The exploit will be released first to Zimperium Handset Alliance (ZHA) partners. ZHA includes 30+ of the most well-known carriers and handset vendors. Amongst our ZHA partners you can find: Samsung, Softbank, Telstra and Blackberry. The complete list is available only to the security contacts within the carriers and vendors.

We will provide ZHA partners between one and three months' advance notice before releasing the exploit publicly (unlike most exploit acquisition programs). We will not release these exploits publicly if requested by the author. We would like to encourage security researchers to provide proofs of exploitation for known vulnerabilities and, at the same time, get paid for previous work. Multiple ZHA partners explained to us that without proof of exploitability, it is hard to convince security teams to allocate the resources needed for a complete patch cycle, even for known issues. We hope this program will encourage more researchers to look into monthly security updates and promote better patching.


What will Zimperium do with the exploits?

Our plan is to use the exploits to enhance our z9 engine. So far, all of the publicly available kernel exploits released over the last few years were detected by our z9 engine without requiring an update. As a mobile security vendor, it is obvious that we should support the latest devices – but on large deployments, with tens of millions of users, we must also provide backward compatibility and identify attacks on devices that even the device vendors no longer support (e.g. Android 4.1). In such scenarios, the users do not even have the option to update their phone. For us, supporting old devices is a key decision to help where the update policy has failed consumers.

Why are you buying N-days?

Security research and exploitation are at our heart and are what led Zimperium to this point. We appreciate the art of exploitation, and appreciate the cool tricks used in exploit development: bypassing ASLR/KASLR, achieving persistence, etc. We humbly believe that we can learn from any exploit and, as a result, offer better security for our customers and partners.

Are you planning to buy 0days, too?


Will you release the exploit?

Yes, unless explicitly asked by the author. Our goal is to help the community, penetration testers, mobility and IT Admins to better evaluate their security and protect their devices.

Will you provide credit for the exploit developer?

Yes, unless asked to remain anonymous.

What are the payment methods?

We can do an electronic transfer, PayPal or even bitcoin if you wish to remain anonymous.

How much is going to be allocated for the Zimperium N-Days EAP?

We will allocate 1.5 million US dollars for this program.

How will you decide which exploit gets purchased and for how much?

An exploit committee built from selected members of zLabs will decide how much to offer for each N-Day exploit. Remote exploits are even more valuable than local ones, but it all depends on the exact bug (and the beauty of the exploit).

What type of bugs are we looking for?

  1. Remote exploits
  2. Local exploits
  3. Information disclosure vulnerabilities
  4. Other vulnerabilities may qualify but need to be described in the email

How does it work?

Send us a note to ninja_exploits@nothuman.ninja (PGP key below).

  1. Describe the exploit
  2. When was it patched? (which CVE)
  3. How does the exploit chain work?
  4. Do you want to release the code publicly after we check it in our labs? If so, would you like to receive credit for it? If (4) is not provided, the default is yes.

We will then provide you with a quote containing our offer for your exploit. We will only submit the payment once we are able to trigger the vulnerability on an older device/OS.

ninja_exploits@nothuman.ninja – public key



Shopping for W2s, Tax Data on the Dark Web

The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

A cybercriminal shop selling 2016 W-2 tax data.


Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Tax data can be phished directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately.

Incredibly, this scam tricks countless organizations into giving away all employee W-2 data directly to identity thieves who use it (or, in this case, sell it) for tax refund fraud. Earlier this month, solar panel maker Sunrun disclosed that a spear phishing attack exposed W-2 tax form data on more than 3,400 employees.
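The W-2 request scam described above leaves a recognizable pattern in the message itself: an executive's display name, a request for every employee's tax form in one file, and pressure to send it right now. The following is an added example, not code from KrebsOnSecurity or any of the companies named here, showing how a mail gateway or HR mailbox rule might score an incoming message against those traits. The domain, executive names and sample messages are constructed for illustration.

```python
"""Heuristic screen for executive-impersonation W-2 requests (added example).

Constructed sample messages and organization details; nothing here is taken
from a real incident.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organization details (constructed): the company's own mail domain and
# the display names of executives most likely to be impersonated.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"pat ceo", "chris cfo"}

W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)
BULK_PATTERN = re.compile(
    r"\b(all employees?|every employee|entire staff|single (file|pdf))\b", re.IGNORECASE)
URGENCY_PATTERN = re.compile(
    r"\b(asap|immediately|urgent|today|right away)\b", re.IGNORECASE)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess(raw_message: str) -> dict:
    """Score one RFC 822 message and report which traits of the scam it shows.

    A message is flagged only when it mentions W-2 forms AND carries at least
    two further indicators, so an employee asking for their own W-2 passes.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    indicators = []
    if W2_PATTERN.search(text):
        indicators.append("mentions W-2 forms")
    # The classic tell: a known executive's name on an address outside the company.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        indicators.append("executive display name from external domain")
    # Replies silently redirected to another domain.
    if reply_domain and reply_domain != from_domain:
        indicators.append("Reply-To points to a different domain")
    if BULK_PATTERN.search(text):
        indicators.append("asks for bulk employee records")
    if URGENCY_PATTERN.search(text):
        indicators.append("urgency language")

    flagged = "mentions W-2 forms" in indicators and len(indicators) >= 3
    return {"flagged": flagged, "indicators": indicators}


# Constructed sample messages.
PHISH = """From: Pat CEO <pat.ceo@mail-example.net>
To: payroll@example-corp.com
Subject: W-2 request

Hi, I need the W-2s for all employees in a single PDF file.
Please send it to me immediately, I am in a meeting.
"""

OWN_W2 = """From: Jordan Smith <jordan.smith@example-corp.com>
To: payroll@example-corp.com
Subject: my W-2

Could you resend my W-2 when you have a moment? I misplaced the copy I printed.
"""

BENIGN = """From: Pat CEO <pat.ceo@example-corp.com>
To: payroll@example-corp.com
Subject: Payroll calendar

Can you send me the payroll calendar for next quarter when you get a chance?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("own-w2", OWN_W2), ("benign", BENIGN)):
        print(label, assess(sample))
```

The threshold is deliberately conservative: a single mention of "W-2" is routine in a payroll mailbox, so the rule only fires when the request also shows the impersonation and pressure traits the story describes. In practice this sits alongside, not instead of, SPF/DKIM/DMARC checks on the sending domain.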

In this case, however, it does not appear the cybercrime shop obtained the W-2’s through phishing employers. It cost roughly $25 worth of Bitcoin to reveal the likely common thread among all 3,600+ Floridians being exploited by this shop: A local tax preparation firm that got hacked or phished.

Two tax records that a source purchased from the shop listed Kirai Restaurant Group LLC in Fort Lauderdale, Fla. Kirsta Grauberger, managing partner of that organization’s physical property — the Market 17 & Day Market Kitchen — confirmed that the two W-2 records were tied to two employees.

But Grauberger said her company has employed fewer than 150 employees total since it opened for business six years ago. So which other company or companies account for the remaining 3,450 employees whose W-2s are for sale by this shop?

Grauberger told KrebsOnSecurity that her firm doesn’t even handle employee tax forms, and that her company outsourced that entire process to a local tax preparation firm called The Payroll Professionals.

W-2 information also was on sale for employees of a doctor’s office in Boca Raton, Fla. The medical office told KrebsOnSecurity that it, too, managed its payroll through the same third-party payroll management firm.

A man answering the phone at Payroll Professionals who would only give his name as “Robert” said the company was “aware of the potential hacking” and was in the process of informing its clients.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can.

See last year’s Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache. But here are the main takeaways from that story:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

-Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. A freeze can help you stop ID thieves from opening new lines of credit in your name. Instructions for doing that are here. However, note that neither a credit freeze nor credit monitoring will stop ID thieves from filing a fraudulent refund request with the IRS in your name. Again, your best bet to prevent this is to file your taxes before the fraudsters can do it for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.