UK police target script kiddies, teenage hackers

UK law enforcement is targeting teenagers dabbling in hacking with the aim of preventing them becoming involved in cybercrime.

A recent UK National Crime Agency (NCA) poll found that the average age of cybercrime suspects — such as those involved in the recent TalkTalk hack — is 17, in comparison to 24 a year ago. There are teenagers out there able to flit in and out of servers, pinch data and cause chaos for enterprise players — all before completing their mandatory education, exams, or being able to legally drink.

This is quite a concept. If you have teenagers interested in and willing to explore cybersecurity and hacking, perhaps these young people could be influenced to do so in a legitimate setting, which would in turn help plug some of the skills gap currently causing businesses headaches thanks to the rise in high-profile data breaches.


The NCA is thinking along the same lines.

The #CyberChoices campaign is aimed at educating parents of teenagers potentially involved in hacking, in order to “help parents and carers spot signs of potential problems, understand what the consequences could be, and to emphasise better ways for young people to use their skills and interest in technology.”

Richard Jones, Head of the National Cyber Crime Unit’s Prevent team said:

“Over the past few years the NCA has seen the people engaging in cyber crime becoming younger and younger.

We know that simply criminalising young people cannot be the solution to this and so the campaign seeks to help motivate children to use their skills more positively.”

The NCA’s research also indicated few teenage script kiddies or hackers knew what the consequences would be if they were caught.

The UK law enforcement agency says the most popular tools among teens are distributed denial-of-service (DDoS) tools — unsurprising, considering how easy it is to set up and launch such attacks which flood websites with traffic to take them offline.

In addition, Remote Access Trojans (RATs) are popular. The Blackshades RAT, for example, enticed a number of teenagers into buying it, leading to the arrest of 22 people whose average age was 18. The youngest buyer of the RAT was only 12 years old.

“We have aimed the campaign initially at parents, because we know from research that they often are unaware of what their children are doing online,” Jones said.

“These individuals are really bright and have real potential to go on to exciting and fulfilling jobs. But by choosing the criminal path they can move from low level ‘pranking’ to higher level cyber crime quite quickly, sometimes without even considering that what they’re doing is against the law.”

The campaign is supported by various partners including Get Safe Online, CREST and the Cyber Security Challenge.


Malvertising Hits DailyMotion, Serves Up Angler EK

We have been tracking an attack via .eu sites for several days but were missing the final payload. However, this changed when we managed to reproduce a live infection via an ad call coming from popular video streaming site DailyMotion, ranked among Alexa’s top 100 sites.

This malvertising incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad (pictured below) from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler exploit kit.

The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim. In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.


We immediately contacted Atomx, the online media exchange platform used in the ad call, who informed us the issue was coming from WWWPromoter and more specifically a malicious buyer (the rogue advertiser) on their network.

The incident was resolved very rapidly once the proper contacts were made and the problem isolated. For this, we would like to thank all parties involved for taking such prompt action, therefore limiting the potential damage to innocent users.

This particular malvertising attack is one of a few campaigns we have been tracking which are much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment.

Indeed, the problem comes when we suspect foul play but can’t prove it with a live infection. It is difficult to convince ad networks to take action, when on the surface there’s nothing wrong with a particular advertiser.

This is also a reminder that even popular sites with recognized brand names can still be used as a vector to distribute malware.

Malwarebytes Anti-Exploit users were protected against this attack (Flash CVE-2015-7645) which would have dropped Bedep and ad fraud, but possibly other payloads as well.

Technical details

Infection flow

  1. Publisher: dailymotion.com/video/xv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms
  2. Ad call: p.ato.mx/placement?v=8&id=9146&size=728x90&type=iframe&b=0&domain=&screen=1600x900x24&timezone=300&cookies=1&flash=1&r=http%3A%2F%2Fwww.dailymotion.com%2Fvideo%2Fxv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms
  3. Malvertising: creative.wwwpromoter.com/pop-imp/1491/11672
  4. Fake advertiser (loads advert picture and JS): {sanitized}.eu/advertising.html
  5. Fake advertiser (booby-trapped JS): {sanitized}.eu/scripts/media.js?
  6. Fake advertiser: {sanitized}.eu/advertising.html?tm=1449123577264
  7. Redirector (SSL) to Angler EK: worldbesttraffic.eu/
  8. Angler EK: ftuifio.vpkoqbs.eu/civis/viewforum.php?f=3s5&sid=vk830.1892qo288&

Fiddler view


If you would like more information about this attack, feel free to contact us via the usual means.


Cyber Extortion, DDoS-For-Bitcoin Campaigns Rise

Now that the model is proven, more cyber-extortionists are entering the scene, stealing their predecessors’ ideas and even their names.

Whether it be via DDoS, doxing threats, or ransomware, attackers extorting victims for cash via electronic means is growing, and Bitcoin may be partly to blame for the increase, according to researchers at Recorded Future.

“Bitcoin attracted more miscreants to the space,” says Tyler Bradshaw, solutions engineer for Recorded Future. Because it is relatively new and unregulated, the currency allows extortionists to accept payments anonymously.

While ransomware operators are generally indiscriminate about targets, go after individuals, and request small ransoms of 1 to 2 BTC (currently approximately $349 to $698), DDoS extortionists take the opposite approach.

Last year, the threat group DD4BC (short for “DDoS for Bitcoin”) first emerged. DD4BC’s modus operandi was to threaten a company with a major distributed denial of service — on the magnitude of 400-500 Gbps — prove it could compromise the network by carrying out a low-level warning attack of roughly 10-20 Gbps, and demand a payment to prevent a large-scale DDoS. According to Recorded Future, DD4BC has attacked over 140 companies in this way.

According to a report by researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) released in September, the group first targeted online gaming and online currency exchanges, which would be reluctant to request help from law enforcement. They then shifted attention to financial services companies, tweaking the attack to include a threat of publicly embarrassing the company by revealing, via social media, that the company had been DDoSed.

DD4BC’s ransom demands ranged from 10 BTC to as much as 200 BTC (currently $3,940 to $78,788), often starting low and increasing the price the longer the victim failed to pay up.

DD4BC did not actually seem to be capable of carrying out the 400-500 Gbps-scale attack they threatened. The worst Akamai detected was 56 Gbps. Yet, the threats and warning attacks were enough to convince targets to pay the ransom.

As Akamai PLXsert wrote in its September report:

PLXsert believes copycats will enter the game, increasing these types of attacks. In fact, copycats may already be sending their own ransom letters, piggybacking on the reputation of dd4bc.

That’s precisely what has happened, according to Recorded Future.

In the wake of Akamai’s report, DD4BC’s own activity sharply decreased, but a new group called Armada Collective showed up on the scene, using the same model DD4BC had used.

One of Armada Collective’s victims was ProtonMail, an encrypted email service provider. Yet even after ProtonMail paid the extortion fee, the attacks increased and became more sophisticated. According to the Recorded Future report:

ProtonMail claimed this second attack was a “coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes.” In fact, ProtonMail has stated that the second attack appears to be nation-state sponsored.

The Armada Collective vehemently denied involvement in this second attack, despite their own warnings of a larger attack. They even refunded bitcoins to ProtonMail in order to send messages such as:

“Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” and “WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE.”

Then last week, news broke that three Greek banks were hit with DDoS attacks whose perpetrators claimed to be the Armada Collective. However, the extortion amount requested was a whopping 20,000 BTC, or $7.85 million at current value, from each bank.

“That’s why it was a red flag for me,” says Bradshaw, “that this might not be the Armada Collective,” either. The size of the ransom was too high for the original Armada Collective, which also tended to go for targets that were unlikely to involve law enforcement.

A bank official told the Financial Times last month, “No bank responded to this extortion, so the same hackers tried again at the weekend and today. But we had strengthened our defence in the meantime, so no disruptions took place.”

Why would an attack group hijack another’s handle? “They may be using the name because it’s easier to ride those coattails without doing any work first,” says Bradshaw, explaining that threats from an established threat actor may be taken more seriously by targets. Plus, it gives law enforcement a false trail to follow. “If something goes down, the eyes are not pointed at them,” he says.

Although cyber-extortion is increasing, the success of each attack campaign depends upon combining the right technological capabilities with the right price point. Last week, not only did the Greek banks not pay Armada Collective the $7.85 million request, but three banks in the United Arab Emirates refused to pay an attacker called Hacker Buba a $3 million payout. In response, Hacker Buba publicly dumped personal information, full credit card data, and transaction histories on tens of thousands of the banks’ customers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Pro tip: Check your Android device for vulnerabilities with Belarc Security Advisor

Image: Jack Wallen

For many admins, Belarc’s Security Advisor is the go-to tool for information gathering on a Windows desktop system. Now, you can reach for Belarc Security Advisor on the Android platform.

What do you get from Belarc?

The single most important element is a report on any system vulnerability. With Belarc, you will find out if there are any installed apps that do not properly validate SSL certificates, something most standard antivirus and antimalware cannot spot. In fact, Belarc Security Advisor will scan your Android device for over 1,850 known vulnerabilities (as of this writing).

The process will scan every application installed on your device and report back the results. (Belarc is a reporting tool, not an app to fix problems — although it will make a suggestion.) You should immediately check the flagged app for updates and, if there are none, uninstall any app Belarc lists as vulnerable. Simple.

Installing Belarc Security Advisor

  1. Open the Google Play Store on your Android device.
  2. Search for belarc.
  3. Locate and tap the Belarc Security Advisor entry by Belarc.
  4. Tap Install.
  5. Read the permissions listing carefully.
  6. If the permissions listing is acceptable, tap Accept.
  7. Allow the installation to complete.

You should see a Belarc launcher on your home screen, or in your App Drawer, or in both spots. Tap it to launch the tool.

Using Belarc Security Advisor

When Belarc Security Advisor opens, you will have to agree to an EULA (tap Accept & Begin). As soon as you agree to the license, Belarc will run its first scan automatically. Hopefully, the app will report no vulnerabilities on your device. If the app does find something, it will report the vulnerability as well as its severity (Figure A).

Figure A

Image: Jack Wallen

Belarc found a moderate vulnerability on a Verizon-branded HTC One M8.

If Belarc does report a vulnerability, tap on it for more information. Most likely, you will be presented with a Check For Updates button for the app (Figure B).

Figure B

Image: Jack Wallen

Zoom reported with a vulnerability.

Tap the Check For Updates button. If there are no updates for the app, you should immediately uninstall the app and re-run Belarc to make sure the vulnerability has been removed.

Be sure to run Belarc Security Advisor on a regular basis to keep your system as secure as possible.


BackStab Attack Takes Indirect Route To Mobile Data

Attack technique takes advantage of weak protections around mobile user’s backup files.

While there are plenty of mobile device vulnerabilities just waiting for bad guys to pick up on, some of the lowest hanging fruit for mobile-oriented attackers isn’t on the device itself. Instead, the softest target comes in the form of insecure back-ups stored on a traditional desktop or laptop.

Palo Alto Networks’ Unit 42 research team calls the technique “BackStab.” In a report out today by researchers with the team, they explain that this indirect route can nab attackers text messages, photos, geo-location data and just about anything else that’s been stored on a mobile device.

“While the technique is well-known, few are aware of the fact that malicious attackers and data collectors have been using malware to execute BackStab in attacks around the world for years,” writes report author Claud Xiao. “iOS devices have been the primary target, as default backup settings in iTunes® have left many user backups unencrypted and easily identified, but other mobile platforms are also at risk.”

According to the report, Unit 42 has found over 700 recent flavors of Trojans, adware and other hacking tools designed to target Windows and Mac systems containing user data from backup files from iOS and BlackBerry devices. Several of the malware families discovered by the researchers have been around for at least five years. They explain that there are tons of public articles and video tutorials detailing how to carry out a BackStab attack. And unlike a lot of mobile device attacks, the attack doesn’t require the targeted user to have a jailbroken device.

In the case of iOS attacks, often BackStab is made possible due to default settings on iTunes that don’t encrypt backed up data.
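The defender-side check that follows from the two paragraphs above is simply to find out whether the backups sitting on a desktop are encrypted. The script below is an added example, not Unit 42's tooling or anything from the report: it walks a MobileSync backup root, reads each backup's Manifest.plist and flags those whose IsEncrypted flag is false. The default macOS and Windows backup locations are the well-known ones; the assumption that every backup directory carries a Manifest.plist with an IsEncrypted boolean is labelled in the code. Running it with --demo builds a throwaway root containing one encrypted and one plain sample backup so it can be tried offline.

```python
"""Audit local iTunes/Finder device backups for the unencrypted state that
BackStab-style malware goes looking for (added example, not the report's code).

Assumption: each backup is a directory under the MobileSync "Backup" root and
contains a Manifest.plist whose IsEncrypted key records whether the backup was
made with "Encrypt local backup" switched on.
"""
import os
import plistlib
import sys
import tempfile
from pathlib import Path

# Well-known backup roots on macOS and classic (non-Store) iTunes on Windows.
DEFAULT_ROOTS = [
    Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup",
    Path(os.environ.get("APPDATA", "")) / "Apple Computer" / "MobileSync" / "Backup",
]


def audit_backup_root(root):
    """Return [(backup_dir_name, status)] for every backup under `root`.

    status is "encrypted", "UNENCRYPTED", or "unknown" when the manifest
    cannot be parsed. Directories without a Manifest.plist are skipped.
    """
    results = []
    root = Path(root)
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        manifest = entry / "Manifest.plist"
        if not entry.is_dir() or not manifest.is_file():
            continue
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)  # handles binary and XML plists
            status = "encrypted" if data.get("IsEncrypted") else "UNENCRYPTED"
        except (plistlib.InvalidFileException, OSError, ValueError):
            status = "unknown"
        results.append((entry.name, status))
    return results


def unencrypted_backups(root):
    """Names of backups under `root` that BackStab-style tools could read directly."""
    return [name for name, status in audit_backup_root(root) if status == "UNENCRYPTED"]


def build_sample_root():
    """Construct a temporary backup root with constructed sample manifests:
    one encrypted backup, one unencrypted backup, and one unrelated folder."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync_sample_"))
    samples = {"aaaa0000-sample-encrypted": True, "bbbb1111-sample-plain": False}
    for name, encrypted in samples.items():
        backup_dir = root / name
        backup_dir.mkdir()
        with (backup_dir / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"},
                          fh, fmt=plistlib.FMT_BINARY)
    (root / "not-a-backup").mkdir()  # no manifest: must be ignored by the audit
    return root


def main(argv):
    roots = [build_sample_root()] if argv == ["--demo"] else [Path(a) for a in argv] or DEFAULT_ROOTS
    exposed = 0
    for root in roots:
        for name, status in audit_backup_root(root):
            print(f"{root / name}: {status}")
            exposed += status == "UNENCRYPTED"
    print(f"{exposed} unencrypted backup(s) found")
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A non-zero exit code when an unencrypted backup is present makes the script usable from a scheduled endpoint check; the remediation is the one the report implies, turning on encrypted backups in iTunes or Finder and taking a fresh backup.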

The report today detailed some of the most common tools that employ BackStab, including a dropped portable executable file often used in concert with the DarkComet remote access Trojan called USBStler. Interestingly, they also showed how RelevantKnowledge, a tool developed by Internet research firm comScore, leans on BackStab techniques to spy on consumers.

“We found that many RelevantKnowledge samples contain code to collect users’ iPhone and BlackBerry data through these mobile devices’ backup archives,” Xiao wrote. “During their execution, these samples will search for files under the Windows iTunes backup directory, collect information, compress it into a file and upload it to (comScore’s) web server.” 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.