Showing posts with label DDoS attack.

Tuesday, September 27, 2011

Web Host Netregistry Hit by DDoS Attack


(WEB HOST INDUSTRY REVIEW) -- Australian web host Netregistry (www.netregistry.au) was hit by a DDoS attack on Monday, according to a report by ZDNet Australia.
This attack comes a few months after it acquired the customers and assets of Australian web host Distribute.IT, the web host attacked by hacker group Evil in June.
According to the report, the attack started at 10:30 am and affected its customers using shared and virtual private server hosting. Approximately 100,000 customers were likely to have been affected by the disruption, according to Netregistry CEO Brett Fenton.
Fenton says Netregistry itself was not the intended target, but it isn't sure which hosting customer the attack was directed at. According to the report, Netregistry had to fend off a similar DDoS attack last year when its customer the Australian Federation Against Copyright Theft was targeted by Anonymous.
Around 10:45 am, Netregistry announced its phone system was overloaded and had to place a limit on the number of calls it could accept. Around this time, the company confirmed it was experiencing a DDoS attack, and began to re-divert its network bandwidth and work with its upstream provider Telstra to stem the flow of traffic.
A report by iTechReport says that by lunchtime, the company believed it had resolved the issue, but the attack restarted around 2pm bringing the hosted sites offline again.
Netregistry says by 5pm access had been restored for most customers except for those using a Telstra-provided internet connection. Access to sites on the Zeus Dynamic shared hosting infrastructure remains offline, according to the report.
The report says the outage impacted its resellers and subsidiaries like ZipHosting as well.

http://www.thewhir.com/web-hosting-news/092611_Web_Host_Netregistry_Hit_by_DDoS_Attack

Wednesday, September 14, 2011

DDoS takes down UK's Russian embassy website before PM visit to Moscow



It has been 5 years since a British leader has visited Moscow. On the eve of the first visit since a Kremlin critic was killed in London, the website for the Russian Embassy in London was attacked by a distributed denial of service attack.
British Prime Minister David Cameron has been very vocal in the past about the killing of Alexander Litvinenko who was poisoned in 2006 by radioactive polonium-210, but has worked in the last year since taking over as Prime Minister to mend the relationship with Russia and President Dmitry Medvedev.
“Prior to the visit of Prime Minister David Cameron to Russia, the website of the Russian Embassy in London was brought down by a suspected DDoS attack,” the embassy said in a statement.
The site went down on Friday, came back up on Saturday, then fell again on Sunday. It is currently live.

http://www.techi.com/2011/09/ddos-takes-down-uks-russian-embassy-website-before-pm-visit-to-moscow/

Wednesday, August 10, 2011

Hacker Group Anonymous Vows To Destroy Facebook On November 5




Hacktivist group Anonymous, which has been responsible for cyber-attacks on the Pentagon, News Corp, and others, has vowed to destroy Facebook on November 5th (which should ring a bell).
Citing privacy concerns and the difficulty involved in deleting a Facebook account, Anonymous hopes to "kill Facebook," the "medium of communication [we] all so dearly adore."
This isn't the first time Anonymous has spoken out against social networks.
After Google removed Anonymous' Gmail and Google+ accounts, Anonymous pledged to create its own social network, called AnonPlus.
The full text of the announcement, made on YouTube and reported by Village Voice, is below:
Operation Facebook

DATE: November 5, 2011.

TARGET: https://facebook.com

Press:
Twitter : https://twitter.com/OP_Facebook
http://piratepad.net/YCPcpwrl09
Irc.Anonops.Li #OpFaceBook
Message:

Attention citizens of the world,

We wish to get your attention, hoping you heed the warnings as follows:
Your medium of communication you all so dearly adore will be destroyed. If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill facebook for the sake of your own privacy.

Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria. 

Everything you do on Facebook stays on Facebook regardless of your "privacy" settings, and deleting your account is impossible, even if you "delete" your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more "private" is also a delusion. Facebook knows more about you than your family.
http://www.physorg.com/news170614271.html
http://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iph....

You cannot hide from the reality in which you, the people of the internet, live in. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.

The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It's unfolding because people are being raped, tickled, molested, and confused into doing things where they don't understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them "for their own good" while they then make millions off of you. When a service is "free," it really means they're making money off of you and your information.

Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged.

This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.

We are anonymous
We are legion
We do not forgive
We do not forget
Expect us


http://www.businessinsider.com/anonymous-facebook-2011-8

Monday, August 1, 2011

Topiary 'known' to police says network giant


Frontline Lulzsec hacking member Topiary's identity and whereabouts were known to British police, chief technology officer of Prolexic Paul Sop has said.
While debate raged over whether British police had arrested Topiary, Scotland Yard released the name of a teenager, Jake Davis, whom it arrested in the Shetland Islands last week on suspicion of involvement with the LulzSec hacking group.
It has yet to emerge whether the arrested man is the LulzSec identity Topiary, a claim contested by some online groups dedicated to uncovering the group's participants.
Paul Sop, chief technology officer at Prolexic, could not say if Topiary was in police hands, or talk specifically about the international police operation to locate and identify suspected online criminals within Anonymous and LulzSec, because of non-disclosure agreements.
But he confirmed that police knew who and where Topiary was.
“Yes, I’ve read about the speculation. But you know I can’t say anything, right?” Sop said.
His company used its global IP network and technical specialists to defend businesses against Distributed Denial of Service (DDoS) attacks.
In doing so, it had harvested countless IP addresses and other data from DDoS attacks launched against customers and supplied them to law enforcement.
“With that many eyes watching the long and protracted attacks [by LulzSec and Anonymous] it’s not really possible to stay anonymous," Sop said.
"Police efforts are slow and protracted – they have to be because evidence must be transferred and it cannot be compromised."
Sop predicted the hacking groups' continued attacks against government intelligence and police agencies and scores of businesses would be “just more damning for them”.
Prolexic was not the only private sector company to assist the police investigations into Lulzsec and Anonymous.
A sworn affidavit by an FBI agent had revealed PayPal supplied the IP addresses of 1000 participants in DDoS attacks launched against its network in December.
Many of the DDoS participants had used the LOIC (Low Orbit Ion Cannon) software which made it easy for non-technical users to participate in coordinated attacks against nominated targets.
But in doing so, their IP addresses were recorded on the logs of victims, or with specialists like Prolexic.
A report last year by researchers from the University of Twente in the Netherlands compared the use of LOIC for DDoS attacks to "overwhelming someone with letters, but putting your address at the back of the envelope".
“The IP addresses were all there, in logs,” Sop said. “It’s rather daft – like throwing a brick through a window with your address taped to it.”
The philosophical ideology that united much of the Anonymous and Anti Security movement had helped investigators build profiles, Sop said.
Yet for all the attacks against Prolexic customers, Sop was warm to the movements’ broad ambitions to fight censorship and corruption.
“I don’t disagree with the messages, but the methods affect hundreds of thousands of innocent people. Look at the attacks on Sony – that affected thousands of people who just wanted to play PlayStation. When it was down, I couldn’t enjoy gaming with my son.”
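The point made above, that every LOIC participant's address lands in the victim's access log, can be turned into a simple defender-side check. The script below is an added example written for this page, not code from Prolexic or the SC Magazine article: it parses Common Log Format lines and flags source addresses whose request rate in any sliding 10-second window far exceeds ordinary browsing. The log lines, addresses, window and threshold are constructed assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache and nginx access logs:
#   client - - [timestamp] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, req} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
    }


def flood_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Flag source addresses that exceed `threshold` requests inside any sliding
    `window`. Returns {ip: peak requests seen in one window} for flagged IPs.

    A LOIC-style HTTP flood is many requests from each participant in a short
    time; a browsing session rarely produces more than a few dozen hits in
    10 seconds. The threshold is an assumption and should be tuned per site."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            # slide the window start forward until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log (not real traffic): one ordinary visitor plus two
    hosts hammering the front page about 30 times per second for 10 seconds."""
    base = datetime(2010, 12, 8, 14, 31, 0, tzinfo=timezone.utc)

    def entry(ip, when, path):
        return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = [entry("198.51.100.23", base + timedelta(minutes=2 * i), f"/page{i}")
             for i in range(4)]
    for ip in ("203.0.113.7", "203.0.113.99"):
        lines += [entry(ip, base + timedelta(milliseconds=33 * i), "/")
                  for i in range(300)]
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(build_sample_log()).items():
        print(f"{ip}: {peak} requests in a 10 s window")
```

Run against a real access log, the same function takes the file's lines directly; the flagged addresses are what the article describes investigators receiving from victims.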


http://www.scmagazine.com.au/News/265445,topiary-known-to-police-says-network-giant.aspx

Massive DDoS attack mitigated

Prolexic Technologies, a company specializing in Distributed Denial of Service (DDoS) mitigation services, has announced that it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next six to eight months.
The attack was directed against an Asian company in a high-risk e-commerce industry. It generated larger than usual TCP SYN Floods and ICMP Floods, both of which are common DDoS attack methods. There was nothing common, however, about the magnitude of the attack.
According to Prolexic chief technology officer Paul Sop, the volume of the attack reached levels of approximately 25 million packets per second (pps), a rate that can overwhelm the routers and DDoS mitigation appliances of an internet service provider (ISP) or a major carrier. In contrast, most high-end border routers can forward 70,000 pps in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000 to 10,000 bots have been employed in the five previous attacks mitigated by Prolexic.
“The customer attempted to mitigate these repeated DDoS attacks for many months with solutions from its ISP and its carrier before approaching Prolexic,” said Sop. “Defeating this attack is a testament to our unrivaled capacity and our unique position as the only global DDoS mitigation provider with the experience and bandwidth to successfully fight these gigantic attacks.”
To mitigate this high-magnitude attack without putting the burden on a single carrier, Prolexic distributed traffic among several of its global Tier 1 carrier partners and scrubbing network centers. Prolexic was able to help the client maintain service availability throughout the duration of the attack. While Prolexic was fighting this particular threat, it simultaneously helped another client who was experiencing a 7 Gbps DDoS attack.

Early warning and escalating threats
“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”
Prolexic cautions that the next quantum leap in DDoS attacks will not necessarily center on bandwidth, but rather on increasing the volume of packets per second to such a high level that carriers cannot handle the overload. According to Sop, these extremely high packet-per-second DDoS attacks are especially insidious because they can cause collateral damage to carriers long before the “bad traffic” ever reaches its intended target.
Overwhelmed by the deluge of Internet traffic, carriers try to cope by passing around the excessive traffic like a “hot potato” from one to another. Ultimately, the carriers must “black hole” the IP address of the attack target and in doing so they unwittingly help the hacker to achieve the goal of creating a “zero route” which crashes the victim’s site. In addition, the continuous shifting of traffic from carrier to carrier can seriously affect the performance of multiple web sites, not just the intended target.
“Prolexic has invested millions to be ready for this type of DDoS attack and while we have only seen this botnet once in the Western Hemisphere to date, it is likely to follow a common pattern and become much more prevalent,” Sop said. “The good news is that Prolexic is already well ahead of the game and has proven that we can stop attacks of this magnitude.”

http://dateline.ph/2011/08/01/massive-ddos-attack-mitigated/

Thursday, June 23, 2011

Financial Mogul Linked to DDoS Attacks

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.
KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software.  But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.
In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.
According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.





The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured at left) allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich’s botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).
This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003.
Gusev has been in exile from his native Moscow since last fall, when Russian authorities named him the world’s biggest spammer and lodged criminal charges against him for operating an illegal business. Spamit was forced to close shortly thereafter, and Gusev blames Vrublevsky for using his political connections to sabotage Spamit. Late last year, Gusev launched redeye-blog.com, a blog dedicated to highlighting alleged wrongdoing by Vrublevsky. In one post, Gusev charged that Artimovich agreed to DDoS Spamit.com because he believed forum members fleeing the program would join his own budding spammer forum: the still-active but largely dormant program Spamplanet.
Both ChronoPay and Glavmed/Spamit suffered hacking attacks last year that exposed internal documents, financial dealings and organizational emails. The data leaked from Glavmed/Spamit includes a list of contact information, earnings and bank account data for hundreds of spammers and hackers who were paid to promote the program’s online pharmacies. Those records suggest that for most of 2007, Artimovich was earning thousands of dollars a month sending spam to promote Spamit pharmacy sites.
The document that the FSB used to lay out the case for criminal proceedings against Artimovich, a.k.a. “Engel,” states that he was paid for the DDoS services with funds deposited into a WebMoney account “Z578908302415”. According to the leaked Spamit affiliate records, that same WebMoney account belonged to a Spamit affiliate who registered with the program using the email address “support@id-search.org.” Web site registration records for id-search.org show that the name of the registrant is hidden behind paid privacy protection services. But historic WHOIS records maintained by DomainTools.com reveal that for a two-month period in 2008 those registration records were exposed; during that brief window, records listed the registrant as Igor Artimovich from Kingisepp, Russia, a town 68 miles west of St. Petersburg.
The emails and documents leaked from the hacking intrusion into ChronoPay last year show that Artimovich and Vrublevsky exchanged numerous emails about payment for unspecified services. Among them is an email receipt from WebMoney showing a transfer of more than $9,000 from an account Vrublevsky controlled to Artimovich’s Z578908302415 purse on July 6, 2010, just days before the DDoS attacks began. The notation listed next to the payment receipt? “Engel.”


http://krebsonsecurity.com/2011/06/financial-mogul-linked-to-ddos-attacks/

Wednesday, June 22, 2011

Soca website taken down after LulzSec 'DDoS attack'


The UK Serious Organised Crime agency has taken its website offline after it appeared to be a victim of an attack by hacking group Lulz Security.


Soca said it had taken its website offline to limit the impact of the attack on clients hosted by its service provider.
Soca.gov.uk had been unavailable for much of Monday afternoon, with an intermittent service restored later.
Lulz Security has said it was behind the denial of service attack which had taken the website offline.
Earlier on Monday, as the agency launched an investigation, LulzSec tweeted: "Tango down - in the name of #AntiSec".
The group has hit a number of high-profile websites in recent weeks, including the CIA and US Senate.
Soca appeared to be the victim of a distributed denial of service (DDoS) attack, where large numbers of computers, under malicious control, overload their target with web requests.
In a statement given to BBC News, a Soca spokesman said: "Soca has chosen to take its website offline to limit the impact of DDoS attack on other clients hosted by our service provider.
"The Soca website is a source of information for the general public which is hosted by an external provider. It is not linked to our operational material or the data we hold."
Embarrassment
Earlier on Monday, a LulzSec Twitter posting seemed to confirm the nature of the attack.
"DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes," it said.
The latest attack will come as an embarrassment for Soca, which is tasked with investigating cybercrime.
"It is not going to please the boys in blue one bit," said Graham Cluley, senior technology consultant at security firm Sophos.

Mr Cluley added that it was wrong to confuse DDoS with the kind of hacking that can lead to confidential information being stolen.
However, he warned that LulzSec was capable of both types of attack.
"They have in the past broken into websites and stolen e-mail addresses and passwords, so there is a lot of harm that can be done."



Big Lulz
When Lulz Security first appeared in May, the group portrayed itself as a light-hearted organisation, bent on creating online fun and Lulz (laughs).
Soon after, details of its hacking exploits began to emerge.
The first involved stealing and publishing a database of US X-Factor contestants, including their e-mail addresses and phone numbers.
It followed up with a mixture of website denial of service attacks and intrusions where data was taken and made available on the internet.
On June 19, LulzSec declared that it would begin targeting government systems, calling the campaign Antisec.
"Top priority is to steal and leak any classified government information, including e-mail spools and documentation. Prime targets are banks and other high-ranking establishments," said a post on the group's website.
The reason for LulzSec's greater focus on government is unclear, although it appears to have recently ended a feud with the more politically-motivated group Anonymous.

http://www.bbc.co.uk/news/technology-13848510

CIA website and FBI hacked by LulzSec




Hacking collective LulzSec has decided to stop giving online gaming sites a hard time and instead put its efforts into taking down the CIA's website and the FBI's phone network.
Last week the group managed to DDoS the CIA's homepage and along with it the FBI's phone network in Detroit.
As per usual, LulzSec kept everyone updated with its hacking shenanigans on Twitter, posting on the site: "Tango down – CIA.Gov – for the lulz."
According to reports, it wasn't just the CIA and the FBI, either - the US Senate's website was also a target, but the group failed to compromise the site.

Love hack
LulzSec has been extremely busy over the last few weeks, but it has mostly targeted gaming sites. Its Titanic Takeover Tuesday campaign saw the group hack into Eve Online, Minecraft, League of Legends and FinFisher.
Even though LulzSec seems to be infiltrating websites just to show how poor the security is, this latest wave of hacks will have the US government keeping more than a close eye on it.

http://www.techradar.com/news/internet/cia-website-and-fbi-hacked-by-lulzsec-966715#ixzz1PzhuXoHY

Tuesday, June 7, 2011

Hackers may try to disrupt World IPv6 Day


Hundreds of popular websites -- including Google, Facebook, Yahoo and Bing -- are participating in a 24-hour trial of a new Internet standard called IPv6 on June 8, prompting worries that hackers will exploit weaknesses in this emerging technology to launch attacks.

Dubbed World IPv6 Day, the IPv6 trial runs from 8 p.m. EST on Tuesday until 7:59 p.m. EST on Wednesday.
Security experts are concerned that the 400-plus corporate, government and university websites that are participating in World IPv6 Day could be hit with distributed denial of service (DDoS) or other hacking attacks during the 24-hour trial.

"In the last five months, there has been a huge increase in DDoS attacks," says Ron Meyran, director of product marketing and security at Radware, a network device company that is not participating in World IPv6 Day. "IPv6 is going to be even easier for attackers ... because IPv6 traffic will go through your deep packet inspection systems uninspected."
Meyran says another concern is that IPv6 packet headers are four times larger than IPv4 headers. This means routers, firewalls and other network devices must process more data, which makes it easier to overwhelm them in a DDoS attack.
"With a DDoS attack, you need to reach 100% utilization of the networking and security devices to saturate the services," Meyran says. The longer headers in IPv6 "must be processed completely to make routing decisions."

"I wonder if there's going to be any sort of DDoS type of things going on ... or hackers probing servers that are dual-stack enabled [running IPv6 and IPv4 at the same time]," says Jean McManus, executive director of Verizon's Corporate Technology Organization, which is participating in World IPv6 Day. "Content providers need to be careful and watch to make sure that everything is appropriately locked down."
Many security threats related to IPv6 stem from the fact that the technology is new, so it hasn't been as well-tested or de-bugged as IPv4. Also, fewer network managers have experience with IPv6 so they aren't as familiar with writing IPv6-related rules for their firewalls or other security devices.
"We know from security breaches that the security rules that allow you to see the network and applications better ... is where there is a lack of training and expertise with IPv6," Meyran says. "The new software is much more complex ... and there are much less programmers familiar with it."
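Meyran's two points above, that IPv6 headers must be processed completely before a decision can be made and that inspection rules written for IPv4 habits miss IPv6 traffic, are easy to see in code. The walker below is an added example written for this page, not code from Radware or any World IPv6 Day participant: it follows the IPv6 extension-header chain (Hop-by-Hop, Destination Options, Routing, Fragment, AH) to reach the transport header, beside a naive check that reads only the fixed header's Next Header byte. The packets are constructed inline with documentation addresses.

```python
import struct

# IANA protocol numbers used below.
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 50, 51, 58, 59, 60
# Extension headers whose second byte is a length in 8-octet units (excluding the first 8).
EXT_WITH_LEN = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def naive_protocol(pkt):
    """What a filter that reads only the 40-byte fixed header sees: the Next Header byte."""
    return pkt[6]


def classify_ipv6(pkt):
    """Walk the extension-header chain to the upper-layer header.

    Returns (protocol, dst_port, offset). protocol is None when no transport
    header is reachable (later fragment, No Next Header, truncated packet);
    dst_port is set only for TCP/UDP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while True:
        if nh in EXT_WITH_LEN:
            if off + 2 > len(pkt):
                return None, None, off
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return None, None, off
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return None, None, off   # later fragment: transport header is elsewhere
            nh, off = pkt[off], off + 8
        elif nh == AH:
            if off + 2 > len(pkt):
                return None, None, off
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh in (TCP, UDP):
            if off + 4 > len(pkt):
                return None, None, off
            return nh, struct.unpack("!H", pkt[off + 2:off + 4])[0], off
        elif nh == NO_NEXT:
            return None, None, off
        else:
            return nh, None, off       # ICMPv6, ESP, anything else: no port to check


def matches_rule(pkt, proto, port):
    """True if the packet really is `proto` to `port`, whatever extension headers precede it."""
    got_proto, got_port, _ = classify_ipv6(pkt)
    return got_proto == proto and got_port == port


# --- constructed packets (documentation addresses, no real traffic) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def fixed_header(next_header, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, SRC, DST) + payload


def tcp_header(dport):
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def ext_header(next_header):
    # 8-byte Hop-by-Hop/Destination Options header carrying a single PadN option
    return bytes([next_header, 0, 1, 4]) + b"\x00" * 4


def build_sample_packets():
    tcp25 = tcp_header(25)
    return {
        "plain_tcp25": fixed_header(TCP, tcp25),
        "ext_tcp25": fixed_header(HOP_BY_HOP, ext_header(DEST_OPTS) + ext_header(TCP) + tcp25),
        # fragment with offset 1 (not the first piece): the TCP header is not in this packet
        "frag_later": fixed_header(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1 << 3, 0x1234) + b"\x00" * 16),
    }
```

A rule such as "TCP to port 25" written against the naive view never fires on the second packet, while the walker reaches the same TCP header in both; the third packet shows why a filter must reassemble or drop later fragments rather than pass them by default.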

World IPv6 Day participants say the event was advertised to everybody in the Internet engineering community, including hackers, and they are beefing up the security measures on their sites accordingly.
"This is a well-publicized event," says John Brzozowski, distinguished engineer and chief architect for IPv6 at Comcast, which is participating in World IPv6 Day both as a provider of IPv6-based cable modem services and as an operator of seven IPv6-enabled websites. "Anything can happen. IPv6 is no different than any other new technology. The potential [for attacks] is there. Protecting the network is key to us."

Brzozowski says Comcast will be monitoring its network for signs of attack throughout the trial. "We're taking the necessary steps so that the Comcast infrastructure is protected," he adds.
Juniper says that if its website comes under DDoS or other attack on World IPv6 Day, it will simply switch back to IPv4. "We can revert back to IPv4 in about five minutes," says Alain Durand, director of software engineering at Juniper, which is using its own translator-in-a-cloud service to IPv6 enable its main website for the day.
Akamai, a content delivery network with 30 customers that are participating in World IPv6 Day, says it isn't too concerned about hacking or DDoS attacks during the IPv6 trial.
"All of our command and control systems are going to stay on IPv4," says Andy Champagne, vice president of engineering with Akamai, which is developing a commercial IPv6 service. "Absent some underlying exposure in the protocol that we don't know about ... we think we're OK. We've got enough IPv6 capacity ... I don't expect any trouble."


Radware's Meyran says hackers may be so clever that they won't attack websites on World IPv6 Day but will instead wait until these sites turn IPv6 on permanently. "The hackers will be very happy to see this day go successfully and that sites are starting to deploy IPv6 because it opens up new areas of attack," he predicts.
That's why Meyran recommends network administrators who participate in World IPv6 Day follow up with an event focused on IPv6 security testing. "The next stage will be to ... run attack tools that simulate IPv6 attacks to make sure your firewalls are really seeing the network and that your intrusion protection systems can really do the deep packet inspection of IPv6 traffic," he says.
World IPv6 Day is a large-scale experiment sponsored by the Internet Society that is designed to discover problems with IPv6 before the new protocol is widely deployed.

The Internet needs IPv6 because it is running out of addresses using IPv4. The free pool of unassigned IPv4 addresses expired in February, and in April the Asia Pacific region ran out of all but a few IPv4 addresses being held in reserve for startups. The American Registry for Internet Numbers (ARIN), which doles out IP addresses to network operators in North America, says it will deplete its supply of IPv4 addresses this fall.
IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet, but IPv6 uses 128-bit addresses and can connect up a virtually unlimited number of devices: 2 to the 128th power. IPv6 offers the promise of faster, less-costly Internet services than the alternative, which is to extend the life of IPv4 using network address translation (NAT) devices.
One major stumbling block for IPv6 deployment is that it's not backward compatible with IPv4. That means website operators have to upgrade their network equipment and software to support IPv6 traffic.

http://www.networkworld.com/news/2011/060611-ipv6-security.html?page=1

http://www.networkworld.com/news/2011/060611-ipv6-security.html?page=2

Tuesday, May 24, 2011

Cybercrooks turn Eve Online into botnet battlefield

Fun-spoiling, DDoSing thieves farm virtual gold to sell for cold hard cash

Crooks using online games to farm virtual currencies that they can sell for real money have turned internet spaceship game Eve Online into a battlefield for botnets.
Eve Online is home to various rival groups who generate in-game currency for gamers who want to join in without spending their time acquiring experience and resources by working their way up from the bottom. Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the cross-fire of multi-pronged attacks that might occur in game, via DDoS attacks on forums, over VoIP communication systems and through late-night prank phone calls. Game servers have taken a hit in the process.
Gold farmers are known for using Trojans to gain control of compromised accounts. The Eve Online baddies have taken a different tack through attacks that swamp forums with junk traffic.

Chris Boyd, a senior threat researcher at GFI Software and gaming security expert, said that Eve Online's difficulties are a part of wider problems in virtual worlds.
"Gold farmers can cause the price of in-world items to rise, chat channels can be flooded by sale scams, endless bots and automated processes can cause significant server load," Boyd told El Reg. "That's before you get to the problems created by phishing, hacking and scamming established and profitable accounts."
Boyd (AKA paperghost) agreed that the miscreants on Eve Online are taking it up to 11.
"The idea that there are effectively dead systems filled with nothing but spambots and hostile empires that are happy to do battle outside of their gaming realm by DDoS'ing websites and making prank phonecalls is a fascinating insight into the troubles plaguing virtual worlds, and real world currency having a marked impact on virtual trading makes this a few steps above dedicated DDoS botnets designed for nothing other than kicking console gamers out of Halo 3 sessions."
Various groups rumoured to be working out of Eastern Europe and Russia are said to be offering in-game currency for real money. "Investigations by the owners of the game have caused several leaders of these alliances to be banned in the past," explained Reg reader Patrick, who was the first to tell us of the hive of villainy within Eve Online.

http://www.theregister.co.uk/2011/05/23/eve_online_botnet_mayhem/

The Explosion of Cybercrime

Cybercrime is any crime involving a computer or a network, and cybercrime has increased significantly in the past decade. Most organizations value employees that have an understanding of IT security risks, and many organizations require employees to have specific security certifications. This article provides an overview of various types of cybercrime, including cyber extortion, botnets, morphing malware, and online fraud.
Cybercrime is broadly defined as any crime involving a computer or a network. In the last decade, the amount of cybercrime has grown substantially resulting in significant losses to businesses, and lining the pockets of criminals. This article presents some information about some of the common cybercrime activities and it helps emphasize the value of IT security for any organization.
It also helps to emphasize the value organizations place on employees with IT security awareness. The (ISC)2 CISSP has become one of the top IT security certifications, and many organizations seek employees with this certification for both IT jobs and managerial positions. Lower-level security certifications such as CompTIA’s Security+ and the (ISC)2 SSCP are also valued by organizations. For example, the U.S. Department of Defense requires anyone with an administrative account to have at least a Security+ certification.

Cyber Extortion

In high-crime areas, extortionists have demanded payments from businesses for “protection.” If the businesses refused, the business was attacked, robbed, employees harassed, and in extreme cases, the business was burned. Of course, the extortionists actually attacked the businesses when the protection money wasn’t paid.
Extortion has made it to the cyber community. Attackers use distributed denial of service (DDoS) attacks to show they can cripple websites and corporate networks, and then demand protection payments to stop the attacks and restore service. Ron Lepofsky wrote in 2006 that the U.S. and FBI receive at least 20 new cases of cyber extortion a month. Extortionists have demanded ransoms of more than 1 million dollars to stop the attacks. Some companies quietly pay. Others attempt to fight back.
A smaller form of cyber extortion comes as rogueware, or fake antivirus software. A user visits a website and sees a popup indicating their system is infected, encouraging them to download free software to clean their system. After the user downloads and installs the software, the rogueware reports several serious infections, but then states that the free version only scans the system and won’t clean it. If they want to clean their system, they must pay between $49.95 and $79.95 for the full version. PandaLabs reported in 2008 that criminals were extorting approximately $34 million a month from unsuspecting users. While this is bad enough in itself, the rogueware provides zero protection against actual malware, leaving the user with a false sense of security.
Additionally, many rogueware criminals include additional malware in the rogueware. For example, an added keystroke logger can capture a user’s keystrokes (such as capturing passwords for online banking accounts) and periodically send the data to the criminal. Many versions also include software to convert the computer into a zombie as part of a botnet.

Botnets

Botnets have grown to astronomical proportions over the past few years, and despite some successes, they’re still stealing money from people every day. As an example, NBC reported in 2004 how a small business in Miami was attacked. Specifically, their computer was infected with the CoreFlood virus (used in the COREFLOOD botnet) and someone transferred $90K out of their Bank of America account without their authorization to a bank in Latvia. Before this, the COREFLOOD botnet was primarily known for DDoS attacks.
Other losses from the COREFLOOD botnet include $115K from a real estate company in Michigan, $78K from a law firm in South Carolina, $151K from an investment company in North Carolina. The list goes on and on. Don’t think they’re only attacking businesses though. It’s just that when an individual’s $1,000 in savings is stolen, it isn’t as newsworthy as a loss of tens of thousands of dollars. Still, the loss of $1,000 by an individual can be devastating.
Interestingly, a report in June 2008 by Joe Stewart (Director of Malware Research, Dell SecureWorks) showed this same botnet was still in operation and the bot herders had shifted their activities from DDoS attacks to full-fledged bank fraud. After all, they found they could get quick paydays with much less effort. At that time, they had infected over 378,000 computers and had at least one database with over 50 gigabytes of data on hapless users around the world. The botnet had captured keystrokes and recorded bank passwords, credit card data, email passwords, social network passwords, and more.
As of February 2010, this botnet had grown to over 2.3 million infected computers, with 1.8 million of the computers in the United States. Thankfully, the U.S. Department of Justice took several steps in April 2011 to take over the botnet’s command and control servers and may have succeeded in shutting this botnet down. We’ll see.
The point is botnets are thriving. Even though experts are shutting down some of the large botnets, it’s like a game of whack-a-mole. They keep popping up. In years past, malware was used to cause damage to systems such as corrupting a hard drive or system files. Today, malware is a tool often used by criminals to steal identities and hard cash from regular people just like you and me.

Morphing Malware

Malware is increasingly difficult to detect, mostly because attackers are constantly developing new methods and strategies. One common method used today is polymorphism. Malicious code within a single virus can be run through a mutation engine to create thousands of different versions of the same virus. While one version may be detected by a malware detection signature, thousands of other mutations may get past this signature until another signature is developed to detect the mutated versions.
At one point, it was recommended that you update your antivirus definitions on a weekly basis. Some experts now suggest you update them hourly. Antivirus vendors are constantly working on detecting new variants, updating signature files, and publishing them.
It’s also worth noting that all antivirus (AV) software is not created equal. Virus Bulletin publishes a monthly report on the effectiveness of AV products that is quite enlightening. You may think that AV products can consistently detect close to 100 percent of malware in the wild, but that is not the case. For example, this graph shows a wide scattering of products in the 60 percent to 80 percent effectiveness range. This equates to a grade somewhere between a B and a D. For me, I don’t want the D student protecting my bank accounts and identity.
It’s also worth pointing out that criminals have discovered the power of malware when used effectively for criminal activities. While malware was previously used to take down systems or networks just for the fun of it, criminals don’t do that today. Instead, criminals use malware to enlist zombies into their huge botnets. These zombies then engage in activities allowing the criminals to steal money from people and organizations on a grand scale.

Zero Day Vulnerabilities

Zero day vulnerabilities are those that are known to attackers but either not known to the vendor, or for which the vendor has not yet developed and released a fix. While the name implies that a zero day vulnerability lasts only a single day, it can actually last months before a fix is written, tested, and released.
In other words, even if you are taking steps such as keeping a system up-to-date, running AV software, and regularly updating signature files, you are still at risk from zero day vulnerabilities. Defense-in-depth procedures within an organization include a variety of other security practices that help protect systems and networks from zero day vulnerabilities.

Online Fraud

Cybersource publishes an annual report on online fraud. Online fraud is fraud occurring through the Internet, such as charges on stolen credit cards and the chargebacks required by a credit card’s issuing bank. In the 2011 Online Fraud Report, Cybersource reported that losses from online fraud were about 2.7 billion dollars in 2010.
The good news is that online fraud appears to be declining. Online revenue losses due to fraud were estimated at 3.3 billion in 2009 and peaked at 4 billion in 2008. While this may look like criminals are trying less, that’s not actually the case. Instead, online retailers have dedicated more and more resources to blocking cybercrime and are enjoying some success. That is, if you want to call an annual loss of 2.7 billion dollars a success.

Conclusion

If you’re studying IT security certifications (such as CompTIA Security+, or the (ISC)2 SSCP or CISSP), expect your skills and your knowledge to be in high demand. Organizations using computers, and especially organizations with an online presence, are recognizing the risks to IT systems and networks. More and more organizations value individuals that understand these risks.

http://www.informit.com/articles/article.aspx?p=1713590