Exploiting Video Console Chat for Cybecrime or Terrorism

A couple of days ago there was a lot of interest in how terrorists may have been using chat features of popular video console platforms (e.g. PS4, XBox One) to secretly communicate and plan their attacks. Several journalists on tight deadlines reached out to me for insight in to threat. Here are some technical snippets on the topic that may be useful for future reference:

• In-game chat systems have been used by cyber-criminals for over a decade to conduct business and organize transfers of stolen data. Because the chat systems within games tend to use proprietary protocols and exist solely within a secure connection to the game vendors server, it is not ordinarily possible to eavesdrop or collectively intercept these communications without some level of legal access to the central server farm. While the game vendors have the ability to inspect the chat traffic, this level of inspection (when conducted - which is rare) tends to focus on inappropriate language and bullying, and that inspection or evidence gathering is almost exclusively limited to text-based communications.
• As games (particularly multi-player first-person shootem-up games) have embraced real-time voice chat protocols, it has become considerably more difficult to inspect traffic and identify inappropriate communications. Most responses to abuse are driven my multiple individuals complaining about another in-game player - rather that dynamic detection of abuse.
• This difficulty in monitoring communications is well known in the criminal community and is conveniently abused. Criminals tend to not use their own personal account details, instead use aliases or, more frequently, stolen user credentials - and may electronically proxy their communications via TOR and other anonymizing proxy services to avoid people working out their physical location. There is a sizable underground market for stolen on-line gaming user credentials. When using stolen credentials, the criminals will often join specific game servers and use pre-arranged times for games (and sub-types of games) to ensure that they will be online with the right group(s) of associates. These game times/details are often discussed in private message boards.
• While US law enforcement has expended efforts to intercept communications and ascertain geographical location information from TOR and proxy services in the past, it is difficult - since the communications themselves are typically encrypted. Intercepting in-game communications are very difficult because of the complex legal and physical server relationships between (lets say for example) Sony (running the PlayStation network), Electronic Arts (running the account management system and some of the gaming server farm), and the game development team (who implemented the communication protocol and runs the in-game service). For law enforcement, getting the appropriate legal interception rights to target an individual (criminal) is complex in this situation and may be thwarted anyway if the criminals choose to use their own encryption tools on top of the game - i.e. the in-game communications are encrypted by the criminals using a third-part non-game tool.
• Console chat typically takes the form of either text or voice-based chat. Text-based chat is much easier to analyze and consequently easier for console operators and law enforcement to identify threats and abuse. In addition, text-based communications are much easier to store or archive - which means that, after an event, it is often possible for law enforcement to obtain the historical communication logs and perform analysis. Voice-based chat is much more difficult to handle and typically will only be inspected in a streaming fashion because the data volumes are so large - making it impractical to store for any extended period of time. There are also more difficulties in searching voice traffic for key words and threats. Video-based chat is even more difficult again to dynamically inspect, monitor, and store.

-- Gunter

Crimeware Immunity via Cloud Virtualization

There's a growing thought recently that perhaps remote terminal emulators and fully virtualized cloud-baseddesktops are the way to go if we're ever to overcome the crimeware menace.

In essence, what people are saying is that because their normal system can be compromised so easily, and that criminals can install malicious software capable of monitoring and manipulating done on the victims computer, that perhaps we'd be better off if the computer/laptop/iPad/whatever was more akin to a dumb terminal that simply connected to a remote desktop instance - i.e. all the vulnerable applications and data are kept in the cloud, rather than on the users computer itself.

It's not a particularly novel innovation - with various vendors having promoted this or related approaches for a couple of decades now - but it is being vocalized more frequently than ever.

Personally, I think it is a useful approach in mitigating much of today's bulk-standard malware, and certainly some of the more popular DIY crimeware packs.

Some of the advantages to this approach include:

1. The user's personal data isn't kept on their local machine. This means that should the device be compromised for whatever reason, this information couldn't be copied because it doesn't exist on the user's personal device.
2. So many infection vectors target the Web browser. If the Web browser exists in the cloud, then the user's device will be safe - hopefully implying that whoever's hosting the cloud-based browser software is better at patch management than the average Joe.
3. Security can be centralized in the cloud. All of the host-based and network-based defenses can be run by the cloud provider - meaning that they'll be better managed and offer a more extensive array of cutting-edge protection technologies.
4. Any files downloaded, opened or executed, are done so within the cloud - not on the local user's device. This means that any malicious content never makes it's way down to the user's device, so it could never get infected.

That sounds pretty good, and it would successfully counter the most common flaws that criminals exploit today to target and compromise their victims. However, like all proposed security strategies, it's not a silver bullet to the threat. If anything, it alters the threat landscape in a way that may be more advantageous for the more sophisticated criminals. For example, here are a couple of likely weaknesses with this approach:

1. The end device is still going to need an operating system and network access. As such it will remain exposed to network-level attacks. While much of the existing cybercrime ecosystem has adopted "come-to-me" infection vectors (e.g. spear phishing, drive-by-download, etc.), the "old" network-based intrusion and automated worm vectors haven't gone away and would likely rear their ugly heads as the criminals make the switch back in response to cloud-based terminal hosting.
   As such, the device would still be compromised and it would be reasonable to expect that the criminal would promote and advance their KVM capabilities (i.e. remote keyboard, video and mouse monitoring). This would allow them to not only observe, but also inject commands as if they were the real user. Net result for the user and the online bank or retailer is that fraud is just as likely and probably quite a bit harder to spot (since they'd loose visibility of what the end device actually is - with everything looking like the amorphous cloud provider).
2. The bad guys go where the money is. If the data is where they make the money, then they'll go after the data. If the data exists within the systems of the cloud provider, then that what the bad guys will target. Cloud providers aren't going to be running any more magical application software than the regular home user, so they'll still be vulnerable to new software flaws and 0-day exploitation. This time though, the bad guys would likely be able to access a lot more data from a lot more people in a much shorter period of time.
   Yes, I'd expect the cloud providers to take more care in securing that data and have more robust systems for detecting things that go astray, but I also expect the bad guys to up their game too. And, based upon observing the last 20 years of cybercrime tactics and attack history, I think it's reasonable to assume that the bad guys will retain the upper-hand and be more innovative in their attacks than the defenders will.

I do think that, on average, more people would be more secure if they utilized cloud-based virtual systems. In the sort-term, that security improvement would be quite good. However, as more people adopted the same approach and shifted to the cloud, more bad guys would be forced to alter their attack tools and vectors.

I suspect that the bad guys would quickly be able to game the cloud systems and eventually obtain a greater advantage than they do today (mostly because of the centralized control of the data and homogeneity of the environment). "United we stand, divided we fall" would inevitably become "united we stand, united we fall."

Kelihos' Voodoo Patronage

The King is dead. Long live the King! Or, given this week’s events, should the phrase now be “Kelihos is dead. Long live Kelihos”?

It is with a little amusement and a lot of cynicism that I’ve been watching the kerfuffle relating to the latest attempt to take down the Kelihos botnet. You may remember that a similar event (“Kelihos is dead”) occurred late last year after Microsoft and Kaspersky took it on themselves to shut down the botnet known as Kelihos (or sometimes as Waledac 2.0 or Hlux). Now, like a poor sequel to a TV docu-drama, Kaspersky and a number of other security vendors have attempted to slap down control of Kelihos Season Two – meanwhile Season Three of Kelihos has just begun to air. 

 

In the most recent attempt to interrupt the business operations of the criminal entity behind the Kelihos botnet, a bunch of threat researchers have managed to usurp command and control (C&C) of the Kelihos.B crimeware package by poisoning the peer-to-peer (P2P) relationships between all of the infected devices and install a surrogate control server. It’s good technical work by all those concerned, but has also proved to be ineffective if the objective was to actually takedown the botnet.

The good guys have set up what amounts to a sinkhole for a particular configuration of the Kelihos.B crimeware – with the Kaspersky blog initially identifying some 116,000 infected devices around the world. Like I’ve said many times before, botnets reliant upon P2P for transport of C&C information and stolen data propagation are vulnerable to this kind of takeover and victim enumeration. It’s one of the reasons we don’t see P2P being used much by sophisticated criminal groups – and almost never as a vehicle for attacks that target businesses.

Having said that, takeovers of portions of P2P botnets such as this most recent Kelihos.B example worry me quite a bit – it’s a reason why Damballa doesn’t offer to do this kind of work despite having excellent real-time visibility of the threat and the victims. There are two elements of P2P botnet takeovers that cause me the most concern:

1. To usurp control of the P2P botnet you have to initially join it in some shape or fashion, and then you have to send commands (via the P2P network) to all the other infected devices and redirect them to something you control.
   A victim of the Kelihos.B crimeware would be unable to differentiate the “good guys” from the “bad guys” – after all, their computer is still under someone else’s unauthorized control – and they could justly bring a legal case against those parties that seized control of their computer.
2. The use of sinkholes for victim data harvesting. It raises all kinds of questions about how you’re using someone’s stolen data – let alone the effect of sharing that victim information with other commercial entities. Obviously I have a strong opinion as to the ethics of selling these kinds of stolen information or using it for commercial purposes.

Despite the sinkholing attempt and the cries from the highest watchtowers that the Kelihos botnet is dead, it obviously isn’t. Within the security community there’s consequently a lot of discussion already over the semantics of what constitutes a botnet and what it means to have “killed” a botnet.

For example, the criminal operators behind the Kelihos.B botnet have been rolling out a new and improved variant of their crimeware – Kalihos.C – and it’s infecting a whole bunch of new victims (with some overlap with the Kelihos.B botnet victims). The fact that a new malware variant is being distributed to an overlapping group of victims seems to cause some degree of confusion to a few people.

Based upon my own observations, I’d be more inclined to take care when differentiating between the gang that operates botnets, botnets that share the same C&C infrastructure, and campaigns of crimeware updates and their installation. The claim of taking down the Kelihos botnet (twice now) is clearly false. It would be more precise to say that certain Kelihos campaigns have been disrupted. The criminals (and their core infrastructure) haven’t been significantly affected. In fact, the speed at which the Kelihos criminal gang was able to release an updated variant (Kelihos.C) reflects the futility of much of the current takedown effort.

Why go to all this effort? Why invest in Wac-a-mole style takedowns? While the efforts to takedown some Kelihos.A and Kelihos.B P2P botnets haven’t succeeded, they have enabled researcher to better understand the nature of the threat and hone their skills in the art of takedown. Knowing what doesn’t work (and why) is almost as valuable as knowing what does work.

I’m sure some group is going to try their hand at taking down Kelihos.C (and probably Kelihos.D) based botnets in the future. There’ll probably be the same claims of “Kelihos is dead” too. Unfortunately, if the Kelihos botnet controllers want to escape this bothersome cycle of losing a few thousand botnet victims each time, they already have the means available to them. As I discussed earlier this month, we’ve observed a growing number of criminal operators adding DGA’s to their malware families as a backup strategy should their P2P C&C fail for whatever reason. If the Kelihos operators add that feature to their next variant the wac-a-mole efforts of Kelihos-P2P-swatters truly become inconsequential.

Like I’ve said before, if you’re going to take down a botnet you have to take out the criminals at the top. It’s the only way. Taking out the infrastructure they depend upon for distributing new infectious material and C&C is a disruption technique – a delaying tactic if you will, and maybe an evidence building process if you’re lucky. In the case of P2P-based botnets, there’s very little infrastructure you can get your hands on – and you’ll probably end up having to issue commands to botnet victim devices – which is fraught with legal and ethical problems.

Oh, one last thing. Even if you’re lucky enough to be able to take out the C&C infrastructure or mechanism of communication, if you don’t take out the infection vector – the mechanisms of distributing new crimeware variants – you’ve achieved very little. As evidenced by the most recent Kelihos botnet takedown attempt, the criminals retained their primary distribution system and are already accumulating thousands of new victims per day with their latest Kelihos-variant campaign.

DIY Malware - Octopus Keylogger

As is so often the case, I'm trying to pull content together fresh content for a presentation at the last minute - this one about DIY malware creator kits.

So, with a quick browse and a few Google searches I come across a batch of new DIY kits - "new" in the context that I hadn't stumbled upon them before (neither for public download as a generator kit or circulating "in the wild" as malware).

I find it interesting that there is such a variety of region-specific DIY kits.

One of the regional DIY kits I came across has just made the transition from freeware to a commercial offering. This kit - called "Octopus Keylogger" - has been developed by a Spanish author and offers the usual assortment of keylogging goodies for the low price of €20 ($30)...

* Encrypted FTP and Email of captured key logs,
* UPX compression
* Local and remote keylogging
* Peer-to-peer infection vectors
* Bypassing of host system logging
* Downloader creator
* "100% undetectable" executable stub
* Scheduled uploading of captured key logs
* Disabling of Task Manager
* Add two autorun's (HKEY_LOCAL_MACHINE) and (HKEY_CURRENT_USER)
* Supports Windows XP SP2/SP3, Windows Vista and Windows 7

The author, SharkI, has been experimenting with the keylogging technology for quite some time and this latest commercial version appears to have been based off the the DigitalX.

SharkI has previously published the keyloggers and DIY creators kits called:
* Royal Stealer (now in to its second edition - source code for the first version is now public)
* Virus Maker (written in visual basic)
* Call of Duty WAW Stealer (game license key stealer)
* Call of Duty 4 Stealer



On the point of Royal Stealer, it's interesting to note which applications the tool is designed to steal passwords and obtain registration keys from...
* Internet Explorer
* Mozilla Firefox
* Windows Live Messenger
* Winzip
* PhotoShop 7.0
* Symantec Anti-virus
* No-Ip
* mIrc
* Norton Antivirus
* COD SAGA (Game)
* Burnout Paradise (Game)
* Crysis Wars (Game)
* Counter Strike (Game)
* BattleField2 (Game)
* RainbowSix (Game)
* The Gladiators (Game)

Organized Cybercrime Response or Vigilante mobs?

I was flying back from the OWASP 2009 Europe conference in Krakow yesterday and with 17 hours of travel I had several moments to think on different topics.

One of the topics I was doing some in-depth thinking about followed on from several questions that were raised following my talk "Factoring malware and organized crime in to Web application security"

Over the last couple of years we've seen some fairly serious responses by industry and interested others in building support mechanisms focused on tackling organized cybercrime. Some of these movements have been focused on a very specific threat - such as the Conficker Working Group - while others have been more generic grass-roots responses such as McAfee's Cybercrime Response Unit.

There are a couple of problems though:

1. Judging illegal behaviors/activities based upon your own countries legal system.
2. When does a movement of concerned entities become a vigilante mob?
   

International Law & Values
Now I'm certainly no international lawyer and would never admit to being one, but as a person who has lived/worked/emigrated to multiple countries around the world and spent multiple years in each country getting familiar with their cultures, legal systems, taxes and social ethics, what I can say is that no two countries are particularly alike - even the ones you think would be.

Sure, there are a lot of overlaps at various levels, but the combination of subtle differences results in quite a marked difference in world outlook.

Granted, as far as it comes to things such as hacking tools, most people have a basic understanding that a tool in one country may be classified differently in another - e.g. writing and distributing a hacking tool is legal, while actually using it against an unauthorised host is illegal.

I think most people understand the concept and probably think of it a bit like "there are countries that allow citizens to carry automatic handguns, then there are countries that only allow semi-automatic handguns, then there are countries that limit the number of bullets allowed in a handgun, and then there are countries that don't allow hand-guns at all" - which country that has that particular law is probably unknown to the vast majority of people - but they understand the concept.

Unfortunately what most people fail to grasp are the ethics and social norms that surround or dictated that particular law and, in my opinion, that's the element you really need to understand when looking at responses to the anti-cybercrime movement.

When I see and hear about these anti-cybercrime organizations and their "call to arms" in combating the threat, it worries me that they are basing their response (and anger) upon their own legal framework and countries ethics (as much as that statement "country ethics" makes sense). The laws most western countries would like to see that could aid the fight against cybercrime within or against their own country need to driven in a different manner if they are to be supported and enacted within other countries - and to do that you really need to understand the local countries culture and ethics - because failure to do so merely results in misdirected hot-air.

Vigilante Mobs
The discussion of country-specific ethics and culture leads me to also consider the question "when does a coordinated response become a vigilante mob?"

I have several concerns with the way some anti-cybercrime groups have appeared over recent years and approach their topic with single-minded intensity. It's the kind of drive I'd classify as being in the realm of religious fervor - with all the negative connotations that entails.

By all means, work with and support your local (i.e country) law enforcement teams in combating the threat against your organization or customers. But if you're thinking of taking the law in to your own hands and targeting (what you'd label as) cybercrime being operated in other countries - then you'd best think long and hard about the fact that the laws and ethics you're operating under are most likely not the same as those you're targeting - as you become part of a vigilante response to a threat.

Which, in my mind, draws further parallels to the religious troubles around the world. Only now perhaps we're looking at fanatic factions of an online anti-cybercrime religion.

Who Cloned the Web Site? Here's how to Tell...

One of the problems regularly encountered when dealing with phishing, fraud and other flavors of counterfeit Web site content is the process of tracking back who the original perpetrator of the crime was.

Given the stateless nature of Web application technologies and the abundance of tools capable of conveniently cloning and creating "off-line" copies of popular transactional Web sites, it's damned near impossible to tell where the copy came from unless you can uniquely "seed" the content in some way.

Over the years I've been asked by dozens of financial institutes around the world as to the best techniques and technologies that can be used to seed Web application content and tag it in such a way that it's possible to figure out who the original "copier" was - without alerting them to the fact.

There are a number of techniques available to Web application designers and architects, but I've found the best solutions (i.e. least detectable and least prone to tampering or removal) revolve around tagging the images used within the application.

It's not an easy solution to implement, but the principle of "Distribution Tracing" can be applied to Web applications in the form of anti-fraud images.

I've finally had a chance to knock up a whitepaper describing the relative merits of the different techniques after all these years, and you can find it on my main Web site under the topic "Anti-fraud Image Solutions".

Now I'm sure some people are going to question the merits of the solution - and rightly so. I'm not an overly strong proponent of this kind of tracking solution. It needs to be used carefully and with an expert eye in order to yield prosecutable results, but for some organizations (particularly financial services organizations) it adds an extra arrow to their quiver in hunting down criminals who try to defraud their customers.

So, here's a question for readers (after they've read the paper of course)... can you name some of the large international banks that have already implemented Distribution Tracing within their secure customer portals?

------------
The whitepaper's abstract:

The Use of Distribution Tracing Within Web Content to Identify Counterfeiting Sources

Many of today’s more successful Internet-based fraud tactics require the counterfeiting of popular transactional Web sites such as financial portals, stock-trading platforms and online retail sites. For the fraud to be successful, the cyber-criminal must typically clone most, if not all, of the targeted site’s content and host the counterfeit site on a Web server under their control. With some minor modifications to the underlying HTML code and changes to the application logic, the cyber-criminal will seek to steal the personal authentication or authorization credentials of unlucky victims who fall to the counterfeit site. Armed with these credentials, the cyber-criminal will subsequently attempt to defraud the accounts of their victim.

The major subclass of this attack is often referred to as “phishing” and typically targets the customers of major financial organizations; with the cyber-criminals end-goal being the removal of monies from their victim’s bank accounts. However, over time, phishing attacks have increasingly targeted a broader range of online consumer.

One key problem facing organizations targeted by these cyber-criminals is the identification of the perpetrators. While it is sometimes a simple task to shut down or have removed a counterfeit site, it is much more difficult to uncover the identity of those responsible for its creation.

Since the counterfeit sites are predominantly clones of a legitimate site, there are a number of techniques that can be employed by an organization to essentially “embed” a key in to the duplicated content which can then later be used to trace back to the original source of the content.

This whitepaper provides an overview of the techniques available to organizations that wish to undertake such identification activities – evaluating the pro’s and con’s of the various mechanisms and providing advice on how to employ this class of investigative technology.

<PDF of Anti-Fraud Image Solutions>

Bot Counting via Hijacked C&C Portals

So, the question is "can you accurately size a botnet by hijacking the Web C&C portal and counting the bot agents under management?"

The obvious answer should be "yes", but I'm sorry to say that the answer is almost certainly "not really". Not meaning to rain on Finjan's parade, but just because a C&C portal has a 'total' figure - doesn't mean that's how big the botnet actually is.

Original response is over on the Damballa site... "Caution Over Counting Numbers in C&C Portals"...

C&C Portal Counting

It’s always a struggle to get definitive information about the size of the global botnet infestation. The typical way in which security researchers build the big picture is either through extrapolation of an existing dataset (e.g. there are 1,000 infections within this class-A, therefore there are probably 250,000 infections globally) or through the summation of confirmed reports.

The former method has always struck me as fraught with uncertainty, and I wouldn’t even consider it a reliable estimating method since there are way too many factors at work. The later method tends to underestimate the global number – but is a more accurate reflection of what we know.

So, it was with interest I read today’s blog by Finjan - How a cybergang operates a network of 1.9 million infected computers – which details their investigation of a Web-based C&C platform that they stumbled upon which appears to have been managing a little over 1.9 million bot agents. It’s an interesting walk through of what they found (and well worth the read), however I think it’s important that followers of these kinds of numbers (and supporting evidence) keep a critical eye open.

Some things to bear in mind with these kinds of notable finds:

1. The absolute number quoted within these C&C portals doesn’t necessarily mean that there were (or are) as many bot agents out there.
   a. Depending upon the age of the portal, the number is probably an aggregate of all the infected hosts over time. Some hosts may have been infected and then remediated or just “lost” by the botnet herder.
   b. Just like the way in which new companies tend to start their invoices with a number other that one (e.g. start with 10000) so that their first customers don’t realize that they are so small/new, botnet herders aren’t just as inclined to start at a higher number – after all, a big number looks cool.
   c. In the majority of cases the counter increments upon the addition of a new infected host. In many cases each reinfection of an infected host (e.g. the user falls victim to the same drive-by-download attack) overwrites the malware that was first installed and creates a fresh registration to the C&C server.
   d. DHCP – an oldie, but a goodie – means that an infected host will be assigned different IP addresses (and host names if they’re subscribers of a mainstream ISP), which means that the same host can (typically) get counted each time it connects to the C&C from a different address. In conjunction with that, “new” infections that happen to reuse an older infected IP address registration may not get counted at all.
2. A basic business model has developed over the last 18 months revolving around building large botnets as fast as possible, inventorying them for low-hanging-fruit authentication credentials and network-orientated configuration info (e.g. speed of network connection, VPN, NAT and enterprise network settings), and then carving them up for sale to other botnet operators. As such, the carved off botnet subsets (often sold in the realm of $50-400 per thousand hosts) may be removed from the C&C portal. I say “may” because the large botnet herder may not bother removing them from the count (It’s only a counter after all), or that he still keeps a backdoor open to bots that have already been sold off.
3. In most cases, to gain access to the C&C portal, you need to supply login credentials. Depending upon which country you happen to be living, accessing the C&C portal without permission may constitute a legal offense – and be subject to jail time. Just because the bad-guys were operating a botnet doesn’t mean that the good guys are allowed to break in to their systems – sorry, but it’s true whether we like it or not. Some may argue that the good-guys are just breaking in to a system owned by the bad-guys, so that’s fair game. Unfortunately, theres no guarantee that the C&C server is actually running on a host that the bad-guys own – in fact there’s a higher probability that it’s running on a server they’ve p0wned (i.e. it’s another victims computer). Therefore, by proceeding with an unauthorized access to the previously-compromised computer, the good-guys could be prosecuted by the real owner of the system… and things can get really ugly of that host also has important/confidential files on it belonging to the host owner.

One last observation about this type of botnet C&C discussion - you’ll note that there are multiple malware samples associated with the botnet. This is a common modus operandi as botnet herders use their C&C channel to force down new malware packages to be installed – often from various organized cyber-crime malware distribution gangs – for a fee (this is part of the money making process) – and the infected host may subsequently be remotely controllable by a whole bundle of different botnet operators. As a consequence of this multiple-install process, the infected host is effectively “sub-leased” my multiple tenants – and disagreements can often result in mini-battles as the various botnet herders try to wrestle ultimate control of the host away from the other operators. There’s no trust amongst criminals.

Password Revisitied

I've been hearing a lot about HTTP-based brute-forcing of Web email accounts lately - in particular the use of automated tools - and there are few interesting aspects here that I think commentators are missing.

Firstly, the easiest (and fastest) way to brute-force a webmail account is to not use HTTP. Ignoring the major free-mail services (e.g. gmail, yahoo mail, hotmail, etc.), many people rely upon ISP-provided webmail services for their every-day mail access. What you will find is that these ISP-provided webmail services come bundled with the ability to host your own personal Web site - as part of the service. And, you've probably already guessed it, you use your email address and it's password to access via FTP or WebDAV. Therefore, brute-forcing via FTP/WebDAV is possible - in fact it's not only possible, it's also much faster and more efficient (in many cases, FTP won't lock out the account after too many password guess failures).

Another aspect for consideration is the fact that in most cases today you don't actually need to brute-force the password, instead you can focus on a much smaller subset of probabilities via the "forgotten your password" interfaces. While an account password may be 8 characters long and contain numbers, uppercase characters and extended characters, the password recovery may be as simple as guessing a favorite color or pet's name. Even security aware geeks fall for this - and I wonder how many passwords can be recovered by answering the "your favorite movie?" recovery question with "Star Wars"? - too many I bet.

So, what happens after all that? What if you want to "recover" a webmail account (yours or someone elses)? Hire an expert of course...

Password Recovery Services

If you have regular access to the Internet, the odds are pretty high that you’re also making use of the email services from one of the popular free Webmail providers. In fact, most people I know have multiple personal accounts on several of the most common platforms (e.g. gmail.com, hotmail.com, yahoo.com, etc.).

Unfortunately, remembering the passwords for these accounts can be troublesome – particularly if you don’t use an account regularly or (more commonly nowadays) if you’ve been using some application’s “remember my account/password” functionality.

What happens when you’ve forgotten the password (or never knew it to begin with)? If contacting the email provider and answering the “forgotten password” questions hasn’t worked, there are several ways to gain access to the password.

If it’s been “remembered” by the Web browser or “saved” by the email client (e.g. Microsoft Outlook) there are several installable tools freely available to help recover the password. Most of the tools are very small and effectively do a little registry or memory hooking to “see behind” the *** asterisks, and present the password back to you. Meanwhile, others perform a little crypto magic and decode the stored password from somewhere else on the host.

I’ve used these tools many times in the past – both personally (e.g. recovering passwords for DSL modem dialup's when trying to migrate to a replacement PC) and professionally (having gained control of a remote host during penetration testing and needed to recover other user-level passwords for deeper penetration) – but you have to be pretty careful. Today, more often than not, you’ll find many of these “free” tools come bundled with spyware and keyloggers built in.

Someone Else’s Account

OK, but what if you’re in need of hacking in to someone else’s free Internet email account? What about if you don’t want the owner of the account to know you’re interested in getting their password and gaining access to their account? Well, in this age of hacking-as-a-service, you’d be right in guessing that it’s pretty easy to engage on-demand “password recovery” hacking services.

But why would someone want to use these hacking services? Funnily enough, the hacking-as-a-service web sites themselves will give you plenty of excuses why you’d want to engage their services in breaking in to personal email accounts…

• Online Infidelity (Cheating Spouses)
• Identifying Cyber Stalkers
• Internet Security Audit
• Background Search
• Online Fraud Investigations
• Employee Data Theft
• Cyber harassment
• Internet Surveillance
• Password Recovery
• Identity Theft
• EBay (Online Auction) Fraud
• Child Predators and Pornography

I think most people have a fair amount of personal information in their free webmail accounts. With the webmail providers continuously increasing their free storage capabilities (and making it very difficult to actually “delete” any emails), most users probably have several years of stored emails – emails likely containing order confirmation details, photo’s of loved ones, banking and personal account details, address details, etc. – all of which has a value to an identity thief and can be sold through any number of channels.

But it can go further than that. It must be hard for some employers not to engage these services themselves. How many times have you seen farewell emails go around the corporate email system with the leaving employee saying that they can be contacted at such-and-such webmail address? What if that farewell was from a manager or executive who was off to work for a competitor, or launch a start-up organization, and the likelihood of other employees following them was high? If the (former) employer could inspect that webmail account every so often they could probably figure out who was about to jump ship and maybe take preventative action.

Is it Legal?

Depending upon which country you happen to be living in, maybe – but more than likely “probably not”. You’d have to check with your own legal team (I’m not a legal expert), but the services being provided sound pretty-much like criminal hacking to me. At the very least they’re going to breach the terms and conditions of the webmail provider.

You’ll also find that many of the hacking-as-a-service providers will have their own “terms and conditions” and disclaimers for self preservation. By way of example, here’s a snippet from one such site:

"Use of Sites Services
We don't have any partnership or alliance with Yahoo, Hotmail, AOL, Rediffmail. If you lost your password from these sites you have to first contact the corresponding authority. We are recovering passwords using some of our softwares, brute forcing and dictionary attacks. We will not responsible for any damage occur in the email id you supplied.
We will not crack passwords of another persons. If you are contacting us to crack another users password, that will be 100% with your own risk. Password hacking of another persons account is illegal. So all legal and government actions relating to the case is against you only.”

Service Levels and Reassurances

Competition in the password hacking business is fierce, and you’ll find no shortage of suppliers. At the moment the market is fragmented, with many smaller hacking-as-a-service providers specializing in a handful of local country-specific webmail providers. For example, a quick search will reveal dozens of specialist Russian and Czech sites focusing on popular .ru webmail services – such as Mail.ru (list.ru, bk.ru, inbox.ru) and Pochta.ru ( fromru.com, front.ru, hotbox.ru, hotmail.ru, land.ru, mail15.com, mail333.com, newmail.ru, nightmail.ru, nm.ru, pisem.net, pochtamt.ru, pop3.ru, rbcmail.ru, smtp.ru).

I’ve also come across a lot of portals that “specialize” in hacking any email account as long as it doesn’t belong to a .gov or .edu domain (which is interesting in its own right). But I’ve also stumbled across a few that cater exclusively to .gov and .edu mail services - so none are "safe".

That said, you’ll also find the competition has driven some of the larger international service providers to present polished commercial facades that promote the quality and professionalization of their services, with many offering money-back guarantees should they fail to retrieve the password of the account you’re interested in.

While most search engines will quickly uncover stacks of service providers, you’ll also come across lots of hacker forum postings promoting their services – each offering their own unique reassurances of their service. For example, with the help of an online translator:

To start probably need to reassure potential customers:
A) We are not advances. [i.e. they do not need advanced payment]
B) We are carrying out transactions through the guarantors of the forum in which you find this announcement.
C) We provide daily report on the work done.
D) We are not physically stronger orders.
E) We maintain our established time frame.
F) We are polite and attentive, what you want.
About rules, see no need to write, because each order individually discussed with the client.

How much does it cost?

Whether you’re dealing with the hacking-as-a-service providers Web portal, or directly with the password recovery purveyor, “100” appears to be a popular figure for a single email account. That “100” may be in US dollars, Web-money WMZ, or some other form of currency, and can be paid using any of the usual online payment systems.

In the majority of cases, the providers do not require advanced payment, and the process of engaging a service provider is pretty easy. For example, the Crackpal service (pictured above) lists five easy steps to the password recovery of your targeted webmail account:

1. Email the target id to crackpal@crackpal.com or click to order password
2. After Successful Crack we will send you the proofs
3. Verify proofs and if you are well satisfied then you can reply back
4. We will send the Detailed Payment information after getting reply
5. After payment confirmation we will send the original password

Interestingly enough, while several payment options are available, it looks like they will only accept direct bank deposits from Malaysia, Singapore, the Philippines and India – which likely hints at their operational location.

Password recovery prices tend to increase once you move from popular webmail accounts to other email accounts. For example, hirehackers.net charges a lofty $200 per retrieval session for POP3 email account passwords…

…and you’ll also uncover plenty of scam artists operating in this field.

Behind the Scenes

There’s actually not a lot going on behind the scenes in the attacks. As you’d expect, in almost all cases the hacking of the targeted email accounts are done through standard automated guessing techniques (e.g. dictionary attacks and brute-forcing) using commonly available tools and scripts.

What you will find though is that some degree of specialization has been necessary by the hacking-as-a-service providers due to CAPTCHA use. The smaller providers appear to be making use of tuned auto-CAPTCHA-breaking scripts, while the other “general” providers are more than likely employing human CAPTCHA breakers (you can find out more details of these CAPCHA breaking trends in an earlier blog entry on Mechanical Turks).

This approach is not necessarily guaranteed to retrieve all passwords – especially if it is a long and complex password (i.e. a “good” password). And it’s often for this reason that the providers won’t charge in advance (most common with fixed price recovery schemes). I suspect that each provider has decided upon a “maximum effort” level (or duration) that they’re will to expend in earning their 100 whatever-monetary-units.

But, as you’d expect, there are also a handful of hacking-as-a-service providers that charge based upon a sliding-scale of effort involved. You’ll often see such portal sites including details of how many IP addresses or botnet agents they will be using in their password recovery efforts – and you can sometimes select how much effort (as in time and agents) you’re willing to pay for.

Protection

How do you protect against someone employing these services to hack in to your webmail account? Unfortunately, there is very little you can do beyond the obvious.

1. Use a webmail provider that is known to have good anti-bruteforce protection (e.g. check out the details of how they handle account lockout processes and alerting).
2. Use a “good” password. There are plenty of guides on selecting appropriate passwords, but in general make it long and unpredictable. But beware – some webmail services don’t actually allow users to select passwords that would meet the “good” criteria (such as artificially restricting password length to 10 characters). If you’re currently relying on one such webmail provider, I’d recommend changing to another one that does – there’s no shortage of free webmail providers out there.
3. Don’t keep your entire email history online if at all possible. Delete regularly – especially personal information!

If you’re like me and don’t really use free webmail services that much, but find you need something like them for handling all those bothersome web sites that require an email address so they can send you a confirmation email with a URL to download or access they thing you were actually interested in, then I’d recommend disposable webmail services such as dodgeit.com (or dodgit.com).

These types of email service allow you to specify any email address you want within that domain (e.g. brochuresfromhell@dodgeit.com), and then access that “account” anytime without requiring a password. Obviously, they’re no good if you’re expecting any personal information to be received – and most don’t allow you to send emails either.

Digging up the Dead?

What happens when you die? OK, so that's a classic question that philosophers and theologians have been trying to answer for millennium now. But seriously, in this digital world, what happens when you die?

If you're like me, you've probably heard the terrible stories about fraudsters that scan the obituary columns of the local news paper and create new bank accounts and take out loans in the name of the recently deceased - only to scarper with the cash while family members are mourning the loss. It's a terrible crime - no doubt about it - but what about the the cyber aspects?

A couple of months aback a journalist asked me how family members of the recently deceased could recover the passwords of email accounts, and that got me thinking more about the subject.

Hijacking an Identity
Since we already know that people conduct this fraud in the physical world, what would it take to do the scam in the cyber world? Would it be easier or tougher? Are there more or less opportunities to get away with the crime?

Normally I'm game for a bit of tinkering to prove a point, but this time I won't - so lets just go through the theory - the last thing I want to do is prove how doable it would be by hijacking (or creating afresh) the cyber identity of someone that's just died.

A) Finding the deceased...
Well, that proves to be extraordinarily easy. Instead of having to wait for the morning's delivery of dead tree and scanning the columns, there are Web sites that automatically collate obituaries from multiple national papers (e.g. Obituaries.com) and even allow you to search for keywords.

B) Selecting the deceased...
The type and volume of information contained within obituary write-ups can vary considerably, but more often than not there's enough information there to be 'dangerous' and helpful from an identity theft perspective. For example, the first obituary I came across had the following data nuggets:

• Full name
• Birth date
• Home Address (the wake attendees were to meet there)
• List of family members and siblings (including all the grandparents names - i.e. Mothers Maiden Name)
• Schools (a list of schools and colleges attended)
• Favorite sports
• Home phone number
• Parents email address
• Dogs name
  

C) The cyber deceased...
Armed with a full name, address and general age-group information, it's pretty easy to Google your way around and uncover more relevant cyber information. Social network profiles, blogs, photo sharing sites and other posting forums can provide a wealth of new information - although the fraudster is probably better off targeting a deceased person with a slightly unique name if they don't want to spend ages sifting out unrelated material.

D) Going after the email...
Frankly, the most useful piece of information (that's going to reap the most rewards the fastest) is probably going to be the deceased main email account. Armed with that, it'll become almost trivial to recover the authentication information from any other related and interesting sites - i.e. through the typical "I've forgotten my password" which responds with an email verification. It's not like anyone's going to be watching the email account are they?

Hijacked Identity
Armed with a hijacked cyber identity, the fraudster/criminal can do all the normal badness we'd expect - except that he's got a window of time with a much higher probability of successfully making money. While family members are bereaved and otherwise occupied, the fraudster can be making merry and escaping with their ill gotten gains.

Which leads me to my next question. If someone dies, how do you legitimately gain access to their cyber identity/accounts?

Take myself as an example, I have several online bank accounts in multiple countries (I know, it's a bit extreme, but I've lived and worked in multiple countries over the years) - each with different account credentials and passwords, a dozen regular email accounts and Web sites, several social network accounts, about two dozen physical service portal accounts (e.g. cable TV, Electric Utilities, etc.) for bill payment, and probably another 50-80 online accounts that I use regularly for various things (e.g. blogging, Work VPN, online shopping, etc.). No two accounts share the same passwords, but lots of them store my credit/debit card details, and I don't have any of that written down.

So, if I was to kark it tomorrow, would my family be able to recover the accounts - either transferring them over to their own account names (for bill payments) or shutting them down to prevent misuse? Frankly, I think the answer would be a colossal No. And, the more I think about it, that's probably going to be a problem.

With more and more "cyber identities" out there, and more and more of our day-to-day lives being conducted online, if you do croak, how do friends and family recover the important accounts - and how can they do that quickly? (yeah, I'm one of those folks with the slightly unique names).

Armed with the content of a typically verbose obituary, any automated dead-like-me equivalent to "forgotten my password" is probably going to be pretty useless. Not to mention the fact family members are probably going to be rather occupied for the first few weeks. Also, lets say family members never uncover a particular account (e.g. a social network page/micro-site) - how long will it stay there? Should it stay there?

More Questions than Answers
This is one of those security blog entries that raise more questions than answers. And, even then, I think I'm only just scratching the surface of questions. However, I know from my own pentesting and passive information gathering experience that stealing online identities based upon obituary write-ups is going to be pretty easy - I'm you can guarantee that someone figured this out a while back and is probably already making a lot of money from this cyber vector.

I'd welcome any comments and thoughts from readers below...

Encouraging the UK police to hack a little more often

Apparently the UK Home Office is going to be encouraging the British bobby to do a little more hacking against those big bad cybercriminals out there - according to the BBC news.

In a statement regarding the agreement, the Council stated that "the new strategy encourages [the police and the private sector] to…resort to remote searches."

British law already allows police to remotely access computers under the Regulation of Investigatory Powers Act 2000, which allows surveillance to "prevent or detect serious crime".

I'm not sure exactly what the Council thinks the "private sector" encompasses, but wouldn't it be rather jolly if that included commercial penetration testing teams? (obviously not including commercial criminal hacking-as-a-service providers) I'd love to take a legal crack at the multitude of known criminal sites out there, and so would just about every professional pentester I know.

With the prospect of hacker-bobby knocking on your virtual door, you just know that someone'll complain about the breach of privacy etc. Oh well, it'll be interesting to see if the police take up the hacking challenge. If not, I'm sure these no shortage of willing volunteers.

One other quick note about the BBS news article. I'm not sure who Professor Peter Sommer is, but I'm not sure about the following statement...

Most anti-virus programs and firewalls will detect surveillance attempts because they are designed to stop the remote access software or Trojan-type viruses that hackers - even police hackers - usually use, he explained.

As far as I'm aware most of the professional malware out there in use today by the real criminals is a generation or two more advanced that the anti-virus solutions in popular use. And, strangely enough, that very-same malware the criminals are using can be purchased by anyone willing to fork over a few hundred dollars to a hacking-as-a-service provider in Russia, Korea, Turkey, Brazil, etc. so I don't think that's an inhibitor.

Here's a proposition to the police officers that are worried about being detected by anti-virus - buy the same software the organized criminal teams are using.