Saturday, July 26, 2008

DNS Cache Poisoning Opens Doors for Internet Criminals

The electronic universe seems to get more dangerous all the time. A newly disclosed vulnerability in DNS resolvers, exploited through what is called DNS cache poisoning, might allow an Internet bad guy (or gal) to redirect you to a malicious site without your knowledge, even when you type the correct address. In the majority of instances, malicious sites are designed to steal personal and financial information.

The flaw lies in the domain name system (DNS), the service that translates domain names like "Walmart.com" into the numeric IP addresses that networking hardware uses to route traffic. Resolvers keep (cache) the answers they receive, and the flaw lets an attacker slip false answers into a resolver's cache. Once that happens, everyone who relies on that resolver and asks for the poisoned name is sent to the attacker's site instead of the real one.
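To make the mechanics concrete, here is a small simulation, added as an illustration and not taken from the post or from Kaminsky's or any vendor's code. A resolver accepts a reply only if it matches the transaction ID and UDP source port of a query it has outstanding; the attacker races the real answer with forged ones and can keep forcing fresh queries for names the resolver has not cached yet. The fix vendors shipped in July 2008 was to randomize the query's source port, which multiplies the space the attacker has to guess. The toy resolver, the attacker's burst size and packet budget, the fixed port number and the addresses in the answers are all assumptions made for the simulation.

```python
"""Added example (not from the post): why randomizing the resolver's UDP source
port defeats the 2008 cache-poisoning attack.

A resolver accepts a DNS reply only if it carries the 16-bit transaction ID
(TXID) of an outstanding query and arrives on the UDP port that query was sent
from. An attacker who can make the resolver issue queries on demand (for names
that are not yet cached, such as random subdomains) races each real answer with
a burst of forged replies. Pre-patch resolvers sent every query from one fixed
port, so a forger only had to guess the TXID; the July 2008 patches made the
port random as well. All values below are constructed for the simulation.
"""
import random

TXID_SPACE = 1 << 16                  # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)  # 64512 possible source ports after the patch


class Resolver:
    """Toy caching resolver that keeps one outstanding query at a time."""

    def __init__(self, randomize_ports, rng):
        self.randomize_ports = randomize_ports
        self.rng = rng
        self.fixed_port = 1053  # assumption: the single port an unpatched resolver used
        self.pending = None
        self.cache = {}

    def query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_ports else self.fixed_port
        self.pending = (name, txid, port)

    def receive(self, name, txid, port, answer):
        """First reply matching name, TXID and port wins; everything else is dropped."""
        if self.pending == (name, txid, port):
            self.cache[name] = answer
            self.pending = None
            return True
        return False


def attack(resolver, rng, burst=200, budget=1_000_000):
    """Race the real answer with forged replies.

    Returns the number of forged packets sent when the cache was poisoned, or
    None if the budget ran out first. When the port is not randomized the
    attacker is assumed to already know it (it is trivially observable).
    """
    port_guesses = EPHEMERAL_PORTS if resolver.randomize_ports else [resolver.fixed_port]
    sent = 0
    attempt = 0
    while sent < budget:
        name = f"{attempt}.example.com"  # fresh, uncached name forces a new query
        attempt += 1
        resolver.query(name)
        for _ in range(burst):
            sent += 1
            forged_txid = rng.randrange(TXID_SPACE)
            forged_port = rng.choice(port_guesses)
            if resolver.receive(name, forged_txid, forged_port, "192.0.2.66"):
                return sent  # forged answer accepted: cache poisoned
            if sent >= budget:
                return None
        # Burst over; the genuine answer arrives and is cached instead.
        _, real_txid, real_port = resolver.pending
        resolver.receive(name, real_txid, real_port, "198.51.100.1")
    return None


def expected_forgeries(randomize_ports):
    """Mean number of uniform guesses until one matches the outstanding query."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_ports else 1)


def run(randomize_ports, seed=1):
    """Run one seeded simulation; returns packets-to-poison or None."""
    rng = random.Random(seed)
    return attack(Resolver(randomize_ports, rng), rng)


if __name__ == "__main__":
    for patched in (False, True):
        print(f"ports randomized={patched}: expected ~{expected_forgeries(patched):,} "
              f"forgeries, simulation result {run(patched)}")
```

Run it and the unpatched resolver is poisoned after on the order of tens of thousands of forged packets, while the patched one, facing roughly 4.2 billion TXID/port combinations, survives the million-packet budget. The simulation models only the guessing race, not what the forged reply contains.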

Security researcher Dan Kaminsky, who discovered the flaw several months ago, reported it privately and had been working in secret with the major software vendors on a fix. The plan was to coordinate a response before criminals discovered the flaw and started exploiting it. In March, experts from all over the world met at the Microsoft campus to put this plan into motion. On July 8th, the vendors shipped coordinated patches to protect systems against the flaw.

The hope was that this would give everyone 30 days to patch their systems before the details became public, but it didn't work out the way it was supposed to.

On Wednesday, details of how to exploit this flaw were posted on the Internet. Shortly afterward, working exploit code was added to Metasploit, a hacker tool that makes the attack easy to use even for criminals who are not very technically inclined.

Easy-to-use tools, sometimes referred to as DIY (do-it-yourself) kits, have been blamed for the ever-increasing crime levels we see on the Internet today. They are sold fairly openly and sometimes even come with technical support.

Metasploit is an open-source project used to research exploits and vulnerabilities. While researchers consider it a useful tool, criminals can use it just as easily to exploit vulnerabilities in systems.

Dan Kaminsky wrote an interesting blog post explaining this in detail; it includes a DNS checker that tells you whether your Internet service provider (ISP) has patched the flaw. I highly recommend that everyone test their system using this tool!

Because this information was released before everyone could get their systems fixed, the first attacks using this flaw are being seen in the wild (on the Internet). Yesterday, James Kosin announced on his blog that the attacks are starting and that it's time to patch or upgrade now. Websense announced the same thing with a security alert.

Impromptu research by Kaminsky shows that as of yesterday just over 50 percent of the unique name servers tested were still vulnerable to this attack; on July 9th, roughly 85 percent were. Undoubtedly, a lot of computer security types are working this weekend.

Individual users who have their systems set for automatic updates will probably receive the patch as soon as their vendor releases it. Please note that older systems might remain vulnerable until they are updated.

Robert Vamosi at CNet has aptly pointed out that home users might need to patch, too. Handy links for doing so are in the article he wrote on this.

I guess the best thing for us "little people" to do is to make sure our systems are updated. I would recommend doing it manually if you aren't set up for automatic updates.

Kaminsky will cover further details at the upcoming Black Hat conference on August 6th.

Wednesday, July 23, 2008

Will One Spam King's Conviction and Another's Escape Mean Less E-Trash on the Internet?

Robert Soloway, dubbed the "Spam King," was sentenced in Washington yesterday, according to an article in the Seattle Post-Intelligencer.

For his misdeeds, Soloway was sentenced to just under four years. Notably, Soloway was only the second person to be prosecuted under the CAN-SPAM Act. It should also be noted that prosecutors asked for about twice that much prison time, and that with good behavior Soloway will probably serve only about half of the sentence he received.

Like most of the many "Spam Kings" out there, Soloway allegedly used a botnet (an army of compromised "zombie" computers) to saturate the electronic universe with e-trash, including advertisements for commercial clients. To give everybody an idea of the scope of Soloway's activity, he allegedly sent out 90 million e-mails in a three-month period.

That made me wonder whether anyone is looking at the commercial clients. Of course, everyone knows that "Spam Kings" send out a lot more than commercial advertisements, including a variety of scams designed to steal from unwary people. They also tout knock-off drugs, merchandise, software and porn.

Spam is also used to deliver malicious software, which can steal all your personal and financial information. Ironically, spam also delivers the malware that turns a system into part of a botnet, which is then used to send out even more spam.

In fact, selling the means to send out even more spam best describes Soloway's operation. Through a company, Newport Internet Marketing Corporation (NIM), he offered a bulk e-mail software product and bulk e-mail services. His website promised a full refund if a customer wasn't satisfied; in reality, anyone who complained was threatened with financial charges and collection agencies.

According to the Department of Justice press release, one customer tried to complain about the amount of spam he was getting and Soloway's response was to send him even more spam.

The press release also mentions that he willfully failed to pay his taxes after earning more than $300,000 in 2005.

Interestingly enough, another "Spam King," Edward "Eddie" Davidson, simply walked out of a minimum-security facility in Colorado at about the same time Soloway was sentenced. Davidson allegedly made $3.5 million spamming for about 20 commercial clients. Like Soloway, he failed to pay any taxes on the proceeds of his misdeeds.

Unfortunately, neither Soloway's conviction nor Davidson's escape is likely to make much of a dent in spam anytime soon. Earlier this month, Symantec reported blocking 3.5 million spam messages over the 4th of July holiday. Its monthly spam report stated that over 80 percent of all e-mail sent is spam, and that figure (or a higher one) has been a sad fact for several months now.

Notable trends in the latest report included using the China earthquake to spread viruses and the use of fake news flashes (such as "U.S.A. attacks Iran") to lure Internet crime victims.

We probably shouldn't be too quick to celebrate Soloway's conviction. He is obviously just one of many "Spam Kings" operating out there. Hopefully, as time goes on, we will see more of these so-called spam superstars put behind bars. After all, just about anything that is distasteful or illegal on the Internet normally starts with a spam e-mail.

On a final note, both Soloway and Davidson seemed to be servicing a lot of commercial clients. Maybe if the legal emphasis shifted towards the people paying spammers, there would be less incentive (money) for spammers to pollute the Internet!

Update (7/25/08): In a horrifying twist to Eddie Davidson's escape, the AFP now reports that he killed himself after killing his wife and their three-month-old daughter. Davidson's seven-month-old son was left in the car unharmed, and his sixteen-year-old daughter was shot in the neck before escaping.

Given these circumstances, I wonder if anyone is going to question why Davidson was locked up in a minimum-security facility that he was able to walk away from?

Monday, July 21, 2008

E-Gold Admits Being Guilty of Enabling Internet Criminal Activity

According to a UPI article, the three principal executives of E-Gold Limited have pleaded guilty in a case brought against them by the Department of Justice.

The three executives in question, Dr. Douglas Jackson, principal director of E-Gold and CEO of Gold & Silver Reserve Incorporated, and two of his senior directors, Barry Downey and Reid Jackson, pleaded guilty to conspiring to engage in money laundering and to operating an unlicensed money transmitting business.

The corporations involved (E-Gold and Gold & Silver Reserve) face a fine of $3.7 million and have already agreed to pay a judgment of $1.75 million. Douglas Jackson faces up to 20 years in prison and a $500,000 fine; Downey and Reid Jackson face a maximum of 5 years in prison and a $25,000 fine.

Anonymous means of transmitting money are favorites of criminals for conducting illegal business and scamming people. In the current case, the Department of Justice charged that the criminal activity included investment scams, credit card fraud, identity theft and even child exploitation.

The Department of Justice did mention that E-Gold assigned employees to monitor accounts for fraud, but those employees allegedly had no previous experience in dealing with illegal activity.

Another article in PC World about this story pointed to a blog post in which Douglas Jackson announced new security procedures to verify customers and prevent fraud. No new accounts are being opened until E-Gold finds an "interim means" of verifying who its customers actually are. The blog post also admitted that a system design flaw made it difficult to get rid of a user effectively: if one account was blocked, another could simply be opened.

Please note that since a free e-mail address was the only requirement to open an E-Gold account, it wouldn't have been very hard for a criminal caught committing fraud to simply move on to another e-mail address.

It will be interesting to see how they plan to verify customers over the Internet.

In 2006, BusinessWorld reported that the ShadowCrew, a 4,000-strong credit card fraud and identity theft ring operating in carder forums on the Internet, used E-Gold to launder some of its proceeds.

To anyone familiar with crime on the Internet, allegations of criminals using or manipulating E-Gold (or similar services) are nothing new. E-Gold gives its customers the ability to transfer the value of gold electronically. To transfer E-Gold, which has a cash value, all anyone needs is an e-mail address, an account number and a password.

E-Gold type accounts are also prone to takeovers. This normally happens when account numbers and passwords are stolen through what is known as phishing and a fraudster takes over the account. After compromising an account this way, the crook simply transfers the gold elsewhere. Phishing relies on social engineering, and the same credentials are also harvested by malware (crimeware) such as keyloggers, which silently capture everything typed on an infected system.

Please note, from what I've heard, people are never made whole (compensated) after this happens to them. Once the money is transferred, the account owner has little or no recourse. Interestingly enough, E-Gold spins this as a feature: there are no chargebacks to worry about. A chargeback occurs when a financial institution reverses a transaction found to be fraudulent (or disputed by the customer) and charges it back to the merchant.

As for the money laundering aspect, an anonymous service such as E-Gold can be used to move the proceeds of all sorts of crimes. People are known to be duped by job scams into laundering money through services like this. In cases like these, they are taking all the risks for a small portion of the rewards.

In most instances, anyone who gets involved in one of these scams is, at the very least, going to lose their shirt in the process. Of course, they can also get arrested.

The best thing to do is to be extremely careful when someone offers you riches, or "gold," over the Internet. There is a big difference between real gold and what is known as "fool's gold."

Sunday, July 20, 2008

Rapper DMX Charged With Medical Identity Theft

Earl Simmons, a.k.a. DMX, a rap artist who seems to run afoul of the law frequently, was arrested in a Phoenix mall on Saturday for identity theft.

Apparently, DMX used the name Troy Jones when seeking medical care for pneumonia, according to KNXV-TV in Phoenix. He also gave a Social Security number that didn't belong to him. Allegedly, DMX did this to get out of paying a $7,500 bill.

Earlier this month, DMX was arrested at Sky Harbor Airport in Phoenix on outstanding warrants. He was flying into Phoenix after being arrested for drugs in Florida. Maybe the reason he doesn't have the money to pay his medical bills is all the drugs he buys (speculation)?

Prior to this arrest, DMX was recently arrested for driving over 100 miles per hour on a suspended license, for drugs and for animal cruelty. According to an Associated Press article, Maricopa County Sheriff Joe Arpaio said the identity theft investigation grew out of the investigation into animal neglect at the rapper's home in Phoenix. During the search of DMX's home under a warrant, drugs, guns and 12 malnourished pit bulls were found. The remains of three other dogs were also found on the property.

The type of identity theft DMX allegedly committed is known as medical identity theft. Medical identity theft is a growing phenomenon that causes great harm to its victims, according to the World Privacy Forum, which performed the first in-depth study of the problem.

Despite the risks it carries, it's probably one of the least studied forms of identity theft. Victims of medical identity theft not only have to fix all their financial records, they also end up with a lot of erroneous information in their medical records.

Medical identity theft victims might receive the wrong treatment, have their insurance used up, and could even be classified as a bad risk when seeking life and medical coverage. They could also fail a medical exam for employment when diseases show up in their medical records that they never had.

While most identity theft victims can correct errors in their credit reports and place alerts or freezes to prevent further fraudulent activity, victims of medical identity theft don't have the same legal rights to clear bad information from their files. In some instances, they aren't even allowed to see what is in their files. Furthermore, medical identity theft victims don't have the right to stop insurers, health care providers and medical clearinghouses from sending this information back and forth to each other.

As medical records go electronic, the risk grows, because the information is transmitted to a variety of databases. Sadly enough, one of the reasons many of these databases are being created is to prevent fraud.

It is also not unheard of for dishonest people in the medical industry to steal identities in order to submit fraudulent claims to insurance companies and even to the government. Law enforcement authorities estimate that Medicare fraud costs $60 billion a year, according to an article in the Washington Post.

If you are interested in learning more about this, or have been a victim of Medical Identity Theft, I recommend reading the Medical Identity Theft Information Page on the World Privacy Forum.

The World Privacy Forum plans to issue a second study on this problem later on this year.


Booking photo of Earl Simmons a.k.a. DMX at the Maricopa County Jail shortly after his arrest.