Topic: Web Gang Operating in the Open

Reginald Hudlin
Web Gang Operating in the Open
« on: January 17, 2012, 05:53:29 am »


January 16, 2012
Web Gang Operating in the Open
Five men believed to be responsible for spreading a notorious computer worm on Facebook and other social networks — and pocketing several million dollars from online schemes — are hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook and several independent computer security researchers.

The men live comfortable lives in St. Petersburg — and have frolicked on luxury vacations in places like Monte Carlo, Bali and, earlier this month, Turkey, according to photographs posted on social network sites — even though their identities have been known for years to Facebook, computer security investigators and law enforcement officials.

One member of the group, which is popularly known as the Koobface gang, has regularly broadcast the coordinates of its offices by checking in on Foursquare, a location-based social network, and posting the news to Twitter. Photographs on Foursquare also show other suspected members of the group working on Macs in a loftlike room that looks like offices used by tech start-ups in cities around the world.

Beginning in July 2008, the Koobface gang aimed at Web users with invitations to watch a funny or sexy video. Those curious enough to click the link got a message to update their computer’s Flash software, which begins the download of the Koobface malware. Victims’ computers are drafted into a “botnet,” or network of infected PCs, and are sent official-looking advertisements of fake antivirus software and their Web searches are also hijacked and the clicks delivered to unscrupulous marketers. The group made money from people who bought the bogus software and from unsuspecting advertisers.

The security software firm Kaspersky Labs has estimated the network includes 400,000 to 800,000 PCs worldwide at its height in 2010. Victims are often unaware their machines have been compromised.

The Koobface gang’s freedom underscores how hard it is to apprehend international computer criminals, even when identities are known. These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor. Meanwhile, Western law enforcement is awash in computer crime and lacks the resources and skilled manpower to tackle it effectively, especially when evidence putting individuals’ fingers on keyboards must be collected abroad.

On Tuesday, Facebook plans to announce that it will begin sharing information about the group and how to fight them with security researchers and other Internet companies. It believes public namings can make it harder for such groups to operate and send a message to the criminal underground.

None of the men have been charged with a crime and no law enforcement agencies have confirmed they are under investigation.

The group investigators have identified has adopted the tongue-in-cheek name Ali Baba & 4: Anton Korotchenko, who uses the online nickname “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the online moniker “PoMuc”; and Alexander Koltysehv, or “Floppy.”

Efforts to contact members of the group for comment have been unsuccessful.

Weeks after early versions of the Koobface worm began appearing on Facebook, investigators inside the company were able to trace the attacks to those responsible. “We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” said Ryan McGeehan, manager of investigations and incident response at Facebook.

Since then, Facebook and several independent security researchers have provided law enforcement agencies, including the Federal Bureau of Investigation, with information and evidence. Most notably, Jan Droemer, a 32-year-old independent researcher in Germany, has provided important information and leads, including a password-free view inside Koobface’s command-and-control system, known as the “Mothership.” Mr. Droemer spent nights and weekends for four months in late 2009 and early 2010 unmasking the gang members using only information available publicly on the Internet.

The F.B.I. declined to comment.

That computer crime pays is fueling a boom that is leaving few Internet users and businesses unscathed. The toll on consumers alone is estimated at $114 billion annually worldwide, according to a September 2011 study by the security software maker Symantec.

Russia, in particular, has a reputation as a hacker haven, although it has pursued several prominent cases against spammers recently. The Soviet education system’s emphasis on math and science combined with post-Communist economic collapse and weak private industry meant there were many highly trained engineers, but few legitimate outlets for their skills, said Vsevolod Gunitskiy, an assistant professor at the University of Toronto.

“Russia is sort of a perfect storm for cybercrime,” he said. The proliferation of organized crime and official corruption created “this very strong legacy of contempt for the laws and general culture of criminality.”

The Russian Embassy in Washington said it does not have any information regarding this group and that American law enforcement officials had never contacted the embassy on this issue.

The men investigators believe are behind Koobface look a lot like ordinary software enthusiasts, albeit with more tattoos and an outlaw persona. Mr. Avdeyko, who is two decades older than the other men and has been tied to an infamous spyware program dating to 2003 called CoolWebSearch, appears to hold a leadership role.

He and at least two of the other men have worked in the world of online pornography, said Mr. Droemer. Mr. Korotchenko and several of the other men apparently tried to run a legitimate mobile software and services business, colorfully named MobSoft Ltd. They did not reply to e-mails requesting interviews.

Mr. Droemer said the gang’s success was more attributable to workaday persistence and willingness to adapt than technical sophistication. They could have spread Koobface to many more PCs, he said. “They could have done a lot more technical things to make it more perfect, more marvelous. But there was just no need to do it. They were just investing as much to get the revenue they wanted to get.”

The group cleverly harnessed the infrastructures of powerful online services — from Facebook and Twitter to Google’s search engine and Blogger — to do the heavy lifting, and may have run its enterprise with just a few computers.

Koobface will probably earn its place in history for pioneering and leading the criminal exploitation of social networks, rather than the size of its profits. Data found in the botnet’s command-and-control system suggests the group has earned at least $2 million a year for the 3 1/2 years of its existence, although the actual total is very likely higher, Mr. Droemer said.

Experts say the gang could have further enriched itself through identity fraud, since it has had access to millions of PCs and social-network profiles, but that there is no evidence it has done so.

Indeed, in a 2009 Christmas e-card to security researchers left inside victim computers, the gang vowed it would never steal credit card or banking information. It called viruses “something awful.” Its tactics have been less ruthless than those of many other hacker groups, experts said. For instance, it has never deployed malicious programs that install automatically, and rather has required its victims to make several unwise clicks.

While the Koobface gang operates freely, Facebook has focused on building elaborate defenses against the worm, which relentlessly struck the site again and again until disappearing in March. The gang abandoned the site after Facebook mounted a major counteroffensive, which included an effort to dismantle the command-and-control system of the botnet and a simultaneous push to scrub its network of the worm and clean up infections in users’ PCs.

“We fired all the different guns at the same time,” said Joe Sullivan, chief security officer at Facebook. “If we could literally shut down the command-and-control, all the infections, and just make them have to start over from scratch in all contexts, we figured they might decide to move on.” He hoped they would conclude Facebook was unprofitable, he said.

But Facebook’s effort and two earlier takedown efforts by security researchers — including one by the Bulgarian researcher Dancho Danchev, who revealed the name of one Koobface member on his blog last week — have failed to put an end to Koobface, and smaller sites continue to suffer.

“People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted,” Mr. Sullivan said. “People are fighting back.”

Battle
Re: Web Gang Operating in the Open
« Reply #1 on: January 17, 2012, 07:09:52 am »
I think incidents like this will lead to much more strict U.S. laws and challenge our privacy concerns of innocent and decent people while the 'bad guys' get away.

BmoreAkuma
Re: Web Gang Operating in the Open
« Reply #2 on: January 17, 2012, 10:50:13 am »
> I think incidents like this will lead to much more strict U.S. laws and challenge our privacy concerns of innocent and decent people while the 'bad guys' get away.

They are already in the works, so watch out.
With these choices, I felt that the American black man only needed to choose which one to get eaten by; the liberal fox or the conservative wolf because both of them will eat him.

Battle
Re: Web Gang Operating in the Open
« Reply #3 on: January 29, 2012, 05:35:30 am »
"Megaupload's Mega-fukked!"
Megaupload founder: JAILED!

According to (in New Zealand) and Yahoo! news, did you know that if you can be part of the one of the world's biggest entertainment piracy operations, Megaupload, you too can own a mansion in New Zealand, pricey art and a fleet of expensive automobiles -- including a 1959 pink Cadillac and a Rolls Royce Phantom --  or even a swimming pool filled with imported spring water?  ...Or an entire wall outfitted with seven 60-inch HD screens, each with its own Xbox 360 console and Lazyboy recliner?

Yep, Kim Dotcom, one of the most notorious digital pirates in the world was arrested over accusations that his Megaupload empire cost copyright holders $500 million in lost revenue by facilitating millions of illegal downloads.

Would you like to know more?

Battle
Re: Web Gang Operating in the Open
« Reply #4 on: July 19, 2021, 05:49:11 am »
Monday, 19th July Twenty One
Despite the hype, iPhone security no match for NSO spyware
by Craig Timberg, Reed Albergotti and Elodie Guéguen

The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound.

It produced no image.

It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems.

Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab.

It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France.

The examination was unable to reveal what was collected.

But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials.

The spyware can activate cameras or microphones to capture fresh images and recordings.

It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction.

And all of this can happen without a user even touching her phone or knowing she has received a mysterious message from an unfamiliar person — in Mangin’s case, a Gmail user going by the name “linakeller2203.”

These kinds of “zero-click” attacks, as they are called within the surveillance industry, can work on even the newest generations of iPhones, after years of effort in which Apple attempted to close the door against unauthorized surveillance — and built marketing campaigns on assertions that it offers better privacy and security than rivals.

Mangin’s number was on a list of more than 50,000 phone numbers from more than 50 countries that The Post and 16 other organizations reviewed.

Forbidden Stories, a Paris-based journalism nonprofit, and the human rights group Amnesty International had access to the numbers and shared them with The Post and its partners, in an effort to identify who the numbers belonged to and persuade them to allow the data from their phones to be examined forensically.

For years, Mangin has been waging an international campaign to win freedom for her husband, activist Naama Asfari, a member of the Sahrawi ethnic group and advocate of independence for the Western Sahara who was jailed in 2010 and allegedly tortured by Moroccan police, drawing an international outcry and condemnation from the United Nations.

“When I was in Morocco, I knew policemen were following me everywhere,” Mangin said in a video interview conducted in early July from her home in suburban Paris.

“I never imagined this could be possible in France.”

Especially not through the Apple products that she believed would make her safe from spying, she said.

The same week she sat for an interview about the hacking of her iPhone 11, a second smartphone she had borrowed — an iPhone 6s — also was infected with Pegasus, a later examination showed.

Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple’s reputation for superior security when compared with its leading rivals, which run Android operating systems by Google.

The months-long investigation by The Post and its partners found more evidence to fuel that debate.

Amnesty’s Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37.

Of those, 34 were iPhones — 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.

Only three of the 15 Android phones examined showed evidence of a hacking attempt, but that was probably because Android’s logs are not comprehensive enough to store the information needed for conclusive results, Amnesty’s investigators said.

Still, the number of times Pegasus was successfully implanted on an iPhone underscores the vulnerability of even its latest models.

The hacked phones included an iPhone 12 with the latest of Apple’s software updates.

In a separate assessment published Sunday, the University of Toronto’s Citizen Lab endorsed Amnesty’s methodology.

Citizen Lab also noted that its previous research had found Pegasus infections on an iPhone 12 Pro Max and two iPhone SE2s, all running 14.0 or more recent versions of the iOS operating system, first released last year.

Ivan Krstić, head of Apple Security Engineering and Architecture, defended his company’s security efforts.

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” he said in a statement.

“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.

While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Apple burnished its reputation for guarding user privacy during its high-profile legal fight with the FBI in 2016 over whether the company could be forced to unlock an iPhone used by one of the attackers in a San Bernardino, California, mass shooting the previous year.

The FBI ultimately withdrew from the legal clash when it found an Australian cybersecurity firm, Azimuth Security, that could unlock the iPhone 5c without any help from Apple.

Outside researchers praise Apple for its stand — and for continuing to improve its technology with each new generation of iPhones.

The company last year quietly introduced BlastDoor, a feature that seeks to block iMessages from delivering malware, to make Pegasus-style attacks more difficult.

The investigation’s conclusions also are likely to fuel a debate about whether tech companies have done enough to shield their customers from unwanted intrusions.

The vulnerability of smartphones, and their widespread adoption by journalists, diplomats, human rights activists and businesspeople around the world — as well as criminals and terrorists — has given rise to a robust industry offering commercially available hacking tools to those willing to pay.

NSO, for example, reported $240 million in revenue last year, and there are many other companies that offer similar spyware.

On Sunday, NSO’s chief executive, Shalev Hulio, told The Post that he was upset by the investigation’s reports that phones belonging to journalists, human rights activists and public officials had been targeted with his company’s software, even though he disputed other allegations reported by The Post and its partner news organizations.

He promised an investigation.

“Every allegation about misuse of the system is concerning to me,” Hulio said.

“It violates the trust we are giving the customer.”

Apple is not alone in dealing with potential intrusions. The other major target of Pegasus is Google’s Android operating system, which powers smartphones by Samsung, LG and other manufacturers.

Google spokeswoman Kaylin Trychon said that Google has a threat analysis team that tracks NSO Group and other threat actors and that the company sent more than 4,000 warnings to users each month of attempted infiltrations by attackers, including government-backed ones.

She said the lack of logs that help researchers determine whether an Android device has been attacked was also a security decision.

“While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers. We continually balance these different needs,” she said.

Advocates say the inability to prevent the hacking of smartphones threatens democracy in scores of nations by undermining newsgathering, political activity and campaigns against human rights abuses.

Most nations have little or no effective regulation of the spyware industry or how its tools are used.

“If we’re not protecting them and not providing them with tools to do this dangerous work, then our societies are not going to get better,” said Adrian Shahbaz, director of technology and democracy for Freedom House, a Washington-based pro-democracy think tank.

“If everyone is afraid of taking on the powerful because they fear the consequences of it, then that would be disastrous to the state of democracy.”

Hatice Cengiz, the fiancee of slain Washington Post contributing columnist Jamal Khashoggi, said she used an iPhone because she thought it would offer robust protection against hackers.

“Why did they say the iPhone is more safe?” Cengiz said in a June interview in Turkey, where she lives.

Her iPhone was among the 23 found to have forensic evidence of successful Pegasus intrusion.

The infiltration happened in the days after Khashoggi was killed in October 2018, the examination of her phone found.

NSO said in a statement that it had found no evidence that Cengiz’s phone had been targeted by Pegasus.

“Our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the company said.

A head-to-head comparison of the security of Apple’s and Google’s operating systems and the devices that run them is not possible, but reports of hacks to iPhones have grown in recent years as security researchers have discovered evidence that attackers had found vulnerabilities in such widely used iPhone apps as iMessage, Apple Music, Apple Photos, FaceTime and the Safari browser.

The investigation found that iMessage — the built-in messaging app that allows seamless chatting among iPhone users — played a role in 13 of the 23 successful infiltrations of iPhones.

iMessage was also the mode of attack in six of the 11 failed attempts Amnesty’s Security Lab identified through its forensic examinations.

One reason that iMessage has become a vector for attack, security researchers say, is that the app has gradually added features, which inevitably creates more potential vulnerabilities.

“They can’t make iMessage safe,” said Matthew Green, a security and cryptology professor at Johns Hopkins University.

“I’m not saying it can’t be fixed, but it’s pretty bad.”

One key issue: iMessage lets strangers send iPhone users messages without any warning to or approval from the recipient, a feature that makes it easier for hackers to take the first steps toward infection without detection.

Security researchers have warned about this weakness for years.

“Your iPhone, and a billion other Apple devices out-of-the-box, automatically run famously insecure software to preview iMessages, whether you trust the sender or not,” said security researcher Bill Marczak, a fellow at Citizen Lab, a research institute based at the University of Toronto’s Munk School of Global Affairs & Public Policy.

“Any Computer Security 101 student could spot the flaw here.”

Google’s Project Zero, which searches for exploitable bugs across a range of technology offerings and publishes its findings publicly, reported in a series of blog posts last year on vulnerabilities to iMessage.

The encrypted chat app Signal adopted new protections last year requiring user approval when an unfamiliar user attempts to initiate a call or text — a protection Apple has not implemented with iMessage.

Users of iPhones can choose to filter unfamiliar users by activating a feature in their devices’ settings, though research for many years has shown that ordinary users of devices or apps rarely take advantage of such granular controls.

In a 2,800-word email responding to questions from The Post that Apple said could not be quoted directly, the company said that iPhones severely restrict the code that an iMessage can run on a device and that it has protections against malware arriving in this way.

It said BlastDoor examines Web previews and photos for suspicious content before users can view them but did not elaborate on that process.

It did not respond to a question about whether it would consider restricting messages from senders not in a person’s address book.

The Amnesty technical analysis also found evidence that NSO’s clients use commercial Internet service companies, including Amazon Web Services, to deliver Pegasus malware to targeted phones.

Kristin Brown, a spokeswoman for Amazon Web Services, said, “When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts.”