<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Phishing</title>
	<atom:link href="http://praetorianprefect.com/archives/category/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Sir, the floor wishes to hear no more about your colon.</title>
		<link>http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 23:22:16 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[twishing]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1340</guid>
		<description><![CDATA[The <a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">Twitter worm/twishing attack of the other day</a> has caught some interesting casualties in its net, most notably <a href="http://www.marcorubio.com/">Marco Rubio</a>, a former Speaker of the Florida House of Representatives and a viable candidate for one of Florida's Senate seats in 2010, and <a href="http://www.zachwamp.com/">Zach Wamp</a>, a candidate for Governor of Tennessee and a 14-year U.S. congressional representative.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/senatefloor.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/senatefloor-150x150.jpg" alt="senatefloor" title="senatefloor" width="150" height="150" class="alignleft size-thumbnail wp-image-1358" /></a>The <a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">Twitter worm/twishing attack of the other day</a> has caught some interesting casualties in its net, most notably <a href="http://www.marcorubio.com/">Marco Rubio</a>, a former Speaker of the Florida House of Representatives and a viable candidate for one of Florida&#8217;s Senate seats in 2010, and <a href="http://www.zachwamp.com/">Zach Wamp</a>, a candidate for Governor of Tennessee and a 14-year U.S. congressional representative.</p>

<p>The <a href="http://www.twitter.com/marcorubio">@marcorubio</a> twitter account announced <i>&#8220;lol it&#8217;s amazing. look and feel great with http://cleansefats.com.&#8221;</i> on Wednesday. The campaign spokesman Alex Burgos stated that the account password was quickly changed and they are still investigating what happened. The Twitter worm from Wednesday is known to <a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">create a phishing style web site</a> to capture Twitter credentials, however there has been no admission from the campaign that anyone fell for this method. It is also not clear that the attack isn&#8217;t also seeded by breaking into someone&#8217;s Twitter account, a vector still fairly wide open as we detailed in <i><a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter</a></i>. Finally there is the possibility that the &#8220;Hi, this you on here&#8221; and this attack are separate.  Twitter is usually pretty light on details of their analysis (assuming there is an analysis) of these attacks after the fact.</p>

<div id="attachment_1341" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/rubio_tweet.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/rubio_tweet-300x169.jpg" alt="Senate Candidate Rubio discusses colon cleanser." title="rubio_tweet" width="300" height="169" class="size-medium wp-image-1341" /></a><p class="wp-caption-text">Senate Candidate Rubio discusses colon cleanser.</p></div>

<p>To his credit, candidate Rubio handled the whole incident pretty well:</p>

<pre><code>I got hacked selling something? Could be worse. They could have written Go Noles or Go Jets as if it was
coming from me!
9:43 AM Oct 29th from Echofon
</code></pre>

<p>Meanwhile Congressman Wamp&#8217;s account <a href="http://twitter.com/zachwamp">@zachwamp</a> sent out direct messages, or DMs, to his followers reading: <i>&#8220;hi. this works. i feel better and look great. http://bdgdfij.info.&#8221;</i> This URL also leads to a site about colon cleansing.</p>

<p>Congressman Wamp warned his followers about the DMs with the following tweet:</p>

<pre><code>Disregard any direct message you get from my acct, we got spammed. Go to http://zachwamp.com to 
see my real vision for a healthy Tennessee!
12:25 PM Oct 29th from web 
</code></pre>

<p>It is unclear at this time whether members of government are targeted because their Twitter followers are in specific need of colon cleansing products and therefore more susceptible to such advertising. Constipation may explain some of the angrier political discourse in the nation of the last six months or so.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">A twitter &#8220;worm&#8217;s&#8221; brilliant variation</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/operation-phish-phry/">Operation Phish Phry</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">ROFL this you on here? The latest Twitter Worm</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A twitter &#8220;worm&#8217;s&#8221; brilliant variation</title>
		<link>http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 21:55:03 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[money mule]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1285</guid>
		<description><![CDATA[A new twitter worm is being reported making the rounds this morning, which is actually an expertly crafted variant of the worm we reported <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">back on September 24th</a>. The variant has changed the direct message from "ROFL, this you on here?" to "hi. this you on here?". The bad actor in China has also used a new URL, but with the same Twitter login landing page, identifiable by the stray angle bracket ">" following the line under 'Sign in to Twitter'. This important difference in wording should allow for a spate of new captured twitter credentials.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/adam-lambert-feeling-good-video.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/adam-lambert-feeling-good-video-150x150.jpg" alt="adam-lambert-feeling-good-video" title="adam-lambert-feeling-good-video" width="150" height="150" class="alignleft size-thumbnail wp-image-1297" /></a>A new twitter worm is being reported making the rounds this morning, which is actually an expertly crafted variant of the worm we reported <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">back on September 24th</a>. The variant has changed the direct message from &#8220;ROFL, this you on here?&#8221; to &#8220;hi. this you on here?&#8221;. The bad actor in China has also used a new URL, but with the same Twitter login landing page, identifiable by the stray angle bracket &#8220;>&#8221; following the line under &#8216;Sign in to Twitter&#8217;. This important difference in wording should allow for a spate of new captured twitter credentials.</p>

<p>:)</p>

<p>In all seriousness, this attack does rely on a successful social engineering ploy, playing on the victim&#8217;s vanity or curiosity about themselves and originating the message from a trusted source. On Twitter you can only send a direct message to someone who is following you. Or put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages. This attack is the Twitter equivalent of e-mail phishing schemes that use an e-mail sent from someone else’s address book: you theoretically know the person already and are more likely to open an e-mail received from them and act upon any instructions contained therein. Combine the suggestion that this person you know or know of has found something about you on a blog with a login screen that is familiar, and you end up with a number of compromised Twitter accounts.</p>

<p>In an unusual variation, though, the URL used is less like the actual Twitter URL than in the original attack. Upon putting in credentials, you are, as in the previous attack, presented with the ubiquitous fail whale.</p>

<div id="attachment_1286" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/twitter_phishing.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/twitter_phishing-300x155.jpg" alt="Phishing site found when you click on the tweeted URL." title="twitter_phishing" width="300" height="155" class="size-medium wp-image-1286" /></a><p class="wp-caption-text">Phishing site found when you click on the tweeted URL.</p></div>

<p>This gets even more bizarre in that the fail whale page redirects you to &#8220;whatsup&#8221; http://gfsdgdf5845jg.blogspot.com/, the blog of NetMeg99 from Ventura, CA, with a picture of an American Idol contestant. NetMeg99 is a handle of Dawn Lager, apparently a big fan of American Idol contestant Adam Lambert, also from Ventura, CA. Here is her twitter feed as an example: <a href="http://twitter.com/NetMeg99">http://twitter.com/NetMeg99</a>. The feed looks legitimate, so we have no idea why the site is redirecting to this blog, which is not reported in the malware site listings we checked.</p>

<p>The URL of the phishing site, http://blogger.djhxkcs.com, is again hosted in Beijing, China according to GeoIP; the host is listed as Chinanet Yunnan Province Network, which is China Telecom’s (the 3rd biggest mobile telecom provider in China) internet service. This links it circumstantially to the previous attack, and therefore to a number of other related attacks as detailed <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">in our previous post</a>.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/">Sir, the floor wishes to hear no more about your colon.</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/operation-phish-phry/">Operation Phish Phry</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">ROFL this you on here? The latest Twitter Worm</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Operation Phish Phry</title>
		<link>http://praetorianprefect.com/archives/2009/10/operation-phish-phry/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/operation-phish-phry/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 11:43:07 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[money mule]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=792</guid>
		<description><![CDATA[A phish phry is a social gathering, and early Wednesday the FBI, US Attorney’s Office, the LA Electronic Crimes Task Force, and Egyptian authorities started working towards arranging the largest gathering of suspects indicted in connection with a single phishing scam to date.  Dubbed “Operation Phish Phry”, this two year inter-agency inter-country investigation is rounding up 100 suspects including 53 from North Carolina, Las Vegas, and Los Angeles as well as 47 in Egypt accused of stealing more than a million dollars from two U.S. banks.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/phishphry.jpeg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/phishphry-150x150.jpg" alt="phishphry" title="phishphry" width="150" height="150" class="alignleft size-thumbnail wp-image-875" /></a>If a phish phry is a social gathering, early Wednesday the FBI, US Attorney’s Office, the LA Electronic Crimes Task Force, and Egyptian authorities started working towards arranging the largest gathering of suspects <a href="http://praetorianprefect.com/wp-content/uploads/2009/10/indictment_operation-phish-phry1.pdf">indicted</a> in connection with a single phishing scam to date.  Dubbed “Operation Phish Phry”, this two year inter-agency inter-country investigation is rounding up 100 suspects including 53 from North Carolina, Las Vegas, and Los Angeles as well as 47 in Egypt accused of stealing more than a million dollars from two U.S. banks.  At time of writing at least 33 suspects are in custody in the United States.</p>

<blockquote>
  <p>&#8220;This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands, of bank customers,&#8221;</p>
  
  <p>Acting US Attorney George Cardona</p>
</blockquote>

<p>Hackers in Egypt perpetrated the phishing scam itself and recruited money mules in the U.S. to assist in transferring money to bank accounts opened to receive the fraudulent transfers. Through this method at least $1.5 million from a few thousand bank customers was siphoned from accounts at Bank of America and Wells Fargo, a portion of which was then wired back to Egypt. Some of this money was prevented from being withdrawn after the banks involved started working with law enforcement.</p>

<p>The FBI in Los Angeles has outlined the details in a <a href="http://losangeles.fbi.gov/pressrel/2009/la100709.htm">statement</a> released today:</p>

<p><i>According to the indictment that was unsealed this morning, Egyptian-based hackers obtained bank account numbers and related personal identification information from an unknown number of bank customers through phishing—a technique that involves sending e-mail messages that appear to be official correspondence from banks or credit card vendors. In illegal phishing schemes, bank customers are directed to fake websites purporting to be linked to financial institutions, where the customers are asked to enter their account numbers, passwords and other personal identification information. Because the websites appear to be legitimate—complete with bank logos and legal disclaimers—the customers do not realize that the websites do not belong to legitimate financial institutions.</p>

<p>The indictment alleges that co-conspirators in Egypt collected victims’ bank account information by using information obtained from their phishing activities. Armed with the bank account information, members of the conspiracy hacked into accounts at two banks. Once they accessed the accounts, the individuals operating in Egypt communicated via text messages, telephone calls and Internet chat groups with co-conspirators in the United States. Through these communications, members of the criminal ring coordinated the illicit online transfer of funds from compromised accounts to newly created fraudulent accounts.</i></p>

<h3>U.S. Connection</h3>

<p>The U.S. ringleaders in this scam were named as Kenneth Joseph Lucas, 25, Nichole Michelle Merzi, 24, and Jonathan Preston Clark, 25, all residents of California. Their role was directing the efforts of the more than forty U.S. runners who set up fraudulent bank accounts to receive the transfers and initiated the withdrawals.</p>

<blockquote>
  <p>“Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft.&#8221;</p>
  
  <p>Acting Assistant FBI Director Keith Bolcar</p>
</blockquote>

<p>They communicated with their Egyptian counterparts through text messaging, phone calls, and Internet chat rooms. Other runners have been named by local authorities including Shontovia Debose, 21, Trarnond Davis, 20, and Raymond Valentino Mancillas III, 21, of Las Vegas.</p>

<h3>Phishing</h3>

<p>Phishing is a form of fraud carried out over the Internet, commonly but not always associated with e-mail, in which a sender masquerades as another party and attempts to persuade the receiver to turn over sensitive information, such as access credentials for online banking web sites. The term phishing itself dates back to at least 1996, and the technique was described in detail in a 1987 paper delivered to an HP users group called Interex.</p>

<p>In this scenario, users received an e-mail purportedly from one of the two banks affected, giving a reason they should log into their online banking account and providing a link that appears to lead to the banking web site but in fact leads to a counterfeit site hosted elsewhere that simply collects the customer’s ID and password. Once the attackers had online access to the user&#8217;s bank account, a money transfer was initiated to a fraudulent account and the money withdrawn.</p>

<p>The scams themselves can be very difficult to detect.  In fact Robert Mueller, the Director of the FBI, admitted that his wife forbade him from doing banking online after <a href="http://www.smh.com.au/technology/security/fbi-director-banned-from-online-banking-20091008-gogk.html">he nearly fell prey to an e-mail phishing scam</a>. He noted that he received an e-mail requesting verification of account details, had started filling out information before realizing his error and then had to log into his account and change his password.</p>

<p>We&#8217;ll let him explain it:</p>

<p><a href="http://www.youtube.com/watch?v=M1PzM51JF5s">Video: FBI Director Robert Mueller on nearly falling for a phishing e-mail (YouTube)</a></p>

<h3>Examples of E-mail Text</h3>

<p>The following are examples of phishing style e-mails from previously reported scams:</p>

<pre><code>Subject: Notification for Customer of e-mail address change 

E-MAIL CHANGE NOTIFICATION

Dear Customer! 

Thank you for banking online at wellsfargo.com. Our records indicate that you recently added or made a
change to one of your email address(es). This notification is to confirm that you initiated this change.

If you feel you have received this email in error and did not add or change your email address(es), 
please click here.

Sincerely, 
Online Banking Team
</code></pre>

<pre><code>Subject: Regarding Your Wells Fargo Account 

Dear Wells Fargo customer, 

We have noticed that you experienced trouble logging into Wells Fargo Online Banking. 

After three unsuccessful attempts to access your account, your Wells Fargo Online Profile has been locked.
This has been done to secure your accounts and to protect your private information. Wells Fargo is
committed to making sure that your online transactions are secure. 

To unlock your account, and verify your identity please follow this link and sign in 

Sincerely, 
Wells Fargo
Online Customer Service
</code></pre>

<h3>Example E-mail Presentations:</h3>

<div id="attachment_817" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/boa.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/boa-300x173.gif" alt="Bank of America Example (Previous Scam)" title="boa" width="300" height="173" class="size-medium wp-image-817" /></a><p class="wp-caption-text">Bank of America Example (Previous Scam)</p></div>

<div id="attachment_818" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/phish_email.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/phish_email.jpg" alt="Example e-mail - Previous Scam" title="phish_email" width="300" height="254" class="size-full wp-image-818" /></a><p class="wp-caption-text">Wells Fargo Example (Previous Scam)</p></div>

<h3>Example Counterfeit Website:</h3>

<div id="attachment_819" class="wp-caption alignnone" style="width: 320px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/phish_site.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/phish_site.jpg" alt="Example Counterfeit web site - Previous Scam" title="phish_site" width="310" height="294" class="size-full wp-image-819" /></a><p class="wp-caption-text">Example Counterfeit web site - Previous Scam</p></div>

<h3>Penalties</h3>

<p>Suspects in the United States face possible conviction on a 51-count indictment including charges of conspiracy to commit wire fraud and bank fraud. The more involved suspects face additional charges including aggravated identity theft, money laundering, and unauthorized access to protected computers. The addition of <a href="http://www.law.cornell.edu/uscode/18/usc_sec_18_00001028---A000-.html">§ 1028A. Aggravated identity theft</a> is interesting in that it adds an automatic two years to each sentence if successfully prosecuted. Sentences of up to 20 years are possible though unlikely.</p>

<h3>In Conclusion</h3>

<p>The size and scale of this investigation, the sophistication of the criminal enterprise targeting large U.S. financial institutions, and the inter-agency inter-country cooperation in this investigation are remarkable.  As Keith Bolcar, acting assistant director in charge of the L.A. FBI stated: <i>&#8220;The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed&#8221;</i>.</p>

<h3>References</h3>

<ul>
<li><a href="http://losangeles.fbi.gov/pressrel/2009/la100709.htm">One Hundred Linked to International Computer Hacking Ring Charged by United States and Egypt in Operation Phish Phry</a></li>
<li><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/indictment_operation-phish-phry1.pdf">Indictment</a></li>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/10/07/AR2009100703682.html">33 Arrested as FBI Busts Global &#8216;Phishing&#8217; Ring</a></li>
<li><a href="http://www3.signonsandiego.com/stories/2009/oct/07/bn07fraud-woman-indicted/?northcounty&amp;zIndex=178962">Vista woman accused of leading international bank-fraud ring</a></li>
<li><a href="http://www.fox5vegas.com/news/21230528/detail.html">Las Vegans Arrested In ‘Phish Phry’ Bust</a></li>
<li><a href="http://www.theregister.co.uk/2009/10/08/100_phishers_netted/">Feds net 100 phishers in biggest cybercrime case ever</a></li>
<li><a href="http://www.pcworld.com/article/173318/operation_phish_phry_nets_100_suspects.html">Operation Phish Phry Nets 100 Suspects</a></li>
<li><a href="http://www.smh.com.au/technology/security/fbi-director-banned-from-online-banking-20091008-gogk.html">FBI director banned from online banking</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/">Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/">JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/">Forensics: Beverages Aside, A Look at Incident Response Tools</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/operation-phish-phry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ROFL this you on here? The latest Twitter Worm</title>
		<link>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 08:25:29 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[captcha]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[money mule]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=484</guid>
		<description><![CDATA[At 2pm on Wednesday 9/24, wide-scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”. The link opens a Twitter-style login page (albeit Twitter’s previous version of this page; they have a new one) which, except for being an old version and containing a stray angle bracket, is convincing. Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.]]></description>
			<content:encoded><![CDATA[<p>At 2pm on Wednesday 9/24, wide-scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”. The link opens a Twitter-style login page (albeit Twitter’s previous version of this page; they have a new one) which, except for being an old version and containing a stray angle bracket, is convincing. Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.</p>

<div id="attachment_488" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_spoofedhomepage1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_spoofedhomepage1-150x150.gif" alt="The phishing site&#039;s Twitter login page." title="The spoofed Twitter homepage" width="150" height="150" class="size-thumbnail wp-image-488" /></a><p class="wp-caption-text">The phishing site's Twitter login page.</p></div>
<div id="attachment_490" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_newhomepage.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_newhomepage-150x150.gif" alt="The real Twitter homepage" title="Twitter&#039;s real homepage" width="150" height="150" class="size-thumbnail wp-image-490" /></a><p class="wp-caption-text">The real Twitter homepage</p></div>

<p>Because direct messages are private, it is not possible for anyone but Twitter itself to pinpoint both when the attack began and the original seeding of the attack (whether compromised user accounts, previously set up spam/bot accounts, or another method). A number of accounts appear to have been affected; by 5pm TwitScoop (a service that monitors popular Twitter trends) started reporting trending words including “hacked”, “worm”, and “spreading”. The attack is effective based on two classic principles of social engineering: the message comes from someone you have previously followed (and implicitly trust on some level), and the message appeals to a combination of curiosity and vanity.</p>

<p>On Twitter you can only send a direct message to someone who is following you. Or put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages. This attack is the Twitter equivalent of e-mail phishing schemes that use an e-mail sent from someone else’s address book: you theoretically know the person already and are more likely to open an e-mail received from them. Combine the suggestion that this person you know or know of has found a video of you online with a login screen that is familiar, and you end up with a number of compromised Twitter accounts.</p>

<div id="attachment_494" class="wp-caption alignnone" style="width: 365px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/Tweetie.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/Tweetie.png" alt="The direct message containing the link to the spoofed Twitter login." title="The Direct Message" width="355" height="118" class="size-full wp-image-494" /></a><p class="wp-caption-text">The direct message containing the link to the spoofed Twitter login.</p></div>

<p>This is far from the first worm Twitter has faced (Koobface, StalkDaily, mikeyy), and it is not even the first direct message phishing attack <a href="http://blog.twitter.com/2009/01/gone-phishing.html">in this style</a>.</p>

<p>While labeled a worm on Twitter, it has not been confirmed that this is a self-replicating program, an important part of the definition of a computer worm; it merely appears that way. To establish this, Twitter would have to release some analysis of its logging showing a correlation between a compromised Twitter account, a direct message to a group of parties, a subsequent compromise and direct message from within that second group, and so on down the chain. For now we’ll assume this is the path the attack is taking, based on the evidence we have noticed thus far. Regardless, since everyone is referring to this as a Twitter worm, for the sake of clarity we’ll continue to call it a worm here and update if proven otherwise.</p>

<p>What happened if you did go ahead and put credentials in the login screen: Fail Whale.</p>

<div id="attachment_1289" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twphish.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twphish-300x222.jpg" alt="If you put any string in for the login or password, this is what you get." title="twphish" width="300" height="222" class="size-medium wp-image-1289" /></a><p class="wp-caption-text">If you put any string in for the login or password, this is the response.</p></div>
<br /><br /></p>

<h4>No Newcomer</h4>

<p>According to GeoIP the URL in question is hosted in Beijing, China; the host is listed as Chinanet Yunnan Province Network, which is the internet service of China Telecom (the third largest mobile telecom provider in China). The e-mail address used in the registration, lixing688@gmail.com, links it to similar phishing sites for Twitter and MySpace identified in the malwaredomainlist forums back in July. That time around the site URL was secure-login.twitter.verifiylogin.com/twitter/, and MySpace was cloned at rnyspece.com (note the &#8220;rn&#8221; standing in for &#8220;m&#8221;).</p>

<p>Another domain registered with the same e-mail address, Faecibook.com, hosts a phishing site that preys on users in much the same way as the Twitter attack, posting comments on Facebook such as this: <em>&#8220;seen this really bad blog about you? http://www.jdsense.com/search/redirect.php?f=http://blogs.faecibook.com/sessionid?nglnbskuf&#8221;</em>.</p>

<p>That e-mail address was also used in a series of money transfer agent (money mule) scams with bogus charity phishing web sites (KPEREZHOME, Rodney Lawrence International, Edward White, et al.), all registered through a <a href="http://www.infoworld.com/d/developer-world/worst-registrar-xin-net-crackdown-requested-194">problematic registrar</a>, the Xin Net Technology Corporation.</p>
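<p>The pivot used in this section, clustering domains on a shared registrant e-mail and spotting brand lookalikes such as rnyspece and faecibook, is the kind of triage worth automating. The following is an added example for this post, not a tool the original article describes: the WHOIS records are a constructed dictionary (assumption) that only carries the domain to registrant e-mail associations the post states, the brand list and confusable pairs are the example&#8217;s own, and the registrable-domain helper is a naive last-two-labels cut rather than a public suffix list lookup.</p>

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed WHOIS excerpts (assumption): domain -> registrant e-mail.
# The three phishing domains and the address are those named in the post;
# example.org is an unrelated control entry.
WHOIS = {
    "verifiylogin.com": "lixing688@gmail.com",
    "rnyspece.com":     "lixing688@gmail.com",
    "faecibook.com":    "lixing688@gmail.com",
    "example.org":      "hostmaster@example.org",
}

BRANDS = ("twitter", "myspace", "facebook")

# Character sequences that render alike in common fonts; "rn" for "m" is the
# trick behind rnyspece. Fold them before comparing with a brand name.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def registrable_domain(hostname):
    """Naive eTLD+1: the last two labels (no public-suffix list; assumption)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def fold_confusables(label):
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def lookalike_brand(hostname, brands=BRANDS, threshold=0.8):
    """Best (brand, score) over every DNS label after confusable folding.

    brand is None when no label reaches the threshold. An exact brand label
    such as the 'twitter' in secure-login.twitter.verifiylogin.com scores 1.0.
    """
    best_brand, best = None, 0.0
    for label in hostname.lower().split("."):
        folded = fold_confusables(label)
        for brand in brands:
            score = SequenceMatcher(None, folded, brand).ratio()
            if score > best:
                best_brand, best = brand, score
    return (best_brand if best >= threshold else None, round(best, 3))


def registrant_clusters(whois):
    """Group domains by registrant e-mail: the pivot used in the post."""
    clusters = defaultdict(list)
    for domain, email in whois.items():
        clusters[email].append(domain)
    return {email: sorted(domains) for email, domains in clusters.items()}


def triage(hostnames, whois=WHOIS):
    """For each observed hostname: impersonated brand, registrant, siblings."""
    clusters = registrant_clusters(whois)
    out = {}
    for host in hostnames:
        domain = registrable_domain(host)
        brand, score = lookalike_brand(host)
        email = whois.get(domain)
        siblings = [d for d in clusters.get(email, []) if d != domain]
        out[host] = {"brand": brand, "score": score,
                     "registrant": email, "siblings": siblings}
    return out


if __name__ == "__main__":
    seen = ["secure-login.twitter.verifiylogin.com", "rnyspece.com",
            "blogs.faecibook.com", "example.org"]
    for host, row in triage(seen).items():
        print(host, row)
```

<p>A similarity ratio on its own produces false positives on short labels, which is why the example folds confusables first and reports the score alongside the verdict instead of a bare boolean; in practice the registrant pivot is the stronger signal, and the lookalike score is there to prioritise which sibling domains to look at first.</p>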

<p>A photographer, Warren Henke, <a href="http://www.warrenhenke.com/blogs/rants/glen-hamilton-international-organization">wrote a blog post</a> describing a phishing e-mail he received from the &#8220;Glen Hamilton International Organization&#8221;, part of the same scam.</p>

<div id="attachment_506" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/rodney-lawrence-international.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/rodney-lawrence-international-300x228.jpg" alt="The Rodney Lawrence International phishing site." title="Rodney Lawrence International" width="300" height="228" class="size-medium wp-image-506" /></a><p class="wp-caption-text">The Rodney Lawrence International phishing site.</p></div>

<h4>Something New</h4>

<p>One thing that separates this attack from previous ones is timing: since the more famous compromises of January of this year (Barack Obama, Britney Spears, CBS News, Kevin Rose), Twitter has implemented some controls around the login screen, including a CAPTCHA that appears after several bad password entries.</p>

<p>A CAPTCHA is a test designed to differentiate humans from computers and so prevent abuse by bots, the automated programs used to generate spam among other things. It is a contrived acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA rests on three principles: a computer cannot solve it, most humans can, and its strength does not rely on obscurity, such as the scheme being new and not yet studied by attackers.</p>

<div id="attachment_498" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/capchascreen1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/capchascreen1-300x179.gif" alt="reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows." title="ReCaptcha" width="300" height="179" class="size-medium wp-image-498" /></a><p class="wp-caption-text">reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows.</p></div>

<p>Twitter actually uses reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows: when you transcribe the image to text you are acting as a human optical character recognition (OCR) engine. The service was acquired by Google this month.
CAPTCHAs have been broken at each step of the method&#8217;s evolution, going back to EZ-Gimpy, the early scheme deployed by Yahoo, and the breaks follow roughly the same three step process: pre-processing (removing the background clutter), segmentation (separating the letters), and classification (identifying each letter). Segmentation remains the one step where humans still outperform computers; however, spammers are achieving some level of success there too. Here is a good analysis from WebSense detailing how a service in Russia is achieving a <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">20% rate in automated breaks</a> of CAPTCHA images.</p>

<p>So CAPTCHA, while not perfect, does help mitigate dictionary and brute force password attacks by adding another layer of cost to the authentication process. The usual reasons for beating a CAPTCHA are to post blog comment spam, to create fraudulent accounts such as the e-mail example above, and similar automated completion of web forms designed for human interaction. In those applications a partial solve rate is good enough: download the image, translate it to text, and the comment is posted or the e-mail account created; if two or three out of every ten attempts succeed, comments get posted and accounts get opened at an acceptable rate.</p>

<p>A password cracking application, by contrast, moves through many password candidates for each id as quickly as it can; the extra processing per guess, combined with a less than perfect solve rate, adds a cost that makes the approach unattractive. With that in mind, how does the bad actor break into Twitter accounts easily?
The answer may lie in the Twitter API, which rate limits requests but grants a much higher limit to applications that ask for one. That is not to suggest this is definitely what this attacker did: the bad actor may have held previously compromised ids, may have used more conventional spam tactics to get an original seeding of ids, or may have broken into a few early accounts as discussed here. Only Twitter has the log access to figure this out.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
	</channel>
</rss>
