Krebs on security bitcoin chart
When he examined what that traffic was designed to do, he found his honeypot systems were being told to download a piece of malware from a destination on the Web. My source grabbed a copy of the malware, analyzed it, and discovered it had two basic functions: When he realized how his system was being used, my source fired up several more virtual honeypots, and repeated the process.
What he observed was that all of the systems were being used for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites.
Unfortunately, this type of criminal proxying is hardly new. Crooks have been using hacked PCs to proxy their traffic for eons. The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last.
And in just four months between April and July , vDOS was responsible for launching more than million seconds of attack time, or approximately 8. Let the enormity of that number sink in for a moment: That kind of time compression is possible because vDOS handles hundreds — if not thousands — of concurrent attacks on any given day. The hack of vDOS came about after a source was investigating a vulnerability he discovered on a similar attack-for-hire service called PoodleStresser.
PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS.
Responses from the tech support staff show that the proprietors of vDOS are indeed living in Israel and in fact set the service up so that it was unable to attack any Web sites in that country — presumably so as to not attract unwanted attention to their service from Israeli authorities. Here are a few of those responses: "Sorry for any inconvenience." "I know him from Israel." P1st0, and AppleJ4ck. The Web server hosting vDOS also houses several other sites, including huri[dot]biz, ustress[dot]io, and vstress[dot]net.
Virtually all of the administrators at vDOS have an email account that ends in v-email[dot]org, a domain that also is registered to an Itay Huri with a phone number that traces back to Israel.
The proprietors of vDOS set their service up so that anytime a customer asked for technical assistance the site would blast a text message to six different mobile numbers tied to administrators of the service, using an SMS service called Nexmo.
Two of those mobile numbers go to phones in Israel. One of them is the same number listed for Itay Huri in the Web site registration records for v-email[dot]org; the other belongs to an Israeli citizen named Yarden Bidani. Neither individual responded to requests for comment. The data shows that vDOS support emails go to itay huri[dot]biz, itayhuri8 gmail.
But for several years until recently it did, and records show the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts. They did this because at the time PayPal was working with a team of academic researchers to identify, seize and shutter PayPal accounts that were found to be accepting funds on behalf of booter services like vDOS.
Turns out, AppleJ4ck and p1st routinely recruited other forum members on Hackforums to help them launder significant sums of PayPal payments for vDOS each week. The data shows that they now use an intermediary server. When a Bitcoin payment is received, Coinbase notifies this intermediary server, not the actual vDOS servers in Bulgaria.
A server situated in the middle and hosted at a U. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment. Gyft declined to comment on the record for this story. Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.
Krebs on Security: In-depth security news and investigation. The vDos home page.
Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts. Kim said the attackers in that case even came on the MacRumors forum and posted a blow-by-blow of the attack , confirming that the cause of the breach was a compromised moderator account.
Kim said the person who left the comment was using the same Internet address as the attacker who hacked his forum, and that the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.
All of you kids that are saying upgrade from 3. This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom. To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.
Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.
The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. And those victims will no longer have the option to pay the ransom via MoneyPak.
Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer.
A complaint unsealed Oct. Investigators with the FBI and U. Post Office inspectors say they tracked dozens of packages containing drugs allegedly shipped by Sadler and a woman who was living with him at the time of his arrest. Authorities tied Sadler to the Silk Road after intercepting a package of cocaine and heroin destined for an Alaskan resident. Investigators allege that the tracking showed the two traveled to at least 38 post offices in the Seattle area during the surveillance period.
Two of those servers were located in Iceland, one in Latvia, another in Romania, and apparently one in the United States. See the map above. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares. But the most recent attempt to embarrass and fluster this author easily takes the cake as the most elaborate: Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police.
Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery.
In the screenshot pictured above, Flycracker says to fellow members: "We will save Brian from the acute heroin withdrawal and the world will get slightly better!" At first, Fly tried to purchase a gram of heroin from a Silk Road vendor named 10toes, an anonymous seller who had excellent and plentiful feedback from previous buyers as a purveyor of reliably good heroin appropriate for snorting or burning and inhaling (see screenshot below).
Seller said the package will be delivered after 3 days, on Tuesday. If anyone calls then please say that drugs are hidden well. Last week, I alerted the FBI about this scheme, and contacted a Fairfax County Police officer who came out and took an official report about it. Meiklejohn and fellow researcher Damon McCoy, an assistant professor of computer science at George Mason University, have been mapping out a network of bitcoin wallets that are used exclusively by the curators of the Silk Road.
If you wish to transact with merchants on the Silk Road, you need to fund your account with bitcoins. The act of adding credits appears to be handled by a small number of bitcoin purses. New fraudster-friendly content management systems are making it more likely than ever that crooks who manage botnets and other large groupings of hacked PCs will extract and sell all credentials of value that can be harvested from the compromised machines.
That is, they tend to chronically undervalue the computers at their disposal, and instead focus on extracting specific resources from hacked PCs, such as using them as spam relays or harvesting online banking credentials. Some of the panels are even reselling hacked credentials at popular porn sites. Goods can be purchased via virtual currencies such as Perfect Money and bitcoin. The shop shown below — blackhatstore[dot]ru — borrows the trademarked image of the Black Hat security conference franchise.