Digiss Blogs - Thwarting your adversaries...

Some people have made Nigeria proud. Again.

At least 4 Nigerians have been indicted in a $1.3m dollar phishing scheme that targeted customers of major banks in the United States of America.
Chase Bank, Bank of America, ADP and Branch Bank & Trust are the banks involved while Charles Umeh Chudi (UK), Osarhieme Uyi Obaygbona (Atlanta), and Olaniyi Jones (Nigeria) are among the six criminals indicted alongside the principal culprit - Waya Nwaki, a.k.a Prince Abuja.

Nwaki was arrested in December 2011 on charges of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorised access to computers. But for the collaborative efforts between the victim banks and the FBI, these criminals would have continued to live like kings after successfully robbing other people of their hard earned money.

Going by a related story on naijapals, EFCC are currently on the case of Nigerian-based Olaniyi Jones who is currently awaiting judgement on his extradition to the United States of America for his part in this crime.

According to the indictment filed with the U.S District Court in NJ, these cyber thieves launched phishing attacks against unsuspecting individuals between August 2000 and June 2010 causing the victims to disclose their confidential personal and financial information.

Phishing is the act of sending deceptive e-mails - purported to come from a trusted party, e.g., a financial institution - to a large group of people in the hope of getting a 'positive' response from a percentage of this group. Most recipients are educated enough to just delete these e-mails without reading them, but those who eventually fall victim generally supply all the information requested by the criminals. These criminals then leverage this information to gain unauthorised access to the victim's online accounts.

This type of attack is still very common but its success rate is diminishing, thanks to constant user education and out-of-band authentication techniques. The days of username and password are long gone and if your bank still authenticates you via this means alone, you might want to consider taking your money elsewhere. If you don't, your account will be breached someday.

I should mention that online criminals have evolved as well though. We are now seeing what is called Man-in-the-browser (MITB) attacks, which means that even if you have a one-time password (OTP) device, popularly known as hardware token, your online account can still be emptied! All the criminal needs do is get your machine infected with a trojan.
One will normally hope that this will serve as a deterrent to other cyber thieves, but that's all it is - hope.

It will be interesting to see how this case concludes come August 15, 2012 - when judgement will be served.

Having got back from the office after a lengthy & busy couple of days, I settled down to watch Barcelona destroy Bayern Leverkusen in the Champions League. Midway through the one-sided match, I got a call from a friend who asked me to check whether I could access GTB's website from my PC. He complained that he had been trying for the past 12 hours without any joy! My initial suspicion was: either his PC was having issues, or his ISP's DNS servers were screwed but it turned out that I was wrong!

I was least expecting that, even if their website had been hijacked, GTB would not have the requisite recovery capabilities to ensure that the site comes back to life within minutes. Anyway, I decided to see things for myself by jumping on my little malware analysis toy laptop. Well, I did indeed find that the site was redirecting my traffic all over the place. The redirection path is thus: mylife.tk=>domain.dot.tk=>search discovered.com=>searchmagnified.com=> (..etc, etc....) =>cdn.optmd.com.

Even Afrikeo had a pop at them!

How good is this for business? Well, let's imagine that 1000 online transactions of an average value of 10,000 Naira occur on GTB's website every hour. It means that the company loses N10,000,000/hour in transactional value. However, assuming that the site went down just before my friend accessed it at 0900GMT (and still hasn't recovered up till now, which it hasn't) they would have lost N150,000,000 in transactional value. I am not a banker, but assuming the profit margin on this volume is 5%, this represents a loss of N7,500,000. Ok, that's just about enough to pay the annual salary of a middle management staff, but this is an unwanted loss that could have easily been prevented. Besides, GTB's reputation and the confidence of their customers would have taken a bit of a hit, which we cannot put a Naira amount to!

Let's hope our financial organisations learn fast.

Back to the attack; going by my quick analysis, the attacker is focusing on his primary target which is GTBank. User's (secondary targets) are not currently being re-directed to websites hosting malicious codes, but that can change anytime. Before you visit the website, make sure you check the state of your browser and it's plugins here - and do the needful if need be - just in case you're redirected to a website hosting malicious exploit kits

Currently, it looks like a denial of service attack where the attacker is demanding a ransom before handing control of the website back to the legitimate administrator - this is the kind of deep mess you can find yourself in if you fail to guide your critical assets jealously.

One can also make so many educated guesses as to the cause of this incident. The domain does not expire until March 2016, so this isn't the cause of the re-directs. There is a fair chance that the site is running a vulnerable version of Apache which has been exploited as Netcraft shows that the last change (to the site's Apache web server app) occurred yesterday.

Anyhow, let's watch how this event unfolds and hope that our dear GTBankDOTcom recovers on time.

Investigation efforts by the FBI, Scotland Yard and some other European cops were undermined as the infamous 'hacktivist' group - Anonymous - pulled a fast one on them by listening in on conference call conversations between the law enforcement organisations. The 16-minute call was recorded, and is now doing the rounds on the Internet. The cops are mere mortals like us afterall - they can be heard cracking jokes and discussing McDonalds' fast foods. Infact one of the British folks even mistook Sheffield for Birmingham. Names of criminals being investigated were mentioned, but the hackers rightly or wrongly - depending on whose side you are - bleeped out some parts of the recordings in an effort to protect the identities of the individuals being discussed as much as possible.

Details of the conference call was acquired when the bad guys hacked into the e-mail of one of the FBI agents. They then dialled in, didn't announce their name(s) on 'arrival' and managed to remain passive throughout the duration of the conference call. This was basic 'school boy' error but at least we can learn a thing or two from this incident. Getting every attendee to say their name and 'stock taking' by the person chairing the conference shouldn't be optional.

Apparently, the purpose of the call was to strategise on how to uncover the identities of the key members of Lulzsec and Anonymous. It so turned out that the intended prey became the hunter! Leonardo Dicaprio's 'Catch me if you can' movie comes to mind.

As we've learned some lessons from this, it is hoped that the almighty FBI and other security agencies have learned a thing or two from this embarrassing episode themselves.

If you're interested in listening in on the recorded session, I suggest you 'google' it now before it's pulled from the nooks and crannies of the Interweb. Oh actually, I'll make that easier. Try here;-)