Uncategorized Archive

Crooks using online games to farm virtual currencies that they can sell for real money have turned internet spaceship game Eve Online into a battlefield for botnets.

Eve Online is home to various rival groups who generate in-game currency for gamers who want to join in without spending their time acquiring experience and resources by working their way up from the bottom. Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the cross-fire of multi-pronged attacks that might occur in game, via DDoS attacks on forums, over VoIP communication systems and through late night prank phone calls. Game servers have taken a hit in the process.

Gold farmers are known for using Trojans to gain control of compromised accounts. The Eve Online baddies have taken a different tack through attacks that swamp forums with junk traffic.

Chris Boyd, a senior threat researcher at GFI Software and a gaming security expert, said that Eve Online’s difficulties are part of wider problems in virtual worlds.

“Gold farmers can cause the price of in-world items to rise, chat channels can be flooded by sale scams, endless bots and automated processes can cause significant server load,” Boyd told El Reg. “That’s before you get to the problems created by phishing, hacking and scamming established and profitable accounts.”

Boyd (AKA paperghost) agreed that the miscreants on Eve Online are taking it up to 11.

“The idea that there are effectively dead systems filled with nothing but spambots and hostile empires that are happy to do battle outside of their gaming realm by DDoS’ing websites and making prank phone calls is a fascinating insight into the troubles plaguing virtual worlds, and real world currency having a marked impact on virtual trading makes this a few steps above dedicated DDoS botnets designed for nothing other than kicking console gamers out of Halo 3 sessions.”

Various groups rumoured to be working out of Eastern Europe and Russia are said to be offering in-game currency for real money. “Investigations by the owners of the game have caused several leaders of these alliances to be banned in the past,” explained Reg reader Patrick, who was the first to tell us of the hive of villainy within Eve Online.

Anti-zombie PC systems hit the market one after another in the wake of the DDoS (distributed denial of service) attack earlier in March this year and the recent NACF (National Agricultural Cooperative Federation) network breakdown caused by a laptop infected by a zombie PC.

Wins Technet, Piolink and NP Core are about to enter the market with their CC (Common Criteria) certifications, a qualification required to supply anti-malicious-bot solutions to the local public-sector market.

Wins Technet has recently released the Sniper BPS, which not only detects and blocks a PC infected with a malicious bot from accessing networks but also analyzes the malicious code in order to disinfect affected computers. It has already won the CC mark and is getting ready to win over public-sector customers after June.

Piolink has also launched a similar product, dubbed TiFRONT-AntiBot, and has supplied it to the National Computing & Information Agency, the Korea Internet & Security Agency and major companies in the industry. The solution detects botnets attempting to access networks, analyzes them, and directs the L2 security switch to shut them off. Saint Security, a local bot detection firm, participated in the development of the product and improved its detection accuracy.

In the meantime, foreign companies like Trend Micro, Symantec and FireEye are preparing to enter the local malware detection software market, too. As such, it is likely that domestic and foreign solution developers will be engaged in neck-and-neck competition down the road.

According to a new case study published by the Internet Security Awareness Training (ISAT) firm KnowBe4, a telephony denial-of-service (TDoS) attack against a semi-retired St. Augustine dentist served as a smokescreen for a nearly $400,000 cyberheist.

In November 2009, Robert Thousand Jr. began receiving a flood of calls to his business, home and mobile phone lines. The calls consisted of a 30-second recorded message from a sex hotline. What appeared to be a phone service issue turned out to be far more sinister. The following month, Thousand discovered that five transfers totaling $399,000 had been made from his TD Ameritrade retirement account. When the FBI investigated his case, it became apparent that the TDoS attack was intended to prevent Thousand’s broker from reaching him while the criminals committed their cyberheist.

TDoS is a form of denial-of-service (DoS) attack. When the calls come from multiple sources, it is known as a distributed denial-of-service (DDoS) attack. The high volume of automated calls prevents victims from making or receiving legitimate calls, thereby denying them use of their phone service. In Thousand’s case, the cybercriminals set up a number of VoIP accounts and used automated dialing to inundate his phone lines. While that was happening, they initiated the transfers that drained his retirement account.

Thousand was not the only victim to be targeted in such a manner. Others reported similar telephony DoS attacks in the months that followed. In 2010, the Communication Fraud Control Association (CFCA) and the FBI formed a partnership to identify TDoS patterns and trends, prevent DoS attacks, raise Internet security awareness and catch those who conduct cyberheists. Despite these efforts, unsuspecting members of the public can still fall prey to increasingly sophisticated cybercrime tactics.

“The problem is larger than the issue of telephony denial of service alone,” explained KnowBe4 founder and CEO Stu Sjouwerman (pronounced “shower-man”). “Before the cybercriminals launched their TDoS attack, they found a way to obtain Dr. Thousand’s Ameritrade account information and password. Victims in these cases are often targeted through phishing attempts or by clicking an innocuous-looking email link that downloads malware to their system. In this manner, criminals are able to capture account details, passwords and other personal information. Once they have access to an account, they can then change the contact numbers and impersonate the victim when communicating with the bank or broker.”

Sjouwerman advises those on the receiving end of a telephony DoS attack to immediately contact all financial institutions where they hold accounts and request a halt to any transfer requests, and then report the suspected cybercrime to the authorities. The sooner victims act, the better chance they have of preventing or minimizing potential losses. However, Sjouwerman emphasizes that Internet security awareness is critical in order for targets to prevent a cybercriminal from obtaining their account information in the first place.

“As awareness of phishing tactics increases, people are becoming more wary of emails from unknown senders. However, cybercriminals have become much more sophisticated in their practices. They are able to convincingly make it appear as if an email is being sent by a bank, government institution or trusted friend or colleague,” noted Sjouwerman. “All it takes is a single click to unwittingly give intruders access to a computer. They can then view all of the personal information contained within, as well as any transactions conducted online.”

While individuals must take responsibility for their own Internet activity and data security, Sjouwerman stressed that businesses need to implement proactive measures to minimize their employees’ vulnerability to phishing tactics. “In many cases, data security breaches that occur from within a company are not the result of any employee’s malicious intent, but rather an honest mistake made by someone who happened to be susceptible to phishing. That’s why Internet security awareness training is so important. It helps personnel identify and avoid potential phishing attempts that can expose the company to financial loss and intellectual property theft.”

Australians love to place bets online but little do some punters know of the dangers lurking in cyberspace.

Melbourne-based internet betting and entertainment website Sportsbet.com.au found out about these dangers the hard way when in 2009 the company was the target of a distributed denial of service attack (DDoS).

A DDoS attack involves harnessing hundreds or thousands of computers to simultaneously bombard a website with data so it becomes overwhelmed. The computers in such attacks have typically been infected with malware so they can be used without the consent or knowledge of their owners.

According to the company, traffic on the Sportsbet site can reach 2000 hits per second as punters place bets on race days and cyber criminals are keen to try and take a share of the money. Heightened attention during the Spring Carnival race in Melbourne during 2009 proved a viable opportunity for attack on its services.

Competitors TABCorp, Sportingbet and Centrebet all faced attack over the same time frame.

Sportsbet IT security manager, Gonzalo Ernst, told Computerworld Australia the company managed to mitigate against heavy traffic resulting from the attack.

“We had help from our internet service provider [ISP] because it’s a bandwidth attack and can only be done at the ISP level,” he said. “We have an agreement with our ISP to offer protection.”

According to Ernst, there were rumours of more DDoS attacks in 2010 on betting agency websites, but Sportsbet has not experienced a DDoS attack since its upgraded firewall, the Crossbeam X-Series, was installed.

While the Sportsbet website experienced service degradation for only two hours during its attack, the IT department made a decision to upgrade its firewalls to ensure the security infrastructure had the capacity to handle future attacks.

At the time, the company was using a C12 security offering from its vendor Crossbeam but, following the attack, it upgraded to the X-Series combined with a Check Point firewall.

The new Crossbeam firewall handles 10 to 13 million connections per second, allowing the company to withstand connection attacks, in which millions of connections are directed at a homepage to pull it down.

Online betting was a growth industry for Sportsbet, continuing to double traffic to the company’s website.

Crossbeam Australia and South East Asia regional sales director, Andrew Draper, said in a statement that Sportsbet had been working with the vendor since 2006.

“In our [Australian] customer base they are completely unique in that they are a 100 per cent Web-based business. We’re not working with other online betting agencies in Australia at present,” he said.

While he would not name any other Australian customers, Draper said Crossbeam does operate in the telecommunications, university, financial services, insurance and government sectors.

Ernst advised other companies to have a close partnership with their ISP and good monitoring tools in place.

“The important thing, once you get an attack, is to know what kind of attack it is.”
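Ernst's two points, monitoring tools and knowing what kind of attack is underway, can be illustrated with a small classifier. The script below is an added example and is not code from Sportsbet, Crossbeam or Computerworld; it reads constructed per-connection records (not real traffic data), aggregates them per second and labels each second as normal, a connection flood (many near-empty connections, the kind of attack the article says the upgraded firewall is sized for) or a bandwidth flood (aggregate bytes beyond what the link can carry, the kind Ernst says only the ISP can absorb). The thresholds and the record format are assumptions for the example; a real deployment derives its limits from a baseline of the site's own traffic.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real Sportsbet or Crossbeam data).
# Format per line: "<epoch_second> <source_ip> <bytes_in_connection>".
NORMAL_LINES = [
    "1 203.0.113.10 1800", "1 203.0.113.11 2200", "1 203.0.113.12 1950",
    "2 203.0.113.10 1700", "2 203.0.113.13 2100", "2 203.0.113.14 2050",
    "3 203.0.113.15 1850", "3 203.0.113.16 1900",
]
# Constructed connection flood: in seconds 4 and 5, three sources each open
# 200 connections that carry almost no data.
FLOOD_LINES = [
    f"{sec} 198.51.100.{src} 40"
    for sec in (4, 5) for src in (7, 8, 9) for _ in range(200)
]
# Constructed bandwidth flood: in second 6, two sources push large payloads.
BANDWIDTH_LINES = [
    f"6 192.0.2.{src} 1400000" for src in (21, 22) for _ in range(10)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + FLOOD_LINES + BANDWIDTH_LINES)

# Hypothetical thresholds chosen for this example only.
CONN_RATE_LIMIT = 100          # new connections per second
SMALL_PAYLOAD = 100            # bytes per connection typical of an empty probe
BYTES_RATE_LIMIT = 10_000_000  # bytes per second the upstream link can absorb


def parse_flows(text):
    """Parse 'second src bytes' lines into (second, src, bytes) tuples.

    Malformed lines are skipped rather than aborting the whole run, since a
    monitoring pipeline must keep working on partially corrupt input.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            flows.append((int(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return flows


def classify_per_second(flows):
    """Return {second: (label, total_conns, total_bytes, top_sources)}.

    label is 'normal', 'connection flood' (many tiny connections) or
    'bandwidth flood' (aggregate bytes exceed what the link can carry).
    """
    conns = Counter()
    byte_totals = Counter()
    per_src = defaultdict(Counter)
    for sec, src, nbytes in flows:
        conns[sec] += 1
        byte_totals[sec] += nbytes
        per_src[sec][src] += 1

    result = {}
    for sec in sorted(conns):
        n, b = conns[sec], byte_totals[sec]
        avg_bytes = b / n
        if n > CONN_RATE_LIMIT and avg_bytes < SMALL_PAYLOAD:
            label = "connection flood"
        elif b > BYTES_RATE_LIMIT:
            label = "bandwidth flood"
        else:
            label = "normal"
        # The busiest sources tell the operator what to hand to the ISP or firewall.
        top = [src for src, _ in per_src[sec].most_common(3)]
        result[sec] = (label, n, b, top)
    return result


def summarize(text):
    """Classify a log and return only the flagged seconds with label and top sources."""
    report = classify_per_second(parse_flows(text))
    return {sec: (label, top)
            for sec, (label, n, b, top) in report.items() if label != "normal"}


if __name__ == "__main__":
    for sec, (label, n, b, top) in classify_per_second(parse_flows(SAMPLE_LOG)).items():
        print(f"t={sec}s {label:17} conns={n:4d} bytes={b:9d} top={top}")
```

The distinction matters operationally: a connection flood is something an on-premises firewall with enough connection capacity can absorb, whereas a bandwidth flood saturates the link before any on-site device sees it, which is why the article has Sportsbet relying on an ISP agreement for that case.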

The collective known as Anonymous has declared it will target Sony as a result of the company’s legal action against PlayStation 3 jailbreakers GeoHot and Graf_Chokolo.

A spokesperson for the collective writes, “Congratulations, Sony. Your recent legal action against our fellow hackers, GeoHot and Graf_Chokolo, has not only alarmed us, it has been deemed wholly unforgivable.”

Anonymous is perhaps most famous for its distributed denial of service (DDoS) attacks against Amazon, PayPal, Visa and Mastercard for their perceived anti-WikiLeaks behaviours. Both Visa’s and Mastercard’s websites were brought down as a result of DDoS attacks.

Earlier this year, GeoHot and fail0verflow (a group that includes Graf_Chokolo) exposed the PlayStation 3’s root key after the removal of OtherOS from the console. Doing so has exposed Sony’s platform to rampant piracy.