The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Friday, September 14, 2007

Ameritrade leaks user information yet again, blames hacker X

OK, you know things are getting bad when Ameritrade leaks its customer information yet again, and I don't even bother to report it because it's not news anymore.

Well, recent updates to the story have prompted me to correct that omission. Yes, it happened again. Roughly a month ago, correspondents began to receive pump-n-dump spam to tagged email addresses which they had given only to Ameritrade.
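The tagged addresses those correspondents used are the reason the leak can be pinned on one company at all. As an added example (not the author's code, and not any tool the post mentions), here is one way to mint a per-vendor address whose tag is a short HMAC, so that a stranger who sees one tagged address cannot mint plausible tags for other vendors, and to map an address that later receives spam back to the vendor it was given to. The mailbox name, domain and secret are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholders; the secret stays with the mailbox owner and is never given to vendors.
MAILBOX_USER = "edward"
MAILBOX_DOMAIN = "example.net"
TAG_SECRET = b"constructed-secret-change-me"

def _tag(vendor: str, secret: bytes) -> str:
    """Eight hex chars of HMAC-SHA256 over the lower-cased vendor name."""
    return hmac.new(secret, vendor.encode(), hashlib.sha256).hexdigest()[:8]

def tagged_address(vendor: str, secret: bytes = TAG_SECRET) -> str:
    """Build a per-vendor address such as edward+ameritrade-3f9a2c1b@example.net.
    The HMAC keeps the tag from being guessed or forged for another vendor."""
    vendor = vendor.lower()
    return f"{MAILBOX_USER}+{vendor}-{_tag(vendor, secret)}@{MAILBOX_DOMAIN}"

def identify_leak(recipient: str, secret: bytes = TAG_SECRET):
    """Given the recipient address of an unwanted message, return the vendor whose
    tag it carries, or None if there is no tag or the tag does not verify."""
    local, _, domain = recipient.lower().partition("@")
    if domain != MAILBOX_DOMAIN or "+" not in local:
        return None
    user, _, tag = local.partition("+")
    vendor, _, mac = tag.rpartition("-")   # vendor names may themselves contain hyphens
    if user != MAILBOX_USER or not vendor or not mac:
        return None
    return vendor if hmac.compare_digest(mac, _tag(vendor, secret)) else None
```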

I've reported on this issue before, once in July 2006, and again in April 2007. This now marks the third major confirmed leak of customer information from Ameritrade. In addition, the Inquirer reported the loss of 200,000 Ameritrade client files in February 2005. One correspondent informs me that this has happened to him on four or five previous occasions.

There is no indication that the selling of customer information to spammers is official Ameritrade policy. Previously, speculation had centered on theft by rogue email service providers contracted by Ameritrade, or on the possibility of theft by an Ameritrade insider.

Normally, Ameritrade responds to these incidents with their standard bug letter, apologising for the leak and assuring the customer that it was a terrible aberration, etc, etc, etc.

This time, however, they've just issued a press release blaming the problem on Hacker X. Or more precisely, on "unauthorized code" in their systems. Was this the work of Hacker X targeting and penetrating their system, or just some random fool at Ameritrade clicking on the wrong thing with the wrong browser and installing spyware by accident? At any rate, information on 6.3 million customers was stolen.

Of course, Ameritrade assures the public that no ids, passwords, social security numbers or other sensitive information were lost. In other words, they're only admitting to what they were actually busted for.

We, of course, are asked to believe that having successfully breached Ameritrade's security, the crackers took only email addresses, leaving the rest behind:

While more sensitive information like account numbers, date of birth and Social Security Numbers is stored in this database, there is no evidence that it was taken.

John Levine informs me that he's also had three email addresses leaked from TD Waterhouse. One dates back before the merger with Ameritrade, one from shortly after the merger, and the third about a month ago. Quoting: "This gives me no confidence that the leak they found is the only one."

More coverage on this issue can be found at Agave Mountain, Computerworld, Dark Reading, Intellectual Intercourse, SC Magazine, and many others. Dark Reading points out that Ameritrade is not forthcoming on the details of the spyware used, preferring to wait until the investigation is complete. SC Magazine (quoting Phil Neray, vice president of marketing at Guardium) speculates that it was an inside job, arguing that only an insider with administrative access could have installed the spyware.

Perhaps my favorite quote is from Intellectual Intercourse, which writes:

Hacker X is a busy, busy hacker. But we expect from someone who has been around for ten years now. Earlier this year, e360 Insight, LLC (a/k/a, e360insight.com, a/k/a e360data.com), asserted that Hacker X had visited them. That’s two in less than 6 months, and we’re not done with the year yet.

Stock spamming is big business these days. The site listguy.com openly advertises their pump-n-dump services and boasts that they have copies of email lists from Market Watch, E-Trade, and Scottrade (but not Ameritrade). I have even received pump-n-dump brochures via snail-mail on more than one occasion.

Given the scope of the problem and the amount of money involved, I can easily believe that Ameritrade has someone on the inside willing to sell email addresses to the highest bidder.


Thursday, June 14, 2007

FBI makes arrests in botnet case

SC Magazine reports that the FBI has arrested or charged three men in connection with a botnet believed to comprise more than a million zombie computers.

Named are: James C. Brewer of Arlington, Texas, Jason Michael Downey of Covington, Ky, and — wait for it — Robert Alan Soloway, the spammer who was already arrested a few weeks ago on various charges running from fraud to money laundering.

The botnet in question was used for both spamming and executing DDoS attacks. It's not yet clear if this is the botnet involved in the recent attack against various anti-spam services.


Thursday, June 07, 2007

Spamhaus, URIBL, SURBL under DDOS attack

This has been ongoing for a couple of days now. Spamhaus and two other major blocking list providers have been under a distributed denial-of-service (DDOS) attack. Steve Linford of Spamhaus believes that the source of the attack is the same people who executed the attack against Blue Security last year which effectively destroyed their Blue Frog anti-spam project.

Spamhaus has implemented anti-DDOS countermeasures and is weathering the storm. Uribl has closed up shop, redirecting their IP address to 127.0.0.1 until things blow over. (One wag has suggested that they redirect to 255.255.255.255 in order to get the attention of the ISPs hosting the zombies. Bit of network geek humor there.)

More information can be found in Linford's announcement on usenet news.


Tuesday, June 05, 2007

More on the BBB and IRS phishes

Analyst Joe Stewart informs me that these are being sent by at least two different groups, using two different approaches. His analysis of the BBB phish describes the phish in detail. In short, the trojan connects to Internet Explorer and steals everything it can get ahold of. Over 145 Mb of data has been collected from over 1400 victims so far.


More on E360Insight vs Hacker X

Direct magazine, a news magazine for direct marketers has a little bit more on the story of the alleged cracker who broke into E360's systems and sent porn spam to nearly 300,000 people on one of E360's client's email lists. E360 CEO Dave Linhardt claims that they subsequently lost that customer's emailing business.

Linhardt also made sure to mention that two of the defendants in the SLAPP suit he filed against various anti-spammers live in the region where the cracker was operating, and that he believes the defendants have been helping Spamhaus, a defendant in another SLAPP suit he has filed.

Linhardt says that he's notified the FBI and other authorities of the break-in.

For an example of the cracker's work, see this wonderful Snopes article about the email alleging that folks with AIDS can fly Southwest airlines for free.

Other examples targeted American Airlines and Wendy's Hamburgers.


Wednesday, May 30, 2007

National Spam News

I haven't done a news roundup in quite a while, and I have a lot of catching up to do. Are you sitting comfortably? Good, let us begin.

Good article in Slashdot today, bemoaning the fact that the latest Ameritrade leak has gotten no attention from the mainstream press. California law requires them to notify their California customers of a potential security breach. Have they done so? Were customer account ids and passwords also leaked? Ameritrade isn't saying. So far, all they've said is that they take these things seriously. The article suggests some security techniques that Ameritrade should implement to track the source of the leak.

There have been a lot of "greeting card" spams lately. I'll bet you've gotten some yourself. Remember: if the subject line doesn't identify who the card is from, then it's spam. Anyway, Trend Micro reports that these spams are also carrying malware as part of the payload.

Robert Soloway isn't the only one with legal problems this week. TG Daily and other sources report that Microsoft has filed suit against three John Does for sending pump-n-dump spam through their Hotmail service.

The BBC reports that internet service provider Tiscali is now caught up in a serious battle with their spammers. Spam coming from Tiscali has become serious enough that many other ISPs are refusing email from Tiscali, which is seriously impacting their customers. Tiscali has long been plagued with 419 scammers, which they managed to bring under control about 6-8 months ago. It now seems that another house-cleaning has begun.

There is some speculation that Tiscali's problems might be caused by spambots inside their network. See my recent article on this subject.

Ben Edelman reports that spyware is still stealing referral fees. As usual, his claims come with a detailed and in-depth analysis.

The Seattle Times reports that Nigerian 419 scammers are now inviting suckers to get puppies out of the country instead of money. Some people have paid more than $1500 to adopt a valuable dog from Nigeria.


Spam bots now relaying through ISP mail servers

Correspondents inform me that a new bot network has begun spamming. An army of spambots woke up within one ISP starting at 6 pm yesterday, and attempted to send millions of spams through the ISP's mail server.

This represents a new step in the evolution of spambots. Previously, these bots all tried to transmit directly from port 25, but with the advent of port 25 blocking by ISPs, this has become an obstacle. It was only a matter of time before spambots began trying to relay through mail servers.

The question to be asked — and hopefully someone will analyze the bot responsible — is whether the bots were specifically crafted for the ISP which was attacked, with knowledge of the correct mail server to use, or whether the bots were able to extract mail server information from the customers' machines.

This new spambot capability was inevitable as port 25 blocking came into widespread use. The next generation of spambots will most likely search user files for email account information, including passwords, in order to transmit their spam.

For this reason, I believe that best practices dictate that users never check the "remember this password" box on their mail programs, but instead enter the password each time they fire up their mailers. Note that MacOS is probably immune to this problem thanks to its key manager system.
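From the ISP's side, a wave of bots relaying through the submission server looks different from ordinary customer mail: many customer IPs at once, each pushing large recipient counts or cycling through forged envelope senders. As an added example (not the author's code, and not tied to any particular MTA), here is detection logic run over a constructed, simplified submission log; the log format, thresholds and sample addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simplified submission-log format (assumed, not any real
# MTA's exact format): "<ISO time> client=<customer ip> from=<envelope sender> nrcpt=<n>"
SAMPLE_LOG = """\
2007-05-29T18:00:01 client=10.0.0.5 from=alice@example.net nrcpt=1
2007-05-29T18:00:02 client=10.0.0.77 from=xk1@example.org nrcpt=40
2007-05-29T18:00:02 client=10.0.0.77 from=qz9@example.com nrcpt=38
2007-05-29T18:00:03 client=10.0.0.77 from=ab7@example.biz nrcpt=45
2007-05-29T18:00:03 client=10.0.0.91 from=ppp@example.org nrcpt=60
2007-05-29T18:00:04 client=10.0.0.91 from=ppp@example.org nrcpt=60
2007-05-29T18:00:06 client=10.0.0.120 from=j1@example.org nrcpt=5
2007-05-29T18:00:07 client=10.0.0.120 from=k2@example.com nrcpt=5
2007-05-29T18:00:08 client=10.0.0.120 from=l3@example.biz nrcpt=5
2007-05-29T18:00:30 client=10.0.0.5 from=alice@example.net nrcpt=2
"""
LINE_RE = re.compile(r"^(\S+) client=(\S+) from=(\S+) nrcpt=(\d+)$")

def parse(log_text):
    """Yield (timestamp, client_ip, envelope_sender, recipient_count) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def suspicious_clients(log_text, window_s=60, max_rcpts=100, max_senders=2):
    """Return {client_ip: reason} for customer IPs that behave like relaying bots:
    too many recipients, or too many distinct (forged) envelope senders, per window."""
    buckets = defaultdict(lambda: {"rcpts": 0, "senders": set()})
    for ts, ip, sender, n in parse(log_text):
        key = (ip, int(ts.timestamp()) // window_s)   # one bucket per IP per window
        buckets[key]["rcpts"] += n
        buckets[key]["senders"].add(sender)
    flagged = {}
    for (ip, _), b in buckets.items():
        if b["rcpts"] > max_rcpts:
            flagged[ip] = f"{b['rcpts']} recipients in {window_s}s"
        elif len(b["senders"]) > max_senders:
            flagged[ip] = f"{len(b['senders'])} distinct envelope senders in {window_s}s"
    return flagged

def wave_detected(flagged, min_clients=3):
    """A bot army waking up at once shows as many distinct customer IPs flagged together,
    unlike a single compromised account or one legitimate bulk sender."""
    return len(flagged) >= min_clients
```

The distinct-sender rule is what separates a bot from a single customer who merely sends a large mailing; a real deployment would also want per-account (SMTP AUTH username) counters, since the next step the post predicts is bots using stolen credentials.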


Monday, April 30, 2007

Is your corporate network breeding spambots?

Briefly mentioned elsewhere, but worth mentioning here as well: Support Intelligence of San Francisco is running a project known as "30 Days of Bots" with the intent of naming and shaming major companies which are allowing spambots to run unchecked from within their networks.

Among the companies named: 3M (pump-n-dump spams), Oracle (phishing attack on PayPal), HP, Best Buy (thousands of spams per week), ExxonMobil, American Electric Power, Indymac Bank, Dow Jones (penis pills), Thomson Financial (pump-n-dump), AIG (fake Rolexes, porn, drugs), Aflac (penis pills), Business Week (penis pills), Toshiba (pump-n-dump, fake Rolexes), Conseco (porn, penis pills, warez), Bank of America (warez), Clear Channel (drugs, warez, phishing), Borders (drugs), Home Depot (drugs), and Affiliated Computer Services (warez, drugs, pump-n-dump). Expect more reports in the future; monitor their blog for updates.

Now here's the scary part: Networks that have spam-spewing zombies could just as easily have keystroke loggers or other spyware. Bank of America recently acquired the company that manages my credit cards. Believe me, this does not instill confidence in the safety of my credit account with them. Do you do business with any of the above companies (or any of dozens that Support Intelligence hasn't reported yet)? Better start checking your credit card receipts.

More references: Slashdot, The Register, New York Times, Washington Post.


Friday, April 20, 2007

Mail server report — no, a robot didn't really detect abnormal activity from your IP address

Just received two identical copies of this from the same sender in the Czech Republic (but with different "From" lines):

Dear Customer,

Our robot has fixed an abnormal activity from your IP address on sending e-mails.
Probably it is connected with the last epidemic of a worm which does not have patches at the moment.
We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.

The enclosed zip file is, of course, a virus of some sort. If you're reading this, you're probably smart enough not to fall for it, but you should probably tell your more trusting friends and relations to ignore this email when they get it.


Tuesday, March 27, 2007

New botnet on the block? Keep an eye on port 1720

Correspondents inform me that they've observed customer machines infected with viruses that are running services on ports 1720 and 1863. Currently, there's no traffic on those ports, but it's possible that they form part of a new botnet.

Oddly enough, it's been seen on Fedora Linux as well as Windows. It's pretty rare for a virus to run under Linux, so perhaps this is video conferencing software idly waiting for an incoming connection.

I'll post more details when I have them, but it's something to keep an eye on. If anybody has any more information, please post a comment.

UPDATE: Correspondent has assured me that this isn't videoconferencing software, and that experienced techies are looking into it. Whatever it is, it's spreading rapidly.

Sysadmins should be prepared to block ports 1720 and 1863 if things start happening.

More information as it becomes available.


Friday, February 16, 2007

Change the password to your home router

New theoretical attack described in Computer Business Review: A phisher loads malicious JavaScript onto a web site. The JavaScript connects to your home router using the default IP address and default password, which you were too lazy to change. The JavaScript configures the router to use the phisher's own DNS servers. Later, when you try to connect to your bank, you get connected to the phishing site instead, and there's no way to tell the difference.

The attack hasn't been seen in the wild yet, but it's only a matter of time. Save yourself a lot of hassle now, and secure your routers.

For more on the story, see Drive-By Pharming Attack Could Hit Home Networks.


Friday, November 17, 2006

Top Ten Worst Spam Offenders

This has been making the rounds for the last week or so, but perhaps you haven't seen it yet. In short, Spamhaus has released its top-ten spam offenders for the year. There are actually three such lists, one for worst countries, one for worst ISP, and one for worst spammer.

Of the worst countries, the U.S. leads, of course, with roughly six times as many spammers as its nearest rival, China.

The winner for worst ISP — to nobody's surprise — is UUNet, now known as Verizon Business, leading with more than twice as many spammers as its nearest competitor.

Of the worst spammers, Russians and Ukrainians occupy six of the top ten spots, with Alex Polyakov (likely a pseudonym) leading the list. Polyakov is best known for mortgage spam, but also advertises child porn, money laundering, and drugs. He may also be the person behind the DDOS attack that brought down Blue Security in May of this year.

So, from reading the articles, I think that the majority of all spam could be stopped if just a few things would happen: 1) Russia starts going after its own criminals*, 2) Verizon fires the management team of Verizon Business, 3) ISPs start blocking outgoing email from their zombie customers, and 4) Microsoft does something about the piss-poor security of their operating system*.

Daily Tech has some good coverage of the story, with more information from Sophos and a lively discussion thread.
