The Associated Press cites FBI officials in Washington, D.C. stating that authorities had arrested “Iserdo,” the nickname used by the hacker alleged to have created Mariposa, a botnet that first surfaced in December 2008 and grew to infect more than half of the Fortune 1,000 companies, as well as at least 40 major banks.

Earlier this year, police in Spain arrested three of Iserdo’s associates, who allegedly used the Mariposa botnet to steal credit card accounts and online banking credentials.

The AP story doesn’t identify Iserdo, saying officials declined to release his name and the exact charges filed against him, but says that the arrest took place about 10 days ago, and that the man has been released on bond.

According to information obtained by KrebsOnSecurity.com, Iserdo’s real name is Dejan Janžekovic. Local Slovenian press reports at the time of his arrest said Iserdo was a former student at the Maribor Faculty of Computer and Information Science, but that information could not be independently confirmed.

Individuals close to the case say Janžekovic charged a few hundred dollars for each copy of the bot kit, and that sales frequently were handled by a former classmate who accepted Western Union transfers on his behalf. According to two sources, one of those who helped with the transactions was a 24-year-old woman named Nuša Čoh, pictured here in her high school photo.

Neither Janžekovic nor Čoh could be immediately reached for comment.

Update, July 29, 4:45 p.m: Janzekovic appears only to have been a person of interest in this investigation, according to a law enforcement official I spoke with today. Also, I heard back from Janzekovic himself, who acknowledged having been investigated by the FBI and Slovenian police in connection with Mariposa, and taken in to the police station for questioning. But he said he is not Iserdo, and that the authorities somehow had him mixed up with someone else. From his e-mail to me:

“I am 23 years old (the picture you found is very outdated). I am single, I work as a senior systems administrator for a telco in Slovenia. Fact is that I love technology, I love life (even though the past two weeks it was hell on earth for me), but most of all – I am innocent. Yes, you read right, innocent. I am smarter than this and such things do interest me only from the technological point, as in how to protect against them.

Oh, not to forget, my net nick was and will never be Iserdo.

It is true, that I had the FBI and Slovenian police investigating me but it is also true, that I had nothing to hide. During the investigation I was very cooperative with authorities – I even gave them password for my encrypted partitions. What was the lead to me? It had to be some kind of mix-up and/or identity theft – the only person known to me in this whole story is the girl who I went to school with (as you have already found out).

Neither of authorities did explain to me how they came to conclusion that I was iserdo. I strongly believe the case was identity theft (obviously someone who knew enough about me, to know that I would easily fit in the case) and/or connection through Nusa. And believe me, it was also to my great surprise, when they woke me up at 6 a.m. to search my home on basis of me selling some ‘nasty code’.

But know this – I do not know any technical details about the botnet, program or anything about the criminal backgrounds as I have never seen it or worked with it.”

Original story:

Janžekovic and Čoh, circled, from a class photo.

Authorities in Spain and Slovenia were aided in their sleuthing by the “Mariposa Working Group,” a collection of security companies and experts that infiltrated the botnet late last year and ultimately wrested control of it away from criminals who had purchased access to the network.

Christopher Davis,  chief executive of working group member Defence Intelligence, said his team tracked just under 700 Web site domains being used to control portions of the Mariposa botnet, suggesting that Iserdo sold hundreds of copies of the bot kit, at hundreds of dollars per kit.

Davis said Iserdo’s creation used an advanced, custom-made communications protocol designed to slip in and out of firewalls unnoticed, and that communication between systems infected with the butterfly bot and its corresponding control Web site was obfuscated by using a homegrown encryption technology.

“It’s a complicated kit he built,” Davis said. “We’re pretty good at breaking crypto, and it took us at least three days to break the cryptography around this bot, when it normally takes us an hour or so.”

Davis praised the arrests, saying it was unusual because normally it is the individuals who are using and buying the bots that are apprehended, not the bot authors themselves. Still, he said, he hopes authorities can use the information to round up the various Mariposa botnet operators.

“We need to go after all of them – the people who write the code, the people who sell it, the people who distribute it, even the money mules they use to convert stolen credit cards and banking credentials into cash,” Davis said.

Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

-Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs.  285 million in 2008).

-85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

-94 percent of compromised records were the result of breaches at companies in the financial services industry.

-45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

Among the most counter-intuitive findings in the report?

There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

“Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.

“In 86 percent of these breaches, the victim didn’t need forensic tools or fancy intrusion detection devices to figure out what happened, because they could read the entire event out of their logs,” said Bryan Sartin, one of the multiple authors of the Verizon report. “Forensic tools are great for recreating events that aren’t logged, but in most of the cases last year, the data was all there, they just weren’t looking at it.”

Sartin said a common complaint he hears about log files is that they are generally so huge that trying to find signs that someone has broken in by looking at your logs is akin to finding a needle in a haystack. But Sartin notes that — viewed another way — the reality is quite the opposite.

“If you take a 500 gigabyte log of a Web server and scroll down through it real fast, you’re going to see a pattern of the same old request over and over again. Suddenly, you hit one that’s formatted completely differently, and instead of being 3 lines it’s 33 lines long and it contains data that’s going the other way in the form of error codes. So these are extremely obvious and noisy attacks that you could mitigate simply by looking for them. But for some reason, many organizations still think they have to go out and buy intrusion-detection devices and more things that produce logs, when their underlying problem was that they weren’t looking effectively at the logs in the first place, and now they’ve just made the problem worse.”

A key finding in this year’s report is that most companies suffering breaches missed obvious signs of employee misconduct – breaches that were either initiated or aided by employees. Sartin said in almost every case where a breach investigation zeroed in on an employee as the culprit, investigators found ample evidence that the employee had long been flouting the company’s computer security and acceptable use policies that prohibit certain behaviors, such as surfing porn or gambling Web sites on company time and/or on corporate-issued laptops.

The study found a strong correlation between ‘minor’ policy violations and more serious abuse. From the report: “Based on case data, the presence of illegal content, such as pornography, on user systems (or other inappropriate behavior) is a reasonable indicator of a future breach. Actively searching for such violations rather than just handling them as they pop up may prove even more effective.”

The Verizon study also takes aim at the hype surrounding the “advanced persistent threat,” or APT — a politically and emotionally charged term that has become virtually synonymous with the term “cyber war”. The concept of APT — which describes attackers who are motivated, skilled, well-funded and patiently directed at compromising a specific target — is not new, but it came into vogue earlier this year with Google’s public disclosure that its intellectual property had been stolen in a targeted attack originating from China.

“Maybe 28 times just in the U.S. alone last year — we had some company in the oil and gas or other critical infrastructure industry come to us…[having found] the most rudimentary, nonthreatening virus on their Web server and instantly jumping to the conclusion that some government behind a certain Asian country was hacking into their company to steal their resources,” Sartin said. “And more often than not, we were being brought in to prove that it didn’t happen, when it turns out they were sounding the alarm for all the wrong reasons. We called it out in the report and said, ‘Hey guys, thanks for the business, but don’t believe the hype.’”

Anyone seriously interested in understanding what APT is — and more importantly isn’t — should read the July cover story of Information Security Magazine, a thoughtful and incisive analysis by blogger Richard Bejtlich.

Another gem in the report is an appendix compiled by the Secret Service that includes a tale about how one of the most notorious cyber thieves ever arrested was lured to a meeting in Turkey in 2007 where he was arrested by local authorities. Wired.com’s Kim Zetter delves into this revelation in more detail here.

The full Verizon breach report is available from this link (PDF).

The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.

More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact.

A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).

I interviewed more than a dozen victims of the first scareware attack, which occurred between April 12 and April 15. All said their computers became unusable and that the only way they could figure out how to regain control of the machine was to surrender and purchase the software. In each case, immediately after the victims submitted their payment information, the hijacking program disappeared, leaving no trace of itself, and no hint of any fake security program on the victim’s machine.

Some victims reported receiving a follow-up e-mail thanking them for their purchase, and directing support inquiries to support@browsing-solutions.com. Others never got an e-mail, but only saw a charge on their credit card statement from Browsing Solutions, Moscow. Other victims saw charges from an EBD-Software.com.

None of the victims I was able to track down had successfully reversed the charges with their credit card provider, although a few did have the charges canceled after contacting the phone number listed in the customer support e-mail. Some said they had tried to contact their credit card provider or the scam company but got the runaround and simply gave up; others said they were confused because they were in the process of trying to purchase legitimate anti-virus software when their computers were hijacked.

Raymond Zens, a generator technician from Jamestown, N.D., said he had just typed in a search for Symantec Internet Security when his computer was hijacked. Zens said that at the time he thought he had purchased the protection he was seeking from Symantec. It wasn’t until he was contacted by this reporter this week that he realized the computer wasn’t protected with a real anti-virus product.

Brad Pierson, a clinical social worker from Austin, Texas, knew he’d been scammed but said he declined to contest the charge out of shame.

“The embarrassment and feeling of degradation that goes with that made me want to blow it off,” Pierson said. “I just kind of thought, ‘That’s the price you pay for being had.’ I didn’t try to do anything about it. I was just glad to have my hard drive and data intact after the whole thing.”

Clearly, few of the victims of rogue anti-virus would describe themselves as computer experts or even intermediate computer users. Still, it’s remarkable that so few people would bother to dispute the charges, said Gary Warner, director of research in computer forensics at University of Alabama at Birmingham.

Warner said he was in San Diego for a conference earlier this year and was staying a hotel when he noticed one of the hotel’s business center computers was running a notorious rogue anti-virus product. Warner said that he alerted a hotel staff member to the infection, then watched in amazement as the staffer right-clicked on the program’s icon in the Windows task bar, selected “update,” and then proceeded to run a scan and declare that nothing seemed to be amiss.

“On the one hand, it’s amazing that these [scammers] can make so much money,” Warner said. “But the fact is that they’re able to sell something that’s fraudulent and not have people complain either because they think it’s real or they’re embarrassed to say something. The real crime, of course, is that many of these people also think this worthless product is going to protect them.”

Warner said he believes rogue anti-virus will continue to be a scourge as long as banks do little to identify the merchant accounts associated with these rogue anti-virus companies.

“The other side of this is, maybe people just don’t know how to report this kind of fraud,” Warner said. “Truthfully, who are you going to get to take law enforcement action against these scammers? In each of these situations, you’re looking at victims who each lost between $80 and $100, which isn’t exactly grounds for a big federal investigation.”

Nothing puts a crimp in the traffic to booby-trapped Web sites like being listed on multiple Internet reputation services that collect and publish information on the location of nasty Web sites. People who maintain the bad sites can stay ahead of such services by moving their malware to new domains once the present hosts start showing up on too many blacklists. But constantly checking these lists can be a time-consuming pain.

Enter sites like check-crypt.com. For a mere 20 cents, subscribers can check to see whether their malicious sites are flagged by any of 18 different blacklists, including Spamhaus, ZeuSTracker, SpamCop, SmartScreen (anti-malware and anti-phishing technology built into IE7/IE8), Norton Safe Web, Phishtank, Malwaredomainlist and MalwareURL.

As we can see from the screen shot here, this service acts as a kind of Virustotal for bad domains, listing the percentage of blacklists that detect any submitted malware sites.

The name and address of the person who registered check-crypt.com is protected by a domain privacy service, but if we dig far enough back in the WHOIS history we see it was registered to someone named Oleg Lojko in Rogatin, Ukraine. A search for the e-mail address attached to that record turns up a domain (vinni-trinni3.net) that a couple of the malware blacklists have flagged for distributing the infamous Zeus Trojan, a powerful password-stealing strain of malicious software.

I wanted to test this service, and so I thought I’d pick on vinni-trinni, because that site was first flagged by Malwaredomainlist and MalwareURL back in March of this year. The results were underwhelming: As we can see from the above screen shot, this service detects that three out of 18 blacklists have flagged it as malicious, but the author’s own service fails to show listings by either Malwaredomainlist or MalwareURL.

Last week, KrebsOnSecurity.com reported that security researchers in Belarus had found a sophisticated strain of malware that was exploiting a previously unknown flaw in the way Windows handles shortcut files. Experts determined that the malware exploiting the vulnerability was being used to attack computers that interact with networks responsible for controlling the operations of large, distributed and very sensitive systems, such as manufacturing and power plants.

When Microsoft initially released an advisory acknowledging the security hole last week, it said customers could disable the vulnerable component by editing the Windows registry. Trouble is, editing the registry can be a dicey affair for those less experienced working under the hood in Windows because one errant change can cause system-wide problems.

But in an updated advisory posted Tuesday evening, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. That tool, available from this link, allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system.

Be advised, however, that making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of icons on the Task bar and Start menu bar and replaces them with plain, white icons.

For instance, most Windows users are familiar with these icons:

According to Microsoft, after applying this fix, those icons will be replaced with nondescript (and frankly ugly) placeholders that look like this:

There are currently no signs that this vulnerability is being used in anything but targeted attacks against some very important targets. That said, the situation could change rapidly soon. For one thing, a proof-of-concept exploit is now publicly available and embedded into open-source attack tools. And while initial reports suggested the primary means of exploiting this flaw required someone to introduce a strange USB device into their system, experts have since shown that the exploit can also be used to spread and launch malicious programs over network shares.

The SANS Internet Storm Center on Monday made the relatively rare decision to change its threat warning level to yellow over this vulnerability, warning that “wide-scale exploitation is only a matter of time.”

“The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch,” SANS incident handler Lenny Zeltser wrote. “Furthermore, anti-virus tools’ ability to detect generic versions of the exploit have not been very effective so far.”

Both of these potential exploit paths probably make this vulnerability far more dangerous for corporate and business users than for home users. That said, having ugly Start Menu and Taskbar icons for a few weeks until Microsoft issues a real fix for this flaw may be a small price to pay for peace of mind. Also, the FixIt changes can be undone simply by visiting this link and clicking the FixIt icon under the “Disable This Workaround” heading.

Further reading:

Siemens: German Customer Hit by Industrial Worm

Mitigating Link Exploitation with Ariad

ICS-CERT: USB Malware Targeting Siemens Control Software (PDF)

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

“The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

Reader still has to legitimately touch the underlying filesystem in order to save PDF files, but it will be configured to work through a separate Adobe “broker process,” such that any attempts by Reader to communicate directly with the operating system will fail, Arkin said.

“Under such a system, not only would the attacker have to find a vulnerability in Reader, but they’d also have to carry out a second-stage attack from the Reader process to the broker process,” he said. “We have put in a place a very small set of policies to make sure that any action the broker process takes on behalf of Reader is absolutely necessary for operation.”

The initial release will not sandbox “read-only” activities in Reader, such as accessing content on the user’s system, but that functionality may be incorporated into versions down the road.

Arkin said the new feature will be on by default, and will not affect the performance or speed of the application.

“The vast majority of users will never know it’s there,” Arkin said. “It doesn’t increase the number of dialogue boxes or choices, and users should be able to continue to interact with Reader the same way they always have.”

Didier Stevens, a Belgian security researcher who has discovered and reported a number of security vulnerabilities in Reader, said Adobe’s planned protections should indeed block most known PDF-based malware.

“When I read ‘sandboxing of all write calls’ I said to myself: ‘That’s easy to bypass, for example by injecting code into another process (e.g. Windows Explorer) and let it write to disk’,” Stevens wrote in an e-mail to KrebsOnSecurity.com. “But then I read that registry and process calls are also sandboxed, so injecting code inside another process would be blocked.”

Stevens said the broker process could end up being the weakest link of Adobe’s sandbox approach.

“If you can mislead the broker process, you can still get access,” Stevens said. “If similar bugs exist in the broker process, then researchers will soon find them. And I hope this mechanism fails gracefully: if the broker process breaks down, then every action should be denied.”

Adobe isn’t willing to set a date certain for the release of the new sandboxed Reader, but said it should ship in the next version, due out before the end of the year. Arkin said the sandboxing feature will initially be available only for the Windows version of Reader.

“Our primary goal was to protect the largest number of users the fastest,” Arkin said. “In the lab it’s certainly possible to take one of those [vulnerabilities] and export it onto a different platform, but in the real world, every single attack we’ve heard about has been on a Windows platform.”

Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.

Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.

Mark Gallick, a Secret Service agent with the Denver field office, confirmed that a bulletin on skimmers was circulating among gas stations in the area, but refused to comment further.

Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.

Bluetooth-enabled gas pump skimmer. Photo: Alachua County, Fla. Sheriff's Office

Bluetooth based wireless skimmers have been found attached to a slew of gas station pumps throughout the Southeast, particularly in Florida. Wireless skimmers allow thieves to pull up to the compromised station and download stolen card data with a laptop while sitting in their car. Many wireless skimmers run on rechargeable batteries, but skimmers attached to the insides of a gas pump can easily be made to draw on the pump’s power source in order to continue stealing card data indefinitely.

“Our device is not the traditional skimmer but rather a Bluetooth enabled equivalent of a thumb drive programmed to capture the data as it was transmitted from point A to point B inside the gas pump itself,” said Lt. Stephen Maynard, the public information officer for the Alachua County, Fla. Sheriff’s Office, which dealt with skimmer compromised pumps earlier this year.

The gas pumps compromised in the Denver-area attacks showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.

My source said the hacked pumps in Denver tended to be on the outside edges of the gas station, those hardest to see by clerks in the station. In a wrinkle that could be part of an effort to drive customers to the compromised pumps, the source said, customer service representatives at the bank also received complaints from victim account holders who reported getting phone calls promising them gift cards if they purchased gas at specific stations in the Denver area.

Gas pump skimmer. Photo: Arizona Dept. of Weights & Measures

“The caller ID on those calls — 727-712-0382 — was a number that probably originated from a Florida provider,” my source said.

Unlike most skimmers affixed to ATMs — which can often be spotted because they rely on fraud devices that are attached to the exterior of the cash machines — gas station skimmers are planted after the thieves have gained access to the interior of the pumps. As result, there are rarely any signs that a gas pump has been compromised. However, consumers can and should keep a close eye on their monthly bank statements and report any unauthorized charges immediately.

The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.

Update, July 16,  7:49 p.m. ET: Microsoft just released an advisory about this flaw, available here. Microsoft said it stems from a vulnerability in the “Windows shell” (Windows Explorer, e.g.) that is present in every supported version of Windows. The advisory includes steps that can mitigate the threat from this flaw.

Original post:

VirusBlokAda, an anti-virus company based in Belarus, said that on June 17 its specialists found two new malware samples that were capable of infecting a fully-patched Windows 7 system if a user were to view the contents of an infected USB drive with a common file manager such as Windows Explorer.

USB-borne malware is extremely common, and most malware that propagates via USB and other removable drives traditionally has taken advantage of the Windows Autorun or Autoplay feature. But according to VirusBlokAda, this strain of malware leverages a vulnerability in the method Windows uses for handling shortcut files.

Shortcut files — or those ending in the “.lnk” extension — are Windows files that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. Ideally, a shortcut doesn’t do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.

“So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware,” wrote Sergey Ulasen, an anti-virus expert with the company, in an advisory published this month.

Ulasen said the malware installs two drivers: “mrxnet.sys” and “mrxcls.sys.” These so-called “rootkit” files are used to  hide the malware itself so that it remains invisible on the USB storage device. Interestingly, Ulasen notes that both driver files are signed with the digital signature of Realtek Semiconductor Corp., a legitimate hi-tech company.

Ulasen said he reached out to Microsoft and to Realtek but got a response from neither. Jerry Bryant, group manager of response communications at Microsoft, told KrebsOnSecurity.com Wednesday that “Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem.”

If this truly is a new vulnerability in Windows, it could soon become a popular method for spreading malware. But for now, this threat seems fairly targeted: Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

“Looks like this malware was made for espionage,” Boldewin said.

As this attack and a related case study I wrote about last month show, cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.

The attack on Brookeland’s Internet banking account began on Friday, April 9, about the time that General Manager Trey Daywood had authorized the utility’s payroll transfer — just a half hour before the 2 p.m. the bank’s cutoff time. A few minutes later, unidentified hackers went in and deleted Daywood’s payroll batch and set up their own payroll, sending sub-$10,000 payments to seven individuals across the United States who were recruited to help launder the money through work-at-home job scams.

Daywood soon heard from his financial institution, Texas based First National Bank, which thought the $34,038 amount was quite a bit higher than the organization’s regular payroll total. But the bank only called after it had finished processing the fraudulent transfers, and most of the unauthorized payments still were sent out the following Monday.

“It was only after I signed affidavits of forgery and had them notarized that our financial institution began the process of trying to retrieve the money,” Daywood said. “It was very clear from the beginning that their attitude was, ‘Hey, it’s not our problem.’  Which was professionally disappointing to me.”

I contacted First National multiple times for a comment on this story, but have yet to hear back from them. I will update this story if that changes.

Financial institutions are required to use “commercially reasonable” security measures to deter fraudulent attacks, but experts say just how far banks need to go for their security to be considered reasonable is a standard that is ill-defined, and is likely to be decided by several ongoing lawsuits filed in state courts. Banking regulators also encourage institutions to use so-called “multi-factor authentication,” or a user name and password in addition to some other type of authentication mechanism. However, according to Daywood, First National Bank allowed commercial customers to access their accounts online with nothing more than a user name and password.

When consumers lose money due to cyber fraud, retail banks are required by law to refund the money — provided the victim doesn’t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible.

According to Brookeland, First National Bank managed to reverse a little less than half of the bogus transfers — $15,338 to be precise.

Daywood said the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction. Prior to the attack, another Brookeland employee was responsible for initiating payments — including payroll batches — but that employee had no authority to approve the transactions.

“They went in and changed the authority of that employee to make it possible for her to create and initiate the fraudulent batch under her login name,” Daywood said. “It’s a mystery as to how they could do that, because I am supposed to be the only one who has authority to do that through my admin account.”

Daywood said he expects Brookeland will recover the remaining lost funds through its insurance program. But he said the incident has consumed most of his time for the past several months.

“I’ve lived, breathed, ate and slept this since it happened,” Daywood said. “You’re looking at hundreds of hours of research, on and on.”

Further reading:

The Case for Cybersecurity Insurance, Part I

Avoid Windows Malware: Bank on a Live CD

E-banking on a Locked Down (non-Microsoft) PC

Target: Small Businesses

Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines. Microsoft released an interim “FixIt” tool last month to help users blunt the threat from this flaw, and users who applied that fix still should install this patch (and no, you don’t need to undo the FixIt setting first). Update 5:50 p.m. ET: I stand corrected on this — it looks like Microsoft won’t offer the patch for this flaw if you’ve already used the FixIt tool.

The one vulnerability addressed in July’s roundup that didn’t earn a critical rating — an “important” flaw in the way Microsoft Outlook handles attachments — probably should have, at least according to security vendor Symantec Corp.

“It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file e-mail attachments, such as malware, to slip past Outlook’s list of unsafe file types,” wrote Joshua Talbot, security intelligence manager for Symantec Security Response, in a post on the company’s blog. “A user would still have to double-click on the attachment to open it, but if they do the file would run without any warning.”

If you are on Windows XP and have been putting off upgrading from Service Pack 2 to Service Pack 3, you will need to stop procrastinating this month to continue receiving security updates for Windows XP after today’s batch. Bear in mind that if you’ve held out this long, you may find that upgrading to Service Pack 3 takes a bit longer than you’d expect.

That’s because SP3 was released more than two years ago, and Microsoft has released hundreds of updates since then. As a result, if you’re upgrading to SP3, you should expect to have dozens of additional patches to install after the initial upgrade is complete, in order to bring your system up to date with the latest security fixes (yes, even if you had already installed these updates and otherwise kept up to date under SP2).

Anyone still using Windows 2000 should take note of this important change: After today, Microsoft will no longer be shipping security updates or any other updates for Windows 2000 machines.

Updates are available through Microsoft Update or via Automatic Update. Microsoft has more details on these patches at the Microsoft Security Response Center blog.