The latest reports of this apparent cyberspy activity come from security experts at Shadowserver.org, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”

A diagram depicting the (since-cleaned) attack on the Website of the Center for Defense Information.

One look at the list of the sites found to be currently serving an exploit to attack a newly-patched Adobe Flash Player vulnerability (CVE-2012-0779) shows how that shorthand is earned. Shadowserver uncovered Flash exploits waiting for visitors of the Web sites for Amnesty International Hong Kong and the Center for Defense Information, a Washington, D.C. think-tank. The home page for the International Institute for Counter-Terrorism was found to be serving up malware via a recent Oracle Java vulnerability (CVE-2012-0507), while the Cambodian Ministry of Foreign Affairs site was pointing to both Flash and Java exploits.

“In recent months we have continued to observe 0-day vulnerabilities emerging following discovery of their use in the wild to conduct cyber espionage attacks,” wrote Shadowserver volunteers Steven Adair and Ned Moran, in a blog post about the attacks, which they dubbed “strategic Web compromises.”

“Frequently by the time a patch is released for the vulnerabilities, the exploit has already been the wild for multiple weeks or months — giving the attackers a very large leg up,” they wrote. “The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.”

The discoveries come just days after security vendor Websense found that the site for Amnesty International United Kingdom (AIUK)  was hosting the same Java exploit. According to Shadowserver, other sites that were compromised by remarkably similar attacks but since cleaned include those belonging to the American Research Center in Egypt, the Institute for National Security Studies, and the Center for European Policy Studies.

Shadowserver experts believe that many of the attacks above are likely the work of the same hacking group. For example, Adair and Moran said they found “a clear connection” between the hackers who compromised the AIUK site in this incident and a separate attack on the same site in December 2011, a break-in first reported by KrebsOnSecurity.com. Some of the common elements in the attacks include identical Internet addresses and files (down to the same internal metadata) used in different attacks.

Adair and Moran also called attention to targeted attacks that leverage the Flash flaw (CVE-2012-0779) via Microsoft Word documents, which have the built-in ability to invoke Flash objects. Mila Parkour, the author of the Contagiodump blog, on May 6 published an exhaustive look at just such an attack.

I hope it is obvious to readers that the exploits leveraged in these cyberspy attacks to steal national security and trade secrets are the same weapons that traditional computer crooks use to steal financial information (in fact, last week I blogged about other tantalilzing signs of overlap between these two seemingly disparate communities). It is almost certain that this Flash exploit will soon be bundled into automated exploit kits that are sold to miscreants on the cybercriminal underground, if it hasn’t already. If you use any of the above-mentioned software products and have fallen behind in patching them, please see the following posts:

May 8, 2012: Adobe, Microsoft Push Critical Security Fixes

May 4, 2012: Critical Flash Update Fixes Zero-Day Flaw

Mar 27, 2012: New Java Attack Being Rolled Into Exploit Packs

At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.

That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

“Higgins said, ‘You have a problem,’” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”

Higgins told USB that the fraud he was seeing was mostly in Las Vegas, but that there also was some fraudulent card activity in neighboring states in the southwest.

“He had a theory that these guys came from Los Angeles and San Diego to Vegas just to make these transactions, and then went back,” Fuller said.

The fraud described by Higgins matched the unauthorized activity that they had seen stemming from accounts used at the private school cafeteria. Fuller said Visa has alerted Union Savings Bank that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate.

USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.

Other banks notified by Higgins had much higher losses, Fuller said. “Mr. Higgins told us that the thieves also hit Bank of Oklahoma and Fulton Bank of New Jersey. He said Fulton was hit very hard by these guys, to the tune of about one thousand [stolen card accounts] each week.”

Higgins could not be reached for comment. Safeway officials confirmed that he retired from the company last month, but declined to discuss Higgins’ work or the incidents that prompted him to alert USB and other financial institutions affected by the Global Payments breach. Neither the Bank of Oklahoma nor Fulton Bank responded to repeated requests for comment.

The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have some of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised both Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were not obtained by the criminals.

Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN.

Visa and MasterCard each have revoked their certification of Global Payments as a compliant card processor. Global Payments said it is still investigating the cause and extent of the incident. The company maintains that fewer than 1.5 million card accounts were stolen, but some in the industry now believe more than 7 million card accounts may have been compromised. Meanwhile, the card associations keep broadening the window of time in which hackers likely had access to the processor’s network. Initially, Visa and MasterCard said the breach window at Global Payments was between January and February 2012, but in the latest round of alerts sent to banks affected by the breach, the card brands warned that the breach dates back to at least early June 2011.

USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that.

“Global is saying this was self-discovered, but already knew it was them at the beginning of March, because within 48 hours of a customer telling us they were having problems, we figured out it was Global and alerted Visa,” Fuller said. “We are going to put Global on notice that we hold them accountable, because we’re bleeding here. Granted, a seventy-five thousand dollar loss isn’t the end of the world, but when you have a large institution like Global that doesn’t want to accept responsibility about what’s happened, that’s sort of annoying.”

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.

There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups. I’ve written at least two blog posts about EvilGrade, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles. The deviousness of this tool is that it can be used to hijack the legitimate updaters built into software already installed on your computer.

If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor’s Web site. Most importantly — and Rule #1 of Krebs’s 3 Basic Rules for Online Safety covers this nicely — “if you didn’t go looking for it, don’t install it!” Also, using an update tracker, such as Secunia‘s Personal Software Inspector or File Hippo‘s Update Checker, can help you stay on top of the latest security patches for widely-used software, and make it easier for you to plan your software updates ahead of time.

Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.

According to Microsoft, the two updates are the most dire: The first is one related to a critical flaw in Microsoft Word (MS12-029); the second is an unusually ambitious update that addresses flaws present in Microsoft Office, Windows, .NET Framework and Silverlight. In a blog post published today, Microsoft explained why it chose to patch all of these seemingly disparate products all in one go. But the short version is that Microsoft is addressing the ghost of Duqu, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous Stuxnet worm. A patch Microsoft issued last year addressed the underlying Windows vulnerability exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.

Separately, Adobe has issued an update for its Shockwave Player. Adobe recommends that users of Adobe Shockwave Player 11.6.4.634 and earlier for Windows and Macintosh update to Adobe Shockwave Player 11.6.5.635. Fixes are available for Windows and Mac systems, from this link. Windows users can tell if they have Shockwave installed by checking for an entry for the program in the Add/Remove Programs listing from the Windows Control Panel. If you don’t already have this program, I’d recommend keeping it that way. I seem to have gotten along fine without it for several years now, and going without it just means one less buggy application to patch.

As always, if you experience any issues installing these updates, please leave a note in the comments section below.

It may be that the Internet security industry is long overdue for its own “Reese’s moment.” Many security experts who got their start analyzing malware and tracking traditional cybercrime recently have transitioned to investigating malware and attacks associated with so-called advanced persistent threat (APT) incidents. The former centers on the theft of financial data that can be used to quickly extract cash from victims; the latter refers to often prolonged attacks involving a hunt for more strategic information, such as intellectual property, trade secrets and data related to national security and defense.

Experts steeped in both areas seem to agree that there is little overlap between the two realms, neither in the tools the two sets of attackers use, their methods, nor in their motivations or rewards. Nevertheless, I’ve heard some of these same experts remark that traditional cyber thieves could dramatically increase their fortunes if they only took the time to better understand the full value of the PCs that get ensnared in their botnets.

In such a future, Chinese nationalistic hackers, for example, could avoid spending weeks or months trying to break into Fortune 500 companies using carefully targeted emails or zero-day software vulnerabilities; instead, they could just purchase access to PCs at these companies that are already under control of traditional hacker groups.

Every now and then, evidence surfaces to suggest that bridges between these two disparate worlds are under construction. Last month, I had the opportunity to peer into a botnet of more than 3,400 PCs — most of them in the United States. The systems were infected with a new variant of the Citadel Trojan, an offshoot of the ZeuS Trojan whose chief distinguishing feature is a community of users who interact with one another in a kind of online social network. This botnet was used to conduct cyberheists against several victims, but it was a curious set of scripts designed to run on each infected PC that caught my eye.

Computers infected with ZeuS variants typically relay not only password data, but also basic information about the victim PC, including operating system version, default browser, the system time, and the machine name that the victim user picked when installing the OS. But this version of Citadel sought much more information, and instructed all infected PCs to relay the output of several network diagnostic tools designed to help map out a local network.

Hosts infected with this version of Citadel were instructed to run several variations on the “net view” command, which displays a list of domains, computers and resources that are being shared by systems on the host PC’s local network. The hacked machines also were forced to run the command “osql -L”, which produces a list of database servers that may be present on the network. In addition, compromised PCs were prompted to run the Windows command line instruction “ipconfig /all”, which provides a wealth of data on the Internet addresses assigned to different components of the local network.

A screen shot of the Citadel panel. This page shows the breakdown of antivirus tools installed on infected PCs.

Other diagnostic commands run on each machine sought to dump the list of Windows users and groups on the network, as well as the homepage of the victim’s default browser (the latter is interesting because many organizations set internal systems to default to the company’s Intranet page).

It may well be that the miscreants behind this botnet simply wanted to cover their bases, in case the need arose to identify administrator accounts or users most likely to have access to sensitive financial information. And, of course, miscreants with complete control over infected systems always can run these commands manually. But it is rare to find examples of those involved in traditional cybercrime who are interested in gathering this information from so many infected systems by default, according to Dmitri Alperovitch, one of the aforementioned experts on Eastern European cybercrime who transitioned to tracking APT threats a few years back.

Alperovitch, co-founder of CrowdStrike, a security startup focused on identifying APT attacks and victims, called the development “troubling.” Alperovitch said the hackers behind this Citadel version may be trying to map out who exactly the victims are — as a precursor to selling access to those machines.

“Many of these techniques are exactly what the APT guys use to map out victim organization once they get access to it,” he said.

If APT attackers and the miscreants focused on ebanking fraud are such a match made in heaven, why aren’t we seeing more signs of interaction between these two communities? Alperovitch believes it’s because there aren’t many areas where these two worlds overlap.

“It always amazed me that this was not happening, and I questioned why that was the case for a number of years, and I’ve come to realize the reason is that these two communities — those doing intrusions for espionage purposes and cybercrime purposes — are so far apart and don’t really talk to each other or don’t know how to connect,” he said.  “If you’re a guy who’s specializing in banking cashouts, how do you find someone who is interested in F-35 fighter plane schematics? It’s not so easy.”

Alperovitch said he’s seen APT-based groups occasionally using financial cybercrime tools like ZeuS, but in those cases it appears the attackers were either lazy or were trying to conserve resources.

“That’s just the nature of convenience, because tools like ZeuS allow you to build [the malware] yourself and use it as a first-stage malware delivery system, instead of burning your own custom tool that’s much more valuable to you,” he said. “But just because these [APT actors] were using ZeuS doesn’t mean that they were collaborating with any cybercriminal group. I’m not discounting the possibility of an intermediary potentially bridging these two groups, but it would take someone in the cybercriminal world with a lot more connections with the intelligence agencies to take advantage of it.”

Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far target Flash Player on Internet Explorer for Windows only.

Nevertheless, there are updates available for Flash Player versions designed for all operating systems that Adobe supports, including Mac, Linux and Android devices.

Adobe is urging users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Windows users of Flash Player 11.2.x who have selected the silent update option will receive the update automatically. Flash Player installed with Google Chrome is updated automatically, so no user action should be required for Chrome users. Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9.

To find out if you have Flash installed, or which version is on your system, visit this link. If you have trouble updating your Flash version, consider uninstalling the program using Adobe’s Flash removal tool, rebooting, and then reinstalling the latest version. Updates are available via the Adobe Flash Player Download Center. Direct links to the OS-specific downloads are here.

Page 1 of a subpoena Microsoft sent to Google.

Microsoft’s unconventional approach to pursuing dozens of ZeuS botmasters offers a rare glimpse into how email providers treat subpoenas for account information. But the case also is once again drawing fire from a number of people within the security community who question the wisdom and long-term consequences of Microsoft’s strategy for combating cybercrime without involving law enforcement officials.

Last month, Microsoft made news when it announced a civil lawsuit that it said disrupted a major cybercrime operation that used malware to steal $100 million from consumers and businesses over the past five years. That legal maneuver may have upset some cyber criminal operations, but it also angered many in the security research community who said they felt betrayed by the action. Critics accused Microsoft of exposing sensitive information that a handful of researchers had shared in confidence, and of delaying or derailing international law enforcement investigations into ZeuS Trojan activity.

Part of the controversy stems from the bargain that Microsoft struck with a federal judge in the case. The court granted Microsoft the authority to quietly seize dozens of domain names and Internet servers that miscreants used to control the botnets. In exchange, Microsoft agreed to make every effort to identify the “John Does” that had used those resources, and to give them an opportunity to contest the seizure. The security community was initially upset by Microsoft’s first stab at that effort, in which it published the nicknames, email addresses and other identifying information on the individuals thought to be responsible for renting those servers and domains.

And then the other shoe dropped: Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint posted at zeuslegalnotice.com, which listed nicknames and other information tied to 39 separate “John Does” that Microsoft is seeking to identify. But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to sources who received the notices but asked not to be named, the Google alerts read:

“Hello,

Google has received a subpoena for information related to your Google
account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v.
John Does 1-39 et al., US District Court, Northern District of California,
1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion
to quash the subpoena (or other formal objection filed in court) via
email at google-legal-support@google.com by 5pm Pacific Time on May
22, 2012, Google may provide responsive documents on this date.

For more information about the subpoena, you may wish to contact the
party seeking this information at:

Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025

Google is not in a position to provide you with legal advice.

If you have other questions regarding the subpoena, we encourage you
to contact your attorney.

Thank you.”

Unlike most of its competitors in the Webmail industry, Google is exceptionally vocal about its policy for responding to subpoenas. This has earned it top marks from privacy groups like the Electronic Frontier Foundation (EFF), which recently ranked ISPs and social media firms on the transparency of their policies about responding to requests for information filed by the government or from law enforcement.

Google spokeswoman Christine Chen said she could not comment on specific legal cases, but said the company complies with valid legal process.

“We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying,” Chen said. “When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.”

At least 15 of the email accounts named in Microsoft’s lawsuit were addresses at hotmail.com or msn.com, both free Webmail services run by Microsoft. It’s not clear whether Microsoft gave those account holders a heads up about the subpoena. I asked Richard Boscovich, the former Justice Department lawyer and one of the architects of Microsoft’s legal strategy to target botnets with civil actions; he didn’t know, and referred me to Microsoft’s compliance unit. I’m still waiting for an answer. But it’s worth noting that Google was the only email provider on EFF’s list that was recognized for reliably alerting users about data demands. Microsoft was not recognized on this front.

Marcia Hofmann, a senior staff attorney with the EFF, said Microsoft’s legal effort underscores the tension between traditional law enforcement processes and companies using civil litigation to protect their own users and to vindicate their own interests.

“I suspect this is a situation where Microsoft feels law enforcement isn’t moving quickly enough,” Hofmann said. “But it also basically compromises law enforcement’s ability to do anything about the problem, and makes it possible for the suspects to evade any sort of law enforcement action.”

CUT-AND -PASTE JUSTICE?

Critics of the Microsoft effort say certain clues prove that the company borrowed and published raw intelligence without fully understanding the data’s true value and origins. Andy Fried, a former law enforcement official and owner of the Alexandria, Va. based security consultancy Deteque, was a co-founder of the little-known ZeuS Working Group, an ad hoc and extremely secretive collection of law enforcement officials and private security professionals dedicated to tracking ZeuS activity with the aim of bringing those responsible to justice.

“A basic tenet of this trust group is that everyone feels free to share data, but the rule is you never release that data outside of the trust group without express permission of whoever provided the data,” Fried said. “But there was no way that the data Microsoft published was received independently. Much of it was cut-and-pasted verbatim, and some of the data included in the search warrant was horrifically out of date.”

Yevhen "Jonni" Kulibaba

For instance, several of the key crime lords that Microsoft is seeking to unmask are already in prison for their crimes. John Doe #22 in Microsoft’s complaint — alleged to have used the nickname “Jonni” — is none other than Yevhen Kulibaba, a Ukrainian man arrested in London in 2010 and named as a ringleader of a money mule recruitment gang there. Kulibaba is currently serving a four-year jail sentence in connection with the ZeuS activity.

Microsoft said John Doe #23 goes by the alias “jtk,” yet this was the nickname used by Yuriy Konovalenko, the 30-year-old accomplice of Kulibaba who also was arrested as part of the U.K.-based ZeuS gang. Konovalenko likewise was sentenced to four years in jail.

Microsoft’s John Doe #24 is thought to go by the nickname “Veggi Roma,” but according to sources familiar with the case, this was an inside joke based on a lucky break that led police to the U.K. gang’s location. Investigators in London had been working with the FBI to monitor the communications of several members of the London-based ZeuS gang, but for some time they did not know whereabouts of the men, who were known at the time only as Jonni and Jtk. That is, until Jtk used his Internet connection to order a pizza to be delivered to their apartment. A “Veggi Roma” pizza, to be exact.

Yuriy "jtk" Konovalenko

Astute readers may be wondering how it is that Google’s emails and Microsoft’s subpoenas to the John Does named in the complaint are now public. According to Fried, that’s because some of the email addresses listed in Microsoft’s complaint as belonging to John Doe miscreants were in fact addresses used by security researchers who had registered domains to serve as “sinkholes” for one or more ZeuS botnets. Sinkholing is a practice by which researchers redirect the identification of the botnet control servers to their own server, so that malicious traffic that comes from each bot-infected client goes straight to the research box, ready to be analyzed.

COLLATERAL DAMAGE

Microsoft maintains that it worked with several security industry partners, and that it was operating under the assumption that the information those partners provided was either their own, or was freely available amongst them for the purpose of securing the Internet.

Microsoft’s Boscovich said the company did not work with law enforcement on this operation, and so had no idea whether there were ongoing or adjudicated investigations related the John Does named in its case. He emphasized that protecting customers was the company’s number one priority.

“Our main objective was to stop the bleeding, and everything we do is specifically related to that mission,” Boscovich said. “Congress specifically envisioned that it was and is appropriate for private entities to protect themselves and their interests, and as in this case, the interests of our customers. People are continuing to be victimized, computers compromised, identities stolen, and now those systems are posing a threat to other people on internet, irrespective of what operating systems they’re using.”

For his part, Fried said he believes Microsoft will soon find it more difficult to obtain sensitive information that security researchers and law enforcement gather about key cybercrime suspects. He also fears that the ZeuS working group and other informal information-sharing groups may disband or become less effective as a result of this case.

“Microsoft discounted everyone but themselves with their initial action, and they’ve compounded things pretty quickly with these subpoenas,” Fried said. “This is also going to cause collateral damage for a lot of trust groups, while all that they’ve accomplished is little more than a very miniscule inconvenience to the bad guys, whose servers were back up within 24 hours of the takdeowns.”

Jon Praed, founding partner of the Arlington, Va. based Internet Law Group, said he’s sympathetic to Microsoft’s position, and believes Google should have taken the trouble to investigate whether the John Doe accounts named in Microsoft’s lawsuit deserved to be notified.

“Unfortunately, most email providers have a one-size-fits-all privacy policy,” Praed said. “All of these companies have tried to create the legal right to do the right thing, but they’re making almost no attempt to apply that policy in practice. At the same time, Microsoft is spending a tremendous amount of money trying to stop this activity, and I don’t know anyone else out there who is even trying to do this.”

Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software.

OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.

This problem first came to my attention after I read a blog post by infosec researcher Mark Baldwin, who wrote late last month about finding an unauthorized administrative account called “openx-manager” on one of his clients’ OpenX 2.8.8 installations, the latest version. After much investigation, Baldwin found that the rogue admin account was created virtually at the same instant that he’d last logged in to the customer’s OpenX installation.

Based on these and other findings documented in his blog, Baldwin concluded that OpenX 2.8.8 contains an unpatched flaw known as a cross-site request forgery (CSRF) vulnerability. These types of flaws can be especially sneaky because they are used to trick the victim into loading a page that contains a malicious request. CSRF attacks are most often used to force an end user to execute unwanted actions on a Web application in which he/she is currently authenticated, such as purchasing an item, or adding/deleting account information.

Baldwin told me he believes the attackers were able to add the rogue admin account to his client’s OpenX installation because OpenX contains a CSRF vulnerability that allows such actions.

“When you login to the OpenX application, an ad loads via an iframe on the right side of the dashboard,” Baldwin said in an interview with KrebsOnSecurity. “OpenX uses this to promote different products of theirs (currently OpenX Market). This iframe makes calls to d1.openx.org and most importantly, loads some Javascript. This is important because the only way the CSRF attack would be able to create a new user is via javascript, since that action uses the POST method. The IP address of d1.openx.org is 173.241.250.2 and the address of adserver.openx.org is 173.241.250.3. For all I know these may be the same servers. My belief is that these systems were compromised and the Javascript was modified to inject the rogue admin account via the iframe in the dashboard. So when an administrator logs in, the account would be created without any interaction from him.”

I confronted OpenX officials about this on Monday. In a very brief phone call today, company executives declined to discuss the attacks in detail, but acknowledged the existence of a CSRF vulnerability in the software that powers both their free and enterprise advertising platforms. OpenX Chief Technology Officer Michael Todd said the company would soon be publishing instructions on its blog outlining steps that users can take to prevent attackers from taking advantage of this flaw, and that it hoped to roll out an official fix for its OpenX Source product, which is the free version of the platform offered to anyone who wishes to host their own digital advertising services.

“What we’re going to do early next week — on Monday or Tuesday — is release a new version of OpenX for people to download as soon as possible,” Todd said. “We’re taking an extra few days to make sure that this gets done correctly and that we’re doing all the testing we need to do before we push that out. But first, we’ll publish a mitigation post that will tell people how they can change their systems,” to mitigate the threat, he said.

OpenX’s head of communications, Al Duncan, inexplicably cut the interview short after I’d asked just two questions, so I was unable to gain clarity on other aspects of this attack, such as whether OpenX’s internal systems may have been abused in the compromises, and how long the company has been aware of the problem. I also wanted to know more about how this vulnerability differed from a similar CSRF flaw in OpenX v. 2.8.7 that was disclosed in June 2011 by researcher Narendra Shinde.

It’s unclear whether the CSRF flaw detailed by Shinde is effectively the same bug that exists in this latest version. But the attackers targeting these flaws appear to have used the same name for the rogue admin account that Baldwin discovered on his client’s OpenX installation: “openx-manager.”

Until OpenX publishes its blog post, users and customers of this product should consider reviewing the mitigation advice offered at Baldwin’s blog.

For more background on this subject, see OpenX forum posts from Nov. 2011, January 2012,  March 2012, and April 2012. Internet security firms Armorize and Sophos also have been sounding the alarm about these attacks.

Visa and MasterCard send periodic alerts to card-issuing banks about cards that may need to be re-issued following a security breach at a processor or merchant. Indeed, it was two such alerts — issued within a day of each other in the final week of March — which prompted my reporting that ultimately exposed the incident. Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.

Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011.

Security experts say it is common for the tally of compromised cards to increase as forensic investigators gain a better grasp on the extent of a security breach. But so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems.

In a letter (PDF) responding to questions from  Senator Robert P. Casey (D-Pa.), Global Payments CEO Paul Garcia maintained that the company discovered the breach internally and on its own on March 8, and that it began alerting the card associations the following day. Garcia said their initial disclosure was “forced by wild speculation in the press regarding this matter and our company.”

Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, 2012infosecurityupdate.com, later this evening.

Update, May 4, 12:37 p.m. ET: The Wall Street Journal published a story today citing unidentified sources as saying that at least 7 million card accounts are now considered potentially vulnerable because of this breach.

Google-translated version of iFrameservice's homepage

Regular readers of this blog may be unsurprised to learn that this is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits.

At the very least, a decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing those lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set.

A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials.

The customer interface for the iFramer service.

Some services, like the one offered at iframeservice.net (pictured above and at left), offer a menu of extras to help customers maintain their Web-based minefields. Iframeservice.net attempts to gain a more permanent foothold on all sites for which it is given FTP credentials, testing the sites for additional security vulnerabilities (root exploits) that may grant administrative privileges on the site’s Web server.

This service also promises to help customers stay one step ahead of antivirus companies, by monitoring URL blacklists and generating customer alerts when boobytrapped pages get flagged as malicious. In addition, it offers the automated ability to obfuscate the true destination of malicious links as a way to confuse both antivirus scanners and the legitimate administrators of the hacked sites.

A recent compromise I helped a friend deal with reminds me of a stubborn fact about hacked sites that seems relevant here. Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site.

Obviously, the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password, of course).