Category Archives: Security

Zeus Crime Ring Busted

The US Attorney’s Office announced they were able to shut down an international crime ring that used the Zeus malware to steal money from US bank accounts.

…charges against 37 defendants, in 21 separate cases, for their roles in global bank fraud schemes that allegedly used hundreds of false-name bank accounts to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks. […] The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, an individual who obtained the false foreign passports for the mules, and money mules.

CNN calls it "Trojan malware blamed for $3 million bank fraud":

I am not a fan of calling things Trojan horse malware because the horse is so often removed, leaving just Trojan malware. That doesn’t sound right. Anyway, back to CNN:

According to complaints unsealed in Manhattan federal court, defendants used the Zeus Trojan program to surreptitiously obtain personal information and then hack into victims’ bank accounts.

The hackers then allegedly made unauthorized transfers of “thousands of dollars” to the bank accounts belonging to co-conspirators. Prosecutors said the malware was typically sent as an “apparently-benign e-mail” that embedded itself in the victims’ computers once it was opened.

The program, officials said, recorded keystrokes and allowed hackers to steal private account information, passwords and other “vital security codes.”

The alleged cybercriminals, based in Eastern Europe, used “money mules” to transport the stolen money overseas. Some of the mules had entered the United States on student visas or by using fake passports, according to the federal complaint. The FBI has already arrested 10 alleged money mules and 17 remain at large.

The attack path, in other words, starts with an email message carrying the malware. The message is not filtered as spam, and the Zeus payload is not filtered as, er, malware.

There are security control failures on many levels. The underlying story here, however, is one familiar in the physical security space — more secure banks means attacks shift towards more vulnerable users.

Thus, online banking security is good enough that attackers find it much easier to get passwords from users and then use impersonation to get past bank security. Two-factor authentication, imperfect like the other security controls in question here, was the last standing defense that should have stopped this attack path. The caveat is that CNN reports the malware also recorded "vital security codes", so the second factor only holds if the code is short-lived and consumed on first use; a static password captured by a keylogger can be replayed indefinitely.
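To make the point concrete, here is an added simulation, not code from the post or from any bank or the Zeus authors: a keylogger captures one login, and the attacker replays it against three hypothetical bank back-ends (password only, TOTP, TOTP with single-use enforcement). The user name, password, secret, timestamps and the `Bank` class are all constructed for the example; the TOTP routine follows RFC 6238 over HMAC-SHA1, and the seed is the RFC test-vector seed so the first code can be checked against the published value.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector seed, used here only so the output is checkable.
SECRET = b"12345678901234567890"
STEP = 30

# Constructed account table: user -> static password and TOTP seed.
ACCOUNTS = {"alice": {"password": "hunter2", "secret": SECRET}}


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Bank:
    """Hypothetical login back-end; require_otp and single_use select the policy."""

    def __init__(self, accounts, require_otp=False, single_use=False):
        self.accounts = accounts
        self.require_otp = require_otp
        self.single_use = single_use
        self.last_counter = {}  # user -> last TOTP counter already accepted

    def login(self, user: str, password: str, otp: str, now: int) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return False
        if not self.require_otp:
            return True  # password alone is enough: a replayed capture works
        # Accept only the current time step (no clock-skew window) to keep it simple.
        if otp != totp(acct["secret"], now):
            return False
        counter = now // STEP
        if self.single_use:
            if self.last_counter.get(user) == counter:
                return False  # this code was already consumed once
            self.last_counter[user] = counter
        return True


def run_scenarios():
    """Victim logs in once (observed by the keylogger); attacker replays twice."""
    t0 = 1_000_000  # constructed capture time (step 33333)
    captured = {"user": "alice", "password": "hunter2", "otp": totp(SECRET, t0)}
    policies = {
        "password_only": Bank(ACCOUNTS),
        "totp": Bank(ACCOUNTS, require_otp=True),
        "totp_single_use": Bank(ACCOUNTS, require_otp=True, single_use=True),
    }
    results = {}
    for name, bank in policies.items():
        victim = bank.login("alice", "hunter2", captured["otp"], t0)
        replay_soon = bank.login(captured["user"], captured["password"], captured["otp"], t0 + 5)    # same step
        replay_later = bank.login(captured["user"], captured["password"], captured["otp"], t0 + 120)  # later step
        results[name] = (victim, replay_soon, replay_later)
    return results


def relay_scenario():
    """Edge case: attacker relays the captured code before the victim's own submission."""
    t0 = 1_000_000
    bank = Bank(ACCOUNTS, require_otp=True, single_use=True)
    code = totp(SECRET, t0)
    attacker_ok = bank.login("alice", "hunter2", code, t0 + 1)  # attacker wins the race
    victim_ok = bank.login("alice", "hunter2", code, t0 + 2)    # victim is now rejected
    return attacker_ok, victim_ok


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} victim={outcome[0]} replay_soon={outcome[1]} replay_later={outcome[2]}")
    print("relay (single-use TOTP): attacker, victim =", relay_scenario())
```

The password-only back-end accepts the replay at any time; plain TOTP rejects it once the 30-second step has rolled over but still accepts it inside the step; single-use enforcement closes that gap. The relay scenario is the failure mode that matters for a keylogger feeding a live operator: if the attacker submits the code first, single-use enforcement locks out the victim instead, which is why the second factor alone does not end the story.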

Details of the cases are on the New York FBI site:

  • United States v. Artem Tsygankov, et al.
  • United States v. Artem Semenov, et al.
  • United States v. Maxim Miroshnichenko, et al.
  • United States v. Marina Oprea, et al.
  • United States v. Kristina Svechinskaya, et al.
  • United States v. Ilya Karasev
  • United States v. Marina Misyura
  • United States v. Dorin Codreanu
  • United States v. Victoria Opinca, et al.
  • United States v. Alexander Kireev
  • United States v. Kasum Adigyuzelov
  • United States v. Sabina Rafikova
  • United States v. Konstantin Akobirov
  • United States v. Adel Gataullin
  • United States v. Ruslan Kovtanyuk
  • United States v. Yulia Klepikova, et al.
  • United States v. Alexandr Sorokin
  • United States v. Alexander Fedorov
  • United States v. Anton Yuferitsyn
  • United States v. Jamal Beyrouti, et al.

The DoJ said 21 cases, but I see only 20. Perhaps one is still being prepared.

The wanted poster for the remaining fugitives is also online.

Ask me about how to better protect against this breach, or just attend my presentation on the Top Ten Breaches, October 13th at the RSA Conference in London.

Microsoft Security Birthday Party

Congratulations to Microsoft. They just announced their one-year birthday for security.

Yes, you read that right. One year of security.

I will try to refrain from any snarky commentary and just join in the celebration. Ok, just one nit: Windows was released in 1985, twenty-five years ago. That sounds like 24 years without security. Even if you go with a “modern” history of Windows you have to start with 95, which was released in…oh, I forget. Must have been around 1996. Seriously, though, I am reminded of a meeting I had with Microsoft around 2004 where the security team said they considered themselves only three years old with less than a dozen staff. That would put them in the XP release generation. They were not essential, however, and that brings me back to the party today.

Happy one-year!

Microsoft Security Essentials Celebrates First Birthday with 30 Million Customers!

According to the Microsoft Malware Protection Center (MMPC), in addition to providing a no-cost security solution to tens of millions of customers that may not have been actively protected before, Microsoft Security Essentials detected nearly 400 million threats over the past year, with customers choosing to remove more than 366 million of those threats. For more information about the specific threat breakdown, please visit the MMPC Blog.

Whoa, 34 million threats not removed sounds like a lot. That is almost a 10% non-removal rate (34 of roughly 400 million detections), or about one threat left in place per customer across 30 million customers. Note the wording, "customers choosing to remove": these were detected and left alone by the user, which is a different question from whether detection failed. Why were they not removed?

Sorry, this is a time to celebrate, not worry…but I still wonder so I went to the MMPC Blog for more information, as suggested.

No detail on the failures is provided. Instead I found data that shows Russia and China have far fewer copies of Security Essentials installed than the other “non-US countries” (that’s an official Microsoft designation, I didn’t make it up).

Quick birthday quiz: how many “non-US countries” are there in the world? 195 – 1 (US country) = 194.

Despite the smaller install base, the MMPC Blog says China and Russia have many more machines attacked than other "non-US countries".

Security Essentials is installed all over, but the threats it’s protecting PCs against are far from globally uniform. For example, if you compare the graph of installations above to the chart of machines where Security Essentials detected exploit attacks below, you can see that while China is relatively low on the install base list and Russia came in at number 10 by install base, users are relatively more likely to be attacked via exploits.

Interesting point, except for the fact that I see another possible outcome.

Brazil has the largest number of Security Essentials installations (nearly a million more than the next highest) and yet is only slightly behind China in machines attacked. The United Kingdom shows the same pattern.

So if you add Brazil and the UK together you get about the same number of machines attacked (799,763) as China and Russia (841,159) despite having many more systems running Security Essentials. Which tells us what exactly? Will the percentage of attacks go down if more systems have Security Essentials? And back to my original point, why aren’t some infections removed; what does “machine attacked” really mean?

The MMPC blog says attacks are different by region, which could be a big clue.

The Autorun threat family has pulled away from Conficker in Brazil, and the widespread Bancos threat, which is unique to Brazil, entered the top 5. In China, exploit families like ShellCode and CVE-2010-0806 continue to dominate. In the United States, Renos has taken over the top spot from Wimad, the new top rogue threat is FakeSpyPro, and the Java runtime exploits of CVE-2008-5353 are a major problem.

I also wonder whether the high rate of deployment in Brazil reflects the giant new Microsoft data center there, or whether they are counting only end-user systems.

Happy Birthday!

ISACA Cloud Audit/Assurance Program

Just when you thought it was safe to start your assessment of a cloud, ISACA releases yet one more methodology, which I will call the CCMAAP. The introduction to CCMAAP on the ISACA site is not very clear about how it fits with other assessment projects: it is called a program, a tool, a template and a road map, all in the first sentence.

Objective—The cloud computing audit/assurance review will:

* Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security
* Identify internal control deficiencies within the customer organization and its interface with the service provider
* Provide audit stakeholders with an assessment of the quality of and their ability to rely upon the service provider’s attestations regarding internal controls.

It looks quite useful for anyone already using COBIT or wondering how COSO works with a cloud. The first thing that jumps to my mind is that the COBIT mappings look very sparse. Page after page of audit questions have no COBIT reference. Even the Cloud Security Alliance (CSA) has only a few questions without a COBIT reference.

BP to Compete on Security

The new CEO of BP is making a case for safety as a competitive advantage. Reuters reports that he ousted his exploration chief as part of a vow to boost safety.

“There is a pressing need to rebuild trust in BP around the world,” [Chief Executive Bob] Dudley added.

Neither in the official nor the internal statements did Dudley admit that safety failings particular to BP played a role in the oil spill.

Instead, he repeated BP’s position that the disaster highlighted industry shortcomings — a line of argument which has enraged BP’s rivals, who accuse the London-based company of having a weak focus on safety and technical excellence.

I guess as long as BP is part of the industry they are in a well-informed position to talk about its shortcomings.