Archive for the ‘Ironkey News’ Category

Banks in Eastern Europe Under Attack from Crimeware

Thursday, June 17th, 2010

It seems that it’s not only the customers of US, UK and Brazilian banks that are under attack from crimeware such as the Zeus trojan, which logs into online bank accounts and allows criminals to transfer funds from victims’ accounts.

Now customers of Eastern European banks are also under attack, according to security researcher Joe Stewart of SecureWorks. Joe says that the BlackEnergy2 trojan is now being used to break into online bank accounts of infected users who are accessing online banking sites in Russia and Ukraine.

In addition to allowing cyber criminals to fraudulently transfer funds, the trojan launches a Distributed Denial of Service attack (DDoS) on the bank. This prevents legitimate users from logging in, and distracts bank security and IT employees.

Police Arrest 178 People in Global Credit Card Scam Involving 120,000 Stolen Credit Card Numbers

Tuesday, June 15th, 2010

Police in Europe and the United States have arrested 178 people in 14 countries on charges of credit card fraud.

Apparently the investigation has found 120,000 stolen credit card numbers, and 5,000 cloned credit cards. Six card cloning labs have been seized.

Brian Krebs (krebsonsecurity.com) has posted an excellent blog post today. He’s even posted a picture of one of the credit card cloning labs, sourced from the Spanish Ministry of Interior.

American Bankers Association Says the Threat of Corporate Bank Account Fraud on the Internet is Very Large

Thursday, June 10th, 2010

Bank Info Security magazine today published an interview with Doug Johnson of the American Bankers Association (ABA) on the topic of corporate banking account takeovers by cyber criminals. Cyber criminals are increasingly using malware to steal online access to the bank accounts of small and medium sized companies and government agencies, and fraudulently transfer hundreds of thousands of dollars out of those accounts.

The interview is worth reading, and it can be found here.

When asked how big a threat cyber criminal takeovers of Internet corporate banking accounts are, Mr. Johnson replied:

“Well, I think that the threat is very large. I think that the threat is not only a large one from the standpoint of the number of cases — which the FBI continues to observe are increasing for them. But I think the biggest risk that we face here, as it relates to the corporate account takeover, is the damage it does to the reputation of financial institutions and financial institutions’ customers, and the damage it does potentially to the relationship between our customers and our financial institutions. Because I do believe at the end of the day this is all about shared responsibility. Both financial institutions as well as financial institution customers do have a responsibility to have skin in the game to protect accounts, and I think that it is only through that active partnership that they were able really to address the current threat.”

Another Company Sues Their Bank Over Internet Losses From Malware and Cyber Criminals

Tuesday, June 8th, 2010

Patco, a Sanford, Maine-based construction company, had its corporate bank account taken over by cyber criminals last May, resulting in unauthorized funds transfers of over $588,000. The funds were sent to dozens of money mules throughout the country, who then forwarded the funds overseas.

Patco has sued their bank, Ocean Bank of Portsmouth, NH, for failing to detect and prevent the fraudulent losses.

It’s most likely that Patco computers got infected by the Zeus banking trojan malware, or some other similar crimeware. This allowed the criminals to sniff the usernames and passwords of the employees at Patco who did their corporate online banking. The criminals then logged in to Patco’s accounts and initiated over half a million dollars in fraudulent funds transfers.

Patco is arguing that the bank did not take reasonable precautions. The bank is arguing that their systems were secure, and that the computers of Patco employees were infected with malware, resulting in the losses.

UK Information Commissioner’s Office Warns Organizations To Prevent Mistakes, As Data Losses Exceed 1,000 Events

Wednesday, June 2nd, 2010

The United Kingdom’s Information Commissioner’s Office has warned organisations that they need to minimise the risk of mistakes, as the number of reported data breaches exceeds 1,000.

An ICO report revealed that 254 breaches were as a result of information being disclosed in error, 307 were as a result of stolen data or hardware and 233 due to lost data or hardware.

David Smith, deputy commissioner at the ICO, said: “We all know that mistakes can happen but, the fact is that human error is behind a high proportion of security breaches that have been reported to us. Extra vigilance is required so that people’s personal information does not end up in the wrong hands.

“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it.

“We are keen to work with organisations to prevent breaches happening in the first place and to help ensure that things are put right when they do go wrong.”

Internet Privacy Gains The Attention of Washington

Friday, May 28th, 2010

The chairman of the House Judiciary Committee on Friday asked Google Inc. and Facebook Inc. to cooperate with inquiries into their privacy practices.

Rep. John Conyers Jr. (D-Mich.) said he wants Facebook CEO Mark Zuckerberg to explain Facebook’s privacy practices amid recent changes and consumer and media uproar. Conyers also said that he wants Google to retain the data and records related to the Wi-Fi data that the company’s Google Maps cars collected in recent years.

Conyers said “I want to ensure that privacy concerns are as paramount as creativity to these and all Internet companies, and I look forward to hearing about ways they can ensure this is the case.”

IBM Hands Out Malware Infected USB Drives at AUSCERT Security Conference

Friday, May 21st, 2010

IronKey’s Chief Technology Officer, Gil Spencer, was at the AUSCERT security conference in Australia this week. He was the lucky recipient of a promotional USB flash drive from IBM at the conference.

Today IBM sent out an apology. It seems that the USB flash drives that they handed out were infected with autorun malware. Nice one, IBM.

They should have given out IronKey secure devices. IronKey Enterprise devices have anti-malware software and hardware and firmware protection against autorun USB malware.

USB Worms Top The List of Malware in Q1 2010

Wednesday, May 19th, 2010

According to McAfee’s Q1 Threat Report, malware that is designed to spread onto USB removable storage devices was the most prevalent malware threat in Q1 2010. The number 1 most detected malware variant by McAfee researchers was “Generic! Atr”, followed by a number of password-stealing Trojans and the Autorun Conficker worm.

This should come as no surprise. The ability to infect USB drives, and then spread onto computers on which those drives are used, has become a widely exploited technique in many malware packages. Perhaps the most famous case of such an infection was in late 2008 when such a worm, “Agent.btz”, infected sensitive Department of Defense computers. This led to a lockdown by the DoD of all removable storage devices until they could define a set of technical operating requirements to ensure that malware cannot spread onto and from removable storage devices.

IronKey worked with the Department of Defense, National Security Agency, and other bureaus to help define these technical requirements. Now these capabilities are available to Enterprise customers of IronKey devices. They include services such as built-in anti-malware scanning, intelligent hardware-based autorun tamper prevention, read-only mode, etc.

EFF Panopticlick Profiles Your Browser and Finds Unique Ways to Identify You

Tuesday, May 18th, 2010

I just tried the Electronic Frontier Foundation (EFF.org)’s new browser fingerprinting website, Panopticlick.eff.org. It is a webpage that collects data from your web browser, and creates a new type of device fingerprint. It compares it to a database of all other devices that have visited the web page, and then tells you how unique your browser fingerprint is. Almost 1 million people have visited the website.

Concerningly, I visited with my Safari browser on a Mac. The web page says that my browser is uniquely identified out of 909,639 tested so far. My browser has a fingerprint that conveys at least 19.79 bits of identifying information.

It appears that the fingerprint includes the list of browser plug-ins that are installed into your browser, as well as which fonts are being used by your browser, your timezone, screensize, etc. This is new information for fingerprinting a device, as typical fingerprinting has included IP addresses, browser type, language, computer platform, cookies, etc.

What this means is that device fingerprinting can be used to identify individual users across websites, independent of traditional tracking such as web browser cookies and flash cookies.

The EFF gives some recommendations for avoiding browser profiling-based tracking. The prime way to do this is to make your browser look similar to everyone else’s browsers.
1. Use a “standard” widely used browser with “standard” computer settings.
2. Disable JavaScript, and consider using a JavaScript blocking tool like NoScript.
3. Use TorButton to spoof your browser’s identification string to websites.
4. Use the “private browsing” features of your web browser.
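
The arithmetic behind the "bits of identifying information" figure, and the reason a "standard" configuration helps, can be shown with a short added example (not code from the EFF or from this post). The browser population below is constructed for illustration; only the 909,639 figure comes from the post.

```python
import math

# Attribute names follow the post: browser type, plug-ins, fonts, timezone, screen size.
ATTRS = ("user_agent", "plugins", "fonts", "timezone", "screen")

# Constructed sample population (not Panopticlick data): four identical
# "standard" browsers plus four with less common settings.
STANDARD = ("Firefox/3.6 Windows", "flash,java", "default", "UTC-5", "1280x1024")
MAC_VISITOR = ("Safari/4 Mac", "flash,quicktime", "default+custom", "UTC-8", "1440x900")
POPULATION = [STANDARD] * 4 + [
    ("Firefox/3.6 Windows", "flash", "default", "UTC-5", "1024x768"),
    MAC_VISITOR,
    ("Safari/4 Mac", "flash,quicktime", "default", "UTC-8", "1280x800"),
    ("IE/8 Windows", "flash,java", "default", "UTC+0", "1280x1024"),
]


def bits_for_one_in(n):
    """Identifying information, in bits, of a fingerprint seen in 1 of n browsers."""
    return math.log2(n)


def fingerprint_report(population, visitor):
    """Per-attribute and whole-fingerprint surprisal for a visitor in the population."""
    total = len(population)
    per_attr = {}
    for i, name in enumerate(ATTRS):
        matches = sum(1 for browser in population if browser[i] == visitor[i])
        per_attr[name] = round(math.log2(total / matches), 2)
    # The anonymity set is every browser with an identical full fingerprint.
    same = sum(1 for browser in population if browser == visitor)
    return {
        "per_attribute_bits": per_attr,
        "anonymity_set": same,
        "combined_bits": round(math.log2(total / same), 2),
    }


if __name__ == "__main__":
    print(round(bits_for_one_in(909639), 2))            # figure quoted in the post
    print(fingerprint_report(POPULATION, MAC_VISITOR))  # unique: anonymity set of 1
    print(fingerprint_report(POPULATION, STANDARD))     # blends in: anonymity set of 4
```

Per-attribute bits do not simply add up, because attributes such as platform, plug-ins and fonts are correlated; the size of the anonymity set for the full fingerprint is the number that matters.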

“Avalanche” Cyber Crime Gang Abuses Domain Name Registrations for Phishing and Malware Attacks

Saturday, May 15th, 2010

A new report was released by the Anti-Phishing Working Group at the Sao Paulo, Brazil “Counter Electronic-Crime Operations Summit”.

The report is titled “Global Phishing Survey: Trends and Domain Name Use 2H2009”. It is focused on an analysis of domain name registrar abuse, and how fraudulently registered domain names are used to operate phishing scams as well as malware and crimeware distribution.

In the second half of 2009, the “Avalanche” cyber crime gang appears to have been responsible for two-thirds of all phishing attacks launched, and for the overall increase in phishing attacks recorded across the Internet.

The Avalanche gang appears to be a group, perhaps largely of the same people, that has taken over from the notorious “Rock” phishing gang. The Rock phishers were the most prevalent online crime gang in the 2007-2008 period. They invented technology to automate phishing, spam and malware attacks by coordinating the compromise, operation and cleanup of thousands of servers across the Internet. The Rock phishing gang invented the “Fast Flux” technique of rotating phishing and malware sites across a given domain name, but on hundreds of servers, so that takedown of these sites was extremely difficult, and only having a domain registrar or registry suspend the domain could guarantee a takedown. This approach effectively defeated blacklisting techniques for protecting users from visiting known phishing and malware distribution sites.

The Avalanche gang appears to have taken the approach to a new level. They continue to use large numbers of domains, and they use subdomain hosting services. But they are now using botnets, running on computers of consumers who do not realize that their computers are infected, and are in fact being used at night time by cyber criminals to perform their evil tasks.

The Avalanche gang is not only using this massive infrastructure for phishing, but they have also been using it to distribute malware and crimeware, notably the Zeus banking trojan.

Read all the details of the report here.
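
From a defender's side, the "one domain name, hundreds of servers" pattern of Fast Flux described above can be spotted in resolver logs. The following is an added example, not taken from the APWG report: the log entries, the thresholds and the use of a /16 prefix as a stand-in for "different network" are all assumptions, and the short-TTL criterion is a commonly observed trait of fast flux that the post itself does not mention.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver-log sample: (domain, answer IP, TTL in seconds).
# Names and addresses are invented for the example.
OBSERVATIONS = [
    ("secure-update.example", "10.1.4.20", 180),
    ("secure-update.example", "10.7.9.3", 180),
    ("secure-update.example", "10.22.0.91", 180),
    ("secure-update.example", "10.35.8.14", 180),
    ("secure-update.example", "10.48.2.77", 180),
    ("secure-update.example", "10.63.5.6", 180),
    ("www.shop.example", "10.200.1.10", 3600),
    ("www.shop.example", "10.200.1.11", 3600),
    ("static.cdn.example", "10.90.0.1", 60),
    ("static.cdn.example", "10.90.0.2", 60),
    ("static.cdn.example", "10.90.1.3", 60),
    ("static.cdn.example", "10.91.0.4", 60),
    ("static.cdn.example", "10.91.0.5", 60),
]


def summarize(observations):
    """Return {domain: (distinct IPs, distinct /16 networks, lowest TTL seen)}."""
    ips, nets, ttl = defaultdict(set), defaultdict(set), {}
    for domain, ip, seconds in observations:
        ips[domain].add(ip)
        # A /16 prefix stands in for "hosting network"; real tooling would map IPs to ASNs.
        nets[domain].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        ttl[domain] = min(seconds, ttl.get(domain, seconds))
    return {d: (len(ips[d]), len(nets[d]), ttl[d]) for d in ips}


def suspicious_domains(observations, min_ips=5, min_networks=4, max_ttl=300):
    """Flag domains answered by many hosts on many unrelated networks with short TTLs."""
    flagged = []
    for domain, (n_ips, n_nets, min_ttl) in summarize(observations).items():
        # Requiring network diversity keeps ordinary load-balanced or CDN-hosted
        # names, which also rotate addresses, from being flagged on IP count alone.
        if n_ips >= min_ips and n_nets >= min_networks and min_ttl <= max_ttl:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(summarize(OBSERVATIONS))
    print(suspicious_domains(OBSERVATIONS))
```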