Meet Bluetana, the Scourge of Pump Skimmers

Krebs on Security

“ Bluetana ,” a new mobile app that looks for Bluetooth-based payment card skimmers hidden inside gas pumps, is helping police and state employees more rapidly and accurately locate compromised fuel stations across the nation, a study released this week suggests.

Meet the World’s Biggest ‘Bulletproof’ Hoster

Krebs on Security

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows is a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

Image: Intel 471.

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS. After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly for domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, a major Pacific port city in Russia close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements on a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster … ).
-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks).
There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and on various cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from cyber intelligence firm Intel 471 labeled Yalishanda as one of the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel 471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime. Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveals that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport. That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishanda,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (the passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago. His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States). That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions, i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackers — Vladimir Drinkman and Alexandr Kalinin — in a cybercrime spree the government called the largest known data breach at the time. According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite its citizens, which is what U.S. authorities have requested in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men who formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwaters said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks. Prior to that takedown, Passwaters said, somehow an individual connected to Avalanche who went by the nickname “Sosweet” got a tip about an impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwaters said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses? Here we come full circle to the academic report mentioned briefly at the top of this story: the answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not yet have permission to publish it. The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers.

The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

Zoom Fixes Flaw Opening Meetings to Hackers

Threatpost

Zoom has patched a flaw that could have allowed attackers to guess a meeting ID and enter a meeting.

Zoom Fixes Flaw That Could Allow Strangers Into Meetings

Data Breach Today

Check Point Guessed Valid Meeting IDs, Allowing for Snooping
Conferencing service provider Zoom has fixed a vulnerability that - under certain conditions - could have allowed an uninvited third party to guess a meeting ID and join a conference call.

Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings

Threatpost

The flaw could allow a remote, unauthenticated attacker to enter a password-protected video conference meeting.

Meet Perficient’s Chief Strategists: Mike Porter

Perficient Data & Analytics

Mike Porter, CRM and Data Chief Strategist, has more than 21 years of experience helping clients define data strategies and build CRM solutions that meet their present and future needs. Thrilling our clients with innovation and impact – it’s not just rhetoric.

Meet Perficient’s Chief Strategists: Arvind Murali

Perficient Data & Analytics

By focusing on the business outcomes, we can build and implement data solutions that are broad enough to meet clients’ current needs and nimble enough to scale for future iterations. These questions define our approach to creating data governance solutions that meet clients’ specific goals.

Meet DoppelPaymer, BitPaymer's Ransomware Lookalike

Dark Reading

New ransomware variant DoppelPaymer was leveraged in campaigns against the City of Edcouch, Texas, and the Chilean Ministry of Agriculture

Meet Perficient’s Chief Strategists: Bill Busch

Perficient Data & Analytics

Thrilling our clients with innovation and impact – it’s not just rhetoric. This belief is instrumental for our clients’ success. In 2018 we introduced our Chief Strategists, who provide vision and leadership to help our clients remain competitive.

Feds, Tech Giants Meet to Coordinate 2020 Election Security

Data Breach Today

Facebook, Google, Microsoft and Twitter Discuss Information Sharing, Coordination
Representatives from the U.S.

Coffee Meets Bagel dating app confirms data breach

Security Affairs

The week closes with the news of another embarrassing data breach: Coffee Meets Bagel confirmed a hack on Valentine’s Day. The dating app Coffee Meets Bagel confirmed that hackers breached its systems on Valentine’s Day and may have obtained access to users’ account data. Coffee Meets Bagel learned of the incident on Feb. […] million Coffee Meets Bagel accounts (673 MB of data) were offered for sale.

The next step in AI-based meeting management

DXC Technology

Microsoft this spring has been rolling out intelligent features in Outlook designed to make work meetings both easier to schedule and more productive. The new features appear in Outlook’s email application and calendar. It seems like a pretty good marriage of artificial intelligence (AI) and enterprise productivity needs — and done in a way that […].

Intelligent Authentication Market Grows to Meet Demand

Dark Reading

Confidence in user identity is critical to prevent fraud and theft, and companies are looking for new ways to get the necessary assurance

Making meetings work for you and your project

DXC Technology

I can remember very clearly the worst meeting I was ever involved in. A “flagship” municipal project with the potential to bring world admiration to a city. This new project needed new IT systems. So 44 of us sat in a room together — architects, engineers, program and project managers, business analysts, change managers, release […].

#DevDay: Where modernization meets realization

Micro Focus

Introduction to the Micro Focus #DevDay 2020 series #DevDay has been running for more than five years and across more than 50 locations. So what’s new for 2020? Paula Barker, Field Marketing Manager for Application Modernization, gives us a sneak preview.

MY TAKE: CASBs help companies meet ‘shared responsibility’ for complex, rising cloud risks

The Last Watchdog

We met at Black Hat 2019 and had a wide ranging discussion about the complex challenges companies face meeting their end of the security burden, while using cloud services. It is a positive development that CASBs arose — and can be expected to continue innovating to help companies meet this challenge. Cloud Access Security Brokers – aka “caz-bees” — have come a long way in a short time.

Meet Team Hanzo: Matthew Stringer on Making a Difference

Hanzo Learning Center

For this Meet Team Hanzo spotlight, I talked with Matthew Stringer, from the Hanzo Service Delivery team.

News from The Sedona Conference Working Group 6 Annual Meeting

Hanzo Learning Center

This past week, I had the privilege of participating in The Sedona Conference Working Group 6 (WG6) Annual Meeting in New York as a dialogue leader. This year’s meeting covered a wide gamut of cross-border discovery and privacy issues.

Coffee Meets Bagel Dating App Warns Users of Breach

Threatpost

The dating site said users' names and email addresses that were added to the system prior to May 2018 may be impacted.

Meet Team Hanzo: Evan Gumz—He’s Ready to Make the Next Legal Rockstar

Hanzo Learning Center

Sitting down with Evan Gumz is calming. You get the sense that you’re in good hands. He’s thoughtful, he listens, and he knows what it takes to help customers be wildly successful.

A vulnerability in Zoom platform allowed miscreants to join Zoom meetings

Security Affairs

A vulnerability in the Zoom online meeting system could be exploited to join meetings and view all content shared by participants.

Meet Team Hanzo: Bess Spencer, Application Engineer Extraordinaire

Hanzo Learning Center

How does the saying go? You can’t shoot for the moon if you don’t reach for the stars? At Hanzo, we hold these aspirations near and dear to our hearts.

Meet Team Hanzo: Dan Spaide, Hanzo Partner Manager, The Practical Guy who Focuses on Solutions

Hanzo Learning Center

This month I had the distinct pleasure to interview Dan Spaide. It’s fitting that such a nice family guy lives near the city of brotherly love, and he brings that concern for community to the work he does for Hanzo.

Cisco Webex flaw allows unauthenticated remote attackers to join private meetings

Security Affairs

Cisco addressed a vulnerability in Cisco Webex that could be exploited by a remote, unauthenticated attacker to join a protected video conference meeting. The vulnerability affects Cisco Webex Meetings Suite sites and Cisco Meetings Online sites for versions earlier than 39.11.5 (for

Hackers Could Use Smart Displays to Spy on Meetings

WIRED Threat Level

By exploiting flaws in popular video conferencing hardware from DTEN, attackers can monitor audio, capture slides—and take full control of devices.

Thoughts on the 2019 Sedona Conference Annual Meeting

Zapproved

Meet LockerGoga, the Ransomware Crippling Industrial Firms

WIRED Threat Level

The new strain of malware represents a dangerous combination of aggressive disruption and high-stakes targets.

Meet Team Hanzo: Kristin Oberhaus — Drumming up Enthusiasm For Everything from Slack Legal Hold to the Ohio State Buckeyes

Hanzo Learning Center

Getting to know Kristin is like making a friend in college. She's a great partner in business who analyzes problems and brings thoughtful reflection to every challenge.

Meet Team Hanzo: Emily Whetter, Software Engineer Who’s Got Groove

Hanzo Learning Center

Can you feel the beat? Hanzo’s Software Engineer Emily Whetter thrives at a fast pace and leads a software team that is creating innovative solutions for legal professionals to leverage the internet as a frontier for discovery.

Ransomware Meets 'Grey's Anatomy'

Dark Reading

Fictional Grey Sloan Memorial Hospital is locked out of its electronic medical records, but in the real world, healthcare organizations face even greater risks

When Encryption Meets Flash Arrays

Thales eSecurity

Fortunately, meeting the customer requirements is possible using a key sharing paradigm, but it requires close collaboration between the application and storage array vendors.

IFLA WLIC 2020 - Satellite Meetings

CILIP

In addition to the week-long WLIC, many IFLA Professional Units will hold satellite meetings before or after the Congress and these will be geographically limited to various venues throughout Ireland, Northern Ireland, England, Scotland and Wales. Satellite meetings allow IFLA’s

Meet Team Hanzo: Aidan Randle - Conde, Data Scientist and Puzzle Master

Hanzo Learning Center

Look out Will Shortz, there is a new type of puzzle master on the scene. Although, the puzzle master I interviewed is not developing crosswords for the New York Times or to confound even the most astute puzzle aficionados on NPR’s Sunday Puzzle.

Meet 5 Women Shaping Microsoft's Security Strategy

Dark Reading

Profiles of some of the women currently leading Microsoft security operations - and their efforts to drive inclusivity

US officials meet UK peers to remark the urgency to ban Huawei 5G tech

Security Affairs

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain ahead of the final decision on Huawei 5G technology, in an attempt to convince the U.K. […].

Regulatory Update: NAIC Fall 2019 National Meeting

Data Matters

The National Association of Insurance Commissioners (the NAIC) held its Fall 2019 National Meeting (Fall Meeting) in Austin, Texas, from December 7 to 10, 2019. The Fall Meeting was highlighted by the following activities. The Annuity Suitability (A) Working Group and the Life Insurance and Annuities (A) Committee are expected to meet before the end of 2019 to finalize the proposed revisions in their entirety.
