Friday, June 7, 2013

NSA collecting phone records of millions of US citizens daily


Phone records data
The U.S. NSA is collecting phone records of millions of Verizon Communications customers, according to a secret court order obtained by the Guardian.

The U.S. NSA is collecting the phone records of millions of customers of Verizon, the second-largest telephone company in the country. The shocking news was revealed by the Guardian, whose journalists had access to a “Top Secret” court order, signed by Judge Roger Vinson and issued in April against Verizon.

The order obliges Verizon to deliver a daily list of calls, “both within the Member States and between the United States and other countries.”

The order, issued by the U.S. Foreign Intelligence Surveillance Court, directs Verizon’s Business Network Services Inc and Verizon Business Services units to hand over electronic data, including all calling records, on an “ongoing, daily basis” until the order expires on July 19, 2013. Curiously, the order also forbids disclosure of its own existence.

The order reveals an ongoing, massive collection of the communications records of millions of Americans; each citizen’s records are collected regardless of whether he or she is suspected of any crime. It must be considered that the order covers every phone number dialed by every Verizon customer, including location and routing data and the duration and frequency of the calls, but not the contents of the communications.

NSA is collecting phone records of millions

The revelation is embarrassing for the Obama administration. So far the authorities and law enforcement have not commented on the news, but a source close to the judiciary has confirmed the authenticity of the order.

A spokesman for the National Security Agency announced:

“We will respond as soon as we can.”

The news is causing a great stir; it should be remembered that the US Government has already been severely criticized for many other legislative proposals that violate citizens’ privacy.

“That’s not the society we’ve built in the United States,” commented Kurt Opsahl, an attorney at the Electronic Frontier Foundation. “It’s not the society we set forth in the Constitution, and it’s not the society we should have.”

The order is a demonstration of the advanced surveillance conducted by the US Government, which began under the administration of President George W. Bush.

AT&T Inc, the biggest telephone company in the US, did not comment when asked whether the government had made a similar request for its data.

It can be expected that other providers have been reached by similar court orders.

The business behind a cashout service for cybercriminals


cashout service

Brian Krebs has recently published an interesting post on his KrebsOnSecurity blog about the way cyber criminals cash out their money through a dedicated cashout service. The conversion of ill-gotten gains into cash, the “cashout”, is considered the most risky part of a cybercrime, since it exposes crooks to law enforcement investigation.

Krebs introduces a new cashout service for ransomware authors that offers money laundering by abusing a legitimate Web site that allows betting on dog and horse races in the United States. Ransomware is a category of malware that restricts access to the resources of the system it infects and demands a ransom, paid to the author of the malicious code, to remove the restriction. The cashout service also employs a free CAPTCHA service from Microsoft to protect itself from abuse.

The most complex malicious codes encrypt files on the victim’s hard drive, while others simply lock the system and display messages requesting payment. Cyber criminals provide victims with detailed instructions to pay the ransom using prepaid cards such as MoneyPak or PaySafe and to provide evidence of the transaction.

The principal problem relates to the conversion of the extorted money: criminals have to spend it in shops that accept these methods of payment, they have to manage a large number of transactions daily, and often they are not located where the fraud is committed.

The post describes an original ransomware cashout service hosted in Belarus that supports crooks in this articulated and risky phase. The service checks the balances of the MoneyPak codes sent by victims as proof of payment, verifying them by abusing a legitimate feature of betamerica.com, a site for betting on dog and horse races in the US. The same service also cashes out PaySafe cards from Mexico for a quarter of the value of their balances.

The operations team at Betamerica.com is aware of these abuses and has already tried to block the account used to check the MoneyPak voucher codes, in any case preventing it from placing any bet so that it cannot be used to launder money.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” explained an operator at betamerica.com.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”

The cashout process described by Krebs involves the following parties:

The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.
The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.
The guy(s) running this cashout service.
The “cashiers” or “cashers” on the back end who are taking the Moneypak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.

cashout service MoneyPak

The business dimension

The cashout service is very expensive: the fee requested from the ransomware author is more than half of the value of the MoneyPaks, and the service manager justifies such a high cost with the decreasing infection rate of exploits.

Analyzing the list of checks made on MoneyPak vouchers, it appears that a large number of requests are generated by a scammer who is extorting around $300 from each victim. Around 24,000 MoneyPak codes appear to have been checked, which could indicate that the cashout service has processed more than $7 million coming from ransom victims.

Cashout MoneyPak vouchers

This figure should lead us to a deeper reflection on the criminal proceeds industry, and in particular on this kind of malware. The situation is worrying because, in addition to an increase in this type of crime, we should bear in mind that most incidents are not even reported, for fear of legal retaliation for downloading pirated or pornographic content.

Facebook Zeus malware targeting bank accounts


Facebook Zeus

Principal security firms have detected a new variant of the Facebook Zeus malware that exploits the popular social network to target users’ bank accounts. A Facebook Zeus malware variant (aka ZeuS/ZBOT) has been detected by principal security firms, confirming the longevity of the malicious code and the ability of cybercrime to customize it according to its needs. Symantec was one of the first companies to detect the Facebook Zeus virus and its capability to drain users’ bank accounts; the malicious code uses phishing messages as its method of propagation. A compromised account is used to automatically send messages to its contacts with links to ads, usually for a video or a product. The new Facebook Zeus instance is able to infect only Windows users; there is no news of a variant that targets Linux or Mac OS X systems.

The Facebook Zeus malware appears very complex: it is able to replace a bank’s Web page with a fake one used to capture social security numbers and other information from victims. Once again, cyber criminals don’t use the collected credentials directly but resell them on the black market within a Fraud-as-a-Service (FaaS) model.

How does Facebook Zeus steal victims’ credentials?

ZBOT connects to a remote site to download its encrypted configuration file, which contains the following information:

Site where an updated copy of itself can be downloaded
List of websites to be monitored
Site where it will send the stolen data
Facebook Zeus communication with the C&C server

“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system,” reports a Trend Micro post.

Facebook Zeus statistics

According to Trend Micro, the pages are being hosted by the Russian criminal gang known as the Russian Business Network. Although Facebook is aware of the diffusion of the Facebook Zeus malware, so far it appears not to have taken any clamorous countermeasures. Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE), declared that he has tried to warn Facebook about the diffusion of the cyber threat. I contacted Mr Feinberg requesting more information on the event and he told me:

“The best way to describe how we uncovered the Zeus malware is as follows. I observed that the Russian Business Network had created fake Facebook profiles that posted .tk links to websites selling counterfeit merchandise. The .tk links caught my attention; when I did a URL query of these .tk links, the URL query report listed them as likely hostile and from the Russian Business Network. I turned the links over to a colleague who identified the Zeus botnet.”

The majority of the victims of the Facebook Zeus malware are located in the USA and the UK; other cases are registered all over the world, including India, Russia and South Africa.

The resurrection of the Facebook Zeus variant is not surprising: the cybercriminal underground never stops making a profit from old cyber threats, and this prolific business grows daily in the underground.