Pierluigi Paganini April 10, 2013

In various articles I wrote on the large diffusion of botnets and the capabilities of malicious agents to use as spread channel the social media platforms or popular applications.

The diffusion and management of a botnet architecture has never been so easy, the underground offer covers every need and provides advanced customization services.

Security expert Dancho Danchev has recently reported that the diffusion of malicious structures is increasing and that the proceeds related their use, such as stolen accounting data on a mass scale, are considered a commodity that’s being offered by virtually all participants in the cybercrime ecosystem.

Every day users access to their email box, run every kind of application from different platforms and communicate using most popular chat and VOIP … they daily do all this operation in most of cases ignoring security fundamentals and criminals know it.

We all know what happen when the user is a victim of a hack on his email account or if his social network profile is compromised, but do you really know what could happen if hackers can gather access to your Skype account?

Various the hypothesis proposed by Danchev such as:

• Use Skype credit for personal purposes.
• Use the account as a channel to spread malicious links or infected files.
• Use accounting data for successive TDoS (Telephony Denial of Service) services.

What is really concerning is that all these operations are simply executable by any cyber criminal due the large diffusion of DIY tools, in particular in this case in the underground is already available a nice tool dedicated to the popular Skype.

The criminals factory is providing ring flooder dedicated to Skype providing for the product also training material and a small amount of credit to start to work, all the package at the cost of 490 rubles ($15.67).

In execution the flooder search for Skype instances and once detected them it starts dialing any given number within a particular range, the application is very simple and not support multiple account neither gives the possibility to anonymize the communication using a proxy.

The offer in the underground on Skype does not end here, recently a DIY SMS flooder has been offered on hacking forums for $20, following a simple screenshot of the advertised DIY Skype SMS flooding tool:

Using the DIY tool attacker can send SMS messages to numbers in Russia, Ukraine, and Azerbaijan taking advantage of the fact that every Skype account with a positive balance can send SMS messages.

To start the attacks hackers just need to authenticate themselves using a stolen Skype account, then the tool will automatically start using the account’s balance and flood the victim’s cell phone number with multiple messages. Current tool is not yet optimized because it uses only one Skype account, however the authors are working to a new release that will support for multiple Skype accounts at any time with obvious consequences.

We have also said that using Skype is possible to conduct malicious campaigns on a large scale to infect its users, last week Dmitry Bestuzhev, a Kaspersky Lab Expert,  published an interesting article that described a malware in circulation that is using Skype as a vector to spread its code to infect machines with a primary purpose to mine Bitcoins.

The malicious campaign is really recent, the researchers  detected a variant of malware that used the popular Skype VOIP client to send messages to the users suggesting them to click on a malicious link to see a picture of themselves online.

Despite the campaign started a few days ago thousands of victims have been already infected clicking on the malicious link proposed through Skype, Kaspersky estimated around 2000 clicks per hour.  It’s not the first time that Skype is used to spread malware, in the last week the same research Bestuzhev  detected another malware from Venezuela using the same techniques for different purpose.

The last scenario to explain is related to the use of accounting data for successive TDoS (Telephony Denial of Service) services, Ring-based DIAL (Digitally Initiated Abuse of teLephones) attacks are becoming very common such as the SMS-based DoS (Denial of Service) attacks, it’s natural that criminal community is starting to focus its offer on a product that can easily automatize them.

What is a TDoS?

During the last weeks security experts have witnessed a surge in number of TDoS attacks (telephony denial of service) attacks against Emergency call centers, Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued an alert on the malicious events and the need to prevent it deploying proper countermeasures.

The attackers hit public-safety answering points (PSAP), also known as “public-safety access point”, or rather call centers responsible for answering calls to an emergency telephone number like police or firefighting. This type of attack is very dangerous because having direct impact on crucial operations.

The alert is high, ambulance and hospital communication lines, public entities and private business are considered privileged targets exposed to major risks. Principal motivation behind this type of attacks is the extortion according US authorities. Following the typical scheme of an attack described by DHS and the FBI:

1.    An individual calls, claiming to represent a payday loan collections company.
2.    The caller typically has a strong accent and asks to speak with a current or former employee about an outstanding debt.
3.    The caller demands payment of $5,000 because an employee (who no longer works for the company or never did) defaulted on a loan.
4.    When the target fails to cough up the money, the attacker launches a TDoS.
5.    The organization is then inundated with a continuous stream of calls for an unspecified but lengthy period of time.
6.    Phone service is disrupted, preventing incoming and/or outgoing calls.

The agencies have offered these recommendations for targeted organizations:

• Don’t pay the blackmail.
• Report all attacks to the FBI by logging onto the website www.ic3.gov. Use the keyword “TDoS” in your report title. Identify your organizations as a public safety answering point (PSAP) or Public Safety organization.
• List as many details as possible, including:
  • Calls logs from the “collection” call and TDoS
  • Time, date, originating phone number and traffic characteristics
  • Call-back number to the “collections” company or requesting organization
  • Method of payment and account number where the “collection” company requests the debt to be paid
  • Any information that you can obtain about the caller, or his/her organization
• Contact your telephone service provider; they may be able to assist by blocking portions of the attack.

All these cases show great interest of cyber criminals in the possibility to interfere with communication channels such as VOIP or telephone lines, the attacks are mainly motivated by the intent to monetize the attack with extortion scheme, menacing the company to paralyze it blocking all critical communication channels.

The future could reserve nasty surprises, hackers don’t need specific skills to paralyze a company or hit a public services … we must be prepared!

(Security Affairs – Cybercrime)