Megaupload Server Purge Delayed

Wednesday, February 1, 2012

A scheduled purging of Megaupload’s data was tentatively shelved Tuesday to give its millions of account holders an opportunity to attempt to retrieve their content from the file-sharing service whose top officials were indicted on criminal copyright charges.

The authorities shuttered the Hong Kong-based site Jan. 19, and indicted seven of its top officials in what the Justice Department said was “among the largest criminal copyright cases ever brought by the United States.”

As part of its prosecution, the government had copied an undisclosed amount of data from Megaupload’s servers in the United States.

The entire contents of Megaupload were set to be purged later this week by Carpathia and Cogent, two of Megaupload’s U.S.-based server hosts. The United States has frozen Megaupload’s assets, and the company has been unable to pay its hosting bill, said Ira Rothken, Megaupload’s attorney.

Rothken said in a telephone interview he is negotiating with the government to unfreeze Megaupload assets to keep Megaupload’s servers active so the company can “deliver consumer data back to consumers.” He said the two companies have agreed not to purge data for at least two weeks.

The Electronic Frontier Foundation said Tuesday it would assist those attempting to retrieve their data, but could not promise results to the estimated 150 million account holders.

Julie Samuels, an EFF attorney, said in a telephone interview it was unclear what data the authorities copied from Megaupload’s servers, and said it was too early to say what access the authorities have to data uploaded by individual account holders.

Jay Prabhu, chief of the Justice Department’s Cybercrime Unit, said in a court filing that search warrants authorized the government to seize “selected data.”

Megaupload’s terms of service inform account holders that they “have no proprietary interest in any of the files on Megaupload’s servers” and that “Megaupload can terminate site operations without prior notice.”

The government said the site facilitated copyright infringement of movies “often before their theatrical release, music, television programs, electronic books, and business and entertainment software on a massive scale.” The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

A five-count indictment from the Eastern District of Virginia was unsealed two weeks ago, when the Justice Department said it seized 18 domains in all connected to Megaupload. The agency said it executed more than 20 search warrants in the United States and eight countries, seizing $50 million in assets.

Megaupload, which often charges its 150 million registered members for its file-sharing service, was on the recording and movie industries’ most-hated lists, often being accused of facilitating wanton infringement of their members’ copyrights. The indictment claims it induced users to upload copyrighted works for others to download, and that it often failed to comply with removal notices from rights holders under the Digital Millennium Copyright Act.

According to the indictment, the defendants generated revenue through subscriptions and online advertising. Subscriptions cost as “little as a few dollars a day” or $260 per lifetime. The indictment claimed the site took in $150 million in subscription fees overall and $25 million in advertising over a five-year period.

The indicted include:

* Kim Dotcom, 37, of New Zealand and Hong Kong, Megaupload founder.
* Finn Batato, 38, of Germany, chief marketing officer.
* Julius Bencko, 35, of Slovakia, graphic designer.
* Sven Echternach, 39, of Germany, head of business development.
* Mathias Ortmann, 40, of Germany and Hong Kong, chief technical officer, co-founder and director.
* Andrus Nomm, 32, of Turkey and Estonia, software programmer.
* Bram van der Kolk, aka Bramos, 29, of the Netherlands and New Zealand, programmer.

Dotcom, van der Kolk, Batato and Ortmann all were denied bail last week in Auckland, New Zealand, where they were arrested. The government is seeking to extradite them to the United States. The others remain at large.


Cridex Trojan breaks CAPTCHA, targets Facebook, Twitter users

A variant of a banking Trojan known as Cridex can communicate with a CAPTCHA-breaking server in order to establish malicious email accounts. Researchers at Websense Security Labs posted a video documenting how Cridex broke a CAPTCHA test and opened a Yahoo email account in six attempts.

The Cridex network grows as it infects new machines via malicious emails. The emails contain links to a BlackHole exploit kit, which attacks vulnerabilities in Web browsers and plug-ins. If successful, the kit downloads Cridex onto the machine.

Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user, according to the Websense Security Labs blog.

Cridex targets information from platforms like Facebook, Twitter and several online banking services. That data is then sent to a remote server.

Finally, it uses the infected machine to grow the size of the bot.

According to Websense, the Trojan opens Web sessions to online mail services and registers new email accounts that are later used by the bot to send spam/malicious emails.

Cridex cannot run without a successful attack by the Black Hole exploit kit. Machines with updated Web browsers and applications, as well as the latest antivirus software, should be protected, Websense said.


Carder Forced Gang Members to Have Sex to Weed Out Undercover Feds

The mastermind of a carding gang in Georgia devised a novel way for weeding out undercover Feds from his operation – he forced members to have group sex, according to a local police detective who helped bust the ring.

Vikas Yadav, an Indian national who was deported in 2010, recruited other carders and mules through sado-masochism web sites, forcing would-be accomplices to have group sex with other men and women while Yadav videotaped them, according to the Athens Banner-Herald.

“Anyone who wanted in with [Yadav] would have to have three-way sex, either with other men or women, but Vikas had to be involved and he would record it all and save the recordings so he could watch it on his big flatscreen TV,” Athens-Clarke police Detective Beverly Russell recently revealed to the paper.

Authorities say a TV in his upscale Athens, Georgia, bedroom was rigged to a pair of hard drives capable of holding 12 trillion bytes of memory.

Three of his main conspirators – Dashun McQuiller, Shaun Grittner, and Dwight Riddick, a former New York City police officer – were sentenced in federal court this month.

Yadav’s descent into crime had a steep fall. He initially came to the U.S. to earn a master’s degree at the University of Georgia’s College of Pharmacy, which he did in 2004, but he was expelled from a doctoral program in 2005 after he was caught plagiarizing.

He subsequently went to work at a liquor store, where his crime spree began. Authorities say he installed a recording device on the store’s card reader to capture account numbers and PINs and would then encode the information onto blank cards to withdraw cash from accounts or purchase flat-screen TVs and other big ticket items that were then re-sold for cash.

“He had dealers lined up who placed orders for specific items, like 50 to 60 flatscreen TVs of a certain size and brand,” Russell told the paper. “It’s not like he sent people randomly to go to the store. He had shopping lists with items already lined up to buy.”

Yadav was arrested in August 2008 outside a WalMart in Mississippi, according to a court document, after the store manager called police about a suspicious transaction and provided the license number of an Enterprise rental van. When police pulled the van over, they found a stack of credit and gift cards on the car’s dashboard with Yadav’s name on them and a duffel bag containing a laptop and accessories for encoding data onto blank cards. The van was filled with multiple televisions, Wii game consoles and other electronics.

Back in Georgia, authorities were aided in their investigation when a rental truck arrived at Yadav’s home at the same time police were searching for his address. The truck, driven by accomplice Riddick, was crammed with newly purchased TVs.

The Athens paper describes Yadav’s crime ring as a multi-million-dollar operation, but it appears he was never charged with most of his crimes. Court records show proceedings for him only on a limited number of charges in Mississippi, with losses amounting to only about $30,000. The documents don’t mention Yadav’s bizarre work requirement for accomplices, but according to the Athens paper, Detective Russell learned about it from Yadav’s accomplices.

Threat Level could not reach Detective Russell for comment.

Riddick pleaded guilty to interstate transportation of stolen property and was sentenced to two years of probation. McQuiller and Grittner pleaded guilty to conspiracy to defraud, and were sentenced to 30 months and 10 months in prison, respectively.

Yadav pleaded guilty in Mississippi to access device fraud and was sentenced to one year in prison. According to the Athens paper, he was deported.


New Mobile-Phone Privacy Law Proposed

Tuesday, January 31, 2012

Rep. Edward Markey (D-Massachusetts) unveiled draft legislation Monday requiring mobile-phone carriers to reveal if they are employing tracking software such as Carrier IQ.

“Consumers have the right to know and to say ‘no’ to the presence of software on their mobile devices that can collect and transmit their personal and sensitive information,” Markey said in The Hill.

Under the Mobile Device Privacy Act, consumers would have to consent to data from their phones being sent to third parties, like Carrier IQ in Mountain View, California.

Carrier IQ has said that its software was secretly installed on some 150 million phones. It conceded that it has the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

Carrier IQ said that the data it vacuums to its servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, Carrier IQ said, it is not logging every keystroke, as a prominent critic suggested.

The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided to carriers to enhance the “user experience,” Carrier IQ said.

Carrier IQ came under intense scrutiny last month after a Connecticut-based Android developer posted a YouTube video showing the software has enormous access to usage information, and claiming that it logs a user’s every keystroke.

Sprint recently announced that it is dropping Carrier IQ, as did Apple. T-Mobile and AT&T also employ it. Verizon does not.


Phoenix Exploit Kit responsible for mass WordPress compromises

The Phoenix Exploit Kit, a popular crimeware kit that provides subscription-based updates to attackers, is believed to be at the heart of a mass compromise of hundreds of WordPress websites.

According to researchers at M86 Security, at least 400 compromised sites based on WordPress 3.2.1 were redirected to malicious pages set up by the Phoenix crimeware kit. According to M86, the attacker uploaded an HTML page to the standard uploads folder redirecting users to the exploit kit.

Phoenix, which has been used by attackers since at least 2007, delivers a customized exploit Web page based on the user’s browser and operating system. The malicious code can scan a victim’s software for vulnerabilities and then exploit multiple flaws in Adobe Flash, Java, and Internet Explorer. The attack is successful because Phoenix has the ability to easily bypass URL reputation mechanisms and other security technologies, said Daniel Chechik, a senior researcher with M86 Security labs.

The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine, Chechik wrote in the company’s blog.

A Phoenix phishing attack designed to lure victims into browsing to the malicious pages was detected by security vendor Websense.

The exploit page, according to M86, is hosted by a Russian domain.
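A defender's check for the pattern M86 describes (an HTML page dropped into the WordPress uploads folder that redirects visitors), as an added example that is not from M86 or the original article. The extension list, the redirect heuristics and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions that should not appear in a media-only uploads tree (assumed list).
SUSPECT_EXT = {".html", ".htm", ".php", ".js"}

# Redirect heuristics (assumed; not M86's signatures).
PATTERNS = {
    "meta-refresh": re.compile(rb"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),
    "js-location": re.compile(
        rb"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I),
    "iframe": re.compile(rb"<iframe\b[^>]*\bsrc\s*=", re.I),
}

def scan_uploads(root):
    """Return sorted (relative path, matched heuristic names) for suspect files.

    Every markup/script file is reported, even with no redirect match, because
    its presence in an uploads folder is already worth a look.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # a redirect stub fits in the first 1 MiB
            hits = [label for label, rx in PATTERNS.items() if rx.search(data)]
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, hits))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temp dir and scan it."""
    samples = {  # constructed sample files, not taken from the incident
        "2012/01/photo.jpg": b"\xff\xd8\xff\xe0 not a real image",
        "2012/01/notes.htm": b"<html><body>plain text</body></html>",
        "2012/01/update.html": b'<meta http-equiv="refresh" content="0;url=http://redirect.example/">',
        "2012/02/go.html": b'<script>window.location.href="http://redirect.example/x";</script>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_uploads(root)
```

On a real site, point `scan_uploads` at the `wp-content/uploads` directory and review every path it returns, including those with an empty match list.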

Google Chrome users in the clear

Crimeware toolkits are a very popular way for people to conduct attacks without a lot of technical knowledge. M86 reported on the Siberia Exploit Kit, which was updated in 2010 to automate the process of making alternative variants of malware to dupe antivirus technologies. Users of Microsoft Internet Explorer commonly fall victim to the attacks, according to an analysis of a browser automated exploit kit called Eleonore.

Phoenix attacks Internet Explorer and Firefox users. M86 said users of Google Chrome were not targeted in this specific attack.

