Is FBI spying on Irish iPhone and iPad users?

Identification info on millions of iPhone and iPad users has been leaked to the internet, allegedly from FBI’s computers. Among them are also hundreds of Irish names.

The hacker group Anti-sec, a branch of the Anonymous movement, recently claimed it holds 12 million Apple device IDs (UDIDs), push notification IDs and names of iPhone and iPad users worldwide. There is supposed evidence that the data came from an FBI computer, though the FBI has denied it. Of these 12 million, the hackers have made 1 million available to decrypt and have a look at, which we did. And to our surprise we have found a very large number of very Irish names on the list. While most of those are likely to be American, there is also quite a noticeable presence of Irish-spelled first names such as Daithi, Ciaran or Ciara, Cathal, Padraig or Padraic, etc., which Americans would be unlikely to use, combined with recognisable family names like Haggerty, Doyle, O’Byrne, Murphy, Lafferty, etc.

The information itself could theoretically be used to access iPhone and iPad apps from locations other than the owner’s device, so the damage it can cause depends on the sort of apps a person uses. With some skill, attackers could retrieve the users’ geo-location, access their contact lists, log into their Facebook or Twitter, read their chats, etc.

But even more concerning than the potential abuse of leaked UDIDs is the fact that someone, whether that was the FBI or anyone else, is collecting and storing lists of IDs that should not be public knowledge. Whether Anti-sec got it from the FBI or from other hackers, the fact remains: your name could be on the list, and your Apple device could be compromised without you knowing about it. And if that is the case, then there is definitely reason to be worried.

Since the leak, users worldwide have been scrambling to ascertain whether or not their devices have been compromised. In light of this, a number of sites have since popped up offering the user the ability to check their UDID against the leaked information. We strongly advise against this, as verifying just who is behind any such site and what they do with your UDID once you willingly give it to them is next to impossible.
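The safer alternative to handing your UDID to an unknown website is to check it against a locally saved copy of the published list, so the identifier never leaves your machine. The script below is an added example and is not code from ESET or from the original post; the column layout of the leaked file (UDID first, then push token, device name and device type, comma-separated) is an assumption, as is the constructed two-row sample that stands in for the real download. Only SHA-256 fingerprints of the UDIDs are kept in memory, so the comparison set can be shared or stored without exposing the raw identifiers.

```python
import hashlib
import re

# A UDID is the 40-character hexadecimal identifier Apple assigned to each iOS device.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed excerpt standing in for a locally saved copy of the leaked list.
# Assumed layout (not taken from the page): UDID, push-notification token, device name, device type.
SAMPLE_LEAK = """\
0123456789abcdef0123456789abcdef01234567,APNS-TOKEN-PLACEHOLDER,Example iPhone,iPhone
fedcba9876543210fedcba9876543210fedcba98,APNS-TOKEN-PLACEHOLDER,Example iPad,iPad
"""


def normalize_udid(udid: str) -> str:
    """Lower-case and trim a UDID, rejecting anything that is not 40 hex characters."""
    cleaned = udid.strip().lower()
    if not UDID_RE.match(cleaned):
        raise ValueError("UDID must be exactly 40 hexadecimal characters")
    return cleaned


def udid_fingerprint(udid: str) -> str:
    """SHA-256 of the normalised UDID; the comparison set stores only these, never raw IDs."""
    return hashlib.sha256(normalize_udid(udid).encode("ascii")).hexdigest()


def load_leaked_fingerprints(text: str, delimiter: str = ",") -> set:
    """Parse the first column of each line into a set of fingerprints, skipping malformed rows."""
    fingerprints = set()
    for line in text.splitlines():
        first_field = line.split(delimiter, 1)[0]
        try:
            fingerprints.add(udid_fingerprint(first_field))
        except ValueError:
            continue  # header lines or corrupted rows are ignored rather than aborting the check
    return fingerprints


def is_udid_in_leak(udid: str, fingerprints: set) -> bool:
    """True when the device's UDID appears in the locally held list."""
    return udid_fingerprint(udid) in fingerprints


if __name__ == "__main__":
    leaked = load_leaked_fingerprints(SAMPLE_LEAK)
    # Case and surrounding whitespace are normalised before comparison.
    print(is_udid_in_leak(" 0123456789ABCDEF0123456789abcdef01234567 ", leaked))  # True
    print(is_udid_in_leak("0" * 40, leaked))  # False
```

To run it against the real data, read the downloaded file into `load_leaked_fingerprints` (adjusting `delimiter` if the copy you have is tab-separated) and pass your own device's UDID to `is_udid_in_leak`; nothing is sent anywhere, which is the whole point.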

Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Ciaran McHale
Tech Support Specialist
ESET Ireland


CyberThreats Daily: FBI nabs international “scareware” ring

Internationally coordinated scams have long been a puzzling challenge, but the FBI seems to be making strides in tackling them, in this case scareware. Scareware, the practice of providing fake infection notifications to users’ computers and then offering to sell solutions to problems that don’t exist, has been quite a boon of late for fraudsters. The FBI claims the current bust uncovered a ring which had bilked customers out of an estimated $72 million. Not bad for a little scammer work, very bad for unsuspecting customers.

What is interesting is the manner in which the FBI was able to coordinate the bust with 7 other countries, a none-too-trivial feat. While they were able to seize 22 computers in the U.S., there were also 25 computers in France, Germany, Latvia, Lithuania, the Netherlands, Sweden, and the United Kingdom. The U.S. Justice Department made the announcement, noting that it was a coordinated effort between law enforcement in all the host countries, definitely not a one-man-band.

This follows trends we’ve been noting for some time. Scam operations of all different flavors rely heavily on a globally distributed approach, not a single attack source. This makes law enforcement jump through amazing hoops to try to bring a legally binding prosecution, especially trying to comply with local laws in all the countries that may be involved and not get the case thrown out for a single improper procedure, no trivial task. To add to the difficulty, a complex operation tracked in real time is likely to be dynamic in nature, with resources (and evidence) moving seamlessly from one country to another. This means law enforcement would need incredibly fast response and tracking information to have any prospect of getting to the “smoking keyboard” before it sprints to another country and/or jurisdiction.

Understandably, the investigative techniques aren’t forthcoming, and for good reason: for every one caught there are multiple others they still hope to catch, so we’ll see what the half-life is of their current bag of tricks. As malware and attacks continually morph to avoid detection, the techniques used to pursue their makers must also, keeping law enforcement on its toes. Latvian authorities seized 5 bank accounts believed to be connected to the scam, giving a clue to where the nexus of the operation, which affected an estimated 960,000 victims, may have been.

Cameron Camp
ESET Research Systems Manager

Giving Cold Callers the Cold Shoulder

Yesterday I had a phone call. Well, several, of course, but this was yet another irritating cold call. If you’ve read some of my many blogs on the subject, you might think that it must have been yet another support desk scam, but it wasn’t.

The first question I asked was “who do you represent”: it turned out to be one of many companies in the UK that offers a service to people who feel they may have a claim against a mortgage lender or insurance provider. That’s not really my field, so I find it harder to distinguish between legitimate and less legitimate businesses in that field, and I can’t say that this wasn’t a legitimate call. Except that, like many people in many countries, I’m subscribed to a “do not call” register. In fact, the European Union’s Data Privacy Directive 2002/58/EC requires member states to enact legislation to control cold-calling, using either an opt-in or an opt-out model: for example:

And in the US, there is the National Do Not Call Registry at https://www.donotcall.gov/default.aspx, and an equivalent site for Australians is https://www.donotcall.gov.au/.

Hence my second question: “Are you in the UK?” Unfortunately, the answer was no. And therein lies a problem that goes beyond support scams. The telephone network, like the Internet, isn’t very good at recognizing national boundaries. Which is why I have a couple of rules of thumb when it comes to cold callers (apart from the fact that I don’t expect UK companies to contact me at all, which doesn’t mean it never happens). I don’t talk to cold-callers who withhold caller ID*. And I won’t do business with a company that uses offshore call-centres to avoid do-not-call registers.

*While Spanish telecom providers appear to be pretty relaxed about the extent to which businesses cold-call, at any rate on weekdays and Saturday mornings, there is at least an agreement between most of the major providers that callers are not allowed to withhold the number from which they call. And my colleague Josep Albors tells me that there is, in fact, a Spanish do-not-call list called Robinson’s List, which seems to be well in accordance with the EC directive. See: https://www.listarobinson.es/default.asp. Josep also tells me that the restriction on withholding caller-ID is working very successfully there.

And back in the US, the FCC is upping the penalties for those who spoof Caller ID for malicious purposes in accordance with the Truth in Caller ID Act (hat tip to Aryeh for that info). Not that these measures will impact on offshore scammers, but at least they make my rules of thumb just a little more effective.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

CyberThreats Daily: Win7 machines harder hit by infection as VXers change tactics

Win7 infection rates rose during the second half of 2010 even as malware hit rates on XP machines declined, according to official statistics from Microsoft.

The latest edition of Microsoft’s Security Intelligence Report shows an infection rate of four Win7 PCs per 1,000 in the second half of 2010, up from three Win7 PCs per 1,000 during the first half of 2010. The rise of more than 30 per cent contrasts with a drop of the infection rate, albeit from a much higher starting point, for older and less secure machines running Windows XP. Read more on The Register.

Getting a grip on Flash cookies: Adobe publishes Flash 10.3

Adobe has published version 10.3 of its Flash Player for all platforms. This version finally gives users control of their Flash cookies, but only if one of the currently supported web browsers is used: Firefox 4, Chrome 11, Internet Explorer 8 (or higher) and, soon, Safari. Full article on The H Security.

Magic Lantern: Shining a light on the AV numbers game?

“You don’t hear anything about the FBI’s Magic Lantern spyware – sorry, policeware – for years, and then suddenly it’s all over the place. Media-wise, at any rate: I don’t have any exciting news of an epidemic of electronic surveillance, but there seems to be a lot of interest in Computer and Internet Protocol Address Verifier (CIPAV) again…” writes David Harley, ESET senior research fellow.
