News Archive February 2014

2014 Tax Filing Season Ushers in Fraud Opportunities


The 2014 tax filing season opened on January 31st, and if you haven’t filed your taxes yet, now may be a good time to get started...unless, of course, you want any potential refund you may receive stolen by fraudsters “kind enough” to file on your behalf. According to a report filed by the Treasury Inspector General’s office last year, the Internal Revenue Service issued almost $4 billion in fraudulent tax refunds in 2012 alone. In most of these cases, personal information was stolen by identity thieves who then filed bogus tax returns on behalf of unsuspecting victims and had the refunds sent via direct deposit or paper check to an address other than that of the victim. Many of the refunds reported as fraudulent last year were over $5,000, offering cyber criminals an easy way to make some serious cash each year before disappearing back into the criminal underworld. For this reason, the IRS has taken additional security measures this year in the hope of preventing some of this fraudulent activity.

The result so far has been delayed refund disbursements for legitimate tax refunds and growing frustration from many people who depend on their tax refund as an integral part of their annual income.

Like so many other identity-centric scams, the information required by fraudsters to file a fake tax return is readily available at a variety of underground websites.

The packages for sale are commonly referred to as “fullz”, meaning the purchase includes the victim’s first name, middle name, last name, email address, physical address, phone number, date of birth and Social Security number. Many of the sites selling this information also provide tips to their customers in the hope of maximizing fraudulent tax refunds. For example, one such site, recently profiled, recommends that customers search by address to find information about spouses and children, as these additional items on a tax return often lead to substantially larger refunds. A few months ago, this blog profiled a company owned by Experian that was involved in selling information about millions of Americans to hxxp://Superget.info.

This site is one of the largest “fullz” suppliers in the world and currently has information on millions of people available with only a few mouse clicks. It’s important to note that once a fraudulent tax return has been filed on your behalf, it can be difficult to correct the information. Any refund you are rightfully entitled to could be postponed for months or even years while the IRS investigates the matter. For some, this could represent a significant financial hardship.

Also don’t forget that a criminal with all your personal information could easily create credit accounts using this same information - increasing the chances of financial burden even further.

If you are concerned that you may be the victim of identity theft outside the tax system, you are encouraged to contact the IRS Identity Protection Specialized Unit so the IRS can take action to secure your tax information from potential fraudsters. A combination of specialized PINs and IRS Form 14039 (requiring photo identification with any tax return) is usually enough to protect your tax refund from criminals who rely increasingly on this relatively easy scam to make big profits.


A Look Inside BlackPOS


Point of Sale malware is nothing new, but BlackPOS may represent one of the most advanced versions of POS-specific malware to date. BlackPOS, for those unfamiliar with the term, is the malware variant responsible for the loss of over 40 million credit card numbers used in Target stores across the country during the holiday shopping season. It is also suspected in many of the other retail attacks reported as of late including Neiman Marcus and most recently, White Lodging (a franchise operating hotels under the Marriott, Hilton, Sheraton and Westin brands). Shortly after the Target breach was first announced, an anonymous user uploaded a copy of BlackPOS to a malware scanning service operated by Symantec. Although the copy was quickly removed from the site and later from Google’s cache servers, security experts have gotten a good look at this complex piece of malware and now better understand how it was able to go undetected for so long. BlackPOS was first introduced into Target’s systems in November of last year. Alarmingly, over 40 different malware scanning utilities found nothing threatening about BlackPOS.

Clearly, the software was specifically designed to avoid detection and run in a custom environment. Although it is still unclear exactly how the malware was introduced into the system, many experts feel that it was embedded within a software update to Target’s front end computer systems. BlackPOS is available for sale via numerous underground hacking websites. The file is only 207 kilobytes and can be purchased for between $1,800 and $2,300 depending on what options are selected.

The program is specifically designed to breach firewall software and works by recording the credit and debit card information of every card processed through an infected terminal.

One thing that makes BlackPOS unique (and dangerous) is that it has been specifically designed by its author (sometimes known as Antikiller in hacking forums) to run in POS systems used by most major retailers in the United States.


This means Antikiller has access to at least one of these systems which he used to develop and debug the BlackPOS code. A Russian computer security group claims that another variant of BlackPOS has been used to breach major US banks including Chase, Capital One and Citibank among others. Although there is limited information about who Antikiller really is at this time, evidence points to the hacker’s association with a large group of Russian and Ukrainian men responsible for numerous cybercrime activities including large scale DDoS attacks and protests launched in conjunction with another well-known hacking group (Anonymous).

While it is still unclear how many businesses have been affected by BlackPOS at this time, it appears the malware has been used since at least January 2013 to perpetrate multiple breaches around the country.

Despite having a better understanding of the malware, security experts are still unsure of exactly how to combat such a specialized threat at this time. It is very likely that additional breaches will be reported before retailers finally get a handle on BlackPOS and its many variants.


Belkin Smart Home Technology Vulnerable to Attack


Smart home technology has become increasingly popular and is expected to gain a significant market share in 2014. With its increased popularity, however, this technology has garnered the attention of hackers around the world looking to capitalize on a new technology trend. Belkin is a respected technology company best known for home and small business networking equipment. More recently, the company has introduced an entire line of smart home technology devices under the brand name WeMo. The most popular of these WeMo devices is an outlet that can be controlled by a smart phone anywhere in the world.

Belkin’s other claim to fame in the home automation market is that their products can be used to build custom smart home solutions that add Internet connectivity to nearly any device including sprinkler systems, antennas and thermostats. IOActive, an Internet security firm, recently released a report advising that over 500,000 Belkin WeMo devices are susceptible to widespread attacks from anywhere in the world due to several vulnerabilities that allow hackers to access home networks and remotely controlled appliances connected to WeMo devices.

At first glance, it may seem like a hacked WeMo device would be nothing more than a simple prank, but more dangerous implications (such as the potential of starting a house fire) are also possible.

The vulnerability report also demonstrates that hackers could potentially perform malicious firmware updates and even gain access to other devices including laptops and smartphones. Even more alarming is the fact that at least two of these vulnerabilities allow hackers to spoof Belkin’s encryption keys and cloud services.

Hackers could theoretically push malicious firmware updates and capture session credentials simultaneously as a direct result of these vulnerabilities. As a result of the report released by IOActive, Belkin has corrected five potential vulnerabilities affecting the WeMo line of home automation products. These patches were issued via in-app notifications and updates for both Apple’s App Store and the Google Play Store. Another update was issued late last year that prevents XML injection attacks from gaining access to other connected WeMo devices. More recently, Belkin added SSL encryption validation to the product’s firmware distribution feed, thus eliminating the storage of signed keys on the physical device while also password protecting the serial port interface.

Belkin claims that users with the most recent firmware release (currently version 3949) are protected from the reported vulnerabilities; however, users with older versions of the firmware are susceptible to a multitude of potential threats until downloading new firmware via either Apple’s App Store or the Google Play Store.

Despite Belkin’s claims that many of these vulnerabilities have been fixed, the report from IOActive recommends that users of WeMo products suspend usage and disconnect devices from the Internet until these issues have been properly addressed. If that seems too extreme, at least consider removing WeMo products from potentially dangerous appliances such as stoves until better security measures have been implemented by Belkin in its popular line of home automation products.


Linksys Routers under Attack


Linksys, a popular home and small business router manufacturer, has a new threat to worry about as a self-replicating program known as “The Moon” exploits a vulnerability in the company’s E-Series product line. The worm was uncovered and reported on Wednesday by the Internet Storm Center (ISC) after it was noted that many popular Linksys E1000 and E1200 routers were scanning random IP address ranges on ports 80 and 8080. The Internet Storm Center researchers were able to capture the malware responsible for the scanning activity after intentionally leaving a test system vulnerable to attack. The premise of The Moon is to exploit known vulnerabilities in the aforementioned Linksys routers and then use these routers to scan for other vulnerable devices.

Although it appears that the E1000 and E1200 models are the most popular models affected by this latest threat, ISC stated that other Linksys routers may also be affected by The Moon including: E320, E3000, E2500, E2100L, E2000, E1550, E1500, E900. ISC has been unable to confirm vulnerabilities in these routers; however, many of these products share the same firmware as E1000 and E1200 so it is highly probable that customers using any of this equipment could also be affected.

This new worm has been named The Moon because it contains the logo of Lunar Industries (a fictional company from a 2009 movie entitled “The Moon”).

The malware operates by requesting a Home Network Administration Protocol (HNAP) URL from any devices behind discovered IP addresses. For those unfamiliar with the term, HNAP was developed by Cisco and enables the identification, configuration and management of networking devices from within the router firmware. The HNAP request is used by The Moon to identify the router’s model number and firmware version before determining if that device is vulnerable to infection. Once a vulnerable router is discovered, the malware sends another request using a specific CGI script allowing for execution of local commands on the Linksys router.

ISC did not disclose the particular CGI script used, as it contains an authentication bypass vulnerability that could be further exploited if publicly documented. Since the request does not require authentication, The Moon is able to send random administrative credentials to the router that are not checked by the CGI script (basically allowing for a brute force hacking situation). Other than attempting to locate other potentially vulnerable routers, it is unclear what the purpose of The Moon is at this time. Some of the research uncovered by ISC indicates the existence of a command-and-control server, essentially turning the routers into a botnet that could be controlled remotely from anywhere in the world.
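The two observable indicators described above, inbound HNAP fingerprinting requests from the Internet and a router suddenly contacting many unrelated hosts on ports 80 and 8080, can be checked against a router's own logs. The following is an added defender-side example, not code from the page or from ISC; it assumes /HNAP1/ as the conventional HNAP endpoint, a home LAN of 192.168.1.0/24, and constructed access-log and flow-log lines in a common shape.

```python
"""Flag The Moon's two visible indicators in constructed sample logs (added example)."""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN

# Constructed web-access-log lines as a router's admin interface might record them.
ACCESS_LOG = """\
203.0.113.7 - - [13/Feb/2014:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 200 1532
192.168.1.20 - - [13/Feb/2014:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 4032
198.51.100.9 - - [13/Feb/2014:10:07:10 +0000] "GET /HNAP1/ HTTP/1.1" 200 1532
192.168.1.20 - - [13/Feb/2014:10:08:00 +0000] "GET /HNAP1/ HTTP/1.1" 200 1532
"""

# Constructed outbound flow lines from the router's WAN side: "src dst dport".
FLOW_LOG = """\
192.168.1.1 198.51.100.23 80
192.168.1.1 198.51.100.77 8080
192.168.1.1 203.0.113.150 80
192.168.1.1 203.0.113.201 8080
192.168.1.1 192.0.2.44 80
192.168.1.20 93.184.216.34 443
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def hnap_probes_from_wan(log_text, lan=LAN):
    """Return (src_ip, timestamp) for HNAP requests not originating on the LAN.
    The worm reads model and firmware version from this endpoint, so an
    Internet-side request for it is a fingerprinting attempt worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, ts, _method, path, _status = m.groups()
        if path.upper().startswith("/HNAP1") and ipaddress.ip_address(src) not in lan:
            hits.append((src, ts))
    return hits

def scanning_hosts(flow_text, ports=(80, 8080), threshold=4):
    """Return LAN hosts that reached >= threshold distinct external IPs on the scan ports;
    a router itself appearing here matches the behaviour ISC first noticed."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, dport = line.split()
        if int(dport) in ports and ipaddress.ip_address(dst) not in LAN:
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= threshold)

if __name__ == "__main__":
    print(hnap_probes_from_wan(ACCESS_LOG))
    print(scanning_hosts(FLOW_LOG))
```

The threshold of four distinct targets is a constructed value for the sample; on real flow data it should be tuned against the router's normal outbound traffic.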

While Linksys is aware of the vulnerability in some of its E-Series routers, no firmware updates have been issued at this time.

If you currently use one of these Linksys routers at your home or business, the only way to protect yourself at this time is to change the port of the router's web administration interface to something other than 80 or 8080, as The Moon will not be able to recognize a vulnerable router on any other port. That said, it would be relatively easy for the developers of The Moon to remove this shortcoming in the future, but hopefully Linksys will provide a firmware patch ahead of any modified malware code.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
