Showing posts with label The Darkness. Show all posts

Saturday, May 14, 2016

Carding Sites Turn to the "Dark Cloud"


Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes. In this post, we'll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops.

I first became aware of this botnet, which I've been referring to as the "Dark Cloud" for want of a better term, after hearing from Noah Dunker, director of security labs at Kansas City-based vendor RiskAnalytics. Dunker reached out after watching a YouTube video I posted that featured some existing and historic credit card fraud sites. He asked what I knew about one of the carding sites in the video: A fraud shop called "Uncle Sam," whose home page pictures a pointing Uncle Sam saying "I want YOU to swipe."

The Uncle Sam carding shop is one of a half-dozen that reside on a Dark Cloud criminal hosting environment.

I confessed that I knew little of this shop other than its existence, and asked why he was so interested in this particular crime store. Dunker showed me how the Uncle Sam card shop and at least four others were hosted by the same Dark Cloud, and how the system changed the Internet address of each Web site roughly every three minutes. The entire robot network, or "botnet," consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said.

Dunker urged me not to take his word for it, but to check for myself the domain name server (DNS) settings of the Uncle Sam shop every few minutes. DNS acts as a kind of Internet white pages, by translating Web site names to numeric addresses that are easier for computers to navigate. The way this so-called "fast-flux" botnet works is that it automatically updates the DNS records of each site hosted in the Dark Cloud every few minutes, randomly shuffling the Internet address of every site on the network from one compromised machine to another in a bid to frustrate those who might try to take the sites offline.

Sure enough, a simple script was all it took to find a few dozen Internet addresses assigned to the Uncle Sam shop over just 20 minutes of running the script. When I let the DNS lookup script run overnight, it came back with more than 1,000 unique addresses to which the site had been moved during the 12 or so hours I let it run. According to Dunker, the vast majority of those Internet addresses (> 80 percent) tie back to home Internet connections in Ukraine, with the rest in Russia and Romania.
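The kind of check described above can be reduced to two measurements over repeated lookups of one hostname: how many distinct addresses appear in total, and how much each answer differs from the one before it. The following is an added example, not the author's script; the function names, the thresholds and the sample answers (built from documentation address ranges) are assumptions.

```python
"""Fast-flux heuristic over repeated DNS lookups of one hostname (added example)."""
import socket
from dataclasses import dataclass

@dataclass
class FluxReport:
    polls: int
    unique_ips: int
    unique_prefixes: int   # distinct /16 networks, a rough proxy for network spread
    turnover: float        # mean share of each answer that was absent from the previous poll
    suspicious: bool

def resolve(host):
    """One live lookup: the set of IPv4 addresses the local resolver returns right now."""
    return set(socket.gethostbyname_ex(host)[2])

def analyze(observations, min_ips=10, min_turnover=0.5):
    """observations: list of sets of IPv4 strings, one set per poll, in time order.
    The thresholds are illustrative assumptions, not values from the article."""
    seen, churn, prev = set(), [], None
    for answer in observations:
        if prev is not None and answer:
            churn.append(len(answer - prev) / len(answer))
        seen |= answer
        prev = answer
    turnover = sum(churn) / len(churn) if churn else 0.0
    prefixes = {".".join(ip.split(".")[:2]) for ip in seen}
    # Both conditions are required: a small round-robin pool also rotates its
    # answers, but it never accumulates many distinct addresses.
    suspicious = len(seen) >= min_ips and turnover >= min_turnover
    return FluxReport(len(observations), len(seen), len(prefixes), turnover, suspicious)

# Constructed sample data, one answer set per poll (not real observations).
FLUXY = [{f"203.0.113.{i}", f"198.51.100.{i}"} for i in range(1, 9)]
STABLE = [{"192.0.2.10", "192.0.2.11"}] * 8
ROUND_ROBIN = [{"192.0.2.1", "192.0.2.2"}, {"192.0.2.3", "192.0.2.4"}] * 4

if __name__ == "__main__":
    for name, obs in [("fluxy", FLUXY), ("stable", STABLE), ("round-robin", ROUND_ROBIN)]:
        print(name, analyze(obs))
```

For live use, `resolve()` would be called at a fixed interval and each returned set appended to the list passed to `analyze()`.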

Mr. Bin, another carding shop hosted on the dark cloud service. A "bin" is the "bank identification number" or the first six digits on a card, and it's mainly how fraudsters search for stolen cards.

"Right now there's probably over 2,000 infected endpoints that are mostly broadband subscribers in Eastern Europe, enslaved as part of this botnet," Dunker said. "It's a highly functional network, and it feels kind of like a black market version of Amazon Web Services. Some of the systems appear to be used for sending spam and some are for big dynamic scaled content delivery."

Dunker said that historic DNS records indicate that this botnet has been in operation for at least the past year, but that there are signs it was up and running as early as Summer 2014.

Wayne Crowder, director of threat intelligence for RiskAnalytics, said the botnet appears to be a network structure set up to push different crimeware, including ransomware, click fraud tools, banking Trojans and spam.

Crowder said the Windows-based malware that powers the botnet assigns infected hosts different roles, depending on the victim machine's strengths or weaknesses: More powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a "reverse proxy," which lets the attackers control the system remotely.

"Once it's infected, it phones home and gets a role assigned to it," Crowder said. "That may be to continue sending spam, host a reverse proxy, or run a DNS server. It kind of depends on what capabilities it has."

Popeye, another carding site hosted on the criminal cloud network.

Indeed, this network does feel rather spammy. In my book Spam Nation, I detailed how the largest spam affiliate program on the planet at the time used a similar fast-flux network of compromised systems to host its network of pill sites that were being promoted in the junk email. Many of the domains used in those spam campaigns were two- and three-word domains that appeared to be randomly created for use in malware and spam distribution.

"We're seeing two English words separated by a dash," Dunker said of the hundreds of hostnames found on the dark cloud network that do not appear to be used for carding shops. "It's a very spammy naming convention."

It's unclear whether this botnet is being used by more than one individual or group. The variety of crimeware campaigns that RiskAnalytics has tracked operating through the network suggests that it may be rented out to multiple different cybercrooks. Still, other clues suggest the whole thing may have been orchestrated by the same gang.

For example, nearly all of the carding sites hosted on the dark cloud network (including Uncle Sam, Scrooge McDuck, Mr. Bin, Try2Swipe, Popeye, and Royaldumps) share the same or very similar site designs. All of them say that customers can look up available cards for sale at the site, but that purchasing the cards requires first contacting the proprietor of the shops directly via instant message.

All six of these shops, and only these six, are advertised prominently on the cybercrime forum prvtzone[dot]su. It is unclear whether this forum is run or frequented by the people who run this botnet, but the forum does heavily steer members interested in carding toward these six carding services. It's unclear why, but Prvtzone has a Google Analytics tracking ID (UA-65055767) embedded in the HTML source of its page that may hold clues about the proprietors of this crime forum.

The dumps section of the cybercrime forum Prvtzone advertises all six of the carding domains found on the fast-flux network.

Dunker says he's convinced it's one group that occasionally rents out the infrastructure to other criminals.

"At this point, I'm positive that there's one overarching organized crime operation driving this whole thing," Dunker said. "But they do appear to be leasing parts of it out to others."

Dunker and Crowder say they hope to release an initial report on their findings about the botnet sometime next week, but that for now the rabbit hole appears to go quite deep with this crime machine. For instance, there are several sites hosted on the network that appear to be clones of real businesses selling expensive farm equipment in Europe, and multiple sites report that these are fake companies looking to scam the unwary.

"There are a lot of questions that this research poses that we'd like to be able to answer," Crowder said.

For now, I'd invite anyone interested to feel free to contribute to the research. This text file contains a historic record of domains I found that are or were at one time tied to the 40 or so Internet addresses I found in my initial, brief DNS scans of this network. Here's a larger list of some 1,024 addresses that came up when I ran the scan for about 12 hours.

If you liked this story, check out this piece about another carding forum called Joker's Stash, which also uses a unique communications system to keep itself online and reachable to all comers.

Tags: dark cloud, Mr. Bin, Noah Dunker, Popeye, prvtzone, RiskAnalytics, Royaldumps, Scrooge McDuck, Try2Swipe, Uncle Sam, Wayne Crowder

Source: http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/


The Dark History Behind Eurovision's Ukraine Entry

Source: http://time.com/4329061/eurovision-jamala-russian-ukraine-crimea/


Friday, May 13, 2016

The Dark Mirror: Zender's Winterreise review - Ian Bostridge is impeccable despite prosaic staging


As tenor Ian Bostridge has himself chronicled, his relationship with the most famous of all song cycles stretches back through his entire career as a singer. As well as performing Schubert's Die Winterreise many times in concert, he has sung it in stage dramatisations, and even written a book about his enduring fascination with it. Until now, though, Bostridge had not performed the most celebrated 20th-century reworking of the cycle, by the composer Hans Zender for tenor and ensemble, which over the last 20 years has established its own place in the repertoire.

For the Barbican performances of the Zender version (in which Bostridge is partnered by the Britten Sinfonia, conducted by Baldur Brönnimann) there is a theatrical staging too, devised by director Netia Jones, but which proves to be more of a distraction than anything else. After Jones's previous stagings of operas such as Oliver Knussen's double bill and Unsuk Chin's Alice in Wonderland, her treatment of Winterreise seems disappointingly prosaic and neutral. There are the predictable video images of figures wandering through snowy landscapes, and moody closeups of Bostridge as that conflicted traveller, while the singer himself is got up in evening dress, as if he has stepped straight out of a 1920s German expressionist film, or is the louche MC of a Weimar republic cabaret. The sense of the cycle as a musical and emotional journey is hardly suggested at all.

Related: Ian Bostridge on Zender's Dark Mirror: Schubert's Winterreise

Certainly the visual commentary on the songs is nothing like as powerful and revealing as the musical one represented by Zender's reworking, with its pungent scoring from an ensemble that includes guitar, accordion and tuned percussion, realised with great presence by the Britten Sinfonia instrumentalists, so that Schubert's originals seem to be refracted through the whole subsequent history of German Lieder. At the centre of it, too, is Bostridge's impeccably coloured performance, his articulation of every morsel of the text utterly lucid, even when, in Zender's version, it has to be spoken or delivered as Sprechgesang. His concept of what the cycle encompasses is projected as clearly as it always is.

  • At the Barbican, London, until 14 May. Box office: 020-7638 8891.

Source: http://www.theguardian.com/music/2016/may/13/the-dark-mirror-zenders-winterreise-review-ian-bostridge-barbican-london
