Attacks/Breaches
8/12/2013
11:12 AM

Cyber Criminals Find New Online Currency Service

Since the Justice Department shut down digital currency service Liberty Reserve, a new cyber underground payment standard has emerged.

How are hackers moving money in the wake of U.S. authorities taking down online currency service Liberty Reserve?

After a temporary lull in online payment activity, cybercriminals have increasingly been turning to a service known as Perfect Money, said Idan Aharoni, the head of cyber intelligence at EMC Corp's RSA security division. "We expected a large migration to another e-currency, and that has happened," Aharoni told Reuters on Friday.

Together with shutting down the Liberty Reserve site in May, the Department of Justice charged seven employees of the Costa Rica-based operation with having facilitated $6 billion in money laundering. As part of that takedown, U.S. authorities also filed a civil action against 35 exchanger websites related to Liberty Reserve, seeking that their domain names be forfeited.

Those efforts lead to the inevitable question of how the service's existing 1 million worldwide users might next move money without leaving a trail.


Last week, an unnamed source told TechWeekEurope that multiple carder forums -- marketplaces for buying and selling stolen credit card information -- have adopted Perfect Money as their new default payment method. Other carder sites, meanwhile, have also reportedly added Perfect Money -- as well as WebMoney, also known as WMZ -- as new payment options. Still, based on chatter on underground cybercrime forums, some hackers' requests to join Perfect Money have recently been rejected on the grounds that their "type of activity is not welcome."

Could Perfect Money be actively trying to avoid the ire of U.S. banking regulators and law enforcement agencies and thus the fate suffered by Liberty Reserve? The service issued a customer advisory on June 15, warning that "all accounts that belong to U.S. citizens/residents/U.S. companies will be disabled on 1st of July." On that date, those accounts were set to be frozen, and no more transactions would be allowed. "Please do not postpone taking action to withdraw your balance," it said.

Closing out an account wouldn't be cheap, with Perfect Money charging a fixed $100 fee, plus 3% of the amount withdrawn. In addition, while the service promises a 4% annual interest rate on balances, it also charges fees for internal transfers (0.5%), wire transfer deposits (1.5% and up) and wire transfer withdrawals (4%).

On the upside, the online payment service offers more robust security than the average bank, including optional one-time codes sent via SMS -- each of which costs a customer $0.10 to generate -- for logging in. The service also records the IP address used to set up an account. Every time someone attempts to access a particular Perfect Money account from an IP address that's not on file, the service emails a one-time access code to the account holder's verified email address, which must be entered into the website before the transaction can proceed.

But who runs Perfect Money, and to which banking regulators might the service be answerable? That's not clear. According to some news reports, the service is based in Panama. But that country's financial regulators have said that Perfect Money has no registered offices in the country.

More clues: The service is customized for use in 20 different languages -- but says it provides customer support only in English -- and the website has been registered using Iceland's top-level domain name. The website also lists a mailing address in Hong Kong, but no phone number or email address. A query made via the website, requesting information on where the service is based, as well as what steps it's taken to avoid being targeted by U.S. financial regulators, wasn't returned.

To what extent would an e-currency service be responsible for policing its customers? Seth Ginsberg, a lawyer for former Liberty Reserve principal Mark Marmilev -- who's pleaded not guilty to money laundering charges -- said that e-currency providers shouldn't be punished because some people use the services to disguise illicit activities.

"It's my understanding that Liberty Reserve was designed to compete with mainstream financial providers. The fact that it may have been misused by various customers should not reflect on the company," Ginsberg told Reuters. Indeed, the BBC reported that many legitimate users outside the United States simply viewed Liberty Reserve as a cheaper alternative to PayPal. For example, the service offered instant transfers, and a maximum service fee of $2.99 per transaction.

"There is a legitimate need for alternatives to the mainstream financial market, so the fact that there's another company out there filling the void left by Liberty Reserve is not surprising," Ginsberg said.

For comparison purposes, in December the Department of Justice slapped British multinational bank HSBC with a record $1.9 billion fine for its "blatant failure" to implement money-laundering controls, which resulted in terrorists being able to use the bank to move money. Aside from that fine being levied, however, no arrests were made.
