67.4 F
jacksonville,fl
Friday, February 22, 2019

Cyber Security

Home Cyber Security

“Stole $24 Million But Still Can’t Keep a Friend”

0

Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paints a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man — all the while lamenting that his fabulous new wealth brought him nothing but misery.

The unflattering profile was laid out in a series of documents tied to a lawsuit lodged by Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018. Terpin also is pursuing a $200 million civil lawsuit against AT&T in connection with the theft.

Authorities arrested Truglia on November 14, 2018 on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a different Silicon Valley executive. But Terpin’s civil lawsuit (PDF) maintains that evidence was revealed at Truglia’s bail hearing that he had texted his father and multiple friends to brag about the $24 million hack on the day of Terpin’s theft, allegedly offering to take friends to the Super Bowl with “porn star escorts.”

Terpin’s lawsuit includes a large number of supporting documents, including an affidavit filed by Chris David, a 25-year-old New York City resident who claims to have been an acquaintance of Truglia’s until he began to unravel the source of his new friend’s overnight riches.

In his affidavit (PDF), David describes himself as a self-employed private jet broker who met Truglia in a fitness center attached to Truglia’s luxury apartment building. Truglia allegedly struck up a conversation about booking private jets with his cryptocurrency. When the two met again a few days later, David says Truglia showed him accounts on his mobile phone and computer indicating he had over $7 million in cash in a JP Morgan account and more than $12 million in various cryptocurrencies.

“At the same time, Nick showed me two thumb drives (Trezors),” David recounted. “One had over $40 million in cash value of various cryptos, and the other one had over $20 million cash value of various cryptos.”

David said Truglia initially explained his wealth by saying he’d made the money by mining cryptocurrencies, but that Truglia later would admit he stole the funds.

“Over the next few months, Nick and I socialized at nightclubs, local bars, the gym, and in his apartment playing video games,” David recounted. “Gradually, I got to know Nick. He does not have a job or visible means of support. His typical day is to get up late, go to the gym, eat at the deli across the street, play video games late into the night and he had no friends. Nick was an egotistical braggart about his life and wealth. For example, once at a crowded lounge, he said: ‘Chris, I have more money than all of the people here tonight.’”

David started documenting Truglia’s activities after he and several of his friends were arrested for allegedly stealing Truglia’s laptop, mobile phone and Trezor drive. That incident, recounted in this New York Post story  and in David’s own testimony, indicates that Truglia later recanted the accusation and chalked it up to confusion resulting from a heavy night of drinking.

According to David, when Truglia wasn’t bragging about his wealth he was displaying it openly: He lived in a $6,000 per month apartment, wore a Rolex watch which he claimed cost $100,000, and boasted he was going to purchase a $250,000 McLaren sports car. David also said he recorded conversations with Truglia in which the latter admitted to stealing $24 million from Terpin.

David said he even witnessed Truglia attempting a SIM swap at a Times Square AT&T store in August 2018. Here’s David’s account of that hijack effort, which allegedly failed when Truglia declined to pay the target’s overdue phone bill:

The affidavit states that later in the month David took screen shots of a now-defunct Twitter account that Truglia allegedly used (@erupts), which included six different messages about what the theft of $24 million had wrought.

Tweets from the account @erupts, allegedly penned by Nicholas Truglia.

“Stole 24 million but still can’t keep a friend,” reads another tweet allegedly tied to Truglia’s account:

David says Truglia even acknowledged stealing $15,000 after hacking into his own father’s accounts. According to David, Truglia’s dad asked to be repaid, and that his son agreed to return the money — but in bitcoin. In the image below — which David claims was a screenshot he took of a mobile phone chat conversation between Truglia and his father — the elder expresses mystification and frustration about how to complete the transaction.

A screen shot David says he took of an alleged chat conversation between Truglia and his father regarding repayment of $15,000.

In the affidavit, David also testifies that he saw Truglia in possession of a fake New York State driver’s license which had the name and identifying information of a deceased man named Quentin Capobianco, but with Truglia’s photo on the license.

A copy of this phony drivers’ license was documented by investigators with the Regional Enforcement Allied Computer Team, or REACT — a task force in Santa Clara, Calif. that is almost singularly focused on tracking down criminals who use unauthorized SIM swaps to steal virtual currencies (for a deep dive into the workings of the REACT Task Force, see my November 2018 story, Busting SIM Swappers and SIM Swap Myths).

David said he took this photograph of a license Truglia had in his possession; the license includes Truglia’s photograph but the information of a dead man that Truglia allegedly SIM swapped.

That REACT Task Force investigation report (PDF) was included in Terpin’s lawsuit, and it lays out how detectives tied Truglia to SIM swaps that allegedly gave him access to Capobianco’s accounts at Coinbase, a virtual currency trading and purchasing platform.

David testified that despite Truglia’s ill-gotten riches, he was constantly borrowing small amounts of cash and was otherwise tight with his money. Much like David’s testimony, a related memo (PDF) filed by REACT Detective Caleb Tuttle suggests that Truglia was in the process of being evicted from his pricey Manhattan apartment because he refused to pay his rent.

A snippet from a memo filed about Truglia by REACT Task Force Detective Caleb Tuttle.

Truglia is currently being held by Santa Clara authorities on a $1.4 million bond. His next court date is April 10. Neither Truglia nor his attorney could be immediately reached for comment. Members of the REACT Task Force declined to comment for this story.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication. However, many online services let customers reset their password merely by using their mobile phones.

All four major wireless carriers — AT&T, SprintT-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

For more on ways to minimize your chances of becoming the next SIM swapping victim, check out the “What Can You Do?” section at the conclusion of this story.


Tags: , , , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

773M Password ‘Megabreach’ is Years Old

0

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:

The 87GB “Collection1” archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific ne’er-do-well in the underground.

As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.

Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.

Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

“It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).

For most of us, by far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

Your email account may be worth far more than you imagine.

And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes far more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Finally, if you haven’t done so lately, mosey on over to twofactorauth.org and see if you are taking full advantage of multi-factor authentication at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device or security key.


Tags: , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

0

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 

That’s according to Ron Guilmette, a dogged anti-spam researcher. Researching the history and reputation of thousands of Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time received service from GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about a weakness that could be used to hijack email service for 20,000 established domain names at a U.S. based hosting provider. A few months later, Bryant warned that the same technique could be leveraged to send spam from more than 120,000 trusted domains across multiple providers. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”

SAY WHAT?

For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to allow the sending of email with that domain from an Internet address they control.

Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.

“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.

“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”

SPAMMY BEAR

Guilmette has dubbed the criminals responsible as “Spammy Bear” because the majority of the hijacked domains used in the spam campaigns traced back to Internet addresses in Russia.

In the case of Mozilla’s Virtualfirefox.com domain, historic DNS records archived by Farsight Security show that indeed on Dec. 13, 2018 — the very same day that spammers began blasting out their bomb threat demands — the Internet address in the domain’s DNS records at GoDaddy were changed to 194.58.58[.]70, a server in the Russian Federation owned by a hosting company there called Reg.ru.

The record above, indexed by Farsight Security, shows the DNS entries for virtualfirefox.com were changed to allow sending of email from an ISP in Russia on Dec. 13, 2018, the same day spammers used this domain and thousands of others for a mass emailed bomb threat.

In fact, Guilmette found that that at least 3,500 of the commandeered domains traced back to Reg.ru and to a handful of other hosting firms in Russia. The next largest collection of fraudulently altered Internet addresses were assigned to hosting providers in the United States (456), although some of those providers (e.g. Webzilla/WZ Communications) have strong ties to Russia. The full list of Internet providers is available here.

Guilmette’s sleuthing on the 4,000+ domains abused in both 2018 spam campaigns, combined with data from Farsight, suggest the spammers hijacked domains belonging to a staggering number of recognizable corporations who used GoDaddy for DNS, including but not limited to:

Abbott Laboratories; Ancestry.com; AutodeskCapital One; CVS Pharmacy; SSL provider Digicert; Dow Chemical; credit card processors Elavon and Electronic Merchant Systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst CommunicationsHilton InterntionalING Bank; the Massachusetts Institute of Technology (MIT); McDonalds Corp.NBC Universal MediaNRG Energy; Oath, Inc (a.k.a Yahoo + AOL); OracleTesla Motors; Time WarnerUS Bank; US Steel Corp.; National Association; Viacom International; and Walgreens.

In an interview with KrebsOnSecurity, Bryant said the hijacking technique can be a powerful tool in the hands of spammers and scammers, who can use domains associated with these companies not only to get their missives past junk and malware filters, but also to make phishing and malware lures far more believable and effective.

“This is extremely advantageous to attackers because they don’t have to pay any money to set it all up, and there’s a strong reputation attached to the domain they’re sending from,” Bryant said. “A lot of services will flag email from unknown domains as high risk, but the domains being hijacked by these guys have a good history and reputation behind them. This method also probably greatly complicates any sort of investigatory efforts after the spam campaign is over.”

WHAT CAN BE DONE?

Guilmette said managed DNS providers can add an extra layer of validation to DNS change requests, checking to see if a given domain already has DNS servers assigned to the domain before processing the request. Providers could nullify the threat by simply choosing a different pair of DNS servers to assign to the request. The same validation process would work similarly at other managed DNS providers.

“As long as they’re different, that ruins this attack for the spammers,” Guilmette said. “The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull of this hack. All GoDaddy has to do is see if this particularly odd set of circumstances apply in each request.”

Bryant said after he published his initial research in 2016, a number of managed DNS providers mentioned in his blog posts said they’d taken steps to blunt the threat, including Amazon Web Services (AWS), hosting provider Digital Ocean, and Google Cloud. But he suspects this is still a “fairly common” weakness among hosting providers and registrars, and many providers simply aren’t convinced of the need to add this extra precaution.

“A lot of the providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have to fix,” he said. “But it’s clearly still a big problem.”

Update, 10:38 p.m.: An earlier version of this story stated that Guilmette had identified more than 5,000 domains associated with the Spammy Bear campaigns. The true number is closer to 4,000. The discrepancy was my mistake and due to a formatting error in a spreadsheet. Also added text to clarify that not all of the domains were registered through Godaddy, but that all of them at one point at least received managed DNS service from the company.


Tags: , , , , , , , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

How the U.S. Govt. Shutdown Harms Security

0

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come.

One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.”

“The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

The source said his agency can’t even get agents and analysts the higher clearances needed for sensitive cases because everyone who does the clearance processing is furloughed.

“Investigators who are eligible to retire or who simply wish to walk away from their job aren’t retiring or quitting now because they can’t even be processed out due to furlough of the organization’s human resources people,” the source said. “These are criminal investigations involving national security. It’s also a giant distraction and people aren’t as focused.”

The source’s comments echoed some of the points made in a 72-page report (PDF) released this week by the FBI Agents Association, a group that advocates on behalf of active and retired FBI special agents.

“Today we have no funds for making Confidential Human Source payments,” reads a quote from the FBIAA report, attributed to an agent in the FBI’s northeast region. “In my situation, I have two sources that support our national security cyber mission that no longer have funding. They are critical sources providing tripwires and intelligence that protect the United States against our foreign adversaries. The loss in productivity and pertinent intelligence is immeasurable.”

My federal law enforcement source mentioned his agency also was unable to pay confidential informants for their help with ongoing investigations.

“We are having the same problems like not being able to pay informants, no travel, critical case coordination meetings postponed, and no procurements to further the mission,” the source said.

The extended shutdown directly affects more than 800,000 workers, many of them furloughed or required to work without pay. Some federal employees, now missing at least two back-to-back paychecks, are having trouble keeping food on the table. CNN reports that FBI field offices across the country are opening food banks to help support special agents and staff struggling without pay.

An extended lack of pay is forcing many agents to seek side hustles and jobs, despite rules that seek to restrict such activity, according to media reports. Missing multiple paychecks also can force investigators to take on additional debt. This is potentially troublesome because excess debt down the road can lead to problems keeping one’s security clearances.

Excessive debt is a threat to clearances because it can make people more susceptible to being drawn into illegal activities or taking bribes for money, which in turn may leave them vulnerable to extortion. Indeed, this story from Clearancejobs.com observes that the shutdown may be inadvertently creating new recruiting opportunities for foreign intelligence operatives.

“If you are a hostile intelligence service human intelligence (HUMINT) targeting officer you are hoping this situation lasts a long time and has a multitude of unintended consequences affecting the cleared government employee population,” writes Christopher Burgess.

The shutdown may impact government and civilian cybersecurity efforts in other ways. As Brian Fung reported last week at The Washington Post, a rising number of federal Web sites are falling into disrepair, making it harder for Americans to access online services.

“In the past week, the number of outdated Web security certificates held by U.S. government agencies has exploded from about 80 to more than 130, according to Netcraft, an Internet security firm based in Britain,” Fung wrote.

Alex Stamos, former chief security officer at Facebook, said this creates problems for people trying to access key documents at government Web sites because the world’s dominant browser — Google Chrome — heavily discourages users from even visiting sites with expired security certificates.

But Stamos says he’s far more concerned about who’s maintaining, monitoring and safeguarding the countless Internet servers and other government online assets during the shutdown.

“What worries me more is what this indicates for the fact that there’s not standard maintenance going on,” Stamos said in this week’s episode of security journalist Patrick Gray‘s “Risky Business” podcast. “We’ve gone through a Patch Tuesday since the government shut down. Who is actually maintaining the systems, who is sitting in the SOCs [security operations centers], who’s looking at the logs? Even if you have critical cybersecurity people at NSA or Cyber Command working, there’s a lot of importance in having people show up for their jobs.”

U.S. Senate leaders are now planning to hold competing votes on Thursday in a bid to end the shutdown, but a story Wednesday in The New York Times reckons that neither measure is expected to draw the 60 votes required to advance.

“You hear [New England Patriots football coach Bill] Belichick and other coaches constantly preaching about leaving distractions outside the locker room,” said the federal law enforcement source who spoke with this author. “Can’t think of many bigger distractions like not getting paid, damaging credit scores, not being able to pay bills, and losing supplemental insurance. We just wish our national leaders would listen to another Belichick gem: ‘Do Your Job.’”


Tags: , , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

Three Charged for Working With Serial Swatter

0

The U.S. Justice Department has filed criminal charges against three U.S. men accused of swatting, or making hoax reports of bomb threats or murders in a bid to trigger a heavily armed police response to a target’s address. Investigators say the men, aged 19 to 23, all carried out the attacks with the help of Tyler Barriss, a convicted serial swatter whose last stunt in late 2018 cost a Kansas man his life.

Image: FBI.gov

FBI agents on Wednesday arrested Neal Patel, 23, of Des Plaines, Ill. and Tyler Stewart, 19 of Gulf Breeze, Fla. The third defendant, Logan Patten, 19, of Greenwood, Mo., agreed to turn himself in. The men are charged in three separate indictments with conspiracy and conveying false information about the use of explosive devices.

Investigators say Patten, who used the Twitter handle “@spared,” hired Barriss in December 2017 to swat individuals and a high school in Lee’s Summit, Mo.

Around the same time, Stewart, a.k.a. “@tragic” on Twitter, allegedly worked with Barriss to make two phony bomb threats to evacuate a high school in Gurnee, Ill. In that incident, Barriss admitted telling police in Gurnee he had left explosives in a classroom and was high on methamphetamine and was thinking about shooting teachers and students.

Also in December 2017, Patel allegedly worked with Barriss to plan a bomb threat targeting a video game convention in Dallas, Texas. Patel is also accused of using stolen credit cards to buy items of clothing for Barriss.

The Justice Department’s media release on the indictments doesn’t specify which convention Barriss and Patel allegedly swatted, but a Wired story from last year tied Barriss to a similarly timed bomb threat that caused the evacuation of a major Call of Duty tournament at the Dallas Convention Center.

“When the social media star SoaR Ashtronova tweeted about the confusion she felt as she fled the event beneath the whir of police helicopters, Barriss taunted her from one of his Twitter accounts: ‘It got ran, baby girl. Thats what happens,” Wired reported.

Interestingly, it was a dispute over a $1.50 grudge match in a Call of Duty game that would ultimately lead to Barriss’s final — and fatal — swatting. On Dec. 28, 2017, Barriss phoned police in Wichita, Kan. from his location in California, telling them he was a local man who’d just shot his father and was holding other family members hostage.

Prosecutors say Barriss did so after getting in the middle of a dispute between two Call of Duty gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner allegedly asked Barriss to swat Gaskill. But when Gaskill noticed Barriss’ Twitter account suddenly following him online, he tried to deflect the attack. Barriss says Gaskill allegedly dared him to go ahead with the swat, but then gave Barriss an old home address — which was then being occupied by someone else.

When Wichita police responded to the address given by Barriss, they shot and killed 28-year-old Andrew Finch, a father of two who had no party to the dispute and did not know any of the three men.

Both Viner and Gaskill have been charged with wire fraud, conspiracy and obstruction of justice. Barriss pleaded guilty in Nov. 2018 to a total of 51 charges brought by federal prosecutors in Los Angeles, Kansas and Washington, D.C. He has agreed to serve a sentence of between 20 to 25 years in prison. Barriss is slated to be sentenced on March 1, 2019.

Stewart’s attorney declined to comment. Lawyers assigned to Patel and Patten could not be reached for comment.

As the victim of a swatting attack in 2013 and several other unsuccessful attempts, I am pleased to see federal authorities continue to take this crime seriously. According to the FBI, each swatting incident costs emergency responders approximately $10,000. Each hoax also unnecessarily endangers the lives of the responders and the public, and draws important resources away from actual emergencies.


Tags: , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack

0

Cloud hosting provider Dataresolution.net is struggling to bring its systems back online after suffering a ransomware infestation on Christmas Eve, KrebsOnSecurity has learned. The company says its systems were hit by the Ryuk ransomware, the same malware strain that crippled printing and delivery operations for multiple major U.S. newspapers over the weekend.

San Juan Capistrano, Calif. based Data Resolution LLC serves some 30,000 businesses worldwide, offering software hosting, business continuity systems, cloud computing and data center services.

The company has not yet responded to requests for comment. But according to a status update shared by Data Resolution with affected customers on Dec. 29, 2018, the attackers broke in through a compromised login account on Christmas Eve and quickly began infecting servers with the Ryuk ransomware strain.

Part of an update on the outage shared with Data Resolution customers via Dropbox on Dec. 29, 2018.

The intrusion gave the attackers control of Data Resolution’s data center domain, briefly locking the company out of its own systems. The update sent to customers states that Data Resolution shut down its network to halt the spread of the infection and to work through the process of cleaning and restoring infected systems.

Data Resolution is assuring customers that there is no indication any data was stolen, and that the purpose of the attack was to extract payment from the company in exchange for a digital key that could be used to quickly unlock access to servers seized by the ransomware.

A snippet of an update that Data Resolution shared with affected customers on Dec. 31, 2018.

The Ryuk ransomware strain was first detailed in an August 2018 report by security firm CheckPoint, which says the malware may be tied to a sophisticated North Korean hacking team known as the Lazarus Group.

Ryuk reportedly was the same malware that infected the Los Angeles Times‘ Olympic printing plant over the weekend, an attack that led to the disruption of newspaper printing and delivery services for a number of publications that rely on the plant — including the Los Angeles Times and the San Diego Union Tribune.

A status update shared by Data Resolution with affected customers earlier today indicates the cloud hosting provider is still working to restore email access and multiple databases for clients. The update also said Data Resolution is in the process of restoring service for companies relying on it to host installations of Dynamics GP, a popular software package that many organizations use for accounting and payroll services. 

A status update shared by Data Resolution with affected customers on Jan. 2, 2018 shows the company is still struggling to restore services more than a week after the attack began.

Cloud hosting providers are often pitched as a way for companies to increase security and to better protect themselves from threats like ransomware, which scrambles data on infected systems and demands payment in exchange for a digital key needed to unlock affected systems.

At the same time, cloud providers represent an especially attractive target for ransomware attacks because they store vast amounts of data for other companies. In 2017, cloud hosting provider Cloudnine was hit by a ransomware attack, leading to an outage that lasted for several days.

Much depends on security practices maintained by each provider, according to an MIT Technology Review story last year that named cloud ransomware attacks as a top security concern for 2018.

“The biggest cloud operators, like Google, Amazon, and IBM, have hired some of the brightest minds in digital security, so they won’t be easy to crack,” wrote Martin Giles. “But smaller companies are likely to be more vulnerable, and even a modest breach could lead to a big payday for the hackers involved.”

A source at a company that uses Data Resolution to manage payroll payments told KrebsOnSecurity that the cloud hosting provider said it did not attempt to pay the requested ransom, preferring to restore systems from backups instead.


Tags: , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

Happy 9th Birthday, KrebsOnSecurity!

0

Hard to believe we’ve gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity.com!

This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed their knowledge, wit and wisdom in more than 10,000 comments.

Speaking of generous contributions, more than 100 readers have expressed their support in 2018 via PayPal donations to this site. The majority of those funds go toward paying for subscription-based services that KrebsOnSecurity relies upon for routine data gathering and analysis. Thank you.

Your correspondence and tips have been invaluable, so by all means keep them coming. For the record, I’m reachable via a variety of means, including email, the contact form on this site, and of course Facebook, LinkedIn, and Twitter (direct messages are open to all). For more secure and discreet communications, please consider reaching out via Keybase, Wicker (krebswickr), or Signal (by request).

Many of you have requested a redesign to make this site more mobile-friendly. We’d targeted for that to happen in 2018, but multiple unforeseen circumstances conspired to delay that project this year. Rest assured, that long-overdue change will be coming soon in 2019. Thanks for your patience.

Below are some of the most-read and commented-on enterprise stories throughout 2018, a year marked by a relentless onslaught of data breaches, data leaks and increasingly sneaky scams. It seems unlikely that 2019 will be any different, and while I will endeavor to keep readers abreast of the latest threats and trends, I’m also interested to hear what you would like to see more of in the coming year. So please sound off in the comments below or drop me a note.

By the way, if you’d prefer to keep up with KrebsOnSecurity posts via email, please consider signing up for the newsletter (expect ~3-4 emails per week).

Thanks again for your readership, encouragement and support. Happy New Year!

A Chief Security Concern for Executive Teams

What the Marriott Breach Says About Security

Half of All Phishing Sites Now Have the Padlock

Voice Phishing Scams Are Getting More Clever

Hanging Up on Mobile in the Name of Security

Google: Security Keys Neutralized Employee Phishing

Plant Your Flag, Mark Your Territory

Panerabread.com Leaks Millions of Customer Records

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers

Don’t Give Away Historical Details About Yourself


You can skip to the end and leave a comment. Pinging is currently not allowed.

Serial Swatter and Stalker Mir Islam Arrested for Allegedly Dumping Body in River

0

A 22-year-old man convicted of cyberstalking and carrying out numerous bomb threats and swatting attacks — including a 2013 swatting incident at my home — was arrested Sunday morning in the Philippines after allegedly helping his best friend dump the body of a housemate into a local river.

Suspects Troy Woody Jr. (left) and Mir Islam, were arrested in Manila this week for allegedly dumping the body of Woody’s girlfriend in a local river. Image:  Manila Police Dept.

Police in Manila say U.S citizens Mir Islam, 22, and Troy Woody Jr., 21, booked a ride from Grab — a local ride hailing service — and asked for the two of them to be picked up at Woody’s condominium in Mandaluyong City. When the driver arrived the two men stuffed a large box into the trunk of the vehicle.

According to the driver, Islam and Woody asked to be driven to a nearby shopping mall, but told the driver along the way to stop at a compound near the Pasig River in Manila, where the two men allegedly dumped the box before getting back in the hailed car.

The Inquirer reports that authorities recovered the box and identified the victim as Tomi Michelle Masters, 23, also a U.S. citizen from Indiana who was reportedly dating Woody and living in the same condo. Masters’ Instagram profile states that she was in a relationship with Woody.

Update, 12:30 p.m. ET, Dec. 24: Both men have since been charged with murder, according to a story today at the Filipino news site Tempo, and the police believe there was some kind of violent struggle between Masters and Woody.

“Police eventually recovered the box that contained the naked body of the victim that was wrapped in duct tape,” Tempo reports. The local police station head was quoted as saying “the victim was believed to have been killed in the Mandaluyong condominium she shared with Woody, her alleged boyfriend. He said medical examination showed scratch marks all over Woody’s body.”

Original story:

Brooklyn, NY native Islam, a.k.a. “Josh the God,” has a long rap sheet for computer-related crimes. He briefly rose to Internet infamy as one of the core members of UGNazi, an online mischief-making group that claimed credit for hacking and attacking a number of high-profile Web sites.

On June 25, 2012, Islam and nearly two-dozen others were caught up in an FBI dragnet dubbed Operation Card Shop. The government accused Islam of being a founding member of carders[dot]org — a credit card fraud forum — trafficking in stolen credit card information, and possessing information for more than 50,000 credit cards.

JoshTheGod’s (Mir Islam’s ) Twitter feed, in April 2012 warning fellow carding forum carderprofit members that the forum was being run by the FBI.

In June 2016, Islam was sentenced to a year in prison for an impressive array of crimes, including stalking people online and posting their personal data on the Internet. Islam also pleaded guilty to reporting phony bomb threats and fake hostage situations at the homes of celebrities and public officials (as well as this author).

At that 2016 sentencing, Islam’s lawyer argued that his client suffered from multiple psychological disorders, and that he and his co-conspirators orchestrated the swattings out of a sense of “anarchic libertarianism.”

Islam was let out of prison under supervised release before serving the whole sentence, but soon was back inside after violating the terms of his release. Earlier this year, Islam filed a typosquatting lawsuit from prison that named Woody Jr. In that bizarre handwritten complaint (PDF), Islam refers to Woody as “TJ,” and says the two men were best friends and have known each other for eight years.

An anti-cybersquatting domain dispute filed by Mir Islam earlier this year while in jail. In it, Islam refers to Woody as “TJ” and says the two have been best friends for years.

Troy Woody Jr. describes himself as an “early crypto investor,” but sources say Woody — like Islam — was a core member of the UGNazi group who went by the nicknames “MrOsama,” and “Everlife.” His Instagram profile suggests he was in a relationship with Ms. Masters. Both are pictured in the first of the three large photos below, taken from Woody’s Instagram account.

The Instagram profile of Troy Woody Jr., a.k.a. “titled,” and “MrOsama,” one of two Americans arrested today for allegedly dumping a woman’s body in a Manila river. The woman pictured on the left is believed to the victim, identified as Woody’s condo roommate, Tomi Michelle Masters, 23.

People are innocent until proven guilty in a court of law, at least in the United States. But I can’t say any of this surprises me. Most I’ve encountered who were involved serial swatting and stalking attacks definitely had a few screws loose and were fairly scary individuals. Case in point: Tyler Barriss, the 25-year-old admitted serial swatter and stalker who pleaded guilty to a swatting attack last year that ended with police shooting and killing an innocent, unarmed man.

Update, 7:13 p.m. ET: An earlier version of this story incorrectly stated the accused hailed an Uber.

Update, 12:20 p.m. ET, Dec. 24: The television news station GMA News has video footage from a surveillance camera at Woody’s condo showing the two men loading a large box into the back of the hailed ride.


Tags: , , , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

Feds Charge Three in Mass Seizure of Attack-for-hire Services

0

Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different “booter” or “stresser” sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.

The seizure notice appearing on the homepage this week of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites.

As of Thursday morning, a seizure notice featuring the seals of the U.S. Justice Department, FBI and other law enforcement agencies appeared on the booter sites, including:

anonsecurityteam[.]com
booter[.]ninja
bullstresser[.]net
critical-boot[.]com
defcon[.]pro
defianceprotocol[.]com
downthem[.]org
layer7-stresser[.]xyz
netstress[.]org
quantumstress[.]net
ragebooter[.]com
request[.]rip
str3ssed[.]me
torsecurityteam[.]org
vbooter[.]org

Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.

Cameron Schroeder, assistant U.S. attorney for the Central District of California, called this week’s action the largest simultaneous seizure of booter service domains ever.

“This is the biggest action U.S. law enforcement has taken against booter services, and we’re doing this in cooperation with a large number of industry and foreign law enforcement partners,” Schroeder said.

Booter services are typically advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

But experts say today’s announcement shreds that virtual fig leaf, and marks several important strategic shifts in how authorities intend to prosecute booter service operators going forward.

“This action is predicated on the fact that running a booter service itself is illegal,” said Allison Nixon, director of security research at Flashpoint, a security firm based in New York City. “That’s a slightly different legal argument than has been made in the past against other booter owners.”

For one thing, the booter services targeted in this takedown advertised the ability to “resolve” or determine the true Internet address of a target. This is especially useful for customers seeking to harm targets whose real address is hidden behind mitigation services like Cloudflare (ironically, the same provider used by some of these booter services to withstand attacks by competing booter services).

Some resolvers also allowed customers to determine the Internet address of a target using nothing more than the target’s Skype username.

“You don’t need to use a Skype resolver just to attack yourself,” assistant U.S. Attorney Schroeder said. “Clearly, the people running these booter services know their services are being used not by people targeting their own infrastructure, and have built in capabilities that specifically allow customers to attack others.”

Another important distinction between this week’s coordinated action and past booter site takedowns was that the government actually tested each service it dismantled to validate claims about attack firepower and to learn more about how each service conducted assaults.

In a complaint unsealed today, the Justice Department said that although FBI agents identified at least 60 different booter services operating between June and December 2018, they discovered not all were fully operational and capable of launching attacks. Hence, the 15 services seized this week represent those that the government was able to use to conduct successful, high-volume attacks against their own test sites.

“This is intended to send a very clear message to all booter operators that they’re not going to be allowed to operate openly anymore,” Nixon said. “The message is that if you’re running a DDoS-for-hire service that can attack an Internet address in such a way that the FBI can purchase an attack against their own test servers, you’re probably going to get in trouble.”

DOWN THEM ALL

Charged in a Los Angeles federal court this week were the alleged operators of “Downthem” — a booter service the government says helped some 2,000 customers launch debilitating digital assaults at more than 200,000 targets, including many government, banking, university and gaming Web sites.

Prosecutors say that in addition to running and marketing Downthem, defendants Matthew Gatrel from St. Charles, Ill., and Juan Martinez of Pasadena, Calif. sold huge, continuously updated lists of Internet addresses tied to devices that could be used by other booter services to make attacks far more powerful and effective.

The user interface for Downthem[.]org, one of 15 booter sites seized by the feds today.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

The government alleges that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

Schroeder said the government is arguing that the use of these third-party servers in reflective amplification attacks can be prosecuted under existing wire fraud and computer trespass laws.

“Certainly [booter service operators] don’t have permission from all of those other devices owners to use the devices and their bandwidth to direct these attacks,” she said. “We look at it as a wire fraud violation because essentially they’re stealing property from upstream providers and using their resources to conduct these attacks. There are also multiple ways we can show this is pretty clearly not lawful under the Computer Fraud and Abuse Act.”

Prosecutors further allege Gatrel resold his booter services to other booter operators, including Quantum Stresser — one of the 15 services seized by the government this week. The alleged operator of that service, Pennsylvania resident David Bukoski, was charged in the District of Alaska this week for aiding and abetting computer intrusions.

Investigators say Bukoski’s booter service was among the longest running services targeted by the FBI, operating since at least 2012. An indictment against Bukoski unsealed this week maintains Quantum Stresser had over 80,000 customer subscriptions, and that during 2018 the service was used to conduct over 50,000 actual or attempted attacks targeting people and networks worldwide.

Adam Alexander, assistant U.S. attorney for the District of Alaska, said additional prosecutions against booter service operators will be forthcoming.

“We are becoming more experienced, thanks to the growing expertise and shoe-leather investigative work required to attribute, identify and prosecute individuals responsible for these services,” Alexander said. “Actions like this one demonstrate our capabilities are increasing as well.”

According to the government, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution; seizure of computers or other electronics; significant prison sentences; a penalty or fine.

Schroeder said the government understands this week’s takedowns aren’t going to solve the booter problem once and for all, and that other booter services will likely spring up in the wake of those dismantled this week. But she said the arrests and seizures have helped build a template that the government can use in tandem with its industry partners to shorten the lifespan of new booter services and to bring those responsible to justice.

“We certainly don’t expect this problem to go away after this,” Schroeder said. “But this is an attempt to build a strategic approach to this problem, to look at it in a more systemic way and deal with it on a much larger scale.”

The Justice Department’s press release about this action is here.

This is a developing story and may be updated throughout the day. Any substantive updates will be noted here with a timestamp.

Update, 2:42 p.m. ET: Added link to DOJ press release.

Update, 7:59 p.m. ET: Added comment from AUSA Adam Alexander.


You can skip to the end and leave a comment. Pinging is currently not allowed.

Microsoft Issues Emergency Fix for IE Zero Day

0

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.

Tags: , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

Follow threeblocksaway | styleandeasy

0FansLike
0FollowersFollow
33FollowersFollow
7SubscribersSubscribe

EDITOR PICKS

Outlander Season Three