Showing posts with label hacking. Show all posts

Monday, November 25, 2019


Technical Details in The MLB Baseball Players Signals Hacking 




By Cesar Ortiz (c)

November 24, 2019


Major League Baseball (MLB) is updating its ongoing investigation into the 2017 baseball game signal hacking issue. The Houston Astros organization is leading the pack of baseball teams under the investigative radar. Astros front-office employees, on-field staff and the Astros manager, AJ Hinch, have already been interviewed. Others allegedly involved are the current Boston Red Sox manager Alex Cora and the New York Mets manager Carlos Beltran.


On November 14, 2019, the SNY TV network was quick to state that MLB has no evidence yet for imposing sanctions on Cora and Beltran, further stating, “The league does not have either accusations or evidence that would point to severe discipline for either.”

For years, stealing signals from players was considered an art. It is not illegal, but officials become wary when they receive reports that it is being done with banned technology.


The use of technology to intercept or relay the signals is forbidden. The New York Times reported in 2017 that a Red Sox trainer used an Apple Watch to electronically relay signals to his Red Sox teammates. The Apple Watch use was revealed in a detailed official complaint filed by Brian Cashman, the New York Yankees general manager. Among the exhibits in the complaint was video shot of the Red Sox dugout in Boston during a three-game series in 2017. The Red Sox were fined by MLB.

Recently, USA Today ran an article explaining how Manny Machado was caught stealing and relaying signals in game two of the 2018 World Series. In the Machado event there was no violation of any rule, because all the signal intelligence was acquired and relayed by Machado using manual signaling skills. No mechanical or electronic devices were used.


The Athletic ran an article detailing how the Astros in 2017 ran a hacking operation using a video camera and drum beats to relay the catchers' signals to everyone in the stadium; only the partners in the scheme knew the meaning of the beats and how to decode them.

Some suspected means of stealing baseball signals are:


(1) A realistic-looking, bandage-like medical device worn by the batter that receives a buzzing signal with a predetermined pattern, for example one buzz for a fastball.

(2) Hidden mini cameras aimed at the catcher that capture the catcher's signals and send out information on the type of pitch.

(3) Extended-range antennas for radio devices to listen in on the pitcher-catcher-manager conferences at the mound.

(4) Lip-reading interpreters for conferences between players (that is the reason players cover their mouths with their gloves when they speak to each other).

(5) Monitoring of the live video broadcast of the game (MLB mandated a delay in the video monitors used in the dugouts and nearby areas).

Most of the suspected equipment-based techniques are detectable with specialized equipment, and manual signal stealing can be detected by a trained eye.

The fact that such hacking practices turn up even though they can be detected suggests that the monetary rewards involved are high enough that, in the eyes of the perpetrators, they warrant the risk of detection. So far, no one has been charged with any criminal or civil offense. MLB is offering leniency to those who speak up on the subject and, as of this date, all reported uses of technical equipment relate to the 2017 season.


Hacking in MLB with information technology techniques and equipment brings a new platform to the field to think about; perhaps some Silicon Valley entrepreneurs will design custom hardware and software to detect the hacking devices.

Wednesday, July 30, 2014

Target Data Breach Unveiled



How it was done. You will be surprised that all the tools used were known!

By Cesar Ortiz

Trojan.POSRAM Identified As the RAM Scraper in the KAPTOXA Operation That Infected Target Stores

Article first published 1/23/2014 as "Target Data Breach Unveiled: Technical Details Are Known" in Yahoo! Contributors/ABC News Network.

This article won "Best General Interest Article in 2014", General Category, from Yahoo Contributors users.

The US government, in an effort to warn other point-of-sale merchants of the danger of further attacks that would produce another wave of "Target-like" customer victims, has released an internal document giving detailed insight into the methodology used by the attackers in the Target data breach. The consulting firm iSIGHT Partners was one of the contracted forensics experts in the investigation. The US Department of Homeland Security released to merchants a joint Department of Homeland Security, USSS, FS-ISAC and iSIGHT report titled "KAPTOXA POS Report" that gives a look at the methods and tools used to hack Target. Hopefully, merchants will take notice and immediately take preventive measures.

The methodology used at Target was almost exactly as I predicted in our original exclusive December 26, 2013 Yahoo! article, “The Target Stores Data Breach”, right after the hack. Journalist Brian Krebs was also right on target when he mentioned at that time that the hack might have been based on a known trojan called BlackPos that is readily detected by all antivirus software. The updated, modified version of the BlackPos trojan used in the Target breach is named Trojan.POSRAM; this derivative has highly sophisticated stealth features in order to hide from detection. POSRAM is believed to have originated in Russia.

When we compile the information given by the report and the media, especially an article in Wired titled “The Malware that Duped Target Have Been Found”, we come close to figuring out the order of events in the Target data breach. First, the merchant's network is infiltrated with the malware, possibly remotely, by exploiting an opening in the system or by executing a simple social engineering exploit. The malware is a data-scraping tool that takes data from the memory of the point-of-sale (POS) terminal, or what we know as the cash register. The tool resides in the system and stores the stolen data on the merchant's own servers. It monitors the memory of the processes named “pos.exe” and “PosW32.exe”; that memory space includes the magnetic stripe data of your bank card. In the Target breach it remained still for six days. That inactivity period is excellent for preventing detection.

The malware residing at the merchant creates a connection to an off-premises server that receives data from, and transmits data to, the victim server. The outside server can be located anywhere in the world and queries the victim server at specific time intervals. This one was located in Russia. Some of the malicious scripts used have references in the Russian language. If the local merchant time is, for example, between 10 AM and 5 PM, as in the old BlackPos tool, then the data is deposited in a temporary NetBIOS share folder named “host” created by the malware. This shared folder is then accessed using the file transfer protocol (FTP). Many more complex technical details were found by the media in just a few hours after the release of the KAPTOXA POS Report. All the details follow the same pattern; surprisingly, modified known exploits were used at all times.
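As an added example (written for this page, not taken from the KAPTOXA report or from any vendor's product), here is a small Python detector that turns the three behaviours described in the two paragraphs above into rules run over constructed sample telemetry from a single POS host: a process that is not on an allow-list reading the memory of pos.exe or PosW32.exe, creation of a temporary share named "host", and an outbound FTP connection that leaves the store network inside the 10 AM to 5 PM window. The log format, the host name, the process names other than the two POS processes, and the IP addresses are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, time

# Process names the report ties to the memory the scraper reads.
POS_PROCESSES = {"pos.exe", "posw32.exe"}
# Access rights that allow one process to read another process's memory.
MEMORY_READ_RIGHTS = {"PROCESS_VM_READ", "PROCESS_ALL_ACCESS"}
# Assumption for this example: the store's own AV scanner may inspect POS processes.
ALLOWED_READERS = {"scan.exe"}
# Working-hours transfer window the article attributes to the old BlackPos tool.
EXFIL_WINDOW = (time(10, 0), time(17, 0))
# RFC 1918 ranges; an FTP session to anything else leaves the store network.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a parsed timestamp."""
    date, clock, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(f"{date} {clock}")
    return fields


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_memory_read(ev):
    """A process outside the allow-list opens a POS process with memory-read rights."""
    if ev.get("event") != "proc_open" or ev.get("target", "").lower() not in POS_PROCESSES:
        return None
    if ev.get("access") not in MEMORY_READ_RIGHTS or basename(ev.get("image", "")) in ALLOWED_READERS:
        return None
    return f"{basename(ev['image'])} read memory of {ev['target']}"


def check_temp_share(ev):
    """A new share named 'host' or rooted in a Temp directory (the staging folder described)."""
    if ev.get("event") != "share_create":
        return None
    name = ev.get("name", "").lower().rstrip("$")
    if name == "host" or "\\temp\\" in ev.get("path", "").lower():
        return f"share {ev['name']} created at {ev['path']} by {ev.get('by', '?')}"
    return None


def check_ftp_exfil(ev):
    """Outbound FTP to a non-RFC1918 address inside the working-hours window."""
    if ev.get("event") != "net_conn" or ev.get("dport") != "21":
        return None
    dst = ipaddress.ip_address(ev["dst"])
    if any(dst in net for net in PRIVATE_NETS):
        return None
    start, end = EXFIL_WINDOW
    if not (start <= ev["ts"].time() <= end):
        return None
    return f"FTP to {dst} from {basename(ev.get('image', ''))} at {ev['ts']:%H:%M}"


RULES = {
    "memory_read": check_memory_read,
    "temp_share": check_temp_share,
    "ftp_exfil": check_ftp_exfil,
}


def detect(lines):
    """Return (rule, host, reason) for every line that trips a rule, in input order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                hits.append((name, ev.get("host", "?"), reason))
    return hits


# Constructed sample telemetry (not from the report): one POS host over a business day.
SAMPLE_LOGS = [
    r"2013-11-20 10:15:02 host=POS-114 event=proc_open pid=2208 image=C:\svc\winsvc.exe target=pos.exe access=PROCESS_VM_READ",
    r"2013-11-20 10:15:03 host=POS-114 event=proc_open pid=2208 image=C:\svc\winsvc.exe target=PosW32.exe access=PROCESS_VM_READ",
    r"2013-11-20 10:16:10 host=POS-114 event=share_create name=host$ path=C:\Windows\Temp\host by=winsvc.exe",
    r"2013-11-20 11:02:44 host=POS-114 event=net_conn proto=tcp dport=21 dst=203.0.113.25 image=winsvc.exe",
    r"2013-11-20 23:40:00 host=POS-114 event=net_conn proto=tcp dport=443 dst=192.0.2.10 image=pos.exe",
    r"2013-11-20 12:00:01 host=POS-114 event=proc_open pid=1500 image=C:\AV\scan.exe target=pos.exe access=PROCESS_QUERY_INFORMATION",
    r"2013-11-20 11:30:00 host=POS-114 event=net_conn proto=tcp dport=21 dst=10.20.30.5 image=backup.exe",
    r"2013-11-20 23:05:00 host=POS-114 event=net_conn proto=tcp dport=21 dst=203.0.113.25 image=winsvc.exe",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit)
```

On the sample above the detector reports the two memory reads, the share creation and the 11:02 FTP session, and stays quiet on the AV scanner's benign query, the HTTPS connection from the POS software itself and the internal FTP backup. The 23:05 external FTP session is deliberately outside the window, which shows the limit of keying on the BlackPos schedule: in a real deployment any outbound FTP from a POS host should alert, with the working-hours window only raising the severity.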

KAPTOXA is the name given by investigators to the specific operation methodology and the compilation of hacking tools in the Target data breach. Nothing in the KAPTOXA operation is out of the ordinary. Probably the other tools used in the hack are already known in the trade. It is not that the criminals used super-sophisticated malware; it is the way and the timing in which they were used. The fact that known hacking tools were used will open the door to a wave of lawsuits claiming that the merchants could have prevented the hack; this is one of the reasons the government has taken the unprecedented step of releasing some of the facts and data about the crime before even finishing the investigation. Merchants should verify their systems immediately. Victimized stores should consider making their breach public ASAP. The longer notification of affected customers is delayed, the higher the lawsuit figures will be and the more damage is done to the customer.

Two individuals from Mexico were arrested in McAllen, Texas with ninety-six fraudulent bank cards in their possession. The suspects had used bank cards with account information matching the cards of South Texas residents stolen from Target. After the shopping spree, the suspects left for Mexico. They re-entered the US, possibly for another shopping spree, and were detained upon arrival. This event confirms that the stolen data is sold in the illicit market by region. Criminals are maximizing the use of the stolen data by being very creative. Regardless of Target's efforts to downplay the impact, a customer can become a victim of identity theft with the specific data stolen at Target.


Thursday, July 21, 2011

Google: “Your Computer Appears To Be Infected” Warning Is Not a Scam, but Beware of Where It Shows and What May Come Next

On July 21, 2011, Google's own Blogger page carried an article signed by Damian Menscher, a security engineer at Google, describing how he identified that infected computers were sending search traffic to the search engine through proxies. When you do a search, the malware sends you to a Google proxy IP; then, just before doing the search, it changes the search string and shows malware pay-per-click sites in a way that leads you to think that you are still on the real Google.

Mr. Menscher explains the following: “As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results. We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.”

The notification will ONLY show at the top of the main Google page, and it will be a page-wide window with a black bar at the top. This same bar was seen when Google was recently testing the launch of its Google+ service. The body of the window is yellow and reads, in black letters:

“Your computer appears to be infected.
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this [Link]”

This message is for real. More than two million infected computers have been detected worldwide so far. If you receive the message, Google has detected that your PC is infected with malware that appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV", software that has been in circulation for a while. This time, one of the variants uses the Google service to scam users, therefore prompting Google to step in. When users click on the “Learn how to fix this” link, they are taken to a real Google page that helps them get rid of the fake AV infection.

Up to now everything is running smoothly, but now comes the catch: we know that scammers will design or copy the warning window that Google has been running since July 21, 2011, and that behind their own “Learn how to fix this” link they will send users to a malware scam trap. We can expect that Google will make sure that no one will be able to insert a fake message to replace the real one that it is posting in good faith, but no one can prevent hackers from inserting a fake look-alike window somewhere else, including on a fake Google main page.

Users must be alert: when they connect to the Google main page, the address bar will show the proper address, such as http://www.google.com/ (there will be variants, because Google routes users according to their detected geographical location). Make sure your antivirus software is up to date and running in real-time mode, and be aware that Google will post this warning message ONLY at the top of its main page. If it shows somewhere else, it is a scam, no matter how real it may look.

UPDATE By the Author August 31, 2011

Update, August 29, 2011: Researchers evade Google redirect notice
Staff Report, SC Magazine:


http://www.scmagazineus.com/researchers-evade-google-redirect-notice/article/210774/

Researchers evade Google redirect notice "The Burmese YGN hacker group on Sunday detailed a URL redirect vulnerability that bypasses Google's notification to users that they might be visiting a malicious site. The flaw exists in the way that Google checks redirected URLs against a blacklist of known malicious web sites.
The attacker would send a victim a proxy server link which redirected to a malicious URL and, when clicked, would verify if the landing website was blacklisted by Google, researchers said. If it was, the server would generate a second malicious URL to infect users."

This is exactly what I predicted in the article above on July 23, 2011.

Wednesday, July 6, 2011

Facebook “Free Apple iTunes $25 Giftcard” Scam Spreading Virally

Thousands of users worldwide are being taken in by this scam, whose only purpose is to earn money for the scammers. There is no free lunch anywhere, let alone a “free Apple $25 iTunes Giftcard”. Victims are taken to real surveys that pay the scammers money. The scam runs as follows:

Victimized users are posting messages on their walls that read:

“Free $25 Apple iTunes Giftcard
Bonusitunesgiftcard.blogspot.com
Limited time left, get yours now!”

Let's assume that you are the victim. When you click on the blue “Free $25 Apple iTunes Giftcard” link, you are taken to a webpage with an official Apple “man with the iPod” logo that urges you to follow two more “easy steps”; remember, you already clicked on one link (step 1). The second step is to click on an official Facebook “Share This” button to get your free card. When you click on step 2, you are presented with a window showing an image of the real Apple $25 Giftcard and a blue Facebook “Share this link on your own wall” button. When that button is clicked, the Facebook interface immediately sends the same message you originally received to all your friends, thereby propagating the scam.

The “last” step to “get your card” is step 3. Now you are presented with a window with real Apple logo imagery, so that you may think the “free card” campaign is endorsed by Apple. When you click on the blue “finish by taking a survey” button, you are presented with a professional-looking window that even has a “need help?” option. This window has a locked-key image and is titled “Content Locked”. At this point, users should be suspicious: you followed three steps and still no Giftcard?

Users are then told to select one of three “offers”: winning an iPhone, a Mercedes or a Gucci shopping spree. You are then taken to a survey that could be on any subject. No one has ever received anything for taking the survey. What can you expect when you are taken to a survey by deception? As stated above, the surveys are real; therefore the scammer gets money for each survey taken.

To clean this mess, victims should do the following:

(1) Go to your Facebook page, select your “News feed” and delete the related post by clicking the blue “Remove Post” button.
(2)  Notify your friends to follow the same steps.

Monday, June 13, 2011

“VISIT THE NEW FACEBOOK” Scare Spreading Virally on Facebook

This scare does not include any threat, malware, scam or virus attack; that is the reason we are calling it just a scare. At best, it is a waste of time and resources. That is not to say that, since it has been spreading in the wild at alarming proportions, some scammer will not take the hint and modify the contents of the message to include a malware attack. The Facebook message looks like this:


(Beginning of quote)

“Warning!!!

PLEASE RE-POST FOR EVERYONE!!!!!!!!!THIS NOTICE IS DIRECTED TO EVERYONE WHO HAS A PAGE ON FACEBOOK: IF SOME PEOPLE IN YOUR PROFILE OR YOUR FRIENDS SEND YOU A LINK WITH WORDS "VISIT THE NEW FACEBOOK ' DO NOT OPEN! IF YOU OPEN IT YOU CAN SAY GOODBYE TO YOUR PAGE. IT'S A HACKER WHO STEALS YOUR DETAILS AND REMOVES YOU FROM YOUR OWN PAGE. COPY AND SPREAD THE WORD”

(End of quote)

Neither the leading security labs nor we have found any malware or threat inside this scare. There is no "hacker", no "stealing" and no other damage, so far. Just delete it; don't pass it along to others.