Industry Intel

Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam.

We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the fake emails.

More details:

read more…

Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com.  Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case.

read more…

In a series of blog posts published throughout 2012, we’ve been highlighting the existence of a vibrant underground market segment, namely, that of ‘hacking for hire’ services, email hacking in particular. Commercially available as a service for years, the practice’s growth was once largely fueled by the release of DIY Web-based popular email provider hacking tools, which once acquired by prospective cybercriminals, quickly became the foundation for a successful business model. How have things changed nowadays, in terms of tactics, techniques and procedures? Profoundly.

Case in point, we’ve been tracking two such ‘hacking for hire’ services, both of which offer a diversified portfolio of malicious services to prospective customers, such as email hacking, Web site hacking, DDoS for hire, DDoS protection, and grade modification. What type of tactics, tools and procedures do they rely on? Let’s find out.

read more…

In a cybercrime ecosystem populated by commercially available WordPress brute-forcing and mass vulnerable WordPress installation scanning tools, cybercriminals continue actively capitalizing on the platform’s leading market share within the Content Management System’s market segment. Successfully exploiting tens of thousands of installations on a daily basis, for the purpose of utilizing the legitimate infrastructure to achieve their fraudulent/malicious campaign objectives, the tactic is also largely driven by the over-supply of compromised/accounting data, usually embedded within sophisticated Web-based attack platforms like the ones we’ve profiled in the past.

We’ve recently intercepted a malicious campaign exclusively relying on rogue WordPress sites, ultimately serving client-side exploits to users through the Magnitude Web malware exploitation kit. Despite its relatively low profile in terms of proliferation — we believe the campaign is in its early stages — it exposes a pseudo-randomly generated sub-domains based fraudulent infrastructure that is worth keeping an eye on.

read more…

In the first ThreatVlog of 2014, Marcus Moreno discusses the increase in Potentially Unwanted Applications/Programs and their impact on machines, productivity, and the user experience. Also in the video is a talk on the wonderful audio ads that have been infecting machines and annoying computer users, discussing how they get into the machine and where to find them. Finally, he talks about Microsoft’s call for all security companies to come together to help end malicious malware families.

http://youtu.be/LzaC-XIKaCA

Operational Security (OPSEC) has always been an inseparable part of the cybercrime ecosystem, especially in the context of preventing law enforcement agencies from tracking down the activities of fraudulent and malicious adversaries online. Throughout the years, the industry has witnessed active utilization of malware-infected hosts (Socks4/Socks5) as anonymization ‘stepping stones’ and the use of cybercrime-friendly VPN providers, bypassing internationally accepted data retention regulations, as some of the primary anonymization tactics used by cybercriminals. Nowadays, this set of tactics has evolved into a diversified mix of legitimate and purely malicious infrastructure that provides value-added services such as APIs supporting Socks4/Socks5 services, DIY real-time Socks4/Socks5 syndicating tools, and the development of hybrid based type of anonymous ‘solutions’. These services empower cybercriminals with the necessary ‘know-how’ to  conceal their activities online, and there is a as clear attempt to standardize this ‘know-how’ through the distribution of commercial OPSEC training manuals.

read more…

The rise of boutique cybercrime-friendly E-shops, which we’ve extensively profiled in our “A Peek Inside a Boutique Cybercrime-Friendly E-Shop” series, continues further expanding as a market segment within the underground marketplace. Driven by the proliferation of public/commercially obtainable DIY (do it yourself) type of malware/botnet generating tools along side the ongoing standardization of the monetization process offered by opportunistic cybercriminals acting as intermediaries between those possessing the fraudulently obtained assets and their prospective customers, the market segment is prone to expand.

Having already profiled a managed hosting service, empowering novice cybercriminals possessing compromised/hacked accounting information with efficient ways to monetize the stolen data, we continue finding factual evidence that further confirms an ongoing standardization of the monetization process. In this post, I’ll discuss a market leading managed hosting service that is currently hosting 2500+ boutique E-shops offering access to a vast amount of compromised/hacked accounting data, with hosting services, through a convenient Web-based E-shop management interface.

read more…

Digital security is not the first thing that comes to mind when thinking about during the Sochi Olympics, but should be something that is on your mind when travelling to popular areas.  Just as scams are popular in tourist areas around the world, hacking is on the rise where media professionals, security, and large groups of travelers will be gathering.   In the past, malicious attacks through the digital infrastructure have occurred at the Olympics and other such events, and the Sochi Olympics will not be any different.  So, as you get ready to hit the Russian mountains, here are some tips to keep you and your digital work safe.

Before you head into Olympic Village

• Ask yourself if you really do need that laptop with you.  If not, leave it at home.
• Ensure all your programs are updated to their latest versions including browsers, e-mail, and antivirus.  Double check your drivers as well.
• Backup your full computer onto an external device that is staying home.
• Clear your cache and temporary internet files, and remove all remembered passwords from the browsers.
• Encryption is your friend.  There are many solutions out there that can provide full disk encryption, or even just encryption of vital folders.
• Setup cloud based backup solutions that maintain strong security around login procedure (Webroot/Dropbox/Box).  Backup and save all the files you will be working on while travelling to the cloud server and revert back upon return from the games.

While at the Olympics

• Your Wi-Fi and Bluetooth connections are the fastest and easiest to exploit.  If you do not need to be using these connections, keep them turned off.  This tip goes for phones, tablets, and computers.
• Do not plug any USBs into your computer that you find on the ground or are given to you by people you do not trust.  The largest breach in US National Security occurred from a rogue USB drive, and while your data might not have the same impact, the method of breach is still one of the more common.
• If you can connect to the internet through a wired connection in your room, do so.  This helps keep you off rogue Wi-Fi signals that could gather your data.
• Avoid logging into private websites, banking websites, and any other website where your private information could be compromised.
• If connecting for work, use your VPN to connect and stay secured.

Remember, digital security should not be forgotten when traveling, and hackers are getting increasingly more innovative with each digital advance.  The best security you can provide for your digital work is to leave your laptop at home, but if you insist on bringing it, ensure you remember you are the first line of defense in protecting yourself.

Since its inception in 1996, Alexa has positioned itself as primary Web metrics data portal, empowering Web masters, potential investors, and marketers with access to free analytics based on data gathered from toolbars installed on millions of PCs across the world. Successfully establishing itself as the most popular, publicly accessible Web site performance benchmarking tool, throughout the years, the Alexa PageRank has acted as a key indicator for the measurement of a Web site’s popularity, growth and overall performance, often used in presentations, competitive intelligence campaigns, and comparative reviews measuring the performance/popularity of particular Web sites.

Operating in a world dominated by millions of malware-infected hosts, converted to Socks4/Socks5 for, both, integration within automatic account registration tools, DoS tools, in between acting as anonymization ‘stepping-stones’, cybercriminals continue utilizing this legitimate, clean IPs-based infrastructure for purely malicious and fraudulent purposes. Their latest target? Utilizing the never-ending supply of malware-infected hosts to influence Alexa’s PageRank system. A newly released, commercially available, DIY tool is pitching itself as being capable of boosting a given domain/list of domains on Alexa’s PageRank, relying on the syndication of Socks4/Socks5 malware-infected/compromised hosts through a popular Russian service.

read more…

In need of a fresh example of penetration pricing, within the cybercrime ecosystem, used by a cybercrime-friendly vendor in an attempt to quickly gain as much market share as possible in the over-supplied market segment for keylogging-specific systems? We’re about to give you a very fresh one.

A newly released, commercially available PHP/MySQL based, keylogging-specific malware/botnet generating system, with full Unicode support, is currently being offered for $5o, with the binary re-build priced at $20, in a clear attempt by the vendor to initiate basic competitive pricing strategies to undermine the market relevance of competing propositions. Just like the Web based DDoS/passwords-stealing tool that we profiled yesterday, this most recently released keylogging system is once again acting as a very decent example of a “me too” type of underground market release, whose overall success in the short term would mostly rely on basic branding, and whose long term success relies on the systematic introduction of new features.

To get a better view of the tool’s core functions, let’s take a peek at its administration panel.

read more…

Driven by the never ending supply of newly released DIY (do it yourself) underground market releases, in combination with the systematically rebooted life cycles of releases currently in circulation, cybercriminals continue actively developing new cybercrime-friendly malware generating/botnet building applications. Motivated by the desire to further continue the monetization of this ever-green market segment, a key driving force behind the consequential rise of E-shops offering access to compromised accounting data like those we’ve extensively profiled at Webroot’s Threat Blog in the past, these cybercriminals continue to ‘innovate’ and reboot the life cycles of known releases through the systematic and persistent introduction of new features.

We’ve recently spotted a newly released, commercially available Web-based DDoS/Passwords stealing-capable DIY type of botnet generating tool, whose general availability is prone to empower potential cybercriminals with DDoS attack capabilities, as well as an efficient platform for the mass harvesting of accounting data, both of which will be inevitably monetized through the usual, now standardized monetization channels. Let’s take a peek inside the tool’s command and control interface, and discuss its key differentiation features in the broader context of their applicability in the overall threat landscape.

read more…

Regular readers of Webroot’s Threat Blog are familiar with our “A Peek Inside a Boutique Cybercrime-Friendly E-shop” series, originally started in 2012, highlighting the trend emerging at the time of boutique based E-shops selling access to compromised/hacked accounts. Popping up on our radars on systematic basis, this maturing market segment is already entering in a new life cycle stage in early 2014. The current stage is the direct result of the ongoing efficiency-oriented mentality applied by cybercriminals over the years in the face of the active implementation of tactics such as, for instance, templatization, ultimately leading to standardization of key cybercrime ecosystem processes, resulting in improved return on investment/stolen assets liquidity for their fraudulent operations.

read more…