Industry Intel

On a daily basis, we intercept hundreds of thousands of fraudulent or malicious emails whose purpose is to either infect users with malicious software or turn them into victims of fraudulent schemes. About 99% of these campaigns rely on social engineering tactics, and in the cases where they don’t include direct links to the actual malware, they direct users to the market leading Black Hole Exploit Kit.

In terms of volume and persistence, throughout January, 2013, a single malicious campaign impersonating FedEx topped our metrics data. What’s so special about this campaign? It’s the fact that the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.

Sample screenshot of the spamvertised email:

Sample spamvertised compromised URLs part of the campaign:
hxxp://relax-legend.ba/ZXSZUSBLZG.php?receipt
hxxp://stylephone.co.il/misc/teasers.php?receipt
hxxp://voguepay.com/FEZDVUUCLG.php?receipt=
hxxp://sunrisemedya.com/HAEJMKGUMT.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://selimi-fugenabdichtungen.de/IYSZJVVIRA.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://www.cursillodeorientacion.com/OLKIHLKYSB.php?receipt
hxxp://www.diocesebatroun.org/UEKFWHOJPF.php?receipt
hxxp://suarevista.com.br/QGQRXAOJLV.php?receipt
hxxp://fundloan.info/AYKQRUYOSL.php?receipt
hxxp://secretmobilemoneyprofits.com/SCTQOFXHVC.php?php=receipt
hxxp://www.matwigley.co.uk/SOJAJDTLAX.php?php=receipt
hxxp://rossiangelo.it/ALAGZUCWHV.php?receipt
hxxp://tqm.com.ua/misc/teasers.php?receipt
hxxp://metalphotosplus.com/PAUDSPBBXE.php?receipt
hxxp://businesscoaching24.com/BWMIZNPQAT.php?receipt
hxxp://www.bsf.org.pk/misc/teasers.php?get_receipt
hxxp://ferz.kiev.ua/misc/teasers.php?get_receipt

Detection rate for the malware variants distributed over the past 24 hours:
MD5: 980ffe6cee6ad5a197fbebdeeac9df57 – detected by 31 out of 46 antivirus scanners as Trojan-Downloader.Win32.Kuluoz.amg
MD5: bf061265407ea1f7c21fbf5f545c4c2b – detected by 6 out of 46 antivirus scanners as PAK_Generic.001
MD5: 6bb823d87f99da067e284935ca3a8b14 – detected by 36 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
MD5: 75db84cfb0e1932282433cdb113fb689 – detected by 29 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B

Deja vu!  This is the same MD5: 75db84cfb0e1932282433cdb113fb689 that we profiled in the “Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware” analysis, indicating a (thankfully) low QA (Quality Assurance) applied on behalf of the cybercriminals launching these campaigns.

The campaign is ongoing, so watch what you click on! Webroot SecureAnywhere users are proactively protected from these threats with our comprehensive internet security solution.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking.com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign.

More details:

read more…

In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs.

Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme.

More details:

read more…

On a daily basis, we continue to observe the emergence of the DIY (do-it-yourself) trend within the entire cybercrime ecosystem. And although the DIY activity cannot be compared to the malicious impact caused by “cybercrime-as-a-service” managed underground market propositions, it allows virtually anyone to enter the profitable world of cybercrime, thanks to the ongoing leaks of proprietary malware generating tools and freely available alternatives.

In this post, I’ll profile the latest version of a Russian DIY password stealing malware that’s targeting multiple browers, Email, IM, FTP clients, as well as online poker clients.

read more…

Users of FedEx’s Online Billing service, watch out!

Cybercriminals are currently mass mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on exploits and malware dropping links found in the legitimate-looking emails.

More details:

read more…

Financial institutions and online payment processors are a common target for cybercriminals, who systematically brand-jack and abuse the reputation of their trusted brands, in an attempt to scam or serve malware to their customers.

Over the past 24 hours, cybercriminals have launched yet another spam campaign, impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation“, which in reality they never really made. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

For years, the DIY (do-it-yourself) trend has been evident across the entire cybercrime ecosystem.

From the early exploits generating DIY tools that set the foundations for the upcoming “malicious economies of scale” trend to emerge, to the ongoing leaks of DIY botnet and malware generating tools that were once only available to advanced attackers, it’s never been easier to enter the world of cybercrime.

In this post, I’ll profile a novice cybercriminal’s approach to entering the profitable world of ransomware.

More details:

read more…

LinkedIn users, watch what you click on!

Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails.

Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts.

More details:

read more…

Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.

More details:

read more…

Just as we anticipated on two occasions in 2012, managed email hacking for hire services continue popping-up at publicly accessible cybercrime-friendly communities, a trend that’s largely driven by the demand for such services by unethical competition, “friends”, or current/ex-spouses.

Often pitched as “forgotten password recovery” services, they rely on social engineering, brute-forcing, and spear phishing campaigns, often leading to a successful compromise of a targeted account. Based on the number of positive vouches, the services continue receiving a steady stream off satisfied and verified customers.

In this post, I’ll profile one of the most recently advertised email hacking for hire services, specializing in hacking GMail and Yahoo! accounts, as well as email accounts using popular free Russian email service providers. How much does it cost to hack a Gmail or Yahoo! account? What about corporate email?

Let’s find out.

read more…

How easy is it to create an undetected piece of malware these days? Too easy to be true!

With more DIY malware botnets and DIY malware generating tools continuing to leak at public cybercrime-friendly forums, today’s novice cybercriminals have access to sophisticated point’n’click malware generating tools that were once only available in the arsenal of the experienced cybercriminal.

In this post, I’ll profile a recently leaked DIY malware generating tool, discuss its core features, and emphasize on its relevance in the context of the big picture when it comes to ongoing waves of malicious activity we’ve been monitoring over the years.

More details:

read more…